mihari 0.13.2 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5a283261490c642311f94a2cb72a5a1596b2b5b2d3ba1b69d54b7ef785b4d39
-  data.tar.gz: '078f0fa96c14cd90a1c91ba1ca6235c453049b826719fc69db8e2c629e7fcc49'
+  metadata.gz: 429387bdb6483e260f1631661721fce1a5abc284711a2c763b50452140388a0c
+  data.tar.gz: 7ba6ad5c62da25d668cf975a4ffecb3e70a01c7c5c6961e646412b0227886fc0
 SHA512:
-  metadata.gz: d9189cbee2cce11c71342a06f741a8ff5d9351aedc0dd84e85378f8e2b4c88275812fa12cf0b8681965b09f27f7009bb7e7267cade8dd0c74655c11e28cd0d35
-  data.tar.gz: ead6cf8241cdba49266abdc455ba8d65287aa1defe9d8dd49a528b7061b26bcf7a23fb80c377d3c26a3a4554e3105aad57775affcf4ee5e720bf31885c1c9558
+  metadata.gz: c64e408f6e8d11c27285f1bceccd504cbffa360978864cf5c4a45b7841a1718166158b6818af2d2a3f83087af21cda7c1808e948335270ac742a0c0094c467c4
+  data.tar.gz: c36b4d97ae530b19c5c9f06b22438032eeca23aeea941a39a12b56a0236565de1a09c7f977b8d04b7f2a5c62fbcfe4e2abf06f553d497d05660982879fa9edba

data/README.md

@@ -77,9 +77,13 @@ Commands:
   mihari help [COMMAND]                       # Describe available commands or one specific command
   mihari import_from_json                     # Give a JSON input via STDIN
   mihari onyphe [QUERY]                       # Onyphe datascan search by a query
+  mihari passive_dns [IP|Domain]              # Cross search with passive DNS services by an ip / domain
+  mihari passive_ssl [SHA1]                   # Cross search with passive SSL services by an SHA1 certificate fingerprint
   mihari passivetotal [IP|DOMAIN|EMAIL|SHA1]  # PassiveTotal lookup by an ip / domain / email / SHA1 certificate fingerprint
+  mihari reverse_whois [email]                # Cross search with reverse whois services by an email
   mihari securitytrails [IP|DOMAIN|EMAIL]     # SecurityTrails lookup by an ip, domain or email
   mihari securitytrails_domain_feed [REGEXP]  # SecurityTrails new domain feed search by a regexp
+  mihari sha256 [SHA256]                      # Cross search with search engines by an SHA256 hash
   mihari shodan [QUERY]                       # Shodan host search by a query
   mihari status                               # Show the current configuration status
   mihari urlscan [QUERY]                      # urlscan search by a given query
@@ -88,6 +92,19 @@ Commands:
 
 ```
 
+### Cross searches
+
+mihari has cross search features. A cross search is a search across a number of services.
+
+You can get aggregated results by using the following commands.
+
+| Command       | Desc.                                                                                  |
+|---------------|----------------------------------------------------------------------------------------|
+| passive_dns   | Passive DNS lookup with CIRCL passive DNS, PassiveTotal, SecurityTrails and VirusTotal |
+| passive_ssl   | Passive SSL lookup with CIRCL passive SSL and PassiveTotal                             |
+| reverse_whois | Revese Whois lookup with PassiveTotal and SecurityTrails                               |
+| sha256        | SHA256 hash search with BinaryEdge and Censys                                          |
+
 ### Example usages
 
 ```bash

data/lib/mihari.rb

@@ -51,6 +51,11 @@ require "mihari/analyzers/urlscan"
 require "mihari/analyzers/virustotal"
 require "mihari/analyzers/zoomeye"
 
