Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率。

Related tags

Security related resourcestig
Overview

0x00 介绍

tig Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率,目前已集成微步、IP 域名反查、Fofa 信息收集、ICP 备案查询、IP 存活检测五个模块,现已支持以下信息的查询:

  • 微步标签
  • IP 域名反查
  • ICP 备案查询
  • IP 存活检测
  • 开放端口查询
  • ……

后续将集成更多模块,如有好的建议或遇到 Bug 欢迎与我反馈,我的微信号:teamssix_com

0x01 安装

需要 python3 环境支持

pip3 install -r requirements.txt
python3 tig.py

0x02 使用

工具命令如下:

-h HELP			查看帮助信息
-i IP       目标 IP
-f FILE     IP 文本,一行一个
-c CONFIG   指定配置文件,默认 ./config.ini

在开始使用工具之前,需要对配置文件进行配置,默认配置文件如下:

[Threat Intelligence]

# 微步威胁情报查询,查看 api 地址:https://x.threatbook.cn/nodev4/vb4/myAPI(每天 50 次的免费额度)
ThreatBook_enable = true
ThreatBook_api = ''

[IP Passive Information]

# IP 反查,调用 http://api.webscan.cc/ 的 api
IP_reverse_enable = true

# ICP 备案信息查询,调用 https://api.vvhan.com/api/icp 的 api,如果目标 IP 没有反查到域名,该项即使开启也不会有输出
ICP_beian_enable = true

# Fofa ip 信息查询,查看 api 地址:https://fofa.so/user/users/detail(付费,普通会员每次100条,高级会员每次10000条)
Fofa_enable = true
Fofa_email = ''
Fofa_api = ''

[IP Active Information]

# 利用 ping 命令对 IP 进行存活检测
IP_survive_enable = true

在配置文件里添加自己的微步 API 和 Fofa API 才可使用相关模块,添加 API 后,就可以正常使用相关模块了。

例如这里获取某个 IP 的信息,直接使用 -i 命令即可。

0x03 最后

如果在工具使用的过程中发现存在 bug 等问题,欢迎与我反馈,我的微信号:teamssix_com

Comments
  • 是有BUG吗?

    是有BUG吗?

    python3 tig.py -i X.X.X.X +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5

    [18:18:48] 检测到您可能是第一次运行本程序,请根据程序提示输入您的API地 tig.py:71 址,如果没有直接回车即可,但在查询时将不会调用相关模块 请输入您的微步 Api:[填写的是正常的] 请输入您的Fofa邮箱:[填写的是正常的] 请输入您的Fofa Api:[填写的是正常的] Traceback (most recent call last): File "/Users/win/Downloads/tig-0.5/tig.py", line 508, in console.rule("[yellow]正在查询 %s 的情报信息" % ip, align='left', style="yellow") TypeError: rule() got an unexpected keyword argument 'align'

    bug 
    opened by Ew0x68 21
  • 关于tig 调用出现报错

    关于tig 调用出现报错 

    $ python tig.py -i 8.8.8.8

+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
|T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g|
+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
    团队:狼组安全团队   作者:TeamsSix    版本:0.5

正在查询 8.8.8.8 的情报信息 ───────────────────────────────────────────────────────────────────────────────────────────
Traceback (most recent call last):
  File "tig.py", line 509, in <module>
    main(ip, config_path, proxies)
  File "tig.py", line 288, in main
    ThreatBook_result = ThreatBook(ip, config_path)
  File "tig.py", line 149, in ThreatBook
    confidence_level = r_json['data']['%s' % ip]['confidence_level']  # 情报可信度
KeyError: 'data'
    enhancement 
    opened by Aliroe 5
  • 无法正常使用tig

    无法正常使用tig

    报错的内容

    Traceback (most recent call last):
  File ".\tig.py", line 655, in <module>
    main(i, config_path, proxies)
  File ".\tig.py", line 413, in main
    IP_reverse2_result = IP_reverse2(ip, proxies)
  File ".\tig.py", line 238, in IP_reverse2
    for ip in r.json():
  File "D:\python37\lib\site-packages\requests\models.py", line 898, in json
    return complexjson.loads(self.text, **kwargs)
  File "D:\python37\lib\json\__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "D:\python37\lib\json\decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "D:\python37\lib\json\decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

    image

    opened by capjie 4
  • add

    add "python-whois" to requirements.txt

    fix ModuleNotFoundError

    [email protected]:~/tig# python3 tig.py
Traceback (most recent call last):
  File "tig.py", line 12, in <module>
    import whois
ModuleNotFoundError: No module named 'whois'
    opened by zhanglei0310 1
  • 功能优化,修复 bug,重构代码

