IP Threat Rep Script
Script that calls multiple API’s to return threat rep for user specified IP and writes findings to a text file. Useful for sec analyst investigations.
import requests
import json
import shodan
from requests.auth import HTTPBasicAuth
import os
import datetime
import time
import wget
def Grey_Noise(file,ip):
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
### greynoise API
r = requests.post("http://api.greynoise.io:8888/v1/query/ip",data = {'ip':ip} )
print("**** Greynoise ****")
#print(r.json())
grey_noise_dataREAL = r.json()
grey_noise_data = json.dumps(grey_noise_dataREAL)
file.write("**** Greynoise ****")
file.write('\n')
file.write('\n')
try:
for x in range(0,len(grey_noise_dataREAL['records'])):
file.write(str(grey_noise_dataREAL['records'][x]))
file.write('\n')
except:
print('No malware records found.')
file.write('No malware records found.')
file.write('\n')
file.write('\n')
#finally:
# file.write(grey_noise_data)
# file.write('\n')
return file.close()
def Shodan(file,ip):
port = ['Port List: ']
data = {}
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
print("**** Shodan ****")
file.write("**** Shodan ****")
file.write('\n')
file.write('\n')
SHODAN_API_KEY = 'yourkey'
api = shodan.Shodan(SHODAN_API_KEY)
try:
host = api.host(ip)
print("""
IP: {}
ORG: {}
OS: {}
""".format(host['ip_str'],host.get('org','n/a'),host.get('os','n/a')))
for item in host['data']:
data[item['port']] = item['data']
port.append(item['port'])
print(""" Port: {}
Banner: {}
""".format(item['port'],item['data']))
time.sleep(10)
except:
print('No Data Found')
file.write("**** Shodan ****")
file.write('\n')
file.write('No Data available')
try:
print('Error {}'.format(shodan.APIError))
except:
print('No Shodan Data Found')
try:
file.write(str(port))
file.write('\n')
for key ,value in data.items():
file.write('{} : {}'.format(key,value))
#file.write(str(new))
#shodan_data = port + shodan_ports + shodan_space + shodan_banners
#shodan_data = str(shodan_data)
file.write('\n')
except:
print('no shodan data to append')
return file.close()
def Maltiverse(file,ip):
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
print("**** Maltiverse ****")
r = requests.get('https://api.maltiverse.com/ip/{}'.format(ip))
print(r.json())
Maltiverse_Data = r.json()
try:
data = json.dumps(Maltiverse_Data['blacklist'])
except:
data = 'Multiverse has no malware for this ip'
### blacklist dict of lists
try:
country = Maltiverse_Data['asn_country_code']
except:
country = "Multiverse has no country for this ip"
try:
city = Maltiverse_Data['city']
except:
city = "Multiverse has no city for this ip"
try:
state = Maltiverse_Data['state']
except:
state = "Multiverse has no State for this ip"
try:
comp_name = Maltiverse_Data['as_name']
except:
comp_name = "Multiverse has no AS Name for this ip"
#Maltiverse_Data = json.dumps(Maltiverse_Data)
file.write("**** Maltiverse ****")
file.write('\n')
file.write(data)
file.write('\n')
file.write(country)
file.write('\n')
file.write(city)
file.write('\n')
file.write(state)
file.write('\n')
file.write(comp_name)
file.write('\n')
file.write('\n')
return file.close()
def FraudGuard(file,ip):
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
print("**** FraudGuard Trial Expired April 3rd ****")
r = requests.get('https://@api.fraudguard.io/ip/{}'.format(ip), verify=True, auth = HTTPBasicAuth('yourkey','yourkey'))
print(r.text)
fraudGuard_data = r.text
file.write("**** FraudGaurd Trial Expired April 3rd ****")
file.write('\n')
file.write(fraudGuard_data)
file.write('\n')
file.write('\n')
return file.close()
def ReverseDNS(file,ip):
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
print("**** ReverseDNS ****")
r = requests.get('https://api.hackertarget.com/reverseiplookup/?q={}'.format(ip))
print(r.text)
Reverse_DNS_Data = r.text
file.write("**** ReverseDNS ****")
file.write('\n')
file.write(Reverse_DNS_Data)
file.write('\n')
file.close()
return Reverse_DNS_Data
def MalwarePatrol(file,ip,DNS_INFO):
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
# malware patrol api
# iterate through file and see if ip is in block list
print("**** Malware Patrol ****")
counter = 0
dir = "C:\\Users\\calonso\\Desktop\\block_list.txt"
#Reverse_DNS_Data = Reverse_DNS_Data.split(' ')
# taking hostname from reverse dns and splitting ip and host name putting into block list loop
hostname = DNS_INFO.split('\n')
hostname = hostname[:-1]
# remove empty string in ths list
#[hostname[:-2] for w in hostname]
url = "https://lists.malwarepatrol.net/cgi/getfile?receipt=yourreciept&product=32&list=firekeeper"
if "record" not in hostname:
if not os.path.exists(dir):
try:
block_list = wget.download(url,out=dir)
if block_list:
print("Block List Downloaded and updated")
print("Checking blocklist...")
