Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率。

Related tags

Security related resourcestig
Overview

0x00 介绍

tig Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率,目前已集成微步、IP 域名反查、Fofa 信息收集、ICP 备案查询、IP 存活检测五个模块,现已支持以下信息的查询:

  • 微步标签
  • IP 域名反查
  • ICP 备案查询
  • IP 存活检测
  • 开放端口查询
  • ……

后续将集成更多模块,如有好的建议或遇到 Bug 欢迎与我反馈,我的微信号:teamssix_com

0x01 安装

需要 python3 环境支持

pip3 install -r requirements.txt
python3 tig.py

0x02 使用

工具命令如下:

-h HELP			查看帮助信息
-i IP       目标 IP
-f FILE     IP 文本,一行一个
-c CONFIG   指定配置文件,默认 ./config.ini

在开始使用工具之前,需要对配置文件进行配置,默认配置文件如下:

[Threat Intelligence]

# 微步威胁情报查询,查看 api 地址:https://x.threatbook.cn/nodev4/vb4/myAPI(每天 50 次的免费额度)
ThreatBook_enable = true
ThreatBook_api = ''

[IP Passive Information]

# IP 反查,调用 http://api.webscan.cc/ 的 api
IP_reverse_enable = true

# ICP 备案信息查询,调用 https://api.vvhan.com/api/icp 的 api,如果目标 IP 没有反查到域名,该项即使开启也不会有输出
ICP_beian_enable = true

# Fofa ip 信息查询,查看 api 地址:https://fofa.so/user/users/detail(付费,普通会员每次100条,高级会员每次10000条)
Fofa_enable = true
Fofa_email = ''
Fofa_api = ''

[IP Active Information]

# 利用 ping 命令对 IP 进行存活检测
IP_survive_enable = true

在配置文件里添加自己的微步 API 和 Fofa API 才可使用相关模块,添加 API 后,就可以正常使用相关模块了。

例如这里获取某个 IP 的信息,直接使用 -i 命令即可。

0x03 最后

如果在工具使用的过程中发现存在 bug 等问题,欢迎与我反馈,我的微信号:teamssix_com

Comments
  • 是有BUG吗?

    是有BUG吗?

    python3 tig.py -i X.X.X.X +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5

    [18:18:48] 检测到您可能是第一次运行本程序,请根据程序提示输入您的API地 tig.py:71 址,如果没有直接回车即可,但在查询时将不会调用相关模块 请输入您的微步 Api:[填写的是正常的] 请输入您的Fofa邮箱:[填写的是正常的] 请输入您的Fofa Api:[填写的是正常的] Traceback (most recent call last): File "/Users/win/Downloads/tig-0.5/tig.py", line 508, in console.rule("[yellow]正在查询 %s 的情报信息" % ip, align='left', style="yellow") TypeError: rule() got an unexpected keyword argument 'align'

    bug 
    opened by Ew0x68 21
  • 关于tig 调用出现报错

    关于tig 调用出现报错 

    $ python tig.py -i 8.8.8.8

+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
|T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g|
+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
    团队:狼组安全团队   作者:TeamsSix    版本:0.5

正在查询 8.8.8.8 的情报信息 ───────────────────────────────────────────────────────────────────────────────────────────
Traceback (most recent call last):
  File "tig.py", line 509, in <module>
    main(ip, config_path, proxies)
  File "tig.py", line 288, in main
    ThreatBook_result = ThreatBook(ip, config_path)
  File "tig.py", line 149, in ThreatBook
    confidence_level = r_json['data']['%s' % ip]['confidence_level']  # 情报可信度
KeyError: 'data'
    enhancement 
    opened by Aliroe 5
  • 无法正常使用tig

