first commit
Qc-TX committed Apr 18, 2021
0 parents commit 799adaf
Showing 7 changed files with 297 additions and 0 deletions.
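--- /dev/null
+++ b/README.md
@@ -0,0 +1,76 @@
+
+
+## #TrackAttacker V1.1
+
+### 前言 ###
+```
+拿到这个脚本我真的是太开心了,但发现没有微步的查询,于是去看了微步查询的api,参考了一些微步api开发的blog。
+进行了简单的微步信息采集,判断是否为恶意IP,同时把微步标签打出来,这样更方便快速的对我们要进行溯源的IP划分优先级。
+```
+
+------
+### 增加功能 ###
+
+```
+1:微步信息查询(恶意与否、标签、场景等)
+```
+
+### 目前满足的功能
+
+```
+1:IP批量
+2:IP查域名
+3:IP查地址
+4:IP查端口
+5:IP查主机名
+6:域名查备案
+7:域名查Whois
+8:微步信息查询(恶意与否、标签、场景等)
+```
+
+### 前提要求 ###
+
+1、到微步社区登陆,找到API管理,增加绑定IP
+
+![image-20210417162542788](img/image-20210417162542788.png)
+
+2、复制APIkey到代码中
+
+![image-20210417165231903](img/image-20210417165231903.png)
+
+3、备案查询cookie设置
+
+```
+域名查备案用的备案8的接口,该接口需在脚本里手动配置个cookie,so,如果想用该接口,
+访问 https://www.beian88.com/, 抓取cookie:eid=b2d7c4b290e086176cdb0ccfbfc162ba,放入脚本中的header头,才可调用域名查备案接口
+Why一定通过备案8来域名查备案呢,经过测试,目前发现备案8的接口数据库最广泛,考虑到精准性,最终使用了备案8的接口
+```
+
+
+
+### Install ###
+
+```
+python3 -m pip install -r requirements.txt
+```
+
+### 开始使用 ###
+
+urls.txt放入需扫描ip
+
+加all参数=加端口扫描(需要在系统环境中安装nmap)
+
+```
+python3 TrackAttacker.py3
+python3 TrackAttacker.py3 all
+```
+
+### 备注
+
+可惜的是每天只能进行50个ip的扫描,对于hvv每天的大量攻击,实用性说实话一下不高了,不过好在没了之后也还能用其他功能。
+
+
+
+### 原地址:[TrackAttacker V1.0](https://github.com/Bywalks/TrackAttacker)
+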
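--- /dev/null
+++ b/TrackAttacker.py
@@ -0,0 +1,217 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+
+'''
+Program:TrackAttacker
+Function:help people track the attacker
+Version:Python3
+Time:2021/4/17
+Author:Qc
+Blog:https://www.qctx.xyz
+V1.1 增加了微步部分信息的收集
+调用微步api,每天有50次限制
+'''
+
+from traceback import print_list
+import requests
+import time
+from requests.packages import urllib3
+import re
+import json
+import nmap
+import sys
+
+urllib3.disable_warnings()
+
+headers = {
+'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36',
+'cookie' : 'Hm_lvt_d5e9e87de330d4ceb8f78059e5df3182=1618629170; eid=6ad557aa351d766e37d3463f089339d9; Hm_lpvt_d5e9e87de330d4ceb8f78059e5df3182=1618629980'
+}
+
+
+banner = '''
+ _______ _ _ _ _
+|__ __| | | /\ | | | | | |
+| |_ __ __ _ ___| | __ / \ | |_| |_ __ _ ___| | _____ _ __
+| | '__/ _` |/ __| |/ / / /\ \| __| __/ _` |/ __| |/ / _ \ '__|
+| | | | (_| | (__| < / ____ \ |_| || (_| | (__| < __/ |
+|_|_| \__,_|\___|_|\_\/_/ \_\__|\__\__,_|\___|_|\_\___|_|
+By Bywalks | V 1.1
+'''
+
+#通过IP获取网站域名
+def get_site_by_ip(ip):
+try:
+url = "https://site.ip138.com/"+str(ip)+"/"
+req = requests.get(url,timeout=3,headers=headers,verify=False)
+req.encoding = "utf-8"
+site=re.findall('<li><span\sclass="date">[\d\-\s]+</span><a\shref=".*?"\starget="_blank">(.*?)</a></li>',req.text)
+if site != "":
+print("[+]Site:"+site[0])
+return site[0]
+except:
+pass
+
+#通过IP获取地址
+def get_address_by_ip(ip):
+try:
+url = "https://www.ip138.com/iplookup.asp?ip="+str(ip)+"&action=2"
+req = requests.get(url,timeout=3,headers=headers,verify=False)
+req.encoding = "gbk"
+address=re.findall('"ASN归属地":"(.*?)",\s"iP段":',req.text)
+if address != "":
+print("[+]Address:"+address[0])
+except:
+pass
+
+#通过网站获取备案信息
+def get_beian_by_site(site):
+try:
+url = "https://www.beian88.com/home/Search"
+post_site = {'d': site}
+req = requests.post(url,data=post_site,timeout=3,headers=headers,verify=False)
+req.encoding = "utf-8"
+key=re.findall('"key":"(.*?)"}',req.text)
+url1 = "https://www.beian88.com/d/" + key[0]
+requ = requests.get(url1,timeout=3,headers=headers,verify=False)
+requ.encoding = "utf-8"
+name=re.findall('<span class="field-value" id="ba_Name">(.*?)</span>',requ.text)
+if name[0] != "":
+#print("备案信息")
+webname=re.findall('<span class="field-value" id="ba_WebName">(.*?)</span>',requ.text)
+print("[+]网站名称:"+webname[0])
+print("[+]主办单位名称:"+name[0])
+type=re.findall('<span class="field-value" id="ba_Type">(.*?)</span>',requ.text)
+print("[+]主办单位性质:"+type[0])
+license=re.findall('<span class="field-value" id="ba_License">(.*?)</span>',requ.text)
+print("[+]网站备案/许可证号:"+license[0])
+
+except:
+pass
+
+#通过微步情报信息
+def get_ThreatBook_by_site(ip):
+try:
+url = 'https://api.threatbook.cn/v3/scene/ip_reputation'
+query = {
+"apikey": "xxxxxxx",#替换成自己的APIkey
+"resource": "%s" % ip,
+"lang":"zh"
+}
+r = requests.request("GET", url, params=query)
+
+
+r_json = r.json()
+if r_json['response_code'] != 0:
+if r_json['verbose_msg'] == 'Beyond Daily Limitation':
+print('\n[-] 微步 API 已超出当日使用次数')
+else:
+print('\n[-] 微步 API 调用失败,错误信息:%s' % r_json['verbose_msg'])
+else:
+# 微步标签
+tag_original = r_json['data']['%s' % ip]['judgments']
+
+# 标签类别
+tags_classes = r_json['data']['%s' % ip]['tags_classes']
+
+# 场景
+scene = r_json['data']['%s' % ip]['scene']
+
+#是否恶意ip
+if r_json['data']['%s' % ip]['is_malicious'] == False:
+is_malicious = '否'
+else:
+is_malicious = '是'
+
+#端口信息(目前还存在一些json传输问题,判断是数据格式的问题,稍后再改)
+#ports = r_json['data']['%s' % ip]['ports']
+
+print('[+] 是否为恶意IP:%s' % is_malicious)
+#print('[+]端口信息:%s' % ports)
+if len(tag_original) != 0:
+print('[+] 微步标签:', end='')
+for i in tag_original:
+if i != tag_original[-1]:
+print(i, end=',')
+else:
+print(i)
+if len(tags_classes) > 0:
+print('[+] 标签类别:', end='')
+print(print_list(tags_classes[0]['tags']))
+print('[+] 安全事件标签:%s' % tags_classes[0]['tags_type'])
+if scene != '':
+print('[+] 应用场景:%s' % scene)
+except:
+pass
+
+#通过网站获取whois信息
+def get_whois_by_site(site):
+try:
+url = "http://whois.4.cn/api/main"
+post_site = {'domain': site}
+req = requests.post(url,data=post_site,headers=headers,verify=False)
+json_data = json.loads(req.text)
+if json_data['data']['owner_name'] !="":
+#print("Whois信息")
+print("[+]域名所有者:"+json_data['data']['owner_name'])
+print("[+]域名所有者邮箱:"+json_data['data']['owner_email'])
+print("[+]域名所有者注册:"+json_data['data']['registrars'])
+except:
+pass
+
+#通过ip查端口
+def nmap_port(ip):
+n = nmap.PortScanner()
+ip = "\""+ip+"\""
+n.scan(hosts=ip,arguments="-sV -p 22,80,90,443,1433,1521,3306,3389,6379,7001,7002,8000,8080,9090,9043,9080,9300")
+for x in n.all_hosts():
+if n[x].hostname() != "":
+print("[+]HostName: " + n[x].hostname())
+for y in n[x].all_protocols():
+print("[+]Protocols: " + y)
+for z in n[x][y].keys():
+if n[x][y][z]["state"] == "open":
+print("[+]port: " + str(z) + " | name: " + n[x][y][z]["name"] + " | state: " + n[x][y][z]["state"])
+
+
+def deal_url(url):
+print(url)
+get_address_by_ip(url)
+site = get_site_by_ip(url)
+if site != None:
+get_beian_by_site(site)
+get_whois_by_site(site)
+nmap_port(url)
+print("=========================================")
+
+def main():
+print(banner)
+print("[+]帮助小伙伴追踪Attacker的小工具")
+print("[+]使用方法1:python3 TrackAttacker.py")
+print("[+]使用方法2:python3 TrackAttacker.py all")
+print("[+]如果你第一次使用该工具,请看README.md")
+print("=========================================")
+url = "urls.txt"
+
+with open(url) as f:
+for url in f:
+url = url.replace('\n','')
+print(url)
+get_address_by_ip(url)
+site = get_site_by_ip(url)
+get_ThreatBook_by_site(url)
+if site != None:
+get_beian_by_site(site)
+get_whois_by_site(site)
+if len(sys.argv)>1:
+if sys.argv[1]=="all":
+nmap_port(url)
+print("=========================================")
+
+if __name__=="__main__":
+#判断程序运行时间
+start = time.time()
+main()
+end = time.time()
+print("The program spend time is %.3f seconds" %(end-start))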
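Review bot: The ThreatBook API key (`"apikey": "xxxxxxx"` in `get_ThreatBook_by_site`, which the README tells users to overwrite in place) and a live beian88 session cookie (the `eid=...` value in the module-level `headers`) live in source, so every clone of the repository carries the account's daily quota and session; load them from the environment instead (`import os`, then `"apikey": os.environ["THREATBOOK_APIKEY"]` and `'cookie': os.environ.get("BEIAN88_COOKIE", "")`), and treat the committed cookie as exposed. Separately, `print(print_list(tags_classes[0]['tags']))` calls `traceback.print_list`, which formats frame tuples rather than a list of tag strings; it fails on that input, the bare `except: pass` hides the failure, and the 标签类别 / 安全事件标签 / 应用场景 lines are silently never printed, where `print(', '.join(tags_classes[0]['tags']))` appears to be what was intended. Every `except: pass` in the file should at least name the exception and report it, because today a malformed API response, a missing `data` key or a network error is indistinguishable from "no data". Each line of `urls.txt` is interpolated into lookup URLs and handed to `nmap_port` with only `'\n'` removed; validating it with `ipaddress.ip_address(url.strip())` before use would reject stray whitespace and non-IP input before it reaches those calls. The ip138, beian88 and whois.4.cn requests all pass `verify=False`, and the ThreatBook and whois calls have no `timeout`, so a hijacked or stalled lookup can both feed attacker-controlled text into the output and hang the loop.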
Binary file added img/.DS_Store
Binary file not shown.
Binary file added img/image-20210417162542788.png
Binary file added img/image-20210417165231903.png
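--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+python-nmap
+requests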
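Review bot: Both entries are unpinned, so `pip install -r requirements.txt` resolves to whatever the newest release of `requests` and `python-nmap` is on the day of install, which makes the tool's behaviour and its dependency attack surface drift over time. Pin each line to the version the script was tested against (`package==X.Y.Z`), and consider generating the file with hashes (`pip-compile --generate-hashes`) so installs are reproducible. The `nmap` binary that `python-nmap` drives is a system dependency that this file cannot express; the README mentions it, and a one-line comment here (`# requires the nmap binary on PATH for the 'all' mode`) would keep that visible to anyone installing from this file alone.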
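--- /dev/null
+++ b/urls.txt
@@ -0,0 +1,2 @@
+209.141.45.200
+59.63.206.206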
