woj-ciech / danger-zone Goto Github PK

Correlate data between domains, IPs and email addresses, present it as a graph and store everything into Elasticsearch and JSON files.

Python 100.00%

danger-zone's Introduction

Danger zone

Info

Correlate data between domains, ips and email addresses, present it as a graph and store everything into Elasticsearch and JSON files.
Background story --> https://www.offensiveosint.io/osint-tool-for-visualizing-relationships-between-domains-ips-and-email-addresses/

Cases

Based on given email, check for associate domains and then check these domains for other emails and IPs.
For domains check for IP and Emails and next look for associated domains.
Extract domain from IP, check domain for other IPs and email.

Modules

Email:
- Trumail - Validation email address (https://trumail.io/)
- Whoxy - Reverse Whois service (https://whoxy.com/) KEY NEEDED
- haveIbeenPwned - Dumps (https://haveibeenpwned.com/)
- Username check - Check username, based on email address, across social media sites (https://username-availability.herokuapp.com/)
- Google - Query Google
IP:
- Geolocation - Geolocate IP (https://extreme-ip-lookup.com/)
- Threatcrowd - Information about IP (https://github.com/AlienVault-OTX/ApiV2)
- VirusTotal - Information about IP (https://www.virustotal.com/) Key needed
Domain:
- TLD - Get sponsor of particular Top Level Domain (https://raw.githubusercontent.com/mikewesthad/tld-data/master/data/tlds.json)
- Threatcrowd - Information about domain (https://github.com/AlienVault-OTX/ApiV2)
- Whoxy - Whois service (https://whoxy.com/)
- Whois history - Historical data about domain (https://whoxy.com/)
- Wayback Machine - Archive version of website (http://archive.org/)
- VirusTotal - Information about domain (https://www.virustotal.com/)

Setup & Configuration:

git clone
pip install -r requirements.txt

pip install Google-search-api

For Elasticsearch setup go here https://www.elastic.co/guide/en/elasticsearch/reference/current/_installation.html

For Kibana setup go here https://www.elastic.co/guide/en/kibana/6.4/install.html

Edit settings.json file and put there your keys and ElasticSearch info

{
  "keys":{
    "whoxy": "xxx",
    "virustotal": "xxx"
  },
  "elastic":{
    "host":"127.0.0.1",
    "port":9200
  }
}

Usage

python danger-zone.py -h
usage: dangerzone.py [-h] [--email EMAIL] [--address ADDRESS] [--domain DOMAIN]
               [--elasticsearch]

Correlate data between domains, ips and email addresses and present it as a
graph.

optional arguments:
  -h, --help         show this help message and exit
  --email EMAIL      Email address
  --address ADDRESS  IP address
  --domain DOMAIN    Domain name
  --elasticsearch    Elasticsearch output

Example domain check

python danger-zone.py --domain example.net --elastic
Successfully connected to ElasticSearch
----------------VirusTotal module---------------------------
[*] Domain was resolved to following IPs: 
xxx.xxx.xxx.xxx on 2017-02-20 00:00:00
[*] Saving output to Elasticsearch
-------------------WhoIs history module---------------------
[*} Found 1 result(s)
[*] Domain example.net was registered on 2017-02-15 in GoDaddy.com, LLC
[*] Contact: 
[REDACTED]
[*] Name servers:
ns47.domaincontrol.com
ns48.domaincontrol.com
---
[*] Saving output to Elasticsearch
.net is sponsored by VeriSign Global Registry Services
[...]
--------------------Threatcrowd module------------------------
Reputation of 0downcarleasedeals.com: no opinion
[*] Domain was resolved to following IPs: 
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
[*] Saving output to Elasticsearch
----------------VirusTotal module---------------------------
API limitation, putting into sleep for 70 sec
[*] Domain was resolved to following IPs: 
xxx.xxx.xxx.xxx on 2017-09-28 00:00:00
xxx.xxx.xxx.xxx on 2018-08-22 13:57:06
xxx.xxx.xxx.xxx on 2018-09-21 00:28:27
[*] Saving output to Elasticsearch
-------------------WhoIs history module---------------------
[*} Found 1 result(s)
[*] Domain example2.com was registered on 2017-01-24 in GoDaddy.com, LLC
[*] Contact: 
[REDACTED]
[*] Name servers:
ns47.domaincontrol.com
ns48.domaincontrol.com
---
[*] Saving output to Elasticsearch
[*] Saving graph to graph/20180920-185210-example.net.png
Press Enter to quit...

Outputs

Graph:

Generated graph which started from fximperium[.]net

Console

Report generated to console contains more information than saved files.
Additional information are Google results, username check and HaveIBeenPwned module.
The most important things are colored in console, which lets you better remember and associate findings.

