ail-framework/bin/Credential.py

199 lines
7.5 KiB
Python
Raw Normal View History

2018-05-04 11:53:29 +00:00
#!/usr/bin/env python3
2016-02-05 15:15:09 +00:00
# -*-coding:UTF-8 -*
"""
The Credential Module
=====================
This module is consuming the Redis-list created by the Categ module.
2020-05-20 15:03:58 +00:00
It apply credential regexes on item content and warn if above a threshold.
2017-07-18 14:57:15 +00:00
It also split the username and store it into redis for searching purposes.
Redis organization:
uniqNumForUsername: unique number attached to unique username
uniqNumForPath: unique number attached to unique path
2017-07-20 08:24:48 +00:00
-> uniqNum are used to avoid string duplication
2017-07-18 14:57:15 +00:00
AllCredentials: hashed set where keys are username and value are their uniq number
AllCredentialsRev: the opposite of AllCredentials, uniqNum -> username
AllPath: hashed set where keys are path and value are their uniq number
AllPathRev: the opposite of AllPath, uniqNum -> path
CredToPathMapping_uniqNumForUsername -> (set) -> uniqNumForPath
2017-07-18 14:57:15 +00:00
"""
2016-02-05 15:15:09 +00:00
import time
2020-05-20 15:03:58 +00:00
import os
import sys
import datetime
2016-02-05 15:15:09 +00:00
import re
2017-07-18 14:57:15 +00:00
import redis
from pyfaup.faup import Faup
2016-02-05 15:15:09 +00:00
2020-05-20 15:03:58 +00:00
from pubsublogger import publisher
from Helper import Process
2020-05-04 09:02:24 +00:00
2020-05-20 15:03:58 +00:00
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages'))
import Item
2020-05-04 09:02:24 +00:00
2020-05-20 15:03:58 +00:00
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'lib/'))
import ConfigLoader
import regex_helper
## LOAD CONFIG ##
config_loader = ConfigLoader.ConfigLoader()
server_cred = config_loader.get_redis_conn("ARDB_TermCred")
server_statistics = config_loader.get_redis_conn("ARDB_Statistics")
minimumLengthThreshold = config_loader.get_config_int("Credential", "minimumLengthThreshold")
criticalNumberToAlert = config_loader.get_config_int("Credential", "criticalNumberToAlert")
minTopPassList = config_loader.get_config_int("Credential", "minTopPassList")
config_loader = None
## -- ##
import signal
2020-05-04 09:02:24 +00:00
max_execution_time = 30
2017-07-18 14:57:15 +00:00
#split username with spec. char or with upper case, distinguish start with upper
REGEX_CRED = "[a-z]+|[A-Z]{3,}|[A-Z]{1,2}[a-z]+|[0-9]+"
REDIS_KEY_NUM_USERNAME = 'uniqNumForUsername'
REDIS_KEY_NUM_PATH = 'uniqNumForUsername'
REDIS_KEY_ALL_CRED_SET = 'AllCredentials'
REDIS_KEY_ALL_CRED_SET_REV = 'AllCredentialsRev'
REDIS_KEY_ALL_PATH_SET = 'AllPath'
REDIS_KEY_ALL_PATH_SET_REV = 'AllPathRev'
REDIS_KEY_MAP_CRED_TO_PATH = 'CredToPathMapping'
if __name__ == "__main__":
publisher.port = 6380
publisher.channel = "Script"
config_section = "Credential"
2020-05-20 15:03:58 +00:00
module_name = "Credential"
p = Process(config_section)
publisher.info("Find credentials")
2018-04-16 12:50:04 +00:00
faup = Faup()
2020-05-20 15:03:58 +00:00
regex_web = "((?:https?:\/\/)[\.-_0-9a-zA-Z]+\.[0-9a-zA-Z]+)"
2018-04-16 12:50:04 +00:00
#regex_cred = "[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}:[a-zA-Z0-9\_\-]+"
regex_cred = "[a-zA-Z0-9\\._-]+@[a-zA-Z0-9\\.-]+\.[a-zA-Z]{2,6}[\\rn :\_\-]{1,10}[a-zA-Z0-9\_\-]+"
regex_site_for_stats = "@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}:"
2020-05-20 15:03:58 +00:00
redis_cache_key = regex_helper.generate_redis_cache_key(module_name)
while True:
message = p.get_from_set()
2020-05-20 15:03:58 +00:00
if message is None:
publisher.debug("Script Credential is Idling 10s")
2018-05-04 11:53:29 +00:00
time.sleep(10)
continue
2020-05-20 15:03:58 +00:00
item_id, count = message.split()
2020-05-20 15:03:58 +00:00
item_content = Item.get_item_content(item_id)
2020-05-04 09:02:24 +00:00
2020-05-20 15:03:58 +00:00
# Extract all credentials
all_credentials = regex_helper.regex_findall(module_name, redis_cache_key, regex_cred, item_content, max_time=max_execution_time)
2020-05-04 09:02:24 +00:00
2020-05-20 15:03:58 +00:00
if not all_credentials:
2020-05-04 09:02:24 +00:00
continue
