3 @6^X&@s8ddlZddlZddlmZmZmZGdddeZdS)N) SpiderFootSpiderFootPluginSpiderFootEventc@speZdZdZddddddZddd d d dZd ZdZd Ze fddZ ddZ ddZ e fddZ ddZd S) sfp_riskiqzRiskIQ:Investigate,Passive:Reputation Systems:apikey:Obtain information from RiskIQ's (formerly PassiveTotal) Passive DNS and Passive SSL databases.TFd) api_key_loginapi_key_passwordverifycohostsamedomain maxcohostz RiskIQ login.zRiskIQ API Key.zMVerify co-hosts are valid by checking if they still resolve to the shared IP.z>Treat co-hosted sites on the same target domain as co-hosting?zbStop reporting co-hosted sites after this many are found, as it would likely indicate web hosting.NrcCs>||_|j|_d|_x"t|jD]}|||j|<q$WdS)Nr)sf tempStorageresults cohostcountlistkeysopts)selfsfcuserOptsoptr5/var/www/spiderfoot.crq.systems/modules/sfp_riskiq.pysetup.s  zsfp_riskiq.setupcCs ddddgS)N INTERNET_NAME IP_ADDRESS DOMAIN_NAME EMAILADDRr)rrrr watchedEvents:szsfp_riskiq.watchedEventscCsdddddddgS)NrrAFFILIATE_INTERNET_NAMErAFFILIATE_DOMAIN_NAMECO_HOSTED_SITENETBLOCK_OWNERr)rrrrproducedEvents>szsfp_riskiq.producedEventsc Csd}d}|jrdS|dkr*d}d|d}|dkrBd}d|d}|dkrZd }d |d}|jd }t|tkrz|jd }|jd }t|tkr|jd }tj|djd |} d| jd dd} |jj |dd| |d} | dd!kr|jj ddd|_dS| ddkr$|jj d|dSy0t j | d}d|krR|jj d|dSWn0tk r} z|jj d ddSd} ~ XnX|dS)"NPDNSz2https://api.passivetotal.org/v2/dns/search/keywordz {"query": "z"}PSSLz6https://api.passivetotal.org/v2/ssl-certificate/searchz){"field": "subjectCommonName", "query": "WHOISz,https://api.passivetotal.org/v2/whois/searchz{"field": "email", "query": "rzutf-8r :zBasic zapplication/json) Authorizationz Content-Typer)timeout useragentheaderspostDatacode400429500403zLRiskIQ access seems to have been rejected or you have exceeded usage limits.FTcontentzNo RiskIQ info found for rz Invalid JSON returned by RiskIQ.)r0r1r2r3) errorStatertypestrencodebase64 b64encodedecoder fetchUrlerrorinfojsonloads BaseException) rqryZqtyperretposturlrr Zcredr-reserrrqueryCsR            zsfp_riskiq.queryc Cs|j}|j}|j}d}|jr dS|jjd|d||dkrX|jjd|ddS|jddkst|jddkr|jjd d d |_dS||jkr|jjd |d dSd |j|<|d*kr|j |d}|s|jj d||ryx|D]~}|d|krq|j j |dd drt d|d|j|}|j||jj|d|jdrt d|d|j|}|j|qWWn:tk r}z|jjdt|d WYdd}~XnX|dkr|j |d}|s|jj d|dSx|D]}|jd|ds|jj|drd} nd} t | |d|j|}|j|| dkr|jj|d|jdrt d|d|j|} |j| qWdS|d+kr|j |d}|s|jj d|dSt} |dkr*xd|D]\}|d jd!r|d dd,|d <|j j |d  rd#|d kr| j|d qW|d-krx\|D]T}|d jd!rb|d dd.|d <|d |kr:d#|d kr:| j|d q:Wx| D]} | |krq|dkr|jd$r|jj| | r|jjd%q|jd&sP|j j | d d'rPt d| |j|}|j||jj| |jdrt d| |j|}|j|q|j|jd(krt d)| |j|}|j||jd"7_qWdS)/NzReceived event, z, from rz Ignoring z , from self.rrr z6You enabled sfp_riskiq but did not set an credentials!FTz Skipping z as already mapped.rr&z%No RiskIQ passive SSL data found for ZsubjectCommonName)includeChildrenr _internettldsz'Invalid response returned from RiskIQ: rr'z%No RiskIQ passive DNS data found for @domainr#r r!rr%Z focusPoint.*r z"Host no longer resolves to our IP.r )includeParentsr r")r)rrr)rrrQ) eventTypemoduledatar5r debugrr=rrHr> getTargetmatchesr__name__notifyListenersisDomainrAr7endswithvalidIPrappend validateIPr) revent eventName srcModuleName eventDatarCrFrGrtevtZcohostscorrr handleEventzs          (    $    $    (     zsfp_riskiq.handleEvent)rX __module__ __qualname____doc__roptdescsrr5rdictrrr$rHrgrrrrrs& 7r)r?r9sflibrrrrrrrr s