3 @6^ @sPddlZddlmZddlZddlmZddlmZmZmZGdddeZ dS)N)datetime) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc@sveZdZdZddddddddZdd d d d d ddZdZdZdZdZ e fddZ ddZ ddZ ddZddZdS)sfp_threatminerzThreatMiner:Footprint,Investigate,Passive:Search Engines::Obtain information from ThreatMiner's database for passive DNS and threat intelligence.TFdZ)verifynetblocklookup maxnetblock subnetlookup maxsubnet maxcohostage_limit_dayszCVerify that any hostnames found on the target domain still resolve?zLook up all IPs on netblocks deemed to be owned by your target for possible blacklisted hosts on the same target subdomain/domain?zyIf looking up owned netblocks, the maximum netblock size to look up all IPs within (CIDR value, 24 = /24, 16 = /16, etc.)z:Look up all IPs on subnets which your target is a part of?zsIf looking up subnets, the maximum subnet size to look up all the IPs within (CIDR value, 24 = /24, 16 = /16, etc.)zbStop reporting co-hosted sites after this many are found, as it would likely indicate web hosting.z8Ignore records older than this many days. 0 = Unlimited.NrcCsR||_|j|_|j|_|j|_d|_x"t|jD]}|||j|<q8WdS)Nr) sf tempStorageresults reportedhosts checkedips cohostcountlistkeysopts)selfsfcuserOptsoptr:/var/www/spiderfoot.crq.systems/modules/sfp_threatminer.pysetup4s   zsfp_threatminer.setupcCs ddddgS)N IP_ADDRESS DOMAIN_NAMENETBLOCK_OWNERNETBLOCK_MEMBERr)rrrr watchedEventsBszsfp_threatminer.watchedEventscCsddgS)N INTERNET_NAMECO_HOSTED_SITEr)rrrr producedEventsGszsfp_threatminer.producedEventsc Cs|jj|rd}nd}|dkr*d|d}|dkr>d|d}d}||j|jd d d }|jj|d d d}|ddkr|jjd|dSt|ddkr|jjd|dSytj|d}Wn.t k r} z|jj dddSd} ~ XnX|S)Nhostdomainsubsz/v2/z.php?q={0}&rt=5passivez.php?q={0}&rt=2zhttps://api.threatminer.orgzutf-8replace)errors r)timeout useragentcontentzNo ThreatMiner info found for rz0Error processing JSON response from ThreatMiner.F) rvalidIPformatencodefetchUrlinfolenjsonloads Exceptionerror) rqry querytypeZtgttypequeryurlZthreatminerurlurlresr8errr queryJs,    zsfp_threatminer.querycCs|j}|j}|j}|jjd|d|||jkrL|jjd|ddSd|j|<|dkr|jdsldSt|j|jdkr|jjd t t|jd t |jddS|d kr|jd sdSt|j|jd kr|jjd t t|jd t |jd dSt }|j drPx.t|D]"}|j t |d|jt |<q*W|dkrd|j |x|D]}d}|j |d} | dkr|jjd|dSd| krqlt| ddkrĐql|jjd| d} x8| D].} | jddkrqtj| jddd} ttj| j} ttjd|jd}|jddkrd| |krd|jjdq| d}||krzq|jj|ddr|jdr|jj|sqtd ||j|}|j|d|j|<q|j|jd!krt|||j|}|j||jd"7_qWqlW|d#krd }|j |d$} | dkrN|jjd%dSt| jdt dkrv|jjd%dSx| jdD]z} |jjd&| |jkrqn d|j| <|jdr|jj| s|jjd'| d(qt|| |j|}|j|qWdS))NzReceived event, z, from z Skipping z as already mapped.Tr$r r z$Network size bigger than permitted: z > r%rr NETBLOCK_r"r(r-zNo Passive DNS info for rrz(Found passive DNS results in ThreatMiner last_seenz1970-01-01 00:00:00z%Y-%m-%d %H:%M:%SiQrz#Record found but too old, skipping.r+)includeParentsr r'rr#r,zNo hosts foundz!Found host results in ThreatMinerzCouldn't resolve z, so skipping.) eventTypemoduledatardebugrrr prefixlenstrr startswithappendrDr8r9getrstrptimeinttimemktime timetuple getTargetmatches resolveHostr__name__notifyListenersrr)revent eventName srcModuleName eventDataqrylistipaddrr>evtTyperetrBrecrFlast_ts age_limit_tsr*evtrCrrr handleEventjs                           zsfp_threatminer.handleEvent)r[ __module__ __qualname____doc__roptdescsrrrrdictr!r&r)rDrirrrr rs0 r) r:rrUnetaddrrsflibrrrrrrrr  s