Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率。

Related tags

Security related resourcestig
Overview

0x00 介绍

tig Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率,目前已集成微步、IP 域名反查、Fofa 信息收集、ICP 备案查询、IP 存活检测五个模块,现已支持以下信息的查询:

  • 微步标签
  • IP 域名反查
  • ICP 备案查询
  • IP 存活检测
  • 开放端口查询
  • ……

后续将集成更多模块,如有好的建议或遇到 Bug 欢迎与我反馈,我的微信号:teamssix_com

0x01 安装

需要 python3 环境支持

pip3 install -r requirements.txt
python3 tig.py

0x02 使用

工具命令如下:

-h HELP			查看帮助信息
-i IP       目标 IP
-f FILE     IP 文本,一行一个
-c CONFIG   指定配置文件,默认 ./config.ini

在开始使用工具之前,需要对配置文件进行配置,默认配置文件如下:

[Threat Intelligence]

# 微步威胁情报查询,查看 api 地址:https://x.threatbook.cn/nodev4/vb4/myAPI(每天 50 次的免费额度)
ThreatBook_enable = true
ThreatBook_api = ''

[IP Passive Information]

# IP 反查,调用 http://api.webscan.cc/ 的 api
IP_reverse_enable = true

# ICP 备案信息查询,调用 https://api.vvhan.com/api/icp 的 api,如果目标 IP 没有反查到域名,该项即使开启也不会有输出
ICP_beian_enable = true

# Fofa ip 信息查询,查看 api 地址:https://fofa.so/user/users/detail(付费,普通会员每次100条,高级会员每次10000条)
Fofa_enable = true
Fofa_email = ''
Fofa_api = ''

[IP Active Information]

# 利用 ping 命令对 IP 进行存活检测
IP_survive_enable = true

在配置文件里添加自己的微步 API 和 Fofa API 才可使用相关模块,添加 API 后,就可以正常使用相关模块了。

例如这里获取某个 IP 的信息,直接使用 -i 命令即可。

0x03 最后

如果在工具使用的过程中发现存在 bug 等问题,欢迎与我反馈,我的微信号:teamssix_com

Comments
  • 是有BUG吗?

    是有BUG吗?

    python3 tig.py -i X.X.X.X +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5

    [18:18:48] 检测到您可能是第一次运行本程序,请根据程序提示输入您的API地 tig.py:71 址,如果没有直接回车即可,但在查询时将不会调用相关模块 请输入您的微步 Api:[填写的是正常的] 请输入您的Fofa邮箱:[填写的是正常的] 请输入您的Fofa Api:[填写的是正常的] Traceback (most recent call last): File "/Users/win/Downloads/tig-0.5/tig.py", line 508, in console.rule("[yellow]正在查询 %s 的情报信息" % ip, align='left', style="yellow") TypeError: rule() got an unexpected keyword argument 'align'

    bug 
    opened by Ew0x68 21
  • 关于tig 调用出现报错

    关于tig 调用出现报错 

    $ python tig.py -i 8.8.8.8

+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
|T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g|
+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
    团队:狼组安全团队   作者:TeamsSix    版本:0.5

正在查询 8.8.8.8 的情报信息 ───────────────────────────────────────────────────────────────────────────────────────────
Traceback (most recent call last):
  File "tig.py", line 509, in <module>
    main(ip, config_path, proxies)
  File "tig.py", line 288, in main
    ThreatBook_result = ThreatBook(ip, config_path)
  File "tig.py", line 149, in ThreatBook
    confidence_level = r_json['data']['%s' % ip]['confidence_level']  # 情报可信度
KeyError: 'data'
    enhancement 
    opened by Aliroe 5
  • 无法正常使用tig

    无法正常使用tig

    报错的内容

    Traceback (most recent call last):
  File ".\tig.py", line 655, in <module>
    main(i, config_path, proxies)
  File ".\tig.py", line 413, in main
    IP_reverse2_result = IP_reverse2(ip, proxies)
  File ".\tig.py", line 238, in IP_reverse2
    for ip in r.json():
  File "D:\python37\lib\site-packages\requests\models.py", line 898, in json
    return complexjson.loads(self.text, **kwargs)
  File "D:\python37\lib\json\__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "D:\python37\lib\json\decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "D:\python37\lib\json\decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    image

    opened by capjie 4
  • add

    add "python-whois" to requirements.txt

    fix ModuleNotFoundError

    [email protected]:~/tig# python3 tig.py
Traceback (most recent call last):
  File "tig.py", line 12, in <module>
    import whois
ModuleNotFoundError: No module named 'whois'
    opened by zhanglei0310 1
  • 功能优化,修复 bug,重构代码

