Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率。

Related tags

Security related resourcestig
Overview

0x00 介绍

tig Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率,目前已集成微步、IP 域名反查、Fofa 信息收集、ICP 备案查询、IP 存活检测五个模块,现已支持以下信息的查询:

  • 微步标签
  • IP 域名反查
  • ICP 备案查询
  • IP 存活检测
  • 开放端口查询
  • ……

后续将集成更多模块,如有好的建议或遇到 Bug 欢迎与我反馈,我的微信号:teamssix_com

0x01 安装

需要 python3 环境支持

pip3 install -r requirements.txt
python3 tig.py

0x02 使用

工具命令如下:

-h HELP			查看帮助信息
-i IP       目标 IP
-f FILE     IP 文本,一行一个
-c CONFIG   指定配置文件,默认 ./config.ini

在开始使用工具之前,需要对配置文件进行配置,默认配置文件如下:

[Threat Intelligence]

# 微步威胁情报查询,查看 api 地址:https://x.threatbook.cn/nodev4/vb4/myAPI(每天 50 次的免费额度)
ThreatBook_enable = true
ThreatBook_api = ''

[IP Passive Information]

# IP 反查,调用 http://api.webscan.cc/ 的 api
IP_reverse_enable = true

# ICP 备案信息查询,调用 https://api.vvhan.com/api/icp 的 api,如果目标 IP 没有反查到域名,该项即使开启也不会有输出
ICP_beian_enable = true

# Fofa ip 信息查询,查看 api 地址:https://fofa.so/user/users/detail(付费,普通会员每次100条,高级会员每次10000条)
Fofa_enable = true
Fofa_email = ''
Fofa_api = ''

[IP Active Information]

# 利用 ping 命令对 IP 进行存活检测
IP_survive_enable = true

在配置文件里添加自己的微步 API 和 Fofa API 才可使用相关模块,添加 API 后,就可以正常使用相关模块了。

例如这里获取某个 IP 的信息,直接使用 -i 命令即可。

0x03 最后

如果在工具使用的过程中发现存在 bug 等问题,欢迎与我反馈,我的微信号:teamssix_com

Comments
  • 是有BUG吗?

    是有BUG吗?

    python3 tig.py -i X.X.X.X +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5

    [18:18:48] 检测到您可能是第一次运行本程序,请根据程序提示输入您的API地 tig.py:71 址,如果没有直接回车即可,但在查询时将不会调用相关模块 请输入您的微步 Api:[填写的是正常的] 请输入您的Fofa邮箱:[填写的是正常的] 请输入您的Fofa Api:[填写的是正常的] Traceback (most recent call last): File "/Users/win/Downloads/tig-0.5/tig.py", line 508, in console.rule("[yellow]正在查询 %s 的情报信息" % ip, align='left', style="yellow") TypeError: rule() got an unexpected keyword argument 'align'

    bug 
    opened by Ew0x68 21
  • 关于tig 调用出现报错

    关于tig 调用出现报错 

    $ python tig.py -i 8.8.8.8

+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
|T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g|
+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
    团队:狼组安全团队   作者:TeamsSix    版本:0.5

正在查询 8.8.8.8 的情报信息 ───────────────────────────────────────────────────────────────────────────────────────────
Traceback (most recent call last):
  File "tig.py", line 509, in <module>
    main(ip, config_path, proxies)
  File "tig.py", line 288, in main
    ThreatBook_result = ThreatBook(ip, config_path)
  File "tig.py", line 149, in ThreatBook
    confidence_level = r_json['data']['%s' % ip]['confidence_level']  # 情报可信度
KeyError: 'data'
    enhancement 
    opened by Aliroe 5
  • 无法正常使用tig

