ukemi 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a77579f014e97cc048e95dc5488e228ee19baba62d5074dbc9bfcb5c75f9d568
+  data.tar.gz: e156b9c6de521ea49d7a69725c724176a5d1739deee7bba32aef4e662c64ddae
+SHA512:
+  metadata.gz: f4e3eb6f8f4dd2223ba2eed1846ff8d95ee8d14913f5f6e682269489ee9348fea3af858c9bf849bac4d612a42a0a3c1c7bae3b27dde3461b1104c3e0e3752964
+  data.tar.gz: 34467c49986dc11f2ac4fae646c1d96419ebe199838fe20a8f859c1619137ce2f3d0bcfc11e1f356545e14f63a6b5ff81b7ad9f39b206b70469959a8ca9a5986

data/.gitignore

@@ -0,0 +1,59 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+# Ignore Byebug command history file.
+.byebug_history
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# Used by RuboCop. Remote config files pulled in from inherit_from directive.
+# .rubocop-https?--*
+
+# RSpec
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,6 @@
+---
+language: ruby
+cache: bundler
+rvm:
+  - 2.7
+before_install: gem install bundler -v 2.1

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in ukemi.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Manabu Niseki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,423 @@
+# ukemi
+
+[![Build Status](https://travis-ci.com/ninoseki/ukemi.svg?branch=master)](https://travis-ci.com/ninoseki/ukemi)
+[![Coverage Status](https://coveralls.io/repos/github/ninoseki/ukemi/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/ukemi?branch=master)
+[![CodeFactor](https://www.codefactor.io/repository/github/ninoseki/ukemi/badge)](https://www.codefactor.io/repository/github/ninoseki/ukemi)
+
+Ukemi is a CIL tool for querying passive DNS services.
+
+It supports the following services.
+
+- [CIRCL passive DNS](https://www.circl.lu/services/passive-dns/)
+- [PassiveTotal](https://community.riskiq.com/)
+- [SecurityTrails](https://securitytrails.com/)
+- [VirusTotal](http://virustotal.com)
+
+It outputs passive DNS resolutions as JSON.
+
+## Instalattion
+
+```bash
+gem install ukemi
+```
+
+## Configuration
+
+Configuration is done via environment variables.
+
+| Key                    | Desc.                      |
+|------------------------|----------------------------|
+| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS password |
+| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS username |
+| PASSIVETOTAL_API_KEY   | PassiveTotal API key       |
+| PASSIVETOTAL_USERNAME  | PassiveTotal username      |
+| SECURITYTRAILS_API_KEY | SecurityTrails API key     |
+| VIRUSTOTAL_API_KEY     | VirusTotal API key         |
+
+## Usage
+
+```bash
+$ ukemi
+Commands:
+  ukemi help [COMMAND]      # Describe available commands or one specific command
+  ukemi lookup [IP|DOMAIN]  # Lookup passive DNS services
+
+$ ukemi help looup
+Usage:
+  ukemi lookup [IP|DOMAIN]
+
+Lookup passive DNS services
+```
+
+```bash
+$ ukemi lookup circl.lu
+{
+  "149.13.33.14": [
+    {
+      "firtst_seen": "2016-10-07",
+      "last_seen": "2018-10-26",
+      "source": "CIRCL"
+    },
+    {
+      "firtst_seen": "2017-05-26",
+      "last_seen": "2020-03-15",
+      "source": "SecurityTrails"
+    },
+    {
+      "firtst_seen": "2019-12-04",
+      "last_seen": "2019-12-04",
+      "source": "VirusTotal"
+    }
+  ],
+  "149.13.33.4": [
+    {
+      "firtst_seen": "2011-03-08",
+      "last_seen": "2012-02-13",
+      "source": "CIRCL"
+    },
+    {
+      "firtst_seen": "2013-07-30",
+      "last_seen": "2013-07-30",
+      "source": "VirusTotal"
+    }
+  ],
+  "194.154.205.24": [
+    {
+      "firtst_seen": "2011-03-03",
+      "last_seen": "2011-03-03",
+      "source": "CIRCL"
+    }
+  ]
+}
+
+$ ukemi lookup 195.123.226.243
+{
+  "liankt.club": [
+    {
+      "firtst_seen": "2020-02-15",
+      "last_seen": "2020-03-13",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-16",
+      "last_seen": "2020-02-16",
+      "source": "VirusTotal"
+    }
+  ],
+  "weidt.club": [
+    {
+      "firtst_seen": "2020-03-12",
+      "last_seen": "2020-03-12",
+      "source": "PassiveTotal"
+    }
+  ],
+  "jikt.club": [
+    {
+      "firtst_seen": "2020-03-04",
+      "last_seen": "2020-03-12",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-03-05",
+      "last_seen": "2020-03-05",
+      "source": "VirusTotal"
+    }
+  ],
+  "biesi.club": [
+    {
+      "firtst_seen": "2020-02-15",
+      "last_seen": "2020-03-12",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-20",
+      "last_seen": "2020-02-20",
+      "source": "VirusTotal"
+    }
+  ],
+  "kaikt.club": [
+    {
+      "firtst_seen": "2020-02-15",
+      "last_seen": "2020-03-12",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-02-21",
+      "source": "VirusTotal"
+    }
+  ],
+  "zhaokt.club": [
+    {
+      "firtst_seen": "2020-02-15",
+      "last_seen": "2020-03-11",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-18",
+      "last_seen": "2020-02-18",
+      "source": "VirusTotal"
+    }
+  ],
+  "yangdt.club": [