Kibana

It creates index with name of each module contains specific information

JSON

The following structure is created.

Limitations

I tried to find as many free of charge services I could but nothing good is for free. Luckily, you need to create only two account to use this tool. First is VirusTotal, which is totally free but allows you to make only 4 request per minute.
Whoxy service provides you free credits at the beginning and it's enough to test it and gather all of the useful info.
It goes only 2-3 level down checking only 3 newest findings, the reason behind that is graph would be unreadable with lots of connections, but full information is saved into JSON files and/or ElasticSearch.

Golden rule

Don't jump to conclusions too fast.

danger-zone's People

Contributors

Stargazers

Watchers

Forkers

bronx205 rvaughan fo0nikens hapazores afudx w00t3k d3vil7 ajitgaddam rand338 prjpet bjyurkovich xsxsd 3453-315h devhttps c0dak 0xflotus npaulhus chubbymaggie totoroha gatarelib sathishdsgithub myke500 shaunstanislauslau crypt0b0y en3a cclauss batermj m00zh33 demarica netredo jithinraj killvxk localsavvy jayaramyalla wsygoogol tatsuryu goodot pabit gklinich nc9 fiuderazes rudrasingh99 lovebair2022 threatinteltest oneiroi jack51706 avaudioplayer olivierh59500 ashr clicknull 4n6strider jasonthename rabitw monkeym4ster raystyle ztencmcp h3ll0w0lrd tony32769 adaam sry309 idkwim sunnysidecruise andjames cr3m p3t3rp4rk3r 0ixit rathnadeep anon0ps jothatron smacksmack206 quagmire69 tyolab vikasvarshney 911steven modulexcite kingkarlito sophisticcitizen zer0trip coredamage icepaule robot-txt exctx porkin raghav-sec fadlaoui rakhithjk bigrayhicks aryanrtm arjuneng05 marciopocebon gnebbia skluthe sea-cpu admariner imuledx mshim03 johann-smith atavacron alessaggio samoo-7

danger-zone's Issues

HaveIbeenPwnded module issues

I kept getting "Connection Error" for the haveibeenpwned module. I found the was in the handling of the response.

Starting @ line 108 - should be checking req_haveibeenpwned.status_code.

also per the api docs, status_code of 404 means the account wasn't found in their database.

Here's how I fixed it:
if req_haveibeenpwned.status_code != 200: if req_haveibeenpwned.status_code == 404: print "account not pwned" return False print "Connection error " + str(req_haveibeenpwned.status_code) +" " + req_haveibeenpwned.text return False

Installed on mac, shows only the info, no requests.

Do i have to make open port to firewall or what?

ImportError: cannot import name emails

Hello,
Tried running the code and got the error noted in the subject line. Here's the full output:

Traceback (most recent call last): File "./danger-zone.py", line 5, in <module> import utils File "/mnt/c/Users/Ken/Documents/GitHub/Danger-zone/utils.py", line 2, in <module> import emails File "/mnt/c/Users/Ken/Documents/GitHub/Danger-zone/emails.py", line 5, in <module> from google import google ImportError: cannot import name google

Changing "import emails" to "import email" in utils.py stops this error but then new errors come up later in the process. My Python skills aren't good enough to figure it out from there.

print() is a function in Python 3

flake8 testing of https://github.com/woj-ciech/Danger-zone on Python 3.7.0

$ flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics

./tools.py:17:48: E999 SyntaxError: invalid syntax
        print "Unable to parse config file: {0}".format(e)
                                               ^
./domains.py:19:34: E999 SyntaxError: invalid syntax
            print "Unknown domain"
                                 ^
./utils.py:76:33: E999 SyntaxError: invalid syntax
            print "Nothing found"
                                ^
./danger-zone.py:44:30: E999 SyntaxError: invalid syntax
        print "Found domain: "
                             ^
./emails.py:18:21: E999 SyntaxError: invalid syntax
        print bcolors.UNDERLINE + "------------------Trumail module----------------" + bcolors.ENDC
                    ^
./elastictest.py:1228:10: E999 SyntaxError: invalid syntax
print json
         ^
./graph.py:47:11: E999 SyntaxError: invalid syntax
    print g.edges
          ^
./ip.py:18:68: E999 SyntaxError: invalid syntax
        print "-------------Geolocation module---------------------"
                                                                   ^
8     E999 SyntaxError: invalid syntax
8

problem

hej mam problem z uruchomieniem

mozesz pomoc?