z = open("block_list.txt",'r')
file.write("**** Malware Patrol ****")
file.write("\n")
for line in z:
counter +=1
print('Reading Line # {}'.format(counter))
for word in hostname:
if word in line:
print(word)
file.write("**** Malware Patrol ****")
file.write('\n')
file.write("HOSTNAME FOUND ON BLOCKLIST")
file.write('\n')
file.write(line)
file.write('\n')
print('blocked hostname found!!!')
time.sleep(2)
except:
print('Could not download blocked url list')
else:
print('Checking blocklist...')
z = open("block_list.txt",'r')
#file.write("**** Malware Patrol ****")
file.write("\n")
for line in z:
counter +=1
print('Reading Line # {}'.format(counter))
for word in hostname:
if word in line:
print(word)
file.write("**** Malware Patrol ****")
file.write('\n')
file.write("HOSTNAME FOUND ON BLOCKLIST")
file.write('\n')
file.write(line)
file.write('\n')
print('blocked hostname found!!!')
time.sleep(2)
else:
print('IP Not resolved Cannot check blacklist')
file.write("**** Malware Patrol ****")
file.write("\n")
file.write("IP Not resolved Cannot check blacklist")
file.write("\n")
file.close()
def VirusTotal_Scan(file,ip):
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
file.write("**** Virus Total ****")
file.write("\n")
virus_total_key = 'yourkey'
VT_data = {'apikey':virus_total_key,'url':'http://{}/'.format(ip)}
response = requests.post('https://www.virustotal.com/vtapi/v2/url/scan',data=VT_data)
print(response.json())
response = response.json()
response_string = json.dumps(response)
file.write(response_string)
file.write('\n')
file.write('*** Virus Total Scan Report Below ***')
file.write('\n')
file.close()
return str(response['scan_id']), virus_total_key
## retrive report
def VirusTotal_Results(file,ip,scan_id):
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
print(scan_id)
key = 'yourkey'
params = (('apikey',key),('resource',scan_id))
getresults = requests.get('https://www.virustotal.com/vtapi/v2/url/report',params=params)
results = getresults.json()
try:
print(results['scans'])
for key, value in results['scans'].items():
print(key,'\n',value,'\n')
file.write(str(key))
file.write('\n')
file.write(str(value))
file.write('\n')
except:
print('No Scan Data Found Yet Try Again Later...')
return file.close()
## IPinfo.io API For when fraud guard expires
def IP_Info(file,ip):
key = 'yourkey'
file = open(current_time.strftime('%d_%m_%Y') +'_'+ ip + '.txt','a')
response = requests.get('http://ipinfo.io/{}?token={}'.format(ip,key))
data = response.json()
file.write("**** IP Info.io ****")
file.write('\n')
try:
file.write(data['ip'])
file.write('\n')
file.write(data['hostname'])
file.write('\n')
file.write('Organization name: ')
file.write(data['country'])
file.write('\n')
file.write(data['org'])
file.write('\n')
file.write('\n')
except:
file.write('Error Writing IP INFO DATA')
file.write('\n')
file.write('\n')
if __name__ == "__main__":
print('*** THREAT REP SCANNER v1 ***\n')
host_ip = input('Enter IP to be scanned: ')
current_time = datetime.datetime.today()
file1 = open(current_time.strftime('%d_%m_%Y') +'_'+ host_ip + '.txt','w')
file1.write('*** THREAT REP SCANNER v1 ***')
file1.write('\n')
file1.write('\n')
file1.close()
IP_Info(file1,host_ip)
FraudGuard(file1,host_ip)
Grey_Noise(file1,host_ip)
Shodan(file1,host_ip)
Maltiverse(file1,host_ip)
MalwarePatrol(file1,host_ip,ReverseDNS(file1,host_ip))
VirusTotal_Results(file1,host_ip,VirusTotal_Scan(file1,host_ip))