+    {
+      "firtst_seen": "2020-02-26",
+      "last_seen": "2020-03-10",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-27",
+      "last_seen": "2020-02-27",
+      "source": "VirusTotal"
+    }
+  ],
+  "jinkt.club": [
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-03-10",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "VirusTotal"
+    }
+  ],
+  "taokt.club": [
+    {
+      "firtst_seen": "2020-03-10",
+      "last_seen": "2020-03-10",
+      "source": "PassiveTotal"
+    }
+  ],
+  "xinkt.club": [
+    {
+      "firtst_seen": "2020-02-17",
+      "last_seen": "2020-03-09",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-19",
+      "last_seen": "2020-02-19",
+      "source": "VirusTotal"
+    }
+  ],
+  "mail.realty-advertising.ru": [
+    {
+      "firtst_seen": "2019-11-08",
+      "last_seen": "2020-03-09",
+      "source": "PassiveTotal"
+    }
+  ],
+  "realty-advertising.ru": [
+    {
+      "firtst_seen": "2019-11-08",
+      "last_seen": "2020-03-06",
+      "source": "PassiveTotal"
+    }
+  ],
+  "ns1.realty-advertising.ru": [
+    {
+      "firtst_seen": "2019-12-02",
+      "last_seen": "2020-03-04",
+      "source": "PassiveTotal"
+    }
+  ],
+  "ns2.realty-advertising.ru": [
+    {
+      "firtst_seen": "2019-12-04",
+      "last_seen": "2020-03-04",
+      "source": "PassiveTotal"
+    }
+  ],
+  "xiankt.club": [
+    {
+      "firtst_seen": "2020-02-15",
+      "last_seen": "2020-03-03",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-16",
+      "last_seen": "2020-02-16",
+      "source": "VirusTotal"
+    }
+  ],
+  "nittsu-si.com": [
+    {
+      "firtst_seen": "2020-02-15",
+      "last_seen": "2020-03-03",
+      "source": "PassiveTotal"
+    },
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-02-21",
+      "source": "VirusTotal"
+    }
+  ],
+  "mailer.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-23",
+      "last_seen": "2020-02-23",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mail7.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-23",
+      "last_seen": "2020-02-23",
+      "source": "PassiveTotal"
+    }
+  ],
+  "zimbra.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-23",
+      "last_seen": "2020-02-23",
+      "source": "PassiveTotal"
+    }
+  ],
+  "relay2.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-23",
+      "last_seen": "2020-02-23",
+      "source": "PassiveTotal"
+    }
+  ],
+  "sniper.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mailx.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "PassiveTotal"
+    }
+  ],
+  "send.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mta.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "PassiveTotal"
+    }
+  ],
+  "home.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "PassiveTotal"
+    }
+  ],
+  "pbrand.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "PassiveTotal"
+    }
+  ],
+  "smtpauth.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-22",
+      "last_seen": "2020-02-22",
+      "source": "PassiveTotal"
+    }
+  ],
+  "gate.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-02-21",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mx02.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-02-21",
+      "source": "PassiveTotal"
+    }
+  ],
+  "outmail.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-02-21",
+      "source": "PassiveTotal"
+    }
+  ],
+  "exchange.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-02-21",
+      "source": "PassiveTotal"
+    }
+  ],
+  "ms.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-21",
+      "last_seen": "2020-02-21",
+      "source": "PassiveTotal"
+    }
+  ],
+  "owa.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-20",
+      "last_seen": "2020-02-20",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mail8.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-02-20",
+      "last_seen": "2020-02-20",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mta-sts.realty-advertising.ru": [
+    {
+      "firtst_seen": "2019-11-11",
+      "last_seen": "2020-02-08",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mail02.realty-advertising.ru": [
+    {
+      "firtst_seen": "2020-01-18",
+      "last_seen": "2020-01-18",
+      "source": "PassiveTotal"
+    }
+  ],
+  "www.realty-advertising.ru": [
+    {
+      "firtst_seen": "2019-11-08",
+      "last_seen": "2019-11-12",
+      "source": "PassiveTotal"
+    }
+  ],
+  "ln-048.rd-00003024.id-11744955.v0.tun.vpnoverdns.com": [
+    {
+      "firtst_seen": "2017-04-06",
+      "last_seen": "2017-04-06",
+      "source": "PassiveTotal"
+    }
+  ],
+  "mnen6k7g.info": [
+    {
+      "firtst_seen": "2010-10-28",
+      "last_seen": "2010-10-28",
+      "source": "PassiveTotal"
+    }
+  ]
+}
+```
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "ukemi"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/ukemi