+require "mihari/analyzers/passive_dns"
+require "mihari/analyzers/passive_ssl"
+require "mihari/analyzers/reverse_whois"
+require "mihari/analyzers/sha256"
+
 require "mihari/notifiers/base"
 require "mihari/notifiers/slack"
 require "mihari/notifiers/exception_notifier"

data/lib/mihari/analyzers/passive_dns.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "parallel"
+
+module Mihari
+  module Analyzers
+    class PassiveDNS < Base
+      attr_reader :query
+      attr_reader :type
+
+      attr_reader :title
+      attr_reader :description
+      attr_reader :tags
+
+      ANALYZERS = [
+        Mihari::Analyzers::CIRCL,
+        Mihari::Analyzers::PassiveTotal,
+        Mihari::Analyzers::SecurityTrails,
+        Mihari::Analyzers::VirusTotal,
+      ].freeze
+
+      def initialize(query, title: nil, description: nil, tags: [])
+        super()
+
+        @query = query
+        @type = TypeChecker.type(query)
+
+        @title = title || "PassiveDNS cross search"
+        @description = description || "query = #{query}"
+        @tags = tags
+      end
+
+      def artifacts
+        Parallel.map(analyzers) do |analyzer|
+          run_analyzer analyzer
+        end.flatten
+      end
+
+      private
+
+      def valid_type?
+        %w(ip domain).include? type
+      end
+
+      def analyzers
+        raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+
+        ANALYZERS.map do |klass|
+          klass.new(query)
+        end
+      end
+
+      def run_analyzer(analyzer)
+        analyzer.artifacts
+      rescue ArgumentError, InvalidInputError => _e
+        nil
+      rescue ::PassiveCIRCL::Error, ::PassiveTotal::Error, ::SecurityTrails::Error, ::VirusTotal::Error => _e
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/passive_ssl.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "parallel"
+
+module Mihari
+  module Analyzers
+    class PassiveSSL < Base
+      attr_reader :query
+      attr_reader :type
+
+      attr_reader :title
+      attr_reader :description
+      attr_reader :tags
+
+      ANALYZERS = [
+        Mihari::Analyzers::CIRCL,
+        Mihari::Analyzers::PassiveTotal,
+      ].freeze
+
+      def initialize(query, title: nil, description: nil, tags: [])
+        super()
+
+        @query = query
+        @type = TypeChecker.detailed_type(query)
+
+        @title = title || "PassiveSSL cross search"
+        @description = description || "query = #{query}"
+        @tags = tags
+      end
+
+      def artifacts
+        Parallel.map(analyzers) do |analyzer|
+          run_analyzer analyzer
+        end.flatten
+      end
+
+      private
+
+      def valid_type?
+        %w(sha1).include? type
+      end
+
+      def analyzers
+        raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+
+        ANALYZERS.map do |klass|
+          klass.new(query)
+        end
+      end
+
+      def run_analyzer(analyzer)
+        analyzer.artifacts
+      rescue ArgumentError, InvalidInputError => _e
+        nil
+      rescue ::PassiveCIRCL::Error, ::PassiveTotal::Error => _e
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/reverse_whois.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "parallel"
+
+module Mihari
+  module Analyzers
+    class ReveseWhois < Base
+      attr_reader :query
+      attr_reader :type
+
+      attr_reader :title
+      attr_reader :description
+      attr_reader :tags
+
+      ANALYZERS = [
+        Mihari::Analyzers::PassiveTotal,
+        Mihari::Analyzers::SecurityTrails,
+      ].freeze
+
+      def initialize(query, title: nil, description: nil, tags: [])
+        super()
+
+        @query = query
+        @type = TypeChecker.type(query)
+
+        @title = title || "ReveseWhois cross search"
+        @description = description || "query = #{query}"
+        @tags = tags
+      end
+
+      def artifacts
+        Parallel.map(analyzers) do |analyzer|
+          run_analyzer analyzer
+        end.flatten
+      end
+
+      private
+
+      def valid_type?
+        %w(mail).include? type
+      end
+
+      def analyzers
+        raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+
+        ANALYZERS.map do |klass|
+          klass.new(query)
+        end
+      end
+
+      def run_analyzer(analyzer)
+        analyzer.artifacts
+      rescue ArgumentError, InvalidInputError => _e
+        nil
+      rescue ::PassiveTotal::Error, ::SecurityTrails::Error => _e
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/sha256.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "parallel"
+
+module Mihari
+  module Analyzers
+    class SHA256 < Base
+      attr_reader :query
+      attr_reader :type
+
+      attr_reader :title
+      attr_reader :description
+      attr_reader :tags
+
+      ANALYZERS = [
+        Mihari::Analyzers::BinaryEdge,
+        Mihari::Analyzers::Censys,
+      ].freeze
+
+      def initialize(query, title: nil, description: nil, tags: [])
+        super()
+
+        @query = query
+        @type = TypeChecker.detailed_type(query)
+
+        @title = title || "SHA256 hash cross search"
+        @description = description || "query = #{query}"
+        @tags = tags
+      end
+
+      def artifacts
+        Parallel.map(analyzers) do |analyzer|
+          run_analyzer analyzer
+        end.flatten
+      end
+
+      private
+
+      def valid_type?
+        %w(sha256).include? type
+      end
+
+      def analyzers
+        raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+
+        ANALYZERS.map do |klass|
+          klass.new(query)
+        end
+      end
+
+      def run_analyzer(analyzer)
+        analyzer.artifacts
+      rescue ArgumentError, InvalidInputError => _e
+        nil
+      rescue ::BinaryEdge::Error, ::Censys::ResponseError => _e
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/cli.rb