    无法正常使用tig

    报错的内容

    Traceback (most recent call last):
  File ".\tig.py", line 655, in <module>
    main(i, config_path, proxies)
  File ".\tig.py", line 413, in main
    IP_reverse2_result = IP_reverse2(ip, proxies)
  File ".\tig.py", line 238, in IP_reverse2
    for ip in r.json():
  File "D:\python37\lib\site-packages\requests\models.py", line 898, in json
    return complexjson.loads(self.text, **kwargs)
  File "D:\python37\lib\json\__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "D:\python37\lib\json\decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "D:\python37\lib\json\decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    image

    opened by capjie 4
  • add

    add "python-whois" to requirements.txt

    fix ModuleNotFoundError

    [email protected]:~/tig# python3 tig.py
Traceback (most recent call last):
  File "tig.py", line 12, in <module>
    import whois
ModuleNotFoundError: No module named 'whois'
    opened by zhanglei0310 1
  • 功能优化,修复 bug,重构代码

    功能优化,修复 bug,重构代码

    Updata

    更新时间:2022 年 06 月 25 日

    1. 功能优化

    1. 添加了 Nsfocus 威胁情报解析结果,但 API 需要自行获取;

    2. 优化了配置文件,支持添加多个微步 API key,第一个到达上限后,继续读取下一个,突破了微步 API 每日 50 次的限制;

    3. 优化了配置文件,通过对 Nsfocus_enableFOFA_enableRevrse_IP_Lookup_enable 使能开关控制,自定义调整查询结果。

    4. 删除通过请求 api.hackertarget.com 来获取 ip 反查域名,由于请求次数每日免费仅 10 次,因此删除该链接;

    5. 删除 IP 存活判断。通过 ping 来判断 IP 存活的方式,可靠性不高,因此删除函数调用,但保留了该部分函数;

    6. Fofa 官网地址修改,修改了 fofa api 获取地址描述,修改了 fofa api 接口地址请求;

    7. 默认查询单一 IP 不保存文件。实际使用中发现查询单一 ip 威胁情报保存文件的情况并不多,因此修改为默认不保存,但可以通过指定保存文件名的方式来强制保存,示例 python3 tiv.py -i x.x.x.x -o yyyy(.xlsx)yyyy 为文件名,后缀名可加可不加;

    8. 修改批量查询 IP 读取文件内容筛选 ip 的方式,可以无需按照一行一个 ip 的格式进行书写。可随意书写,通过正则方式匹配 x.x.x.x 的格式筛选 ip。

    9. 修改批量查询 ip 默认保存输出文件名,不再以时间戳方式保存,修改为年月日时分秒+ip 个数的方式保存;如 tiv_2022 年 06 月 25 日_16 时 09 分 25 秒_2 个 IP.xlsx

    10. 重构代码逻辑,按照 PEP8 规范优化部分书写方式,添加注释,函数说明,返回正确值 demo,错误值 demo。

    2. bug 修复

    1. 修改了 ip 反查域名时,若包含多个域名列表时,域名信息(备案信息,注册人,注册商等)仅保存最后一个域名信息。域名相关信息保存至 sheet2(域名信息)中。

    2. 修复其他报错情况(如 json 解析异常,whois 返回值未考虑数组等问题),优化进度条被打断等问题。

    opened by m0cun 1
  • 求问,为什么使用fofa的api使用不了呢

    求问,为什么使用fofa的api使用不了呢

    [EROR] 访问 https://fofa.so/api/v1/search/all?email=(我的email)&key=20fa8e7bc14fee2487b42f368a70a8e2&qbase64
    =NDcuMjQwLjczLjc3&size=100 发生错误,错误信息: ReadTimeo
    ut(ReadTimeoutError("HTTPSConnectionPool(host='fofa.so',
    port=443): Read timed out. (read timeout=5)",),)
    [EROR] 查询 47.240.73.77 的 Fofa
    信息发生错误,错误信息:AttributeError("'str' object has
    no attribute 'json'",)

    opened by summernote5288 1
  • error

    error

    Traceback (most recent call last): File "tig.py", line 509, in main(ip, config_path, proxies) File "tig.py", line 288, in main ThreatBook_result = ThreatBook(ip, config_path) File "tig.py", line 149, in ThreatBook confidence_level = r_json['data']['%s' % ip]['confidence_level'] # 情报可信度 KeyError: 'data'

    duplicate enhancement 
    opened by lhr8015 1
  • add

    add "whois" to requirements.txt

    fix ModuleNotFoundError [email protected]:~/tig# python3 tig.py Traceback (most recent call last): File "tig.py", line 12, in import whois ModuleNotFoundError: No module named 'whois'

