Presentation on Open Source Intelligence (OSINT) gathering for Attackers and Defenders given during the ISSA 10th Annual InfoSec Summit:

 

Code from Slides:

iptools.py Usage:

python iptools.py -h
Usage: iptools.py -r <file_with IPs> || -i <IP>

Options:
  -h, --help  show this help message and exit
  -r IPS      specify target file with IPs
  -i IP       specify a target IP address
####################################################
# iptools.py - Automate whois lookup               #
# Primal Security Podcast - www.primalsecurity.net #
####################################################

import sys, os, optparse
from cymruwhois import Client

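def look(iplist):
    """Print whois details for every address in *iplist*.

    The addresses are resolved with one bulk query through the cymruwhois
    ``Client`` and each result is printed as
    ``<prefix> # - <ip> (<cc>) - <owner>``.

    Args:
        iplist: list of IP address strings to look up.

    Failures are reported on stderr rather than silently discarded, so an
    empty result can be told apart from a failed query.
    """
    # Guard on the argument itself. The previous check read the module-level
    # ``ips`` set by main(); calling look() without it raised a NameError that
    # the bare ``except`` then hid.
    if not iplist:
        return
    c = Client()  # creates an instance of the Client class
    try:
        # One bulk request; the returned mapping is indexed by IP below.
        r = c.lookupmany_dict(iplist)
    except Exception as err:
        # ``Exception`` (not a bare except) so Ctrl-C still interrupts the run.
        sys.stderr.write('[-] whois lookup failed: %s\n' % err)
        return
    for ip in iplist:
        try:
            rec = r[ip]
        except KeyError:
            sys.stderr.write('[-] no whois result for %r\n' % ip)
            continue
        # Fixed-width columns keep the output aligned.
        line = '%-20s # - %15s (%s) - %s' % (rec.prefix, ip, rec.cc, rec.owner)
        print(line)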

def checkFile(ips):
    """Exit unless *ips* names an existing, readable regular file.

    Prints a ``[-]`` message and exits with status 0 when the path is not a
    file or is not readable; otherwise prints a ``[+]`` banner and returns.
    This is a pre-check only: the file is opened later by the caller.
    """
    if os.path.isfile(ips):
        if os.access(ips, os.R_OK):
            print('[+] Querying from:  ' + ips)
            return
        print('[-] ' + ips + ' access denied.')
    else:
        print('[-] ' + ips + ' does not exist.')
    sys.exit(0)

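def main():
    """Parse the command line and run a whois lookup for a file or one IP.

    ``-r FILE`` reads one address per line from FILE; ``-i IP`` looks up a
    single address. When both are given, ``-r`` takes precedence.
    """
    # Kept as a module-level global because other code in this file may read it.
    global ips
    parser = optparse.OptionParser('%prog -r <file_with IPs> || -i <IP>')
    parser.add_option('-r', dest='ips', type='string',
                      help='specify target file with IPs')
    parser.add_option('-i', dest='ip', type='string',
                      help='specify a target IP address')
    (options, args) = parser.parse_args()
    ip = options.ip    # value of -i <IP>
    ips = options.ips  # value of -r <fileName>

    if ips is None and ip is None:
        # parser.usage still holds the literal "%prog"; print_usage()
        # expands it to the script name.
        parser.print_usage()
        sys.exit(0)

    if ips is not None:
        checkFile(ips)  # exits if the file is missing or unreadable
        iplist = []
        with open(ips, 'r') as handle:
            for line in handle:
                # strip() removes the trailing newline and surrounding
                # whitespace; the old strip('n') only removed the letter
                # "n" and left the newline attached to every address.
                addr = line.strip()
                if addr:  # skip blank lines
                    iplist.append(addr)
        look(iplist)
    else:
        # Single-address lookup for the value given with -i.
        try:
            c = Client()
            r = c.lookup(ip)
        except Exception as err:
            # Report the failure instead of exiting silently.
            sys.stderr.write('[-] whois lookup failed for %r: %s\n' % (ip, err))
            return
        line = '%-20s # - %15s (%s) - %s' % (r.prefix, ip, r.cc, r.owner)
        print(line)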

# Run main() only when the file is executed as a script, not when imported.
if __name__ == '__main__':
    main()

 

iplist.py Usage:

python iplist.py -h
Usage: iplist.py -r <file_with_ips> || -i <ip_addr>

Options:
  -h, --help  show this help message and exit
  -i IP       specify a target IP
  -r IPS      specify target file with IPs
####################################################
# iplist.py - Automate iplist.net Requests         #
# Current URL format:                              #
# http://iplist.net/74.125.228.73/                 #
# Primal Security Podcast - www.primalsecurity.net #
####################################################
#!/usr/bin/env python

import os, urllib, sys, optparse, re

# Function to check file
def checkFile(cfile):
    """Exit unless *cfile* names an existing, readable regular file.

    Prints a ``[-]`` message and exits with status 0 when the path is not a
    file or is not readable; otherwise prints a ``[+]`` banner and returns.
    """
    if os.path.isfile(cfile):
        if os.access(cfile, os.R_OK):
            print('[+] Fetching URLs from  ' + cfile)
            return
        print('[-] ' + cfile + ' access denied.')
    else:
        print('[-] ' + cfile + ' does not exist.')
    exit(0)

# Function to perform the lookup
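def iplook(ips):
    """Print the domains iplist.net lists for one IP or for a file of IPs.

    The mode is chosen by the module-level ``iplist`` that main() sets: when
    it is not None it is treated as a file whose first whitespace-separated
    field on each line is an address; otherwise *ips* is a single address.

    Args:
        ips: the address to look up in single-address mode.
    """
    if iplist is not None:
        with open(iplist, 'r') as iFile:
            for row in iFile:
                fields = row.split()
                if not fields:
                    continue  # blank line: nothing to look up
                _iplist_report(fields[0])
    else:
        _iplist_report(ips)


def _iplist_report(target):
    """Fetch the iplist.net page for *target* and print each domain/IP pair."""
    # quote() keeps a value read from the input file or command line from
    # adding extra path segments or a query string to the request URL.
    # The page is fetched over plain HTTP, so its contents can be altered in
    # transit; treat the printed values as unverified.
    httpR = urllib.urlopen("http://iplist.net/" + urllib.quote(target, safe='') + "/")
    try:
        page = httpR.readlines()
    finally:
        httpR.close()
    for line in page:
        if "<h2" not in line:
            continue
        pair = _iplist_parse(line)
        if pair is None:
            continue  # markup did not have the expected shape
        print('%-25s --> %20s' % pair)


def _iplist_parse(line):
    """Return ``(domain, ip)`` cut out of one ``<h2`` line, or None."""
    tags = line.split("<")
    parts = line.split("/")
    # Lines that also contain "</table" carry the fields one position later.
    if "</table" in line:
        tag_at, part_at = 2, 4
    else:
        tag_at, part_at = 1, 3
    try:
        domain = str(tags[tag_at].split(">")[1])
        ip = str(parts[part_at])
    except IndexError:
        # Positional splitting is brittle; skip lines that do not match
        # instead of aborting the whole run.
        return None
    return domain, ip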

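def main():
    """Parse the command line and query iplist.net for a file or one IP.

    ``-r FILE`` reads addresses from FILE; ``-i IP`` looks up one address.
    When both are given, ``-r`` takes precedence.
    """
    # iplook() in this file reads the module-level ``iplist`` to pick its mode.
    global iplist
    global ip
    # "%prog" expands to the script name; the previous sys.argv[0] + '-r ...'
    # had no space between the program name and the first option.
    parser = optparse.OptionParser('%prog -r <file_with_ips> || -i <ip_addr>')
    parser.add_option('-i', dest='ip', type='string',
                      help='specify a target IP')
    parser.add_option('-r', dest='ips', type='string',
                      help='specify target file with IPs')
    (options, args) = parser.parse_args()
    iplist = options.ips
    ip = options.ip

    if iplist is None and ip is None:
        # print_usage() expands "%prog"; parser.usage holds the raw template.
        parser.print_usage()
        exit(0)

    if iplist is not None:
        checkFile(iplist)  # exits if the file is missing or unreadable
        iplook(iplist)
    else:
        iplook(ip)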

# Run main() only when the file is executed as a script, not when imported.
if __name__ == '__main__':
    main()