diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..25f9637
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 ecstatic-nobel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..983907a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,80 @@ +# [pOSINTâ„¢] +##### Request Open-Source Intelligence using PowerShell. + +### Usage +Import the module: +```powershell +Import-Module pOSINT.psm1 +``` + +View module details: +```powershell +Get-Module pOSINT +``` + +Review module help page: +```powershell +Get-Help Request-OSINT +``` + +Module Help Page: + + NAME + Request-Osint + + SYNOPSIS + Request Open-Source Intelligence using PowerShell. + + + SYNTAX + Request-Osint -Crtsh [-Wildcard] -QueryString [] + + Request-Osint -Cymon -QueryString -CyQueryType [] + + Request-Osint -GreyNoise [-QueryString ] -GnQueryType [] + + Request-Osint -PhishingKitTracker [] + + Request-Osint -Threatcrowd -QueryString -TcQueryType [] + + Request-Osint -Urlhaus -QueryString -UhQueryType [] + + Request-Osint -Urlscan -QueryString [] + + + DESCRIPTION + Request Open-Source Intelligence using PowerShell. The response is a + PowerShell object which can be formatted in many different ways. + + + RELATED LINKS + https://github.com/ecstatic-nobel/pOSINT/ + + REMARKS + To see the examples, type: "get-help Request-Osint -examples". + For more information, type: "get-help Request-Osint -detailed". + For technical information, type: "get-help Request-Osint -full". + For online help, type: "get-help Request-Osint -online" + +Show Cmd-let examples: +```powershell +Get-Help Request-OSINT -Examples +``` + +EXAMPLE: +```powershell +Request-Osint -GreyNoise -QueryString adb_worm -GnQueryType tag | Select-Object -ExpandProperty records +``` +![pOSINT](https://raw.githubusercontent.com/ecstatic-nobel/pOSINT/master/static/assets/pOSINT.gif) + +Remove the module: +```powershell +Remove-Module pOSINT +``` + +### Coming Soon +- Alienvault +- Censys +- Hybrid-Analysis +- Malshare +- PulseDive \ No newline at end of file diff --git a/pOSINT.psm1 b/pOSINT.psm1 new file mode 100644 index 0000000..c78afbe --- /dev/null +++ b/pOSINT.psm1 
@@ -0,0 +1,259 @@ +<# + .SYNOPSIS + Request Open-Source Intelligence using PowerShell. + + .DESCRIPTION + Request Open-Source Intelligence using PowerShell. The response is a + PowerShell object which can be formatted in many different ways. + + .EXAMPLE + Request-Osint -Crtsh -QueryString jotugaedorm.com -Wildcard | Format-List + + issuer_ca_id : 12922 + issuer_name : C=US, ST=TX, L=Houston, O="cPanel, Inc.", CN="cPanel, Inc. Certification Authority" + name_value : cpanel.jotugaedorm.com + min_cert_id : 1179646010 + min_entry_timestamp : 2/6/19 9:46:22 PM + not_before : 2/6/19 12:00:00 AM + not_after : 5/7/19 11:59:59 PM + + ... + + .EXAMPLE + Request-Osint -Cymon -QueryString 195.123.237.120 -CyQueryType ip | Format-List + + total : 1 + from : 0 + size : 10 + hits : {@{title=Malware email submission; link=http://www.senderbase.org/lookup/?search_string=195.123.237.120; reported_by=cymon; feed=senderbase.org; feed_id=AVsGXxCjVjrVcoBZyoh-; timestamp=12/10/18 6:00:02 AM; tags=System.Object[]; ioc=; id=7d33126e4f3e1acb8ea770cda0452fb641617f798aa6302b025dc2d148ec84f8}} + + .EXAMPLE + Request-Osint -GreyNoise -GnQueryType list | Format-List + + status : ok + tags : {VNC_SCANNER_HIGH, PING_SCANNER_LOW, BINGBOT, IIS_WEBDAV_REMOTE_CODE_EXECUTION_CVE_2017_7269...} + + .EXAMPLE + Request-Osint -GreyNoise -QueryString shodan -GnQueryType tag | Format-List + + tag : SHODAN + status : ok + returned_count : 297 + records : {@{ip=107.6.151.194; name=SHODAN; first_seen=2/24/19 12:53:40 PM; last_updated...}...} + + .EXAMPLE + Request-Osint -PhishingKitTracker | Format-List + + DateFound : 2/26/2019 + ReferenceLink : https://twitter.com/covertshell/status/1100574595902451712 + ThreatActorEmail : vioilla86@gmail.com + EmailType : gmail + KitMailer : auth.php + Target : + PhishingDomain : jotugaedorm.com + KitName : order_pdf2019.zip + ThreatActor : + KitHash : 04ae2a48f6d55e63d8ca9f3784d4fe8e + KitUrl : http://jotugaedorm.com/import/order_pdf2019.zip + + ... 
+ + .EXAMPLE + Request-Osint -Threatcrowd -QueryString 188.40.75.132 -TcQueryType ip | Format-List + + response_code : 1 + resolutions : {@{last_resolved=2015-02-17; domain=tvgate.rocks}, @{last_resolved=2015-02-17; domain=nice-mobiles.com}, @{last_resolved=2015-02-17; domain=nauss-lab.com}, @{last_resolved=2015-02-17; + domain=iwork-sys.com}...} + hashes : {003f0ed24b5f70ddc7c6e80f9c4dac73, 027fc90c13f6d87e1f68d25b0d0ec4a7, 088420b7e56c73d3d495230d42e0cb95, 1e52a293838464e4cd6c1c6d94a55793...} + references : {} + votes : -1 + permalink : https://www.threatcrowd.org/ip.php?ip=188.40.75.132 + + .EXAMPLE + Request-Osint -Urlhaus -QueryString 4ef1c08fe44a8d1e1c8ef214e7ed63a318663e926860702076bc6234fd3b1d11 -UhQueryType payload | Format-List + + query_status : ok + md5_hash : fbd9ea8ffe773b85a603665c44a86502 + sha256_hash : 4ef1c08fe44a8d1e1c8ef214e7ed63a318663e926860702076bc6234fd3b1d11 + content_type : exe + file_size : 339968 + signature : + firstseen : 2019-03-01 16:50:06 + lastseen : 2019-03-01 20:40:07 + url_count : 1 + urlhaus_download : https://api.urlhaus.abuse.ch/v1/download/4ef1c08fe44a8d1e1c8ef214e7ed63a318663e926860702076bc6234fd3b1d11/ + virustotal : + urls : {@{url_id=149696; url=http://195.123.237.120/tin.png; url_status=offline; urlhaus_reference=https://urlhaus.abuse.ch/url/149696/; filename=; firstseen=2019-03-01; lastseen=2019-03-01}} + + .EXAMPLE + Request-Osint -Urlscan -QueryString 4ef1c08fe44a8d1e1c8ef214e7ed63a318663e926860702076bc6234fd3b1d11 | Format-List + + task : @{visibility=public; method=automatic; time=3/1/19 5:03:35 PM; source=urlhaus; url=http://195.123.237.120/tin.png} + stats : @{uniqIPs=1; consoleMsgs=0; dataLength=339968; encodedDataLength=340210; requests=1} + page : @{country=UA; server=nginx/1.6.2; city=; domain=195.123.237.120; ip=195.123.237.120; asnname=LAYER6, UA; asn=AS204957; url=http://195.123.237.120/tin.png; ptr=sweetdrem.biz} + uniq_countries : 1 + _id : 5524d559-9d34-4147-8c05-e434756d6a41 + result : 
https://urlscan.io/api/v1/result/5524d559-9d34-4147-8c05-e434756d6a41 + + .LINK + https://github.com/ecstatic-nobel/pOSINT/ +#> +function Request-Osint { + [CmdletBinding()] + param( + [parameter(ParameterSetName="crtsh", + Mandatory=$true)] + [Switch]$Crtsh, + [parameter(ParameterSetName="cymon", + Mandatory=$true)] + [Switch]$Cymon, + [parameter(ParameterSetName="greynoise", + Mandatory=$true)] + [Switch]$GreyNoise, + [parameter(ParameterSetName="phishingkittracker", + Mandatory=$true)] + [Switch]$PhishingKitTracker, + [parameter(ParameterSetName="threatcrowd", + Mandatory=$true)] + [Switch]$Threatcrowd, + [parameter(ParameterSetName="urlhaus", + Mandatory=$true)] + [Switch]$Urlhaus, + [parameter(ParameterSetName="urlscan.io", + Mandatory=$true)] + [Switch]$Urlscan, + + [parameter(ParameterSetName="crtsh", + Mandatory=$false)] + [Switch]$Wildcard, + + [parameter(ParameterSetName="crtsh", + Mandatory=$true)] + [parameter(ParameterSetName="cymon", + Mandatory=$true)] + [parameter(ParameterSetName="greynoise", + Mandatory=$false)] + [parameter(ParameterSetName="threatcrowd", + Mandatory=$true)] + [parameter(ParameterSetName="urlhaus", + Mandatory=$true)] + [parameter(ParameterSetName="urlscan.io", + Mandatory=$true)] + [String]$QueryString, + + [parameter(ParameterSetName="cymon", + Mandatory=$true)] + [ValidateSet("ip", "domain", "hostname", "md5", "sha256", "ssdeep", "term")] + $CyQueryType, + [parameter(ParameterSetName="greynoise", + Mandatory=$true)] + [ValidateSet("list", "ip", "tag")] + $GnQueryType, + [parameter(ParameterSetName="threatcrowd", + Mandatory=$true)] + [ValidateSet("email", "domain", "ip", "resource")] + $TcQueryType, + [parameter(ParameterSetName="urlhaus", + Mandatory=$true)] + [ValidateSet("url", "host", "payload")] + $UhQueryType + ) + + Begin { + $Method = "GET" + $Body = $Null + $Timeout = 30 + + Switch ($PSCmdlet.ParameterSetName) { + "crtsh" { + if ($Wildcard) { + $QueryString = "%25.$QueryString" + } + + [String]$Uri = 
"https://crt.sh/?q=$QueryString&output=json" + Break + } + "cymon" { + $QueryType = $CyQueryType.ToLower() + [String]$Uri = "https://api.cymon.io/v2/ioc/search/$QueryType/$QueryString" + Break + } + "greynoise" { + $QueryType = $GnQueryType.ToLower() + + if ($QueryType -in @("ip", "tag")) { + $Method = "POST" + $Body = "$QueryType=$($QueryString.ToUpper())" + } + + [String]$Uri = "https://api.greynoise.io/v1/query/$QueryType" + Break + } + "phishingkittracker" { + [String]$Uri = "https://raw.githubusercontent.com/neonprimetime/PhishingKitTracker/master/PhishingKitTracker.csv" + $ReponseType = "CSV" + Break + } + "threatcrowd" { + $QueryType = $TcQueryType.ToLower() + [String]$BaseUri = "https://www.threatcrowd.org/searchApi/v2/$QueryType" + + if ($TcQueryType -eq "resource") { + [String]$BaseUri = "https://www.threatcrowd.org/searchApi/v2/file" + } + + [String]$Uri = "$BaseUri/report/?$QueryType=$QueryString" + Break + } + "urlhaus" { + $QueryType = $UhQueryType.ToLower() + $Method = "POST" + $Body = "$QueryType=$QueryString" + + Switch($QueryType) { + "payload" { + if ($QueryString.Length -eq 32) { + $Body = "md5_hash=$QueryString" + } elseif ($QueryString.Length -eq 64) { + $Body = "sha256_hash=$QueryString" + } + } + } + + [String]$Uri = "https://urlhaus-api.abuse.ch/v1/$QueryType/" + Break + } + "urlscan.io" { + [String]$Uri = "https://urlscan.io/api/v1/search/?q=$QueryString&size=10000" + $ReponseType = "OBJ" + Break + } + } + } + + Process { + Write-Verbose "`nMethod : $Method" + Write-Verbose "Body : $Body" + Write-Verbose "URI : $Uri" + Write-Verbose "Timeout: $Timeout" + $Response = Invoke-RestMethod -Method $Method -Body $Body -Uri $Uri -TimeoutSec $Timeout + + if ($ReponseType -eq "CSV") { + $Response | + ConvertFrom-Csv + } elseif ($ReponseType -eq "JSON") { + $Response | + Select-Object -ExpandProperty Content | + ConvertFrom-Json + } elseif ($ReponseType -eq "OBJ") { + $Response | + Select-Object -ExpandProperty Results + } else { + $Response + } + } 
+ + End { + Write-Verbose "`nComplete" + } +} diff --git a/static/assets/help.png b/static/assets/help.png new file mode 100644 index 0000000..7fae42e Binary files /dev/null and b/static/assets/help.png differ diff --git a/static/assets/pOSINT.gif b/static/assets/pOSINT.gif new file mode 100644 index 0000000..b8d56e6 Binary files /dev/null and b/static/assets/pOSINT.gif differ
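Review bot: `$QueryString` is spliced unencoded into every URI and POST body built in the Begin block (crt.sh `q=`, the cymon path segment, threatcrowd `?$QueryType=`, urlscan `q=`, and the greynoise/urlhaus `key=value` string bodies), so an IOC containing `&`, `#`, `/`, `?` or a space — a full URL passed with `-UhQueryType url`, for instance — is truncated by the remote parser or silently turns into additional request parameters; escape it once with `[Uri]::EscapeDataString` for URI interpolation and hand the POST bodies to `Invoke-RestMethod` as hashtables, which it form-encodes itself, as sketched below. The crt.sh wildcard prefix `%25.` is applied after encoding so it is not double-encoded. Separately, `$ReponseType` is only assigned in the phishingkittracker and urlscan.io branches and never set to `"JSON"`, so the JSON arm in Process (which also expects a `Content` property that `Invoke-RestMethod` output does not carry) is dead and the variable is unset for the other parameter sets; initialising it next to `$Body` keeps the function working under `Set-StrictMode`. With hashtable bodies the `Write-Verbose "Body : $Body"` line prints the type name rather than the pairs, so `Write-Verbose "Body : $($Body | Out-String)"` restores readable verbose output.
```powershell
    Begin {
        # … unchanged: $Method / $Body / $Timeout defaults …
        $ReponseType = $Null
        # Encode once; hashtable bodies below are form-encoded by Invoke-RestMethod
        $Encoded = [Uri]::EscapeDataString($QueryString)

        Switch ($PSCmdlet.ParameterSetName) {
            "crtsh" {
                if ($Wildcard) {
                    $Encoded = "%25.$Encoded"
                }
                [String]$Uri = "https://crt.sh/?q=$Encoded&output=json"
                Break
            }
            "cymon" {
                # … unchanged: $QueryType …
                [String]$Uri = "https://api.cymon.io/v2/ioc/search/$QueryType/$Encoded"
                Break
            }
            "greynoise" {
                # … unchanged: $QueryType, POST selection …
                $Body = @{ $QueryType = $QueryString.ToUpper() }
                # … unchanged: $Uri …
            }
            # … unchanged: phishingkittracker …
            "threatcrowd" {
                # … unchanged: $QueryType, $BaseUri …
                [String]$Uri = "$BaseUri/report/?$QueryType=$Encoded"
                Break
            }
            "urlhaus" {
                # … unchanged: $QueryType, $Method …
                $Body = @{ $QueryType = $QueryString }
                Switch($QueryType) {
                    "payload" {
                        if ($QueryString.Length -eq 32) {
                            $Body = @{ md5_hash = $QueryString }
                        } elseif ($QueryString.Length -eq 64) {
                            $Body = @{ sha256_hash = $QueryString }
                        }
                    }
                }
                # … unchanged: $Uri …
            }
            "urlscan.io" {
                [String]$Uri = "https://urlscan.io/api/v1/search/?q=$Encoded&size=10000"
                # … unchanged: $ReponseType …
            }
        }
    }
```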