NameError: global name 'google' is not defined

input as follows:
python danger-zone.py --email [email protected]

Error:
Traceback (most recent call last): File "danger-zone.py", line 41, in <module> domains_from_email = util.get_domain_from_email(email, elastic_output) File "/Danger-zone-master/utils.py", line 46, in get_domain_from_email email1.google() File "/Danger-zone-master/emails.py", line 146, in google search_results = google.search("\"" + self.email_address + "\"", 1) NameError: global name 'google' is not defined

Had earlier error
ImportError: cannot import name google
so changed import in emails.py to:
from google import *

Suggestion for user accounts

Just trying out your tool and have a suggestion. I maintain the https://github.com/webbreacher/whatsmyname project that has a JSON file for figuring out if a user name account exists on over 140 different sites. It may be useful to pull that and use it in your tool.

VirusTotal module hangs, errors

Loving this tool. However, running a --domain search it got to where it hit the VirusTotal API limit and went to sleep for 70 seconds. It hung there indefinitely. I hit the space bar and got the following error:

----------------VirusTotal module--------------------------- API limitation, putting into sleep for 70 sec [*] Domain was resolved to following IPs: 207.210.240.140 on 2015-09-04 00:00:00 -------------------WhoIs history module--------------------- [*} Found 0 result(s) Traceback (most recent call last): File "./Danger-zone.py", line 230, in <module> tools.save_graph(G, domain) File "/mnt/c/users/ken/Documents/GitHub/Danger-zone/tools.py", line 74, in save_graph nx.draw(G, with_labels=True) # ,edge_colors=colors) File "/usr/local/lib/python2.7/dist-packages/networkx/drawing/nx_pylab.py", line 112, in draw cf = plt.gcf() File "/usr/local/lib/python2.7/dist-packages/matplotlib/pyplot.py", line 586, in gcf return figure() File "/usr/local/lib/python2.7/dist-packages/matplotlib/pyplot.py", line 535, in figure **kwargs) File "/usr/local/lib/python2.7/dist-packages/matplotlib/backends/backend_tkagg.py", line 81, in new_figure_manager return new_figure_manager_given_figure(num, figure) File "/usr/local/lib/python2.7/dist-packages/matplotlib/backends/backend_tkagg.py", line 89, in new_figure_manager_given_figure window = Tk.Tk() File "/usr/lib/python2.7/lib-tk/Tkinter.py", line 1818, in __init__ self.tk = _tkinter.create(screenName, baseName, className, interactive, wantobjects, useTk, sync, use) _tkinter.TclError: no display name and no $DISPLAY environment variable

Domaintools support

Hi,
because i already have an domaintools account, i would like to know if there is a way to implement this.

HTTP calls to several apis that have TLS

I would prefer TLS when available

error when generate graphics

this error is when it is finishing..

SO:
Kali GNU/Linux Rolling \n \l
Linux kali 4.17.0-kali1-amd64 #1 SMP Debian 4.17.8-1kali1 (2018-07-24) x86_64 GNU/Linux

ERROR:

Traceback (most recent call last):
File "danger-zone.py", line 230, in
tools.save_graph(G, domain)
File "/root/Danger-zone/tools.py", line 74, in save_graph
nx.draw(G, with_labels=True) # ,edge_colors=colors)
File "/usr/local/lib/python2.7/dist-packages/networkx/drawing/nx_pylab.py", line 112, in draw
cf = plt.gcf()
File "/usr/local/lib/python2.7/dist-packages/matplotlib/pyplot.py", line 586, in gcf
return figure()
File "/usr/local/lib/python2.7/dist-packages/matplotlib/pyplot.py", line 535, in figure
**kwargs)
File "/usr/local/lib/python2.7/dist-packages/matplotlib/backends/backend_tkagg.py", line 81, in new_figure_manager
return new_figure_manager_given_figure(num, figure)
File "/usr/local/lib/python2.7/dist-packages/matplotlib/backends/backend_tkagg.py", line 89, in new_figure_manager_given_figure
window = Tk.Tk()
File "/usr/lib/python2.7/lib-tk/Tkinter.py", line 1822, in init
self.tk = _tkinter.create(screenName, baseName, className, interactive, wantobjects, useTk, sync, use)
_tkinter.TclError: no display name and no $DISPLAY environment variable

email format

so trying to run this on powershell on windows, and passing the email as '@mail.com' and get wrong email format, if i use it without quotes The splatting operator '@' cannot be used to reference variables in an expression.

what is the correct way to format email?

Add demo gif to README

Disclaimer: This is a bot

It looks like your repo is trending. The github_trending_videos Instgram account automatically shows the demo gifs of trending repos in Github.

Your README doesn't seem to have any demo gifs. Add one and the next time the parser runs it will pick it up and post it on its Instagram feed. If you don't want to just close this issue we won't bother you again.