    无法正常使用tig

    报错的内容

    Traceback (most recent call last):
  File ".\tig.py", line 655, in <module>
    main(i, config_path, proxies)
  File ".\tig.py", line 413, in main
    IP_reverse2_result = IP_reverse2(ip, proxies)
  File ".\tig.py", line 238, in IP_reverse2
    for ip in r.json():
  File "D:\python37\lib\site-packages\requests\models.py", line 898, in json
    return complexjson.loads(self.text, **kwargs)
  File "D:\python37\lib\json\__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "D:\python37\lib\json\decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "D:\python37\lib\json\decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    image

    opened by capjie 4
  • add

    add "python-whois" to requirements.txt

    fix ModuleNotFoundError

    [email protected]:~/tig# python3 tig.py
Traceback (most recent call last):
  File "tig.py", line 12, in <module>
    import whois
ModuleNotFoundError: No module named 'whois'
    opened by zhanglei0310 1
  • 功能优化,修复 bug,重构代码

    功能优化,修复 bug,重构代码

    Updata

    更新时间:2022 年 06 月 25 日

    1. 功能优化

    1. 添加了 Nsfocus 威胁情报解析结果,但 API 需要自行获取;

    2. 优化了配置文件,支持添加多个微步 API key,第一个到达上限后,继续读取下一个,突破了微步 API 每日 50 次的限制;

    3. 优化了配置文件,通过对 Nsfocus_enableFOFA_enableRevrse_IP_Lookup_enable 使能开关控制,自定义调整查询结果。

    4. 删除通过请求 api.hackertarget.com 来获取 ip 反查域名,由于请求次数每日免费仅 10 次,因此删除该链接;

    5. 删除 IP 存活判断。通过 ping 来判断 IP 存活的方式,可靠性不高,因此删除函数调用,但保留了该部分函数;

    6. Fofa 官网地址修改,修改了 fofa api 获取地址描述,修改了 fofa api 接口地址请求;

    7. 默认查询单一 IP 不保存文件。实际使用中发现查询单一 ip 威胁情报保存文件的情况并不多,因此修改为默认不保存,但可以通过指定保存文件名的方式来强制保存,示例 python3 tiv.py -i x.x.x.x -o yyyy(.xlsx)yyyy 为文件名,后缀名可加可不加;

    8. 修改批量查询 IP 读取文件内容筛选 ip 的方式,可以无需按照一行一个 ip 的格式进行书写。可随意书写,通过正则方式匹配 x.x.x.x 的格式筛选 ip。

    9. 修改批量查询 ip 默认保存输出文件名,不再以时间戳方式保存,修改为年月日时分秒+ip 个数的方式保存;如 tiv_2022 年 06 月 25 日_16 时 09 分 25 秒_2 个 IP.xlsx

    10. 重构代码逻辑,按照 PEP8 规范优化部分书写方式,添加注释,函数说明,返回正确值 demo,错误值 demo。

    2. bug 修复

    1. 修改了 ip 反查域名时,若包含多个域名列表时,域名信息(备案信息,注册人,注册商等)仅保存最后一个域名信息。域名相关信息保存至 sheet2(域名信息)中。

    2. 修复其他报错情况(如 json 解析异常,whois 返回值未考虑数组等问题),优化进度条被打断等问题。

    opened by m0cun 1
  • 求问,为什么使用fofa的api使用不了呢

    求问,为什么使用fofa的api使用不了呢

    [EROR] 访问 https://fofa.so/api/v1/search/all?email=(我的email)&key=20fa8e7bc14fee2487b42f368a70a8e2&qbase64
    =NDcuMjQwLjczLjc3&size=100 发生错误,错误信息: ReadTimeo
    ut(ReadTimeoutError("HTTPSConnectionPool(host='fofa.so',
    port=443): Read timed out. (read timeout=5)",),)
    [EROR] 查询 47.240.73.77 的 Fofa
    信息发生错误,错误信息:AttributeError("'str' object has
    no attribute 'json'",)

    opened by summernote5288 1
  • error

    error

    Traceback (most recent call last): File "tig.py", line 509, in main(ip, config_path, proxies) File "tig.py", line 288, in main ThreatBook_result = ThreatBook(ip, config_path) File "tig.py", line 149, in ThreatBook confidence_level = r_json['data']['%s' % ip]['confidence_level'] # 情报可信度 KeyError: 'data'

    duplicate enhancement 
    opened by lhr8015 1
  • add

    add "whois" to requirements.txt

    fix ModuleNotFoundError [email protected]:~/tig# python3 tig.py Traceback (most recent call last): File "tig.py", line 12, in import whois ModuleNotFoundError: No module named 'whois'

    opened by zhanglei0310 0
  • 🦋 添加 Linux / Mac tig 命令行快捷方式

    🦋 添加 Linux / Mac tig 命令行快捷方式

    UNIX 安装指南:

    cd /opt/
git clone https://github.com/wgpsec/tig.git
echo '#!/bin/bash
cd /opt/tig
python3 tig.py $@'  > /usr/bin/tig
chmod +x /usr/bin/tig
tig -v
    opened by Ran-Xing 0
  • 请问 更新到0.5.2后就出现这个