    功能优化,修复 bug,重构代码

    Updata

    更新时间:2022 年 06 月 25 日

    1. 功能优化

    1. 添加了 Nsfocus 威胁情报解析结果,但 API 需要自行获取;

    2. 优化了配置文件,支持添加多个微步 API key,第一个到达上限后,继续读取下一个,突破了微步 API 每日 50 次的限制;

    3. 优化了配置文件,通过对 Nsfocus_enableFOFA_enableRevrse_IP_Lookup_enable 使能开关控制,自定义调整查询结果。

    4. 删除通过请求 api.hackertarget.com 来获取 ip 反查域名,由于请求次数每日免费仅 10 次,因此删除该链接;

    5. 删除 IP 存活判断。通过 ping 来判断 IP 存活的方式,可靠性不高,因此删除函数调用,但保留了该部分函数;

    6. Fofa 官网地址修改,修改了 fofa api 获取地址描述,修改了 fofa api 接口地址请求;

    7. 默认查询单一 IP 不保存文件。实际使用中发现查询单一 ip 威胁情报保存文件的情况并不多,因此修改为默认不保存,但可以通过指定保存文件名的方式来强制保存,示例 python3 tiv.py -i x.x.x.x -o yyyy(.xlsx)yyyy 为文件名,后缀名可加可不加;

    8. 修改批量查询 IP 读取文件内容筛选 ip 的方式,可以无需按照一行一个 ip 的格式进行书写。可随意书写,通过正则方式匹配 x.x.x.x 的格式筛选 ip。

    9. 修改批量查询 ip 默认保存输出文件名,不再以时间戳方式保存,修改为年月日时分秒+ip 个数的方式保存;如 tiv_2022 年 06 月 25 日_16 时 09 分 25 秒_2 个 IP.xlsx

    10. 重构代码逻辑,按照 PEP8 规范优化部分书写方式,添加注释,函数说明,返回正确值 demo,错误值 demo。

    2. bug 修复

    1. 修改了 ip 反查域名时,若包含多个域名列表时,域名信息(备案信息,注册人,注册商等)仅保存最后一个域名信息。域名相关信息保存至 sheet2(域名信息)中。

    2. 修复其他报错情况(如 json 解析异常,whois 返回值未考虑数组等问题),优化进度条被打断等问题。

    opened by m0cun 1
  • 求问,为什么使用fofa的api使用不了呢

    求问,为什么使用fofa的api使用不了呢

    [EROR] 访问 https://fofa.so/api/v1/search/all?email=(我的email)&key=20fa8e7bc14fee2487b42f368a70a8e2&qbase64
    =NDcuMjQwLjczLjc3&size=100 发生错误,错误信息: ReadTimeo
    ut(ReadTimeoutError("HTTPSConnectionPool(host='fofa.so',
    port=443): Read timed out. (read timeout=5)",),)
    [EROR] 查询 47.240.73.77 的 Fofa
    信息发生错误,错误信息:AttributeError("'str' object has
    no attribute 'json'",)

    opened by summernote5288 1
  • error

    error

    Traceback (most recent call last): File "tig.py", line 509, in main(ip, config_path, proxies) File "tig.py", line 288, in main ThreatBook_result = ThreatBook(ip, config_path) File "tig.py", line 149, in ThreatBook confidence_level = r_json['data']['%s' % ip]['confidence_level'] # 情报可信度 KeyError: 'data'

    duplicate enhancement 
    opened by lhr8015 1
  • add

    add "whois" to requirements.txt

    fix ModuleNotFoundError [email protected]:~/tig# python3 tig.py Traceback (most recent call last): File "tig.py", line 12, in import whois ModuleNotFoundError: No module named 'whois'

    opened by zhanglei0310 0
  • 🦋 添加 Linux / Mac tig 命令行快捷方式

    🦋 添加 Linux / Mac tig 命令行快捷方式

    UNIX 安装指南:

    cd /opt/
git clone https://github.com/wgpsec/tig.git
echo '#!/bin/bash
cd /opt/tig
python3 tig.py $@'  > /usr/bin/tig
chmod +x /usr/bin/tig
tig -v
    opened by Ran-Xing 0
  • 请问 更新到0.5.2后就出现这个