2020-05-20 15:03:58 +00:00
all_sites = regex_helper.regex_findall(module_name, redis_cache_key, regex_web, item_content, max_time=max_execution_time)
2020-05-20 15:03:58 +00:00
message = 'Checked {} credentials found.'.format(len(all_credentials))
if all_sites:
message += ' Related websites: {}'.format( (', '.join(all_sites)) )
print(message)
2020-05-20 15:03:58 +00:00
to_print = 'Credential;{};{};{};{};{}'.format(Item.get_source(item_id), Item.get_item_date(item_id), Item.get_item_basename(item_id), message, item_id)
2017-07-18 14:57:15 +00:00
#num of creds above tresh, publish an alert
2020-05-20 15:03:58 +00:00
if len(all_credentials) > criticalNumberToAlert:
print("========> Found more than 10 credentials in this file : {}".format( item_id ))
publisher.warning(to_print)
#Send to duplicate
2020-05-20 15:03:58 +00:00
p.populate_set_out(item_id, 'Duplicate')
2018-04-16 12:50:04 +00:00
2020-05-20 15:03:58 +00:00
msg = 'infoleak:automatic-detection="credential";{}'.format(item_id)
2018-05-16 12:39:01 +00:00
p.populate_set_out(msg, 'Tags')
2020-05-20 15:03:58 +00:00
site_occurence = regex_helper.regex_findall(module_name, redis_cache_key, regex_site_for_stats, item_content, max_time=max_execution_time, r_set=False)
2020-05-04 09:11:35 +00:00
creds_sites = {}
2020-05-04 09:11:35 +00:00
for site in site_occurence:
site_domain = site[1:-1].lower()
2018-05-04 11:53:29 +00:00
if site_domain in creds_sites.keys():
creds_sites[site_domain] += 1
else:
creds_sites[site_domain] = 1
2020-05-20 15:03:58 +00:00
for url in all_sites:
faup.decode(url)
domain = faup.get()['domain']
## TODO: # FIXME: remove me
try:
domain = domain.decode()
except:
pass
if domain in creds_sites.keys():
creds_sites[domain] += 1
else:
creds_sites[domain] = 1
2018-04-16 12:50:04 +00:00
for site, num in creds_sites.items(): # Send for each different site to moduleStats
2018-04-26 12:42:39 +00:00
2020-05-20 15:03:58 +00:00
mssg = 'credential;{};{};{}'.format(num, site, Item.get_item_date(item_id))
2018-04-16 12:50:04 +00:00
print(mssg)
p.populate_set_out(mssg, 'ModuleStats')
2020-05-20 15:03:58 +00:00
if all_sites:
print("=======> Probably on : {}".format(', '.join(all_sites)))
date = datetime.datetime.now().strftime("%Y%m")
2020-05-20 15:03:58 +00:00
for cred in all_credentials:
maildomains = re.findall("@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,20}", cred.lower())[0]
faup.decode(maildomains)
tld = faup.get()['tld']
## TODO: # FIXME: remove me
try:
tld = tld.decode()
except:
pass
server_statistics.hincrby('credential_by_tld:'+date, tld, 1)
else:
publisher.info(to_print)
2020-05-20 15:03:58 +00:00
print('found {} credentials'.format(len(all_credentials)))
2017-07-18 14:57:15 +00:00
2017-07-20 08:24:48 +00:00
#for searching credential in termFreq
2020-05-20 15:03:58 +00:00
for cred in all_credentials:
2017-07-20 08:24:48 +00:00
cred = cred.split('@')[0] #Split to ignore mail address
2017-07-18 14:57:15 +00:00
#unique number attached to unique path
uniq_num_path = server_cred.incr(REDIS_KEY_NUM_PATH)
2020-05-20 15:03:58 +00:00
server_cred.hmset(REDIS_KEY_ALL_PATH_SET, {item_id: uniq_num_path})
server_cred.hmset(REDIS_KEY_ALL_PATH_SET_REV, {uniq_num_path: item_id})
2017-07-18 14:57:15 +00:00
#unique number attached to unique username
uniq_num_cred = server_cred.hget(REDIS_KEY_ALL_CRED_SET, cred)
if uniq_num_cred is None: #cred do not exist, create new entries
uniq_num_cred = server_cred.incr(REDIS_KEY_NUM_USERNAME)
server_cred.hmset(REDIS_KEY_ALL_CRED_SET, {cred: uniq_num_cred})
server_cred.hmset(REDIS_KEY_ALL_CRED_SET_REV, {uniq_num_cred: cred})
2018-04-16 12:50:04 +00:00
2017-07-20 08:24:48 +00:00
#Add the mapping between the credential and the path
server_cred.sadd(REDIS_KEY_MAP_CRED_TO_PATH+'_'+str(uniq_num_cred), uniq_num_path)
2017-07-18 14:57:15 +00:00
2017-07-20 08:24:48 +00:00
#Split credentials on capital letters, numbers, dots and so on
#Add the split to redis, each split point towards its initial credential unique number
2017-07-18 14:57:15 +00:00
splitedCred = re.findall(REGEX_CRED, cred)
for partCred in splitedCred:
if len(partCred) > minimumLengthThreshold:
server_cred.sadd(partCred, uniq_num_cred)