    请问 更新到0.5.2后就出现这个

    PS D:\测试工具\蓝队溯源\tig-0.4.2> python3 .\tig.py -i 45.79.1.146

    +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5.2

    ────────────────────────────────────────────────────────────────────── 正在查询 45.79.1.146 的情报信息 ─────────────────────────────────────────────────────────────────────── Traceback (most recent call last): File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 789, in get value = d[option] File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 891, in getitem return self.missing(key) # support subclasses that define missing File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 883, in missing raise KeyError(key) KeyError: 'ti360_cookie'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File ".\tig.py", line 579, in main(ip, config_path, proxies) File ".\tig.py", line 341, in main init_360ti(config_path) File ".\tig.py", line 308, in init_360ti ti_portal = cfg.get('Api Config', 'ti360_cookie').strip("'").strip() File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'ti360_cookie' in section: 'Api Config' image-20210430103433246

    opened by Crazy-FuQing 0
  • IP Passive Information

    IP Passive Information

    Exception in thread Thread-5: Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 789, in get value = d[option] File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 941, in getitem return self.missing(key) # support subclasses that define missing File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 933, in missing raise KeyError(key) KeyError: 'whois_enable'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 954, in _bootstrap_inner self.run() File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 892, in run self._target(*self._args, **self._kwargs) File "/Users/sodme/tools/1.information/tig/tig.py", line 524, in IP_reverse_print IP_reverse_print(ip, config_path, proxies) File "/Users/sodme/tools/1.information/tig/tig.py", line 302, in IP_reverse_print Whois_enable = cfg.get('IP Passive Information', 'Whois_enable') File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'whois_enable' in section: 'IP Passive Information' ➜ tig

    invalid 
    opened by aa506 0
Releases(v0.5.4)

  • v0.5.4(Mar 4, 2022)

  • v0.5.3(Dec 13, 2021)

  • v0.5.2(Apr 21, 2021)

    • 增加微步API获取信息异常的提示
    • 增加针对备案、Whois 查询时的异常处理
    • 增加针对 Fofa 信息查询的异常处理
    Source code(tar.gz)
    Source code(zip)

  • v0.5.1(Apr 21, 2021)

  • v0.5(Apr 20, 2021)

    • 输出格式全面改版
    • 增加导出结果功能
    • 对代码进行大幅度简化

    该版本及后续版本均无需修改配置文件 考虑到微步API对域名查询功能的限制,故未加入域名查询功能

    Source code(tar.gz)
    Source code(zip)

  • v0.4.2(Apr 9, 2021)

  • v0.4.1(Mar 18, 2021)

    • 修复了 Windows 下的一个 Bug
    • 修复了 Fofa 信息提取中的一个 Bug
    • 修复了因为网络问题导致获取随机 User-Agent 报错的问题

    该版本不用重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.4(Mar 16, 2021)

    • 增加多个 IP 反查域名来源,避免接口失效与无法访问的问题
    • 将 Fofa 收集到的域名加入到备案查询中,使输出内容更加全面
    • 增加 whois 信息查询

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.3(Mar 15, 2021)

    • 修复了原 IP 反查域名的 API 接口失效的问题
    • 增加了代理设置,防止频繁使用被封IP
    • 增加了多线程,运行速度更快
    • 优化了输出显示

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.2(Mar 11, 2021)

    • 增加 IP 存活检测
    • 增加 ICP 备案信息查询
    • 优化输出显示,将部分英文输出更改为中文输出

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.1(Mar 10, 2021)

Owner
Wolf Group Security Team
Wolf Group Security Team 狼组安全团队
Wolf Group Security Team
GitHub Repository
This repo created for bypassing Widevine L3 DRM and obtaining keys.

