这里是普通文章模块栏目内容页
Harpoon:OSINT威胁情报工具

Harpoon是一款自动化的用于从各种公开资源中收集威胁情报的工具。它是由Python 3编写的,并在其设计中体现了模块化思想,每个平台和任务都会有一个插件。大家可以在Github上查看其源码,并向作者提出建议或Pull Requests。

安装和配置:

pip install git+ssh://git@github.com/Te-k/harpoon --process-dependency-links npm install -g phantomjs harpoon config -u harpoon config

接着,我们通过查看harpoo的帮助模块了解每个模块的使用方法

Harpoon ?

在过去的一年半里,我一直忙于对多种恶意软件的威胁情报收集和分析任务。威胁情报的主要来源,一方面是被动DNS/恶意软件数据库,另一方面是恶意活动数据库。其目的是映射攻击的基础架构,并在可能的情况下将其与其他恶意活动相关联。某些威胁情报平台是完全免费的,并且面向所有人开放(例如OTX 或 RobTex)。而有的则是完全商业化的,需要收取一定的费用才能使用(例如 VirusTotal 或 PassiveTotal)。最后不难发现这项任务的大部分时间,都花在了在不同平台寻找信息上。为此,许多人试图创建一个平台来集中化收集这些信息。但在研究过程中,我们发现总有另一些平台要需要我们考虑。

xkcd927.png

新标准问题完全适用于威胁情报(xkcd 927)

公开资源情报计划(OSINT)在另一方面则更加多样化。我们的目标是,尽可能多的向互联网上的个人或组织提供互联网上可公开访问的任何数据信息。当然,还有一些有趣的平台(如SpyOnWeb),它会从公开资源网站聚合信息,接着进行组织,方便用户迅速和方便地搜索网站。

总而言之,大量任务需要我们手动完成,并且很糟糕。起初,我试图创建一些Python脚本,来自动化的帮我完成一部分任务,但它很快就变得一团糟:脚本越来越多,有python 2中的也有python 3的,一些使用配置文件,还有一些在参数中获取API密钥…最终,我决定将这些脚本作为模块组织成一个名为Harpoon的工具。用了几个月后,我觉决定将这款工具开源,并希望能帮到大家。

关于此工具的一些说明:

Harpoon仅支持Python 3

许多OSINT工具都尝试从域或电子邮件收集尽可能多的信息,而不关心其来源。Harpoon并不遵循这一理念。它主要允许你为每个命令实现单个任务。我认为在调查期间,了解信息的来源以及信息的可靠性非常重要。

我重写了一些库(如SpyOnWeb),因为我想明确地知道它做了什么以及是如何做的。所以我重复造轮子了很多次,并且我感到很满意。

Harpoon被组织成容易实现的子命令,这些命令依赖于内部或外部库。这些命令使用单个配置文件,当需要API密钥时需要我们手动完成。

该工具仍有许多不足之处需要改进,因此也欢迎大家提出建议或Pull Requests。

安装 pip install git+ssh://git@github.com/Te-k/harpoon --process-dependency-links npm install -g phantomjs harpoon config -u harpoon config

我已通过pip打包Harpoon(感谢@cybersteez的帮助),因此大家可以通过pip install git+ssh://git@github.com/Te-k/harpoon –process-dependency-links进行安装。

打包最大的挑战就是我写的大多数库都托管在github而不是Pypi,所以应该在同一时间安装它们。或者,你可以在克隆存储库(pip install -r requirements.txt)后安装requirements.txt中的所有内容。

如果你想使用截图模块(网站截图),你需要通过npm来安装它:npm install -g phantomjs

现在我们已经安装了Harpoon。接着,我们需要安装Harpoon所需文件并对其进行配置。要安装所需文件(目前,主要是 MaxMind GeoIP数据库),只需运行harpoon config -u命令即可。最后,我们需要进行相关的配置,主要是提供你可以/想要使用的平台的API密钥。我们只需运行harpoon config,它将复制空配置文件并使用vim打开它,以便你可以提供给定的密钥。如果你没有相关密钥,留空即可。你可以使用harpoon config -c命令查看配置模块列表。在我当前的系统上,显示结果如下:

Configuration check: -hibp -> OK -twitter -> OK -misp -> FAILED -robtex -> OK -totalhash -> OK -pt -> OK -asn -> OK -otx -> OK -bitly -> OK -vt -> OK -screenshot -> OK -dns -> OK -safebrowsing -> OK -threatgrid -> OK -help -> OK -shodan -> OK -greynoise -> OK -crtsh -> OK -domain -> OK -pgp -> OK -github -> OK -malshare -> OK -config -> OK -hunter -> OK -hybrid -> OK -cache -> OK -spyonweb -> OK -telegram -> FAILED -fullcontact -> OK -ip -> OK -censys -> OK -googl -> OK

Harpoon所需的所有文件(包括配置文件)都安装在~/.config/harpoon目录中。

功能 #p#分页标题#e#

在没有列出模块的情况下,我很难对这些功能进行描述,因为我几乎为我需要自动执行的每项任务都创建了一个新命令。下面,我将通过实例来演示Harpoon的用法:

威胁情报平台: Virus Total, Passive Total, Hybrid Analysis, AlienVault OTX,  Shodan, Censys, RobTex, ThreatGrid, GreyNoise,  TotalHash, MISP, MalShare:

$ harpoon otx -s cdnverify.net No analysis on this file Listed in 1 pulses -Sofacy targeting Romanian Embassy Sofacy targeting the embassy of Romania in Moscow - Email Subject: Upcoming Defense events February 2018 Created: 2018-02-08T11:50:07.652000 References: https://twitter.com/ClearskySec/status/960924755355369472 id: 5a7c396f6db26d7636273c44 URL list: [2018-02-06T19:12:50] https://cdnverify.net/ on IP 151.80.74.167 [2018-02-02T18:44:09] on IP 151.80.74.167

最重要的是,我已经实现了一些更高级的命令,来从所有这些平台上通过ip和域名收集信息。这些命令会从所有配置的插件中搜索相关信息:

$ harpoon domain intel cdnverify.net ###################### cdnverify.net ################### [+] Downloading OTX information.... [+] Downloading Robtex information.... [+] Downloading Passive Total information.... [+] Downloading VT information.... ----------------- Intelligence Report OTX: -Sofacy targeting Romanian Embassy (2018-02-08 - https://otx.alienvault.com/pulse/5a7c396f6db26d7636273c44) PT: Nothing found! ----------------- Malware [PT (Emerging Threats (Proofpoint))] 36524c90ca1fac2102e7653dfadb31b2 2018-02-04 ----------------- Urls [VT] - 2018-02-15 [VT] https://cdnverify.net/ - 2018-02-09 [OTX] https://cdnverify.net/ - 151.80.74.167 2018-02-06 [OTX] - 151.80.74.167 2018-02-02 ----------------- Passive DNS [+] 151.80.74.167 (2018-02-07 -> 2018-02-07)(PT) [+] 151.80.74.167 (2018-02-04 -> 2018-02-04)(VT) [+] 151.80.74.167 (2018-02-02 -> 2018-02-06)(Robtex) [+] 208.91.197.91 (2018-01-31 -> 2018-01-31)(PT)

网络信息:ip,dns和asn命令会提供相关IP,域或ASN码(位置,DNS解析或ASN信息)的基本信息。

$ harpoon ip info 151.80.74.167 MaxMind: Located in Roubaix, France MaxMind: ASN16276, OVH SAS ASN 16276 - OVH, FR (range 151.80.0.0/16) Censys: https://censys.io/ipv4/151.80.74.167 Shodan: https://www.shodan.io/host/151.80.74.167 IP Info: BGP HE: https://bgp.he.net/ip/151.80.74.167 IP Location: https://www.iplocation.net/?query=151.80.74.167

社交媒体快速保存社交媒体账户中的所有内容是非常有必要的,网站截图的功能在这就非常适用。目前仅Twitter和Telegram存在:

$ harpoon twitter -s realDonaldTrump > @realDonaldTrump

短网址服务:为了尽可能多的从API获取数据,我也通过命令实现了bit.ly和goo.gl的短网址服务:

$ harpoon bitly -H 2oh6Nrj -------------------- Bit.ly Link infos ------------------- # INFO Link: Metrics: + Expanded url: https://ooni.torproject.org/post/mining-ooni-data/ Creation Date: 2018-02-19 00:15:03 Aggregate link: 2 bitly redirect to this url # LINK INFO original_url: https://ooni.torproject.org/post/mining-ooni-data/ canonical_url: https://ooni.torproject.org/post/mining-ooni-data/ html_title: OONI - I have hands, how can I mine OONI data? aggregate_link: indexed: 1519017306 # USERS User: 2oh6Nrj Invalid user! # CLICKS 0 clicks on this link # COUNTRIES # REFERRERS

我还实现了其他一些命令,例如,有一个命令让github在github repos中搜索,或者通过pgp来搜索密钥。我特别喜欢的一个命令是,用于检查不同缓存平台中是否存在网页的cache命令。

$ harpoon cache https://citizenlab.ca/2016/11/parliament-keyboy/ Google: FOUND https://webcache.googleusercontent.com/search?q=cache%3Ahttps%3A%2F%2Fcitizenlab.ca%2F2016%2F11%2Fparliament-keyboy%2F&strip=0&num=1&vwsrc=1 (2018-02-05 20:02:18+00:00) Yandex: FOUND https://hghltd.yandex.net/yandbtm?fmode=inject&url=https%3A%2F%2Fcitizenlab.ca%2F2016%2F11%2Fparliament-keyboy%2F&tld=ru&lang=en&la=1518660992&tm=1519019381&text=https%3A%2F%2Fcitizenlab.ca%2F2016%2F11%2Fparliament-keyboy%2F&l10n=ru&mime=html&sign=ef543d285bc848b89e51b5a654f7f6aa&keyno=0 Archive.is: NOT FOUND Archive.org: FOUND -2018-02-03 10:05:03: ://citizenlab.ca/2016/11/parliament-keyboy/ Bing: FOUND ?d=5023416941477933&w=p_fS69zzGSfsYoCCryqQAHXJ09tpPdBB (2016-11-17 00:00:00)

最后,我们还可以通过help命令来查看其它命令的使用方法:

$ harpoon help ip # IP Gathers information on an IP address Get information on an IP: harpoon ip info 172.34.127.2 MaxMind: Located in None, United States MaxMind: ASN21928, T-Mobile USA, Inc. ASN 21928 - T-MOBILE-AS21928 - T-Mobile USA, Inc., US (range 172.32.0.0/11) Censys: https://censys.io/ipv4/172.34.127.2 Shodan: https://www.shodan.io/host/172.34.127.2 IP Info: BGP HE: https://bgp.he.net/ip/172.34.127.2 IP Location: https://www.iplocation.net/?query=172.34.127.2 * Get intelligence information on an IP: harpoon ip intel IP harpoontools #p#分页标题#e#

在使用过程中,我发现我经常会重复使用一些命令。所以我创建了一个存储库harpoontools,它使用Harpoon功能来安装命令。你可以通过pip install git+ssh://git@github.com/Te-k/harpoontools安装它。

现在我只实现了ipinfo,asninfo和dns:

$ cat ips | ipinfo 66.249.66.6 ; ASN15169 ; Google LLC ; Mountain View ; United States 184.105.139.116 ; ASN6939 ; Hurricane Electric, Inc. ; Fremont ; United States 184.105.247.206 ; ASN6939 ; Hurricane Electric, Inc. ; Salt Lake City ; United States 示例

我们以最近的Palo Alto关于Quasar RAT的报告和akamaicdn[.]ru域为例。

首先,我们来检查下DNS情况:

$ harpoon dns akamaicdn[.]ru # A No A entry # AAAA No AAAA entry configured # NS ns2.reg.ru. - 176.99.13.12 - ASN197695 Domain names registrar REG.RU, Ltd - None Russia ns1.reg.ru. - 176.99.13.15 - ASN197695 Domain names registrar REG.RU, Ltd - None Russia # MX: No MX entry configured # SOA NS: ns1.reg.ru. Owner: hostmaster.ns1@reg.ru # TXT: No TXT entry configured