    请问 更新到0.5.2后就出现这个

    PS D:\测试工具\蓝队溯源\tig-0.4.2> python3 .\tig.py -i 45.79.1.146

    +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5.2

    ────────────────────────────────────────────────────────────────────── 正在查询 45.79.1.146 的情报信息 ─────────────────────────────────────────────────────────────────────── Traceback (most recent call last): File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 789, in get value = d[option] File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 891, in getitem return self.missing(key) # support subclasses that define missing File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 883, in missing raise KeyError(key) KeyError: 'ti360_cookie'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File ".\tig.py", line 579, in main(ip, config_path, proxies) File ".\tig.py", line 341, in main init_360ti(config_path) File ".\tig.py", line 308, in init_360ti ti_portal = cfg.get('Api Config', 'ti360_cookie').strip("'").strip() File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'ti360_cookie' in section: 'Api Config' image-20210430103433246

    opened by Crazy-FuQing 0
  • IP Passive Information

    IP Passive Information

    Exception in thread Thread-5: Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 789, in get value = d[option] File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 941, in getitem return self.missing(key) # support subclasses that define missing File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 933, in missing raise KeyError(key) KeyError: 'whois_enable'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 954, in _bootstrap_inner self.run() File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 892, in run self._target(*self._args, **self._kwargs) File "/Users/sodme/tools/1.information/tig/tig.py", line 524, in IP_reverse_print IP_reverse_print(ip, config_path, proxies) File "/Users/sodme/tools/1.information/tig/tig.py", line 302, in IP_reverse_print Whois_enable = cfg.get('IP Passive Information', 'Whois_enable') File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'whois_enable' in section: 'IP Passive Information' ➜ tig

    invalid 
    opened by aa506 0
Releases(v0.5.4)

  • v0.5.4(Mar 4, 2022)

  • v0.5.3(Dec 13, 2021)

  • v0.5.2(Apr 21, 2021)

    • 增加微步API获取信息异常的提示
    • 增加针对备案、Whois 查询时的异常处理
    • 增加针对 Fofa 信息查询的异常处理
    Source code(tar.gz)
    Source code(zip)

  • v0.5.1(Apr 21, 2021)

  • v0.5(Apr 20, 2021)

    • 输出格式全面改版
    • 增加导出结果功能
    • 对代码进行大幅度简化

    该版本及后续版本均无需修改配置文件 考虑到微步API对域名查询功能的限制,故未加入域名查询功能

    Source code(tar.gz)
    Source code(zip)

  • v0.4.2(Apr 9, 2021)

  • v0.4.1(Mar 18, 2021)

    • 修复了 Windows 下的一个 Bug
    • 修复了 Fofa 信息提取中的一个 Bug
    • 修复了因为网络问题导致获取随机 User-Agent 报错的问题

    该版本不用重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.4(Mar 16, 2021)

    • 增加多个 IP 反查域名来源,避免接口失效与无法访问的问题
    • 将 Fofa 收集到的域名加入到备案查询中,使输出内容更加全面
    • 增加 whois 信息查询

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.3(Mar 15, 2021)

    • 修复了原 IP 反查域名的 API 接口失效的问题
    • 增加了代理设置,防止频繁使用被封IP
    • 增加了多线程,运行速度更快
    • 优化了输出显示

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.2(Mar 11, 2021)

    • 增加 IP 存活检测
    • 增加 ICP 备案信息查询
    • 优化输出显示,将部分英文输出更改为中文输出

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.1(Mar 10, 2021)

Owner
Wolf Group Security Team
Wolf Group Security Team 狼组安全团队
Wolf Group Security Team
GitHub Repository
Discord-keylogger - Discord keylogger With Python

Discord-keylogger Usage python dlogger.py -t [Time interval in sec] if not speci

Satwik Sinha 1 Jan 30, 2022
Simple script for looping a Denial Of Service (DoS) attack over one single mac address in range

Bluetooth Simple Denial Of Service (DoS) Legal Note This project is made only for educational purposes and for helping in Proofs of Concept. The autho

1 Jan 09, 2022
Find existing email addresses by nickname using API/SMTP checking methods without user notification. Please, don't hesitate to improve cat's job! 🐱🔎 📬

mailcat The only cat who can find existing email addresses by nickname. Usage First install requirements: pip3 install -r requirements.txt Then just

282 Dec 30, 2022
FBGen is simple facebook user based wordlist generator using Username/ID and cookie.

FBGen is simple facebook user based wordlist generator using Username/ID and cookie.