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift("#{__dir__}/../lib")
+
+require "ukemi"
+
+Ukemi::CLI.start

data/lib/ukemi/cli.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "json"
+require "thor"
+
+module Ukemi
+  class CLI < Thor
+    desc "lookup [IP|DOMAIN]", "Lookup passive DNS services"
+    def lookup(data)
+      data = refang(data)
+      result = Moderator.lookup(data)
+      puts JSON.pretty_generate(result)
+    end
+
+    no_commands do
+      def refang(data)
+        data.gsub("[.]", ".").gsub("(.)", ".")
+      end
+    end
+  end
+end

data/lib/ukemi/error.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Ukemi
+  class Error < StandardError; end
+end

data/lib/ukemi/moderator.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "parallel"
+require "time"
+
+module Ukemi
+  class Moderator
+    def lookup(data)
+      records = Parallel.map(Ukemi.services) do |klass|
+        service = klass.new
+        next unless service.configurated?
+
+        begin
+          service.lookup data
+        rescue ::PassiveTotal::Error, ::VirusTotal::Error, ::SecurityTrails::Error, PassiveCIRCL::Error
+          nil
+        end
+      end.flatten.compact
+
+      memo = Hash.new { |h, k| h[k] = [] }
+      records.each do |record|
+        memo[record.data] << {
+          firtst_seen: record.first_seen,
+          last_seen: record.last_seen,
+          source: record.source,
+        }
+      end
+
+      memo.sort_by do |_key, array|
+        last_seens = array.map do |record|
+          parse_to_unixtime record.dig(:last_seen)
+        end
+        -last_seens.max
+      end.to_h
+    end
+
+    def parse_to_unixtime(date)
+      return -1 unless date
+
+      Time.parse(date).to_i
+    end
+
+    class << self
+      def lookup(data)
+        new.lookup data
+      end
+    end
+  end
+end

data/lib/ukemi/record.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Ukemi
+  class Record
+    attr_reader :data
+    attr_reader :first_seen
+    attr_reader :last_seen
+    attr_reader :source
+
+    def initialize(data:, first_seen: nil, last_seen: nil, source: nil)
+      @data = data
+      @first_seen = first_seen
+      @last_seen = last_seen
+      @source = source
+    end
+
+    def to_h
+      {
+        data: data,
+        first_seen: first_seen,
+        last_seen: last_seen,
+        source: source
+      }
+    end
+  end
+end

