#############################################
# VirusTotal Public API v2.0 domain lookup.
#
# Author: @michael_yip
# Email: [email protected]
# Date: 08/03/2015
#############################################
import json
import urllib
import datetime
from vt_util import API_KEY, load_cache, dump_cache
# VirusTotal Public API v2 endpoint for domain reports.  The request
# parameters (domain, apikey) are appended as a query string by the caller.
domain_query_url = ('https://www.virustotal.com'
                    '/vtapi/v2/domain/report')
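def domain_lookup(domain):
    ''' Lookup domain information on VirusTotal.

    Returns the cached report for *domain* when one exists, otherwise
    queries the VT v2 domain/report endpoint, caches the decoded JSON
    and returns it as a dict.

    A failing live query terminates the process via exit(e), as the
    original implementation did; callers do not see an exception.
    A failing cache read is treated as a cache miss instead of aborting.
    '''
    # Cache check.  A corrupt or unreadable cache entry should fall
    # through to a fresh query, not kill the whole run.
    try:
        cache = load_cache(domain)
    except Exception:
        cache = None
    if cache:
        return cache

    # Query VT.  NOTE: the v2 API takes the API key as a query-string
    # parameter, so the key is visible in any proxy / URL access log on
    # the path.  NOTE(review): Python 2 before 2.7.9 does not validate
    # the HTTPS certificate in urllib.urlopen -- confirm the interpreter.
    domain_parameters = {'domain': domain, 'apikey': API_KEY}
    response_dict = {}
    try:
        resp = urllib.urlopen('%s?%s' % (domain_query_url, urllib.urlencode(domain_parameters)))
        try:
            response = resp.read()
        finally:
            resp.close()
        response_dict = json.loads(response)
        # Cache results
        dump_cache(domain, response_dict)
    except Exception as e:
        exit(e)
    return response_dict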
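def _parse_whois(whois_string):
    ''' Split a raw WHOIS text blob into {field: [value, ...]}.

    Each "key: value" line is split on the FIRST colon only, so values
    that contain colons themselves (registrar URLs, ISO timestamps)
    are kept whole.  Values are upper-cased; repeated keys accumulate.
    '''
    whois_dict = {}
    for line in whois_string.split("\n"):
        if ":" not in line:
            continue
        k, v = line.split(":", 1)
        whois_dict.setdefault(k.strip(), []).append(v.strip().upper())
    return whois_dict


def whois(domain):
    ''' WHOIS Lookup.
    NOTE: this returns the original JSON response from VT to save query.

    Returns (whois_dict, vt_response).  When the report carries no
    usable 'whois' field (e.g. an unknown domain) both values are {}.
    '''
    # Get VT response
    vt_response = domain_lookup(domain)
    try:
        whois_string = vt_response['whois']
        return _parse_whois(whois_string), vt_response
    except (KeyError, TypeError, AttributeError):
        # No WHOIS record in the report, or an unexpected payload shape.
        return {}, {}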
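def get_registrant_email(domain):
    ''' Get WHOIS registrant email.

    Returns (email, whois_timestamp) with the email lower-cased, or
    ("", "") when no registrant email field is present or the lookup
    fails.  Always a 2-tuple so callers can unpack unconditionally.
    '''
    # Prettify string for VT
    if len(domain) > 0:
        domain = domain.strip().lower()
    # Get VT response
    whois_dict, vt_response = whois(domain)
    whois_timestamp = ""
    registrant_email = ""
    try:
        for k, v in whois_dict.items():
            k = k.lower().strip()
            # Field names vary by registrar ("Registrant Email",
            # "Registrant Contact Email", ...); match on both words.
            if "registrant" in k and "email" in k:
                registrant_email = v[0]
                break
        if 'whois_timestamp' in vt_response:
            whois_timestamp = __get_timestamp(vt_response['whois_timestamp'])
    except (KeyError, IndexError, TypeError, ValueError, OverflowError):
        return "", ""
    if len(registrant_email) == 0:
        return "", ""
    return registrant_email.lower(), whois_timestamp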
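def get_name_servers(domain):
    ''' Get name servers.

    Returns (name_servers, whois_timestamp) where name_servers is the
    list of upper-cased "Name Server" values from WHOIS, or ([], "")
    when none are present or the lookup fails.  Always a 2-tuple.
    '''
    # Get VT response
    whois_dict, vt_response = whois(domain)
    whois_timestamp = ""
    name_servers = []
    try:
        for k, v in whois_dict.items():
            k = k.lower().strip()
            if "name server" in k:
                name_servers = v
                break
        # Get WHOIS resolution timestamp
        if 'whois_timestamp' in vt_response:
            whois_timestamp = __get_timestamp(vt_response['whois_timestamp'])
    except (KeyError, TypeError, ValueError, OverflowError):
        return [], ""
    if len(name_servers) == 0:
        return [], ""
    return name_servers, whois_timestamp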
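def get_registrar(domain):
    ''' Get WHOIS registrar.

    Returns (registrar, whois_timestamp) with the registrar upper-cased,
    or ("", "") when the field is absent or the lookup fails.
    '''
    # Get VT response
    whois_dict, vt_response = whois(domain)
    registrar = ""
    whois_timestamp = ""
    try:
        for k, v in whois_dict.items():
            # Exact match on the field name, unlike the substring matches
            # used for registrant email / name servers.
            if k.lower().strip() == 'registrar':
                registrar = v[0].upper()
                break
        if 'whois_timestamp' in vt_response:
            whois_timestamp = __get_timestamp(vt_response['whois_timestamp'])
    except (KeyError, IndexError, TypeError, ValueError, OverflowError):
        return "", ""
    if len(registrar) == 0:
        return "", ""
    return registrar, whois_timestamp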
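def get_subdomains(domain):
    ''' Get subdomains.

    Returns the 'subdomains' list from the VT report, or [] when the
    report has no such field or the payload is not a mapping.
    '''
    # Get VT response
    vt_response = domain_lookup(domain)
    try:
        return vt_response['subdomains']
    except (KeyError, TypeError):
        return []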
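def get_ip_resolutions(domain):
    ''' Get passive DNS data.

    Returns a list of (ip_address, last_resolved) tuples built from the
    report's 'resolutions' entries, or [] when the field is absent or
    any entry is malformed.
    '''
    # Get VT response
    vt_response = domain_lookup(domain)
    try:
        return [(resolution['ip_address'], resolution['last_resolved'])
                for resolution in vt_response['resolutions']]
    except (KeyError, TypeError):
        return []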
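def get_detected_urls_domain(domain):
    ''' Get detected urls.

    Returns a list of (url, scan_date, positives) tuples built from the
    report's 'detected_urls' entries, or [] when the field is absent or
    any entry is malformed.
    '''
    # Get VT response
    vt_response = domain_lookup(domain)
    try:
        return [(detected_url['url'], detected_url['scan_date'], detected_url['positives'])
                for detected_url in vt_response['detected_urls']]
    except (KeyError, TypeError):
        return []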
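def __get_timestamp(seconds):
    ''' Convert a Unix epoch value (seconds) into 'YYYY-MM-DD HH:MM:SS'.

    NOTE: fromtimestamp() renders in the LOCAL timezone of the host running
    the lookup, so the same VT value prints differently on hosts in
    different zones; switch to utcfromtimestamp() if reports must be
    comparable across analysts.  Raises TypeError/ValueError/OverflowError
    for non-numeric or out-of-range input.
    '''
    return datetime.datetime.fromtimestamp(seconds).strftime('%Y-%m-%d %H:%M:%S')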