forked from gh0std4ncer/web2intel
web2intel.rb
#!/usr/bin/env ruby
require 'rss'
require 'open-uri'
require 'optparse'
require 'nokogiri'
require 'twitter'
require 'json'
require './lib/creds.rb'
require './lib/urls.rb'
require './lib/regex.rb'
require './lib/msg.rb'
require 'public_suffix'
#require './lib/local_creds.rb'
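# web2intel: prints domains, URLs or IP addresses scraped from public
# threat-intelligence sources. ARGV[0] selects the source (matched against the
# patterns in lib/regex.rb); ARGV[1] optionally selects URL or detail output
# for the sources that support it.

# Fetches +url+ over HTTP(S) through open-uri.
#
# The script used to hand every URL to Kernel#open. Kernel#open treats a
# string that begins with a pipe character as a command to run and any other
# non-URL string as a local path, which is unsafe for values that come from a
# remote feed (see the item.link fetch below). From Ruby 3.0 on, Kernel#open
# also no longer opens URLs at all. Parsing the value and calling #open on the
# resulting URI object keeps the request inside open-uri on old and new Rubies.
#
# @param url [#to_s] absolute http:// or https:// URL
# @yield [io] optional; receives the opened response, which open-uri closes
#   when the block returns
# @return [Object] the opened response, or the block's value when a block is given
# @raise [ArgumentError] when the URL is not an http or https URL
# @raise [URI::InvalidURIError] when the value cannot be parsed as a URI
def fetch_remote(url, &block)
  uri = URI.parse(url.to_s.strip)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both schemes only.
  unless uri.is_a?(URI::HTTP)
    raise ArgumentError, "refusing to fetch non-HTTP(S) URL: #{url.inspect}"
  end
  uri.open(&block)
end

# Fetches +url+ and parses the response as HTML.
#
# @param url [#to_s] absolute http:// or https:// URL
# @return [Nokogiri::HTML::Document]
def fetch_html(url)
  fetch_remote(url) { |io| Nokogiri::HTML(io) }
end

command = ARGV[0]
option = ARGV[1]

# The three Quttera lists share one page layout; only URL and title differ.
print_quttera = lambda do |url, title|
  page = fetch_html(url)
  puts title
  puts Msg.time_head
  page.xpath('//table[1]').each do |cell|
    text = cell.text.strip
    if option =~ Regex.url_option
      puts Regex.reg_url.match(text).to_s.gsub(Regex.domain, "")
    elsif option =~ Regex.details
      puts text
    else
      puts Regex.reg.match(text)
    end
  end
end

# The three SANS ISC block lists are plain text; lines containing '#' or
# "Site" are dropped and every other line is printed unchanged.
print_isc = lambda do |url, title|
  puts title
  puts Msg.time_head
  fetch_remote(url) do |io|
    io.each_line do |line|
      puts line unless line =~ /\#/ || line =~ /Site/
    end
  end
end

if command =~ Regex.sslbl
  if option
    puts Msg.url_option
  else
    fetch_remote(Urls.sslbl_url) do |rss|
      feed = RSS::Parser.parse(rss)
      puts "#Title: #{feed.channel.description}"
      puts Msg.time_head
      feed.items.each do |item|
        desc = item.description.to_s
        # The previous condition was `desc =~ (A && B)` / `desc !~ (C || D)`.
        # `A && B` evaluates to B and `C || D` to C, so Regex.common_name and
        # Regex.c_quals were never applied. Each pattern is now tested.
        wanted = desc =~ Regex.common_name && desc =~ Regex.reg
        excluded = desc =~ Regex.lhost || desc =~ Regex.c_quals
        puts Regex.reg.match(desc) if wanted && !excluded
      end
    end
  end
elsif command =~ Regex.mta ####WORKING####
  if option
    puts Msg.url_option
  else
    domains = []
    fetch_remote(Urls.malware_ta) do |rss|
      feed = RSS::Parser.parse(rss)
      puts "#Title: #{feed.channel.description}"
      puts Msg.time_head
      feed.items.each do |item|
        # item.link is supplied by the remote feed, i.e. untrusted input.
        # fetch_remote only accepts http/https; anything else is skipped with
        # a warning on stderr instead of aborting the run.
        # NOTE(review): the host is still chosen by the feed, so this request
        # can go to any HTTP(S) host reachable from the machine running the
        # script; restrict it to the feed's own domain if that matters.
        begin
          page = fetch_html(item.link)
        rescue ArgumentError, URI::InvalidURIError => e
          warn "#skipped feed link: #{e.message}"
          next
        end
        page.xpath('//ul//li').each do |cell|
          text = cell.text.strip
          next unless PublicSuffix.valid?(text) && text !~ /\.zip/ && text !~ /\.google\.com/
          domains << Regex.reg.match(text).to_s
        end
      end
    end
    puts domains.uniq.reject(&:empty?)
  end
elsif command =~ Regex.qmal ####WORKING####
  print_quttera.call(Urls.quttera_mal_url, "#Title: Quttera Malicious Domains Database")
elsif command =~ Regex.qsus ####WORKING####
  print_quttera.call(Urls.quttera_sus_url, "#Title: Quttera Suspicious Domains Database")
elsif command =~ Regex.qpot ####WORKING####
  print_quttera.call(Urls.quttera_potsus_url, "#Title: Quttera Potentially Suspicious Domains Database")
elsif command =~ Regex.goz ####WORKING####
  page = fetch_html(Urls.goz)
  puts "#Gameover Zeus Domain List"
  puts Msg.time_head
  page.xpath('//p').each do |cell|
    text = cell.text.strip
    if option =~ Regex.details
      puts text
    elsif text != "#"
      # This was `else "..." != "\#"`: the comparison was evaluated and thrown
      # away, so bare "#" paragraphs were not filtered. It is now a condition.
      puts Regex.reg.match(text)
    end
  end
elsif command =~ Regex.mwdoms ####WORKING####
  puts "#DNS-BH – Malware Domain Blocklist"
  puts Msg.time_head
  fetch_remote(Urls.mwdoms) do |f|
    f.each_line { |line| puts Regex.reg.match(line.to_s) }
  end
elsif command =~ Regex.isc_low
  print_isc.call(Urls.isc_low_url, "#SANS Internet Storm Center LOW confidence block list")
elsif command =~ Regex.isc_med ####WORKING####
  print_isc.call(Urls.isc_med_url, "#SANS Internet Storm Center MEDIUM confidence block list")
elsif command =~ Regex.isc_high ####WORKING####
  print_isc.call(Urls.isc_high_url, "#SANS Internet Storm Center HIGH confidence block list")
elsif command =~ Regex.sucuri_iframe ####WORKING####
  page = fetch_html(Urls.sucuri_url)
  puts "#Title: Sucuri Research Labs Hidden iframes list"
  puts Msg.time_head
  page.xpath('//table[1]//tr').each do |cell|
    text = cell.text.strip
    if option =~ Regex.url_option
      # NOTE(review): this guard tests Regex.reg but prints the Regex.reg_if
      # match, unlike the redirect and JavaScript branches, which test the
      # pattern they print. Left as found; confirm which pattern is intended.
      puts Regex.reg_if.match(text).to_s.gsub("iframe", "") if Regex.reg.match(text)
    elsif option =~ Regex.details
      puts text
    elsif (found = Regex.reg_if.match(text))
      rep = found.to_s.gsub("iframehttp://", "")
      puts Regex.reg.match(rep) unless rep =~ /index/
    end
  end
elsif command =~ Regex.sucuri_redirect ####WORKING####
  page = fetch_html(Urls.sucuri_url)
  puts "#Title: Sucuri Research Labs Redirect list"
  puts Msg.time_head
  page.xpath('//table[2]//tr').each do |cell|
    text = cell.text.strip
    if option =~ Regex.url_option
      found = Regex.reg_redir.match(text)
      puts found.to_s.gsub("redirections", "") if found
    elsif option =~ Regex.details
      puts text
    elsif (found = Regex.reg.match(text))
      puts found
    end
  end
elsif command =~ Regex.sucuri_js ####WORKING####
  page = fetch_html(Urls.sucuri_url)
  puts "#Title: Sucuri Research Labs JavaScript list"
  puts Msg.time_head
  page.xpath('//table[3]//tr').each do |cell|
    text = cell.text.strip
    if option =~ Regex.url_option
      found = Regex.reg_js.match(text)
      puts found.to_s.gsub(Regex.leading_js, "") if found #.gsub(Regex.trailing, "")
    elsif option =~ Regex.details
      puts text
    elsif (found = Regex.reg.match(text))
      puts found
    end
  end
elsif command =~ Regex.webins ####WORKING####
  page = fetch_html(Urls.webins_url)
  puts "#Title: Web Inspector Unsafe Site list"
  puts Msg.time_head
  page.xpath('//table[1]//tr').each do |cell|
    found = Regex.reg.match(cell.text.strip)
    puts found if found
  end
elsif command =~ Regex.tweet ####WORKING####
  # ARGV[1] is the Twitter account name; without it this branch prints nothing.
  # Tweets.client is not defined in this file (presumably lib/creds.rb).
  if option
    puts "#Title: Twitter-based intel from twitter.com/#{option}"
    puts Msg.time_head
    if ARGV[2] =~ Regex.details
      # The old `"#{t.text}" != nil` guard was always true, so every tweet
      # is printed in full.
      Tweets.client.user_timeline(option.to_s).each { |t| puts t.text.to_s }
    else
      Tweets.client.user_timeline(option.to_s).each do |t|
        found = Regex.reg_ip.match(t.text.to_s)
        puts found if found
      end
    end
  end
####NOT WORKING YET####
elsif command =~ Regex.ptank
  puts "#Title: OpenDNS PhishTank Domains"
  puts Msg.time_head
  fetch_remote(Urls.phishtank) do |buffer|
    buffer.each do |x|
      # NOTE(review): each line is parsed as its own JSON document and indexed
      # with "url"; confirm this against the feed's actual format.
      parsed = JSON.parse(x)
      # `ap` (awesome_print) is not required by this file; puts matches the
      # output style of the other branches.
      puts parsed["url"] unless parsed["url"].nil?
    end
  end
  #puts result.uniq.reject &:empty?
  #result = JSON.parse(buffer)
  #puts result.inspect
  #trends = result['url']
  #trends.each do |subject|
  # puts subject['url']
  #end
####NOT WORKING YET####
elsif command =~ Regex.all ####WORKING####
  puts "Not yet implemented..."
else
  puts Msg.invalid
end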