没有条目被配置,让我们看看是否可以使用robtex,来获取到其它以前使用的IP:

$ harpoon robtex domain akamaicdn.ru Passive DNS info: [+] A 194.85.61.76 (2017-03-16T14:55:12 -> 2017-03-16T14:55:12) [+] NS ns1.expired.r01.ru (2017-03-16T14:55:12 -> 2017-03-16T14:55:12) [+] A 109.70.26.37 (2017-03-16T14:55:12 -> 2017-03-16T14:55:12) [+] NS ns2.expired.r01.ru (2017-03-16T14:55:12 -> 2017-03-16T14:55:12) [+] MX nomail.nic.ru (2017-03-16T14:55:12 -> 2017-03-16T14:55:12)

查看这些IP的所属地区:

$ ipinfo 194.85.61.76 109.70.26.37 194.85.61.76 ; ASN48287 ; Jsc ru-center ; Moscow ; Russia 109.70.26.37 ; ASN48287 ; Jsc ru-center ; None ; Russia

我们可以使用crt.sh检查该域是否创建了证书:

$ harpoon crtsh -d akamaicdn.ru Certificates sni11878.cloudflaressl.com 2017-03-02T00:00:00+00:00 2017-09-03T23:59:59+00:00 B05CB0F1425FBFA7E9407C777C6B4DC0E3F7F1B6 sni11878.cloudflaressl.com 2017-02-21T00:00:00+00:00 2017-08-06T23:59:59+00:00 7B9F1F8A2F7211C332C60EBFDB6CF739DF7D2A3A sni11878.cloudflaressl.com 2017-01-22T00:00:00+00:00 2017-07-30T23:59:59+00:00 D372B140802DA627BD0745B447A9E3A48B2FBD15 sni11878.cloudflaressl.com 2017-01-19T00:00:00+00:00 2017-07-23T23:59:59+00:00 3868C466BC8D131B2EB6B65CD7B20E7FFB255C51 sni11878.cloudflaressl.com 2016-12-05T00:00:00+00:00 2017-06-04T23:59:59+00:00 BBEBA7914A4287C8BDDCD81510A327D33E6476F5 sni11878.cloudflaressl.com 2016-12-05T00:00:00+00:00 2017-06-04T23:59:59+00:00 F0F0A0D02A8E16B3A261382D75B8C96393A16264 sni11878.cloudflaressl.com 2016-11-27T00:00:00+00:00 2017-06-04T23:59:59+00:00 E285191C82EA0F5FD23EF4688A62E5772F4584D4 sni11878.cloudflaressl.com 2016-11-23T00:00:00+00:00 2017-05-28T23:59:59+00:00 7F40B0D369700BFC27C2AD2EB858D8DF4955624D sni11878.cloudflaressl.com 2016-11-21T00:00:00+00:00 2017-05-28T23:59:59+00:00 EDE5454F23BBC7BFBA17F2E293D7FBDD1266B260 sni11878.cloudflaressl.com 2016-10-23T00:00:00+00:00 2017-04-30T23:59:59+00:00 68D504FAEB6AF1DDA50062B16CBFB46AAD490171 sni11878.cloudflaressl.com 2016-10-23T00:00:00+00:00 2017-04-30T23:59:59+00:00 2F2231766F8432343B579DB21ECF829CB171E481 sni11878.cloudflaressl.com 2016-10-23T00:00:00+00:00 2017-04-30T23:59:59+00:00 B11FCBEAD0A2D174C661D8095A0693955FC62A99 sni11878.cloudflaressl.com 2016-09-12T00:00:00+00:00 2017-03-19T23:59:59+00:00 62578BABE0AFFE15ABE3FBD68A6EE8EF76AB556A sni11878.cloudflaressl.com 2016-05-18T00:00:00+00:00 2016-11-20T23:59:59+00:00 5630B82083D14B0D5202FEAC7566971ECA41BBDC sni11878.cloudflaressl.com 2016-05-18T00:00:00+00:00 2016-11-20T23:59:59+00:00 D5A7B4CC6DF2340E8F547E3CC0A17163A81FD51A sni11878.cloudflaressl.com 2016-05-06T00:00:00+00:00 2016-11-06T23:59:59+00:00 500DA087F038AEB5A37D9F60638332DBA8368BA2 sni11878.cloudflaressl.com 2016-05-06T00:00:00+00:00 2016-11-06T23:59:59+00:00 C54AEC0DA67F1B12A134C6B997EE93DFA0EEE4F2 sni11878.cloudflaressl.com 2016-04-11T00:00:00+00:00 2016-10-16T23:59:59+00:00 E746CD3581198237D3D26F8A80FF71BAD88D1544 sni11878.cloudflaressl.com 2016-02-18T00:00:00+00:00 2016-08-21T23:59:59+00:00 451608653F741F079CC52569F7FAFB8C5B1F8855