2 Jul 20, 2022
Malware arcane - Scripts and notes on my malware analysis journey

Malware Arcane Repository of notes and scripts I use when doing malware analysis

9 Jun 01, 2022
A Telegram Bot to force users to join a specific channel before sending messages in a group.

Promoter A Telegram Bot to force users to join a specific channel before sending messages in a group. Introduction A Telegram Bot to force users to jo

Mr. Dynamic 1 Jan 27, 2022
🍉一款基于Python-Django的多功能Web安全渗透测试工具,包含漏洞扫描,端口扫描,指纹识别,目录扫描,旁站扫描,域名扫描等功能。

Sec-Tools 项目介绍 系统简介 本项目命名为Sec-Tools,是一款基于 Python-Django 的在线多功能 Web 应用渗透测试系统,包含漏洞检测、目录识别、端口扫描、指纹识别、域名探测、旁站探测、信息泄露检测等功能。本系统通过旁站探测和域名探测功能对待检测网站进行资产收集,通过端

简简 300 Jan 07, 2023
This tool ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information that allows them to know in advance if this library complies with processes.

This tool gives developers, researchers and companies the ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information

Telefónica 66 Nov 08, 2022
The RDT protocol (RDT3.0,GBN,SR) implementation and performance evaluation code using socket

소켓을 이용한 RDT protocols (RDT3.0,GBN,SR) 구현 및 성능 평가 코드 입니다. 코드를 실행할때 리시버를 먼저 실행하세요. 성능 평가 코드는 패킷 전송 과정을 제외하고 시간당 전송률을 출력합니다. RDT3.0 GBN SR(버그 발견으로 구현중 입니

kimtaeyong98 0 Dec 20, 2021
Arbitrium is a cross-platform, fully undetectable remote access trojan, to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding rules

About: Arbitrium is a cross-platform is a remote access trojan (RAT), Fully UnDetectable (FUD), It allows you to control Android, Windows and Linux an

Ayoub 861 Feb 18, 2021
Bypass ReCaptcha: A Python script for dealing with recaptcha

Bypass ReCaptcha Bypass ReCaptcha is a Python script for dealing with recaptcha.

Marcos Camargo 1 Jan 11, 2022
This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks.

This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks. The goal is to successfully use this notebook project below with Security Onion for beacon detection

4 Jun 08, 2022
Tools for converting Nintendo DS binaries to an ELF file for Ghidra/IDA

nds2elf Requirements nds2elf.py uses LIEF and template.elf to form a new binary. LIEF is available via pip: pip3 install lief Usage DSi and DSi-enhan

Max Thomas 17 Aug 14, 2022
vulnerable APIs

vulnerable-apis vulnerable APIs inspired by https://github.com/mattvaldes/vulnerable-api Setup Docker If, Out of the box docker pull kmmanoj/vulnerabl

9 Jun 01, 2022
A honey token manager and alert system for AWS.

SpaceSiren SpaceSiren is a honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey token

287 Nov 09, 2022
An Advanced Local Network IP Scanner, made in python of course!

██╗██████╗    ██████╗ █████╗ █████╗ ███╗ ██╗███╗ ██╗███████╗██████╗ ██║██╔══██╗  ██╔════╝██╔══██╗██╔══██╗████╗ ██║████╗ ██║██╔════╝██╔══██

Polsulpicien 2 Dec 18, 2021
A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities

Shodan Quick Recon A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities Configuration You must edit the python code, and in

Black Hat Ethical Hacking 5 Aug 09, 2022
Mips script decompiles MIPS assembly instructions & bot functionality

mips mips is a python-based script that decodes MIPS instructions. Usage cd into mips and run python decode.py command or open decode.py to run the sc

Anthony Tedja 0 Mar 30, 2022
It's a simple tool for test vulnerability shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to ex

Mr. Cl0wn - H4ck1ng C0d3r 88 Dec 23, 2022
Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

OMIGOD Proof on Concept Exploit for CVE-2021-38647 (OMIGOD) For background information and context, read the our blog post detailing this vulnerabilit

Horizon 3 AI Inc 231 Nov 12, 2022