U @6^&@sDddlZddlZddlmZddlmZmZmZGdddeZdS)N) IPNetwork) SpiderFootSpiderFootPluginSpiderFootEventc @sveZdZdZdddddddddd Zdddd d d d d dd ZdZdZefddZ ddZ ddZ ddZ ddZ dS)sfp_virustotalzzVirusTotal:Investigate,Passive:Reputation Systems:apikey:Obtain information from VirusTotal about identified IP addresses.T) api_keyverify publicapi checkcohostscheckaffiliatesnetblocklookup maxnetblock subnetlookup maxsubnetzVirusTotal API Key.z~Are you using a public key? If so SpiderFoot will pause for 15 seconds after each query to avoid VirusTotal dropping requests.zCheck co-hosted sites?zCheck affiliates?zvLook up all IPs on netblocks deemed to be owned by your target for possible hosts on the same target subdomain/domain?zyIf looking up owned netblocks, the maximum netblock size to look up all IPs within (CIDR value, 24 = /24, 16 = /16, etc.)z:Look up all IPs on subnets which your target is a part of?zsIf looking up subnets, the maximum subnet size to look up all the IPs within (CIDR value, 24 = /24, 16 = /16, etc.)zCVerify that any hostnames found on the target domain still resolve?) r r r r rrrrr NFcCs4||_||_t|D]}|||j|<qdS)N)sf tempStorageresultslistkeysopts)selfsfcuserOptsoptr9/var/www/spiderfoot.crq.systems/modules/sfp_virustotal.pysetup7s zsfp_virustotal.setupcCsddddddgS)N IP_ADDRESSAFFILIATE_IPADDR INTERNET_NAMECO_HOSTED_SITENETBLOCK_OWNERNETBLOCK_MEMBERrrrrr watchedEventsBs zsfp_virustotal.watchedEventsc Csddddddddd d d g S) NMALICIOUS_IPADDRMALICIOUS_INTERNET_NAMEMALICIOUS_COHOST!MALICIOUS_AFFILIATE_INTERNET_NAMEMALICIOUS_AFFILIATE_IPADDRMALICIOUS_NETBLOCKMALICIOUS_SUBNETr!AFFILIATE_INTERNET_NAMEINTERNET_NAME_UNRESOLVED DOMAIN_NAMErr%rrrproducedEventsHszsfp_virustotal.producedEventsc Csd}|j|rd|}nd|}|jj|d|jd|jddd}|jdr\td |d dkr||jd |dSzt|d }Wn<t k r}z|j d d d|_ WYdSd}~XYnX|S)Nz9https://www.virustotal.com/vtapi/v2/ip-address/report?ip=z9https://www.virustotal.com/vtapi/v2/domain/report?domain=z&apikey=r _fetchtimeoutr)timeout useragentr contentzNo VirusTotal info found for z/Error processing JSON response from VirusTotal.FT) rvalidIPfetchUrlrtimesleepinfojsonloads Exceptionerror errorState)rqryreturlreserrrqueryOs(     zsfp_virustotal.querycCsT|j}|j}|j}|jrdS|jd|d||jddkrZ|jddd|_dS||jkr||jd|d dSd|j|<| d r|jd sdS|d kr|jd sdS|dkr|jdsdSt |j |jdkr|jdt t |j dt |jddS|dkrr|jds,dSt |j |jdkrr|jdt t |j dt |jddSt }| drt |D]"}|t |d|jt |<qn |||D]}|rdS||}|dkrqt|dgdkr|jd||dks*| dr2d} d} |dkrDd} d} |dkrVd } d!} |d"krhd#} d!} |d krzd$} d!} d%| d&|d'} t| d(|d)| |j|} || d*|kr|d+kr|d*D]} || rr| |jkr|jd,r@|j| s&td-| |j|} || ntd| |j|} || |j| |jd.rtd/| |j|} || n&| |jkrtd"| |j|} || qd0|kr|dkr|d0D]}||jkr|jd,r|j|std-||j|} || ntd||j|} || |j||jd.rtd/||j|} || qqdS)1NzReceived event, z, from r rz6You enabled sfp_virustotal but did not set an API key!FTz Skipping z as already mapped. AFFILIATEr r"r r#rrz$Network size bigger than permitted: z > r$rr NETBLOCK_Z detected_urlsrzFound VirusTotal URL data for )rr'z ip-addressr r+r!r(domainr.r*r)z%https://www.virustotal.com/en//z/information/z VirusTotal [z] Zdomain_siblings)rr!r r/ _internettldsr0Z subdomains) eventTypemoduledatar@rdebugrr?r startswithr prefixlenstrrappend checkForStoprFlengetr;r__name__notifyListeners getTargetmatches resolveHostisDomain)revent eventName srcModuleName eventDataqrylistipaddraddrr;evtZinfotypeinfourlrEsnrrr handleEventls                                     zsfp_virustotal.handleEvent)rW __module__ __qualname____doc__roptdescsrr@dictrr&r1rFrhrrrrrs8 r) r<r9netaddrrsflibrrrrrrrr s