安全分析的几个好的工具网站的使用
发布时间:2019-03-22


最近在工作中还是遇到了一些追查攻击者之类的事情,结合自己过去做过一年安全分析师的经验,对几个比较好用的追踪溯源网站的使用做一个简介。

一、关联神器passivetotal

1、网址:https://community.riskiq.com/

2、简介:常用来搜索 IP、Domain、URL、whois 信息、ipwhois 信息等;它的数据存储比较全面、信息量较大,而且可以按时间做关联分析。实现这些维度之间的互查反查是它很重要的一个功能。需要注册。

3、截图:

二、样本神器virustotal

1、网址:https://www.virustotal.com/#/home/upload

2、简介:可以查询样本在多家杀毒引擎的扫描检测结果;另外可以查询 IP、URL、hash,从而关联出下载地址(download URL)、恶意域名、IP 以及恶意样本的 hash。(注册之后可付费,在线样本可下载)

3、截图:

4、自己对照 VT 的 API 文档写的一个 apilib 库

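#!/usr/bin/env python
# -*- coding: UTF-8 -*-
"""Thin wrapper around the VirusTotal v2 API (file / url / ip / domain).

Python 2 code (urllib2). Every network-facing method is designed not to
raise: it returns either the raw JSON body (str), a parsed dict, or the
tuple ``(-1, exception)`` on failure. Callers therefore have to check
``isinstance(ret, tuple)`` before parsing a result.

NOTE(review): on Python 2 before 2.7.9, urllib/urllib2 do not validate
the server certificate for https URLs - confirm the interpreter version
used to run this module.
"""
import os
import sys
import json
import urllib
import urllib2
import hashlib
import postfile
import simplejson

# Global state.
# NOTE(security): the literal below is an API credential committed in
# source. A key published this way should be treated as compromised and
# rotated; the environment variable (name chosen here) is consulted first
# so the literal only acts as a last-resort default.
APIKEY = os.environ.get('VT_APIKEY') or '033e1a2ae071f8800d558a968717c2674f8eb728cfb6b470d4713dd744600fb7'
MYVTOBJ = None
CRONTOL_BIT = 0


def _join_resources(items, sep):
    """Join a list of resources with *sep*.

    The original built the string by ``+=`` onto ``None`` (a TypeError) and
    then sliced off the trailing separator; ``str.join`` does both correctly.
    """
    return sep.join(str(item) for item in items)


class VirusTotal:
    """Client bound to one API key; ``virus_dict`` is a free-form cache slot."""

    def __init__(self, apikey):
        self.virus_dict = {}
        self.apikey = apikey

    def get_virus_dict(self):
        return self.virus_dict

    # -- internal transport helpers ---------------------------------------

    def _post(self, url, parameters):
        """POST *parameters* form-encoded to *url*.

        Returns the raw response body, or ``(-1, ex)`` on any failure.
        """
        try:
            data = urllib.urlencode(parameters)
            response = urllib2.urlopen(urllib2.Request(url, data))
            try:
                return response.read()
            finally:
                response.close()
        except Exception as ex:
            # log.log(ex, 3, 2)
            return (-1, ex)

    def _get(self, url, parameters):
        """GET *url* with *parameters* in the query string.

        Returns the parsed JSON dict, or ``(-1, ex)`` on any failure.
        """
        try:
            response = urllib.urlopen('%s?%s' % (url, urllib.urlencode(parameters)))
            try:
                body = response.read()
            finally:
                response.close()
            return json.loads(body)
        except Exception as ex:
            # log.log(ex, 3, 2)
            return (-1, ex)

    # -- file endpoints ---------------------------------------------------

    def upload_one_check_file(self, check_file):
        """Upload *check_file* to /file/scan as a multipart POST.

        Returns the raw JSON response, or ``(-1, ex)`` if the file cannot be
        read or the upload fails.
        """
        check_host = "www.virustotal.com"
        selector = "https://www.virustotal.com/vtapi/v2/file/scan"
        fields = [("apikey", self.apikey)]
        file_name = os.path.basename(check_file)
        try:
            # ``with`` closes the handle on every path (the original leaked it).
            with open(check_file, 'rb') as fh:
                file_to_check = fh.read()
        except Exception as ex:
            # log.log(ex, 3, 1)
            return (-1, ex)
        file_struct = [("file", file_name, file_to_check)]
        try:
            return postfile.post_multipart(check_host, selector, fields, file_struct)
        except Exception as ex:
            # log.log(ex, 3, 2)
            return (-1, ex)

    def upload_check_files(self, files_list):
        """Run quick_check() on every path; ``(-1, msg)`` for an empty list."""
        if not files_list:
            return (-1, 'files_list error')
        return [self.quick_check(item) for item in files_list]

    def check_file_rescan(self, scanid):
        """Request a rescan of one resource or of a list (comma-joined)."""
        url = "https://www.virustotal.com/vtapi/v2/file/rescan"
        if isinstance(scanid, (list, tuple)):
            scanid = _join_resources(scanid, ',')
        return self._post(url, {"resource": scanid, "apikey": self.apikey})

    def quick_check(self, check_file):
        """Upload *check_file*; on an 'Error 400' body fall back to a rescan by MD5.

        Returns the ``sha256`` field of the response, or ``(-1, ex)`` on
        failure (the original called ``.find`` on the error tuple instead).
        """
        print(str(check_file))
        try:
            with open(str(check_file), 'rb') as fh:
                file_md5 = hashlib.md5(fh.read()).hexdigest()
        except Exception as ex:
            return (-1, ex)
        ret = self.upload_one_check_file(check_file)
        if isinstance(ret, tuple):
            return ret
        if ret.find('Error 400') >= 0:
            ret = self.check_file_rescan(file_md5)
            if isinstance(ret, tuple):
                return ret
        try:
            return simplejson.loads(ret)["sha256"]
        except Exception as ex:
            return (-1, ex)

    def get_report(self, scanid):
        """Fetch the raw /file/report JSON for *scanid*, or ``(-1, ex)``."""
        url = "https://www.virustotal.com/vtapi/v2/file/report"
        return self._post(url, {"resource": scanid, "apikey": self.apikey})

    def get_report_from_designated_company(self, company, scanid):
        """Return vendor *company*'s 'result' string from the file report.

        ``None`` when the vendor is absent, ``(-1, ex)`` on transport or
        parse failure.
        """
        ret = self.get_report(scanid)
        if isinstance(ret, tuple):
            return ret
        try:
            response_dict = simplejson.loads(ret)
        except Exception as ex:
            # log.log(ex, 3, 2)
            return (-1, ex)
        return response_dict.get("scans", {}).get(company, {}).get("result")

    # -- url endpoints ----------------------------------------------------

    def url_check(self, check_url):
        """Submit one URL, or a list (newline-joined), to /url/scan."""
        url = "https://www.virustotal.com/vtapi/v2/url/scan"
        if isinstance(check_url, (list, tuple)):
            check_urls = _join_resources(check_url, '\n')
        else:
            check_urls = str(check_url)
        return self._post(url, {"url": check_urls, "apikey": self.apikey})

    def get_url_report(self, check_url):
        """Fetch the raw /url/report JSON for one URL or a comma-joined list."""
        url = "https://www.virustotal.com/vtapi/v2/url/report"
        if isinstance(check_url, (list, tuple)):
            # The original hard-coded "http://www.sohu.com" as the resource
            # here and ignored the caller's list; use the list.
            check_urls = _join_resources(check_url, ',')
            parameters = {"resource": check_urls, "apikey": self.apikey, "scan": "1"}
        else:
            parameters = {"resource": str(check_url), "apikey": self.apikey}
        return self._post(url, parameters)

    def get_url_report_from_designated_company(self, check_url, company):
        """Return vendor *company*'s 'result' for a URL report, or ``None``.

        ``(-1, ex)`` on transport or parse failure; a missing vendor no
        longer raises AttributeError.
        """
        ret = self.get_url_report(str(check_url))
        if isinstance(ret, tuple):
            return ret
        try:
            response_dict = simplejson.loads(ret)
        except Exception as ex:
            # log.log(ex, 3, 2)
            return (-1, ex)
        return response_dict.get('scans', {}).get(company, {}).get('result')

    # -- ip / domain endpoints --------------------------------------------

    def ip_check(self, ip):
        """Parsed /ip-address/report for *ip*, or ``(-1, ex)``."""
        url = 'https://www.virustotal.com/vtapi/v2/ip-address/report'
        return self._get(url, {'ip': ip, 'apikey': self.apikey})

    def domain_check(self, domain):
        """Parsed /domain/report for *domain*, or ``(-1, ex)``."""
        url = 'https://www.virustotal.com/vtapi/v2/domain/report'
        return self._get(url, {'domain': domain, 'apikey': self.apikey})


# Quick-use helpers.
def vtocq():
    """Create the module-level client once.

    Returns the client; ``('-2', 'ERROR')`` if already initialised and
    ``('-1', ...)`` when no API key is configured.
    """
    global MYVTOBJ
    global CRONTOL_BIT
    if CRONTOL_BIT != 0:
        return ('-2', 'ERROR')
    if APIKEY is None:
        return ('-1', 'APIKEY information set error!')
    MYVTOBJ = VirusTotal(APIKEY)
    CRONTOL_BIT = 1
    return MYVTOBJ


def fcq(file_check, hash_sha1):
    """Upload *file_check*, then summarise the report for *hash_sha1*.

    Returns a dict with the positives count and the McAfee / Bkav /
    Qihoo-360 verdicts (``None`` when a field or vendor is absent), or
    ``(-1, ex)`` when the report cannot be fetched or parsed.
    """
    # Upload result is intentionally not inspected (as in the original);
    # the report is looked up by the caller-supplied hash.
    MYVTOBJ.quick_check(file_check)
    report = MYVTOBJ.get_report(hash_sha1)
    if isinstance(report, tuple):
        return report
    try:
        report = simplejson.loads(report)
    except Exception as ex:
        return (-1, ex)
    scans = report.get('scans', {})

    def verdict(vendor):
        return scans.get(vendor, {}).get('result')

    return {
        "vtnumber": report.get('positives'),
        "av_360": verdict('Qihoo-360'),
        "av_bkav": verdict('Bkav'),
        "av_macfee": verdict('McAfee'),
    }


def vt_check(filecheck, hash_sha1):
    """Initialise the client if needed, run fcq(), print and return its result."""
    vtocq()
    ret = fcq(filecheck, hash_sha1)
    print(ret)
    return ret


# vt_check('C://PuTTY//plink.exe')
MYVTOBJ = VirusTotal(APIKEY)
if __name__ == "__main__":
    # Demo lookup; guarded so importing the module performs no network call.
    print(MYVTOBJ.domain_check("lx.com"))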

三、其他工具:

1、站长之家--站长工具:做一些域名、IP、注册邮箱等信息的关联查询。

2、www.ipip.net:做一些IP地理信息查询。

转载地址:http://txuwk.baihongyu.com/
