U @6^X&@s8ddlZddlZddlmZmZmZGdddeZdS)N) SpiderFootSpiderFootPluginSpiderFootEventc@speZdZdZddddddZddd d d dZd ZdZd Ze fddZ ddZ ddZ e fddZ ddZd S) sfp_riskiqzRiskIQ:Investigate,Passive:Reputation Systems:apikey:Obtain information from RiskIQ's (formerly PassiveTotal) Passive DNS and Passive SSL databases.TFd) api_key_loginapi_key_passwordverifycohostsamedomain maxcohostz RiskIQ login.zRiskIQ API Key.zMVerify co-hosts are valid by checking if they still resolve to the shared IP.z>Treat co-hosted sites on the same target domain as co-hosting?zbStop reporting co-hosted sites after this many are found, as it would likely indicate web hosting.NrcCs:||_||_d|_t|D]}|||j|<q"dS)Nr)sf tempStorageresults cohostcountlistkeysopts)selfsfcuserOptsoptr5/var/www/spiderfoot.crq.systems/modules/sfp_riskiq.pysetup.s  zsfp_riskiq.setupcCs ddddgS)N INTERNET_NAME IP_ADDRESS DOMAIN_NAME EMAILADDRrrrrr watchedEvents:szsfp_riskiq.watchedEventscCsdddddddgS)NrrAFFILIATE_INTERNET_NAMErAFFILIATE_DOMAIN_NAMECO_HOSTED_SITENETBLOCK_OWNERrrrrrproducedEvents>s zsfp_riskiq.producedEventsc Csd}d}|jrdS|dkr*d}d|d}|dkrBd}d|d}|dkrZd }d |d}|jd }t|tkrz|d }|jd }t|tkr|d }t|dd |} d| d dd} |jj |dd| |d} | ddkr|j ddd|_dS| ddkr$|j d|dSz2t | d}d|krT|j d|WdSWn8tk r} z|j ddWYdSd} ~ XYnX|dS)NPDNSz2https://api.passivetotal.org/v2/dns/search/keywordz {"query": "z"}PSSLz6https://api.passivetotal.org/v2/ssl-certificate/searchz){"field": "subjectCommonName", "query": "WHOISz,https://api.passivetotal.org/v2/whois/searchz{"field": "email", "query": "rzutf-8r :zBasic zapplication/json) Authorizationz Content-Typer)timeout useragentheaderspostDatacode)400429500403zLRiskIQ access seems to have been rejected or you have exceeded usage limits.FTcontentzNo RiskIQ info found for rz Invalid JSON returned by RiskIQ.) errorStatertypestrencodebase64 b64encodedecoder fetchUrlerrorinfojsonloads BaseException) rqryZqtyperretposturlrr Zcredr.reserrrqueryCsX             zsfp_riskiq.queryc Cs||j}|j}|j}d}|jr dS|jd|d||dkrX|jd|ddS|jddkst|jddkr|jd d d |_dS||jkr|jd |d dSd |j|<|dkr| |d}|s|j d||rz|D]~}|d|krq| j |dd drt d|d|j|}|||j|d|jdrt d|d|j|}||qWn:tk r}z|jdt|d W5d}~XYnX|dkr|| |d}|s|j d|dS|D]}|d|ds|j|drd} nd} t | |d|j|}||| dkr|j|d|jdrt d|d|j|} || qdS|dkrx| |d }|s|j d|dSt} |d!kr|D]Z}|d"d#r|d"dd$|d"<| |d"sd%|d"kr| |d"q|d&kr|D]T}|d"d#rR|d"dd$|d"<|d"|kr*d%|d"kr*| |d"q*| D]} | |krq|d!kr|jd'r|j| |s|jd(q|jd)s:| j | d d*r:t d| |j|}|||j| |jdrt d| |j|}||q|j|jd+krt d,| |j|}|||jd-7_qdS).NzReceived event, z, from rz Ignoring z , from self.rrr z6You enabled sfp_riskiq but did not set an credentials!FTz Skipping z as already mapped.)rr'z%No RiskIQ passive SSL data found for ZsubjectCommonName)includeChildrenr _internettldsrz'Invalid response returned from RiskIQ: rr(z%No RiskIQ passive DNS data found for @domainr$r!r")rrrr&rZ focusPoint.*)rrr z"Host no longer resolves to our IP.r )includeParentsr r#) eventTypemoduledatar6r debugrr>rrIr? getTargetmatchesr__name__notifyListenersisDomainrBr8endswithvalidIPrappend validateIPr) revent eventName srcModuleName eventDatarDrGrHrtevtZcohostscorrr handleEventzs       (   $   "  &     zsfp_riskiq.handleEvent)rY __module__ __qualname____doc__roptdescsrr6rdictrr r%rIrhrrrrrs*   7r)r@r:sflibrrrrrrrr s