    opened by zhanglei0310 0
  • 🦋 添加 Linux / Mac tig 命令行快捷方式

    🦋 添加 Linux / Mac tig 命令行快捷方式

    UNIX 安装指南:

    cd /opt/
git clone https://github.com/wgpsec/tig.git
echo '#!/bin/bash
cd /opt/tig
python3 tig.py $@'  > /usr/bin/tig
chmod +x /usr/bin/tig
tig -v
    opened by Ran-Xing 0
  • 请问 更新到0.5.2后就出现这个

    请问 更新到0.5.2后就出现这个

    PS D:\测试工具\蓝队溯源\tig-0.4.2> python3 .\tig.py -i 45.79.1.146

    +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5.2

    ────────────────────────────────────────────────────────────────────── 正在查询 45.79.1.146 的情报信息 ─────────────────────────────────────────────────────────────────────── Traceback (most recent call last): File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 789, in get value = d[option] File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 891, in getitem return self.missing(key) # support subclasses that define missing File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 883, in missing raise KeyError(key) KeyError: 'ti360_cookie'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File ".\tig.py", line 579, in main(ip, config_path, proxies) File ".\tig.py", line 341, in main init_360ti(config_path) File ".\tig.py", line 308, in init_360ti ti_portal = cfg.get('Api Config', 'ti360_cookie').strip("'").strip() File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'ti360_cookie' in section: 'Api Config' image-20210430103433246

    opened by Crazy-FuQing 0
  • IP Passive Information

    IP Passive Information

    Exception in thread Thread-5: Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 789, in get value = d[option] File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 941, in getitem return self.missing(key) # support subclasses that define missing File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 933, in missing raise KeyError(key) KeyError: 'whois_enable'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 954, in _bootstrap_inner self.run() File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 892, in run self._target(*self._args, **self._kwargs) File "/Users/sodme/tools/1.information/tig/tig.py", line 524, in IP_reverse_print IP_reverse_print(ip, config_path, proxies) File "/Users/sodme/tools/1.information/tig/tig.py", line 302, in IP_reverse_print Whois_enable = cfg.get('IP Passive Information', 'Whois_enable') File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'whois_enable' in section: 'IP Passive Information' ➜ tig

    invalid 
    opened by aa506 0
Releases(v0.5.4)

  • v0.5.4(Mar 4, 2022)

  • v0.5.3(Dec 13, 2021)

  • v0.5.2(Apr 21, 2021)

    • 增加微步API获取信息异常的提示
    • 增加针对备案、Whois 查询时的异常处理
    • 增加针对 Fofa 信息查询的异常处理
    Source code(tar.gz)
    Source code(zip)

  • v0.5.1(Apr 21, 2021)

  • v0.5(Apr 20, 2021)

    • 输出格式全面改版
    • 增加导出结果功能
    • 对代码进行大幅度简化

    该版本及后续版本均无需修改配置文件 考虑到微步API对域名查询功能的限制,故未加入域名查询功能

    Source code(tar.gz)
    Source code(zip)

  • v0.4.2(Apr 9, 2021)

  • v0.4.1(Mar 18, 2021)

    • 修复了 Windows 下的一个 Bug
    • 修复了 Fofa 信息提取中的一个 Bug
    • 修复了因为网络问题导致获取随机 User-Agent 报错的问题

    该版本不用重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.4(Mar 16, 2021)

    • 增加多个 IP 反查域名来源,避免接口失效与无法访问的问题
    • 将 Fofa 收集到的域名加入到备案查询中,使输出内容更加全面
    • 增加 whois 信息查询

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.3(Mar 15, 2021)

    • 修复了原 IP 反查域名的 API 接口失效的问题
    • 增加了代理设置,防止频繁使用被封IP
    • 增加了多线程,运行速度更快
    • 优化了输出显示

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.2(Mar 11, 2021)

    • 增加 IP 存活检测
    • 增加 ICP 备案信息查询
    • 优化输出显示,将部分英文输出更改为中文输出

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.1(Mar 10, 2021)