显然他们使用的是Cloudfare托管该域名。让我们通过OTX看看,是否可以获取到194.85.61.76这个IP地址的其它信息:

$ harpoon otx -s 194.85.61.76 No analysis on this file Listed in 5 pulses -BadRabbit-Ransomware - A Modified Version of NotPetya Created: 2017-11-03T17:58:14.502000 References: id: 59fcae36f0c4a216de3560ea -Blueliv Chasing cybercrime: Vawtrak v2 IOCs Vawtrak is a serious threat for the finance sector and is predicted to be the next major banking Trojan. Blueliv's investigation into Vawtrak v2 has revealed new information to piece together a more complete view of the Vawtrak banking Trojan and the cybercriminal groups behind it than we've seen before. The report also provides real infection data and Indicators of Compromise (IoCs) that readers can input into their existing security solutions to enhance their protection. Here is the full list of Vawtrak and Moskalvzapoe IOCs discovered as part of the Blueliv analysis. Created: 2016-09-12T17:36:18.734000 References: https://community.blueliv.com/#/s/57d6d33d82df41127d7a6ca4, https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak-v2-sahin-wyke.pdf?la=en id: 57d6e794aa954c115b68a85f -Ursnif CnC Created: 2016-02-17T00:35:04.809000 References: id: 56c3c03867db8c12501745c6 -Angler EK Network IOC Angler EK Network IOC observed in the past year. Created: 2016-02-17T15:25:35.814000 References: id: 56c490f067db8c1250175b9d -Chinese Government Website Compromised, Leads to Angler Despite a recent takedown targeting the Angler Exploit Kit (EK), it's back to business as usual for kit operators. On 30-October-2015, ThreatLabZ noticed a compromised Chinese government website that led to the Angler Exploit Kit with an end payload of Cryptowall 3.0. This compromise does not appear targeted and the compromised site was cleaned up within 24 hours. We have noticed some recent changes to Angler, as well as the inclusion of newer Flash exploits. A set of indicators for this compromise is at the end of this post. Created: 2015-11-03T19:21:57.947000 References: id: 563909554637f2388aaf2311 Passive DNS: [SNIP] 创建新命令 #p#分页标题#e#

Harpoon是一款基于插件的工具,因此只需创建新插件就可以轻松添加新的功能。你只需在harpoon/commands中创建一个新文件,并实现一个类继承Command类。假设我们想实现一个ping命令,我们可以创建下面的ping.py文件:

import os from harpoon.commands.base import Command class CommandPing(Command): """ # Ping Here put the help in markdown format """ name = "ping" decription = "Ping command" def add_arguments(self, parser): # Here add arguments to the parser (which is an argparse parser) parser.add_arguments('IP', help='IP to ping') # It is nice to save the parser to call help later if needed self.parser = parser def run(self, conf, args, plugins): # here, implements the actual task # args contains the arguments received from the parser os.system("ping -c 1 " + args.IP)

最后,欢迎大家随时向我提出意见或建议,也可通过Twitter与我取得联系。在这里我要特别感谢Starcat对博客文章的反馈!

收藏
0
有帮助
0
没帮助
0