    功能优化,修复 bug,重构代码

    Updata

    更新时间:2022 年 06 月 25 日

    1. 功能优化

    1. 添加了 Nsfocus 威胁情报解析结果,但 API 需要自行获取;

    2. 优化了配置文件,支持添加多个微步 API key,第一个到达上限后,继续读取下一个,突破了微步 API 每日 50 次的限制;

    3. 优化了配置文件,通过对 Nsfocus_enableFOFA_enableRevrse_IP_Lookup_enable 使能开关控制,自定义调整查询结果。

    4. 删除通过请求 api.hackertarget.com 来获取 ip 反查域名,由于请求次数每日免费仅 10 次,因此删除该链接;

    5. 删除 IP 存活判断。通过 ping 来判断 IP 存活的方式,可靠性不高,因此删除函数调用,但保留了该部分函数;

    6. Fofa 官网地址修改,修改了 fofa api 获取地址描述,修改了 fofa api 接口地址请求;

    7. 默认查询单一 IP 不保存文件。实际使用中发现查询单一 ip 威胁情报保存文件的情况并不多,因此修改为默认不保存,但可以通过指定保存文件名的方式来强制保存,示例 python3 tiv.py -i x.x.x.x -o yyyy(.xlsx)yyyy 为文件名,后缀名可加可不加;

    8. 修改批量查询 IP 读取文件内容筛选 ip 的方式,可以无需按照一行一个 ip 的格式进行书写。可随意书写,通过正则方式匹配 x.x.x.x 的格式筛选 ip。

    9. 修改批量查询 ip 默认保存输出文件名,不再以时间戳方式保存,修改为年月日时分秒+ip 个数的方式保存;如 tiv_2022 年 06 月 25 日_16 时 09 分 25 秒_2 个 IP.xlsx

    10. 重构代码逻辑,按照 PEP8 规范优化部分书写方式,添加注释,函数说明,返回正确值 demo,错误值 demo。

    2. bug 修复

    1. 修改了 ip 反查域名时,若包含多个域名列表时,域名信息(备案信息,注册人,注册商等)仅保存最后一个域名信息。域名相关信息保存至 sheet2(域名信息)中。

    2. 修复其他报错情况(如 json 解析异常,whois 返回值未考虑数组等问题),优化进度条被打断等问题。

    opened by m0cun 1
  • 求问,为什么使用fofa的api使用不了呢

    求问,为什么使用fofa的api使用不了呢

    [EROR] 访问 https://fofa.so/api/v1/search/all?email=(我的email)&key=20fa8e7bc14fee2487b42f368a70a8e2&qbase64
    =NDcuMjQwLjczLjc3&size=100 发生错误,错误信息: ReadTimeo
    ut(ReadTimeoutError("HTTPSConnectionPool(host='fofa.so',
    port=443): Read timed out. (read timeout=5)",),)
    [EROR] 查询 47.240.73.77 的 Fofa
    信息发生错误,错误信息:AttributeError("'str' object has
    no attribute 'json'",)

    opened by summernote5288 1
  • error

    error

    Traceback (most recent call last): File "tig.py", line 509, in main(ip, config_path, proxies) File "tig.py", line 288, in main ThreatBook_result = ThreatBook(ip, config_path) File "tig.py", line 149, in ThreatBook confidence_level = r_json['data']['%s' % ip]['confidence_level'] # 情报可信度 KeyError: 'data'

    duplicate enhancement 
    opened by lhr8015 1
  • add

    add "whois" to requirements.txt

    fix ModuleNotFoundError [email protected]:~/tig# python3 tig.py Traceback (most recent call last): File "tig.py", line 12, in import whois ModuleNotFoundError: No module named 'whois'

    opened by zhanglei0310 0
  • 🦋 添加 Linux / Mac tig 命令行快捷方式

    🦋 添加 Linux / Mac tig 命令行快捷方式

    UNIX 安装指南:

    cd /opt/
git clone https://github.com/wgpsec/tig.git
echo '#!/bin/bash
cd /opt/tig
python3 tig.py $@'  > /usr/bin/tig
chmod +x /usr/bin/tig
tig -v
    opened by Ran-Xing 0
  • 请问 更新到0.5.2后就出现这个

    请问 更新到0.5.2后就出现这个

    PS D:\测试工具\蓝队溯源\tig-0.4.2> python3 .\tig.py -i 45.79.1.146

    +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5.2

    ────────────────────────────────────────────────────────────────────── 正在查询 45.79.1.146 的情报信息 ─────────────────────────────────────────────────────────────────────── Traceback (most recent call last): File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 789, in get value = d[option] File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 891, in getitem return self.missing(key) # support subclasses that define missing File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 883, in missing raise KeyError(key) KeyError: 'ti360_cookie'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File ".\tig.py", line 579, in main(ip, config_path, proxies) File ".\tig.py", line 341, in main init_360ti(config_path) File ".\tig.py", line 308, in init_360ti ti_portal = cfg.get('Api Config', 'ti360_cookie').strip("'").strip() File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'ti360_cookie' in section: 'Api Config' image-20210430103433246

    opened by Crazy-FuQing 0
  • IP Passive Information

    IP Passive Information

    Exception in thread Thread-5: Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 789, in get value = d[option] File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 941, in getitem return self.missing(key) # support subclasses that define missing File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 933, in missing raise KeyError(key) KeyError: 'whois_enable'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 954, in _bootstrap_inner self.run() File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 892, in run self._target(*self._args, **self._kwargs) File "/Users/sodme/tools/1.information/tig/tig.py", line 524, in IP_reverse_print IP_reverse_print(ip, config_path, proxies) File "/Users/sodme/tools/1.information/tig/tig.py", line 302, in IP_reverse_print Whois_enable = cfg.get('IP Passive Information', 'Whois_enable') File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'whois_enable' in section: 'IP Passive Information' ➜ tig

    invalid 
    opened by aa506 0
Releases(v0.5.4)

  • v0.5.4(Mar 4, 2022)

  • v0.5.3(Dec 13, 2021)

  • v0.5.2(Apr 21, 2021)

    • 增加微步API获取信息异常的提示
    • 增加针对备案、Whois 查询时的异常处理
    • 增加针对 Fofa 信息查询的异常处理
    Source code(tar.gz)
    Source code(zip)

  • v0.5.1(Apr 21, 2021)

  • v0.5(Apr 20, 2021)

    • 输出格式全面改版
    • 增加导出结果功能
    • 对代码进行大幅度简化

    该版本及后续版本均无需修改配置文件 考虑到微步API对域名查询功能的限制,故未加入域名查询功能

    Source code(tar.gz)
    Source code(zip)

  • v0.4.2(Apr 9, 2021)

  • v0.4.1(Mar 18, 2021)

    • 修复了 Windows 下的一个 Bug
    • 修复了 Fofa 信息提取中的一个 Bug
    • 修复了因为网络问题导致获取随机 User-Agent 报错的问题

    该版本不用重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.4(Mar 16, 2021)

    • 增加多个 IP 反查域名来源,避免接口失效与无法访问的问题
    • 将 Fofa 收集到的域名加入到备案查询中,使输出内容更加全面
    • 增加 whois 信息查询

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.3(Mar 15, 2021)

    • 修复了原 IP 反查域名的 API 接口失效的问题
    • 增加了代理设置,防止频繁使用被封IP
    • 增加了多线程,运行速度更快
    • 优化了输出显示

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.2(Mar 11, 2021)

    • 增加 IP 存活检测
    • 增加 ICP 备案信息查询
    • 优化输出显示,将部分英文输出更改为中文输出

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)

  • v0.1(Mar 10, 2021)

Owner
Wolf Group Security Team
Wolf Group Security Team 狼组安全团队
Wolf Group Security Team
GitHub Repository
Recon is a script to perform a full recon on a target with the main tools to search for vulnerabilities.

👑 Recon 👑 The step of recognizing a target in both Bug Bounties and Pentest can be very time-consuming. Thinking about it, I decided to create my ow

Dirso 171 Dec 31, 2022
test application for the licence key web app.

licence_software_test_app Make sure you set your database values in a .