data/lib/ukemi/services/circl.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "passive_circl"
+
+module Ukemi
+  module Services
+    class CIRCL < Service
+      private
+
+      def config_keys
+        %w(CIRCL_PASSIVE_USERNAME CIRCL_PASSIVE_PASSWORD)
+      end
+
+      def api
+        @api ||= PassiveCIRCL::API.new
+      end
+
+      def lookup_by_domain(data)
+        passive_dns_lookup(data, "rdata")
+      end
+
+      def lookup_by_ip(data)
+        passive_dns_lookup(data, "rrname")
+      end
+
+      def passive_dns_lookup(data, key = nil)
+        results = api.dns.query(data)
+        results = results.select do |result|
+          result.dig("rrtype") == "A"
+        end
+
+        results.map do |result|
+          Record.new(
+            data: result.dig(key),
+            first_seen: Time.at(result.dig("time_first")).to_date.to_s,
+            last_seen: Time.at(result.dig("time_last")).to_date.to_s,
+            source: name
+          )
+        end
+      end
+    end
+  end
+end

data/lib/ukemi/services/passivetotal.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "passivetotal"
+
+module Ukemi
+  module Services
+    class PassiveTotal < Service
+      private
+
+      def api
+        @api ||= ::PassiveTotal::API.new
+      end
+
+      def config_keys
+        %w(PASSIVETOTAL_USERNAME PASSIVETOTAL_API_KEY)
+      end
+
+      def lookup_by_ip(data)
+        res = api.dns.passive(data)
+        results = res.dig("results") || []
+        convert_to_records results
+      end
+
+      def lookup_by_domain(_data)
+        []
+      end
+
+      def convert_to_records(results)
+        results.map do |result|
+          data = result.dig("resolve")
+          first_seen = result.dig("firstSeen").to_s.split.first
+          last_seen = result.dig("lastSeen").to_s.split.first
+          Record.new(
+            data: data,
+            first_seen: first_seen,
+            last_seen: last_seen,
+            source: name
+          )
+        end
+      end
+    end
+  end
+end

data/lib/ukemi/services/securitytrails.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "date"
+require "securitytrails"
+
+module Ukemi
+  module Services
+    class SecurityTrails < Service
+      private
+
+      def config_keys
+        %w(SECURITYTRAILS_API_KEY)
+      end
+
+      def api
+        @api ||= ::SecurityTrails::API.new
+      end
+
+      def lookup_by_ip(data)
+        result = api.domains.search( filter: { ipv4: data })
+        records = result.dig("records") || []
+        hostnames = records.map { |record| record.dig("hostname") }
+        hostnames.map do |hostname|
+          Record.new(
+            data: hostname,
+            first_seen: nil,
+            last_seen: nil,
+            source: name
+          )
+        end
+      end
+
+      def lookup_by_domain(data)
+        result = api.history.get_all_dns_history(data, type: "a")
+        records = result.dig("records") || []
+        records.map do |record|
+          values = record.dig("values") || []
+          values.map do |value|
+            Record.new(
+              data: value.dig("ip"),
+              first_seen: record.dig("first_seen"),
+              last_seen: record.dig("last_seen"),
+              source: name
+            )
+          end
+        end.flatten
+      end
+
+      def extract_attributes(response)
+        data = response.dig("data") || []
+        data.map do |item|
+          item.dig("attributes") || []
+        end
+      end
+    end
+  end
+end

data/lib/ukemi/services/service.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require "addressable/uri"
+require "ipaddr"
+require "public_suffix"
+
+module Ukemi
+  module Services
+    class Service
+      def name
+        @name ||= self.class.to_s.split("::").last
+      end
+
+      def lookup(data)
+        @data = data
+
+        case type
+        when "ip"
+          lookup_by_ip data
+        when "domain"
+          lookup_by_domain data
+        else
+          raise ArgumentError, "#{data} is not a valid input."
+        end
+      end
+
+      def configurated?
+        config_keys.all? do |key|
+          ENV.key? key
+        end
+      end
+
+      class << self
+        def inherited(child)
+          Ukemi.services << child
+        end
+      end
+
+      private
+
+      def config_keys
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      def lookup_by_ip
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      def lookup_by_domain
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      def ip?
+        IPAddr.new @data
+        true
+      rescue IPAddr::InvalidAddressError => _e
+        false
+      end
+
+      def domain?
+        uri = Addressable::URI.parse("http://#{@data}")
+        uri.host == @data && PublicSuffix.valid?(uri.host)
+      rescue Addressable::URI::InvalidURIError => _e
+        false
+      end
+
+      def type
+        return "ip" if ip?
+        return "domain" if domain?
+      end
+    end
+  end
+end