Owner
Wolf Group Security Team
Wolf Group Security Team 狼组安全团队
Wolf Group Security Team
GitHub Repository
Repository for a project of the course EP2520 Building Networked Systems Security

EP2520_ACME_Project Repository for a project of the course EP2520 Building Networked Systems Security in Royal Institute of Technology (KTH), Stockhol

1 Dec 11, 2021
TLaunch: Launch Programs on Multiple Hosts

TLaunch: Launch Programs on Multiple Hosts Introduction Deepmind launchpad is a library that helps writing distributed program in a simple way. But cu

Tsinghua AI Research Team for Reinforcement Learning 11 Nov 11, 2022
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

dvm 8.1k Dec 31, 2022
ShoLister - a tool that collects all available subdomains for specific hostname or organization from Shodan

ShoLister is a tool that collects all available subdomains for specific hostname or organization from Shodan. The tool is designed to be used from Penetration Tester and Bug Bounty Hunters.

Eslam Akl 45 Dec 28, 2022
Official repository for Pyew.

pyew Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE

Joxean 362 Nov 28, 2022
An auxiliary tool for iot vulnerability hunter

firmeye - IoT固件漏洞挖掘工具 firmeye 是一个 IDA 插件,基于敏感函数参数回溯来辅助漏洞挖掘。我们知道,在固件漏洞挖掘中,从敏感/危险函数出发,寻找其参数来源,是一种很有效的漏洞挖掘方法,但程序中调用敏感函数的地方非常多,人工分析耗时费力,通过该插件,可以帮助排除大部分的安全

Firmy Yang 171 Nov 28, 2022
An OSINT tool that searches for devices directly connected to the internet (IoT) with a user specified query. It returns results for Webcams, Traffic lights, Refridgerators, Smart TVs etc.

An OSINT tool that searches for devices directly connected to the internet (IoT) with a user specified query. It returns results for Webcams, Traffic

Richard Mwewa 48 Nov 20, 2022
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Introduction evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. It can process a high numbe

NVISO 116 Dec 29, 2022
Flutter Reverse Engineering Framework

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization p

PT SWARM 910 Jan 01, 2023
A security system to warn you when people enter your room 🎥

Get Out My Room v0.1 I hate people coming in my room when i'm not there. Get Out My Room is a simple security system that sends notifications with vid

ScriptLine 1 Jan 11, 2022
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
Hashpic - Hashpic creates an image from a MD5 or SHA512 hash

Hashpic Hashpic creates an image from the MD5 hash of your input. Since v0.2.0 i

0xflotus 15 Nov 23, 2022
A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

3 Sep 26, 2022
A simple Outline Server Access Key Copy and Paste Web Interface

Outline Keychain A simple Outline Server Access Key Copy and Paste Web Interface Developed for key and password export and copy & paste for other Shad

Zhe 1 Dec 28, 2021
An easy-to-use wrapper for NTFS-3G on macOS

ezNTFS ezNTFS is an easy-to-use wrapper for NTFS-3G on macOS. ezNTFS can be used as a menu bar app, or via the CLI in the terminal. Installation To us

Matthew Go 34 Dec 01, 2022
Brute force attack tool for Azure AD Autologon/Seamless SSO

Brute force attack tool for Azure AD Autologon

nyxgeek 89 Jan 02, 2023
Privilege escalation with polkit - CVE-2021-3560

Polkit-exploit - CVE-2021-3560 Privilege escalation with polkit - CVE-2021-3560 Summary CVE-2021-3560 is an authentication bypass on polkit, which all

Ahmad Almorabea 95 Dec 27, 2022
带回显版本的漏洞利用脚本

CVE-2021-21978 带回显版本的漏洞利用脚本,更简单的方式 0. 漏洞信息 VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py,即可实现RCE 漏洞代码

3ky7in4 24 Nov 09, 2022
Scarecrow is a tool written in Python3 allowing you to protect your Python3 scripts.

🕷️ Scarecrow 🕷️ Scarecrow is a tool written in Python3 allowing you to protect your Python3 scripts. It looks for processes with specific names to v

Billy 33 Sep 28, 2022