@@ -141,6 +141,46 @@ module Mihari
       end
     end
 
+    desc "passive_dns [IP|Domain]", "Cross search with passive DNS services by an ip / domain"
+    method_option :title, type: :string, desc: "title"
+    method_option :description, type: :string, desc: "description"
+    method_option :tags, type: :array, desc: "tags"
+    def passive_dns(query)
+      with_error_handling do
+        run_analyzer Analyzers::PassiveDNS, query: query, options: options
+      end
+    end
+
+    desc "passive_ssl [SHA1]", "Cross search with passive SSL services by an SHA1 certificate fingerprint"
+    method_option :title, type: :string, desc: "title"
+    method_option :description, type: :string, desc: "description"
+    method_option :tags, type: :array, desc: "tags"
+    def passive_ssl(query)
+      with_error_handling do
+        run_analyzer Analyzers::PassiveSSL, query: query, options: options
+      end
+    end
+
+    desc "reverse_whois [email]", "Cross search with reverse whois services by an email"
+    method_option :title, type: :string, desc: "title"
+    method_option :description, type: :string, desc: "description"
+    method_option :tags, type: :array, desc: "tags"
+    def reverse_whois(query)
+      with_error_handling do
+        run_analyzer Analyzers::ReveseWhois, query: query, options: options
+      end
+    end
+
+    desc "sha256 [SHA256]", "Cross search with search engines by an SHA256 hash"
+    method_option :title, type: :string, desc: "title"
+    method_option :description, type: :string, desc: "description"
+    method_option :tags, type: :array, desc: "tags"
+    def sha256(query)
+      with_error_handling do
+        run_analyzer Analyzers::SHA256, query: query, options: options
+      end
+    end
+
     desc "import_from_json", "Give a JSON input via STDIN"
     def import_from_json(input = nil)
       with_error_handling do

data/lib/mihari/type_checker.rb

@@ -56,11 +56,26 @@ module Mihari
       return "mail" if mail?
     end
 
+    # @return [String, nil]
+    def detailed_type
+      return "md5" if md5?
+      return "sha1" if sha1?
+      return "sha256" if sha256?
+      return "sha512" if sha512?
+
+      type
+    end
+
     # @return [String, nil]
     def self.type(data)
       new(data).type
     end
 
+    # @return [String, nil]
+    def self.detailed_type(data)
+      new(data).detailed_type
+    end
+
     private
 
     # @return [true, false]

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "0.13.2"
+  VERSION = "0.14.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 0.13.2
+  version: 0.14.0
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-11-08 00:00:00.000000000 Z
+date: 2019-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -474,9 +474,13 @@ files:
 - lib/mihari/analyzers/crtsh.rb
 - lib/mihari/analyzers/dnpedia.rb
 - lib/mihari/analyzers/onyphe.rb
+- lib/mihari/analyzers/passive_dns.rb
+- lib/mihari/analyzers/passive_ssl.rb
 - lib/mihari/analyzers/passivetotal.rb
+- lib/mihari/analyzers/reverse_whois.rb
 - lib/mihari/analyzers/securitytrails.rb
 - lib/mihari/analyzers/securitytrails_domain_feed.rb
+- lib/mihari/analyzers/sha256.rb
 - lib/mihari/analyzers/shodan.rb
 - lib/mihari/analyzers/urlscan.rb
 - lib/mihari/analyzers/virustotal.rb