First run: Copy headers (with cookies) of POST license request from browser to headers.py like dictionary. pip install -r requirements.txt # if doesn'

Mikhail 263 Jan 07, 2023
Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

rzx. 1 Dec 29, 2021
Apache Solr SSRF(CVE-2021-27905)

Solr-SSRF Apache Solr SSRF #Use [-] Apache Solr SSRF漏洞 (CVE-2021-27905) [-] Options: -h or --help : 方法说明 -u or --url

Henry4E36 70 Nov 09, 2022
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

3 Dec 04, 2022
logmap: Log4j2 jndi injection fuzz tool

logmap - Log4j2 jndi injection fuzz tool Used for fuzzing to test whether there are log4j2 jndi injection vulnerabilities in header/body/path Use http

之乎者也 67 Oct 25, 2022
script that pulls cve collections from NVD.NIST.GOV.

# cvepull.py #script that pulls cve collections from NVD.NIST.GOV. #edit line 17 (timedelta) number to change the amount of days to search backwards

Aaron W 1 Dec 18, 2021
Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Stefan Marsiske 15 Nov 26, 2022
Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

Take Note! With the exception of issues and PRs regarding changes to hosts/data/StevenBlack/hosts, all other issues regarding the content of the produ

Steven Black 22.1k Jan 02, 2023
Threat research and reporting from IronNet's Threat Research Teams

IronNet Threat Research 🕵️ Overview This repository contains IronNet's Threat Research. Research & Reporting 📝 Project Description Cobalt Strike Res

36 Dec 02, 2022
A Fast Broken Link Hijacker Tool written in Python

Broken Link Hijacker BrokenLinkHijacker(BLH) is a Fast Broken Link Hijacker Tool written in Python.

Mayank Pandey 70 Nov 30, 2022
Use scrapli to retrieve security zone information from a Juniper SRX firewall

Get Security Zones with Scrapli Overview This example will show how to retrieve security zone information on Juniper's SRX firewalls. In addition to t

Calvin Remsburg 2 Jun 19, 2022
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
Remote control your Greenbone Vulnerability Manager (GVM)

Greenbone Vulnerability Management Tools The Greenbone Vulnerability Management Tools gvm-tools are a collection of tools that help with remote contro

Greenbone 130 Dec 17, 2022
OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

omigood (OM I GOOD?) This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threa

Marco Simioni 13 Jul 13, 2022
A terminal based web shell controller

shell-hack Tribute to Chinese ant sword; A Powerful terminal based webshell controller; Usage : Usage : python3 shell-hack.py --url [URL] --w

s1mple 10 Dec 28, 2021
CVE 2020-14871 Solaris exploit

CVE 2020-14871 Solaris exploit This is a basic ROP based exploit for CVE 2020-14871. CVE 2020-14871 is a vulnerability in Sun Solaris systems. The act

Robin Massink 2 Oct 25, 2022
RapiDAST provides a framework for continuous, proactive and fully automated dynamic scanning against web apps/API.

RapiDAST RapiDAST provides a framework for continuous, proactive and fully automated dynamic scanning against web apps/API. Its core engine is OWASP Z

Red Hat Product Security 17 Nov 11, 2022
A simple Log4Shell Scan with python

🐞 Log4Scan 🔧 Log4Shell 简单的主动和被动扫描脚本 Log4scan 针对header头和fuzz参数的主动批量扫描,用于大批量黑盒检测

nul1 6 Aug 04, 2022
Program that mathematically generates and validates CPF numbers

✔️ Gerador e Validador de CPF Programa que gera e valida números de CPF Requisitos • Como usar • Capturas de Tela Requisitos Antes de começar, você va

João Victor Vilela dos Santos 1 Nov 07, 2021
A Python 3 script that uploads a tasks.pickle file that enables RCE in MotionEye

MotionEye/MotionEyeOS Authenticated RCE A Python 3 script that uploads a tasks.pickle file that enables RCE in MotionEye. You need administrator crede

Matt 1 Apr 18, 2022