data/lib/ukemi/services/virustotal.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "date"
+require "virustotal"
+
+module Ukemi
+  module Services
+    class VirusTotal < Service
+      private
+
+      def config_keys
+        %w(VIRUSTOTAL_API_KEY)
+      end
+
+      def api
+        @api ||= ::VirusTotal::API.new
+      end
+
+      def lookup_by_ip(data)
+        res = api.ip_address.resolutions(data)
+        attributes = extract_attributes(res)
+        convert_to_records attributes, "host_name"
+      end
+
+      def lookup_by_domain(data)
+        res = api.domain.resolutions(data)
+        attributes = extract_attributes(res)
+        convert_to_records attributes, "ip_address"
+      end
+
+      def extract_attributes(response)
+        data = response.dig("data") || []
+        data.map do |item|
+          item.dig("attributes") || []
+        end
+      end
+
+      def convert_to_records(attributes, key = nil)
+        memo = Hash.new { |h, k| h[k] = [] }
+
+        attributes.each do |attribute|
+          data = attribute.dig(key)
+          date = Time.at(attribute.dig("date")).to_date.to_s
+          memo[data] << date
+        end
+
+        memo.keys.map do |data|
+          Record.new(
+            data: data,
+            first_seen: memo[data].min,
+            last_seen: memo[data].max,
+            source: name
+          )
+        end
+      end
+    end
+  end
+end

data/lib/ukemi/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Ukemi
+  VERSION = "0.1.0"
+end

data/lib/ukemi.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require "mem"
+
+module Ukemi
+  class << self
+    include Mem
+
+    def services
+      []
+    end
+    memoize :services
+  end
+end
+
+require "ukemi/version"
+
+require "ukemi/error"
+
+require "ukemi/record"
+
+require "ukemi/services/service"
+
+require "ukemi/services/circl"
+require "ukemi/services/passivetotal"
+require "ukemi/services/securitytrails"
+require "ukemi/services/virustotal"
+
+require "ukemi/moderator"
+
+require "ukemi/cli"

data/ukemi.gemspec

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative 'lib/ukemi/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "ukemi"
+  spec.version       = Ukemi::VERSION
+  spec.authors       = ["Manabu Niseki"]
+  spec.email         = ["manabu.niseki@gmail.com"]
+
+  spec.summary       = "A CLI tool for querying passive DNS services"
+  spec.description   = "A CLI tool for querying passive DNS services"
+  spec.homepage      = "https://github.com/ninoseki/ukemi"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.1"
+  spec.add_development_dependency "coveralls", "~> 0.8"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.9"
+  spec.add_development_dependency "vcr", "~> 5.0"
+  spec.add_development_dependency "webmock", "~> 3.8"
+
+  spec.add_dependency "addressable", "~> 2.7"
+  spec.add_dependency "mem", "~> 0.1"
+  spec.add_dependency "parallel", "~> 1.19"
+  spec.add_dependency "passive_circl", "~> 0.1"
+  spec.add_dependency "passivetotalx", "~> 0.1"
+  spec.add_dependency "public_suffix", "~> 4.0"
+  spec.add_dependency "securitytrails", "~> 1.0"
+  spec.add_dependency "thor", "~> 1.0"
+  spec.add_dependency "virustotalx", "~> 1.1"
+end

metadata

@@ -0,0 +1,277 @@
+--- !ruby/object:Gem::Specification
+name: ukemi
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Manabu Niseki
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-03-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: mem
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: parallel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.19'
+- !ruby/object:Gem::Dependency
+  name: passive_circl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: passivetotalx
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: securitytrails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: virustotalx
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+description: A CLI tool for querying passive DNS services
+email:
+- manabu.niseki@gmail.com
+executables:
+- ukemi
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/ukemi
+- lib/ukemi.rb
+- lib/ukemi/cli.rb
+- lib/ukemi/error.rb
+- lib/ukemi/moderator.rb
+- lib/ukemi/record.rb
+- lib/ukemi/services/circl.rb
+- lib/ukemi/services/passivetotal.rb
+- lib/ukemi/services/securitytrails.rb
+- lib/ukemi/services/service.rb
+- lib/ukemi/services/virustotal.rb
+- lib/ukemi/version.rb
+- ukemi.gemspec
+homepage: https://github.com/ninoseki/ukemi
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/ninoseki/ukemi
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: A CLI tool for querying passive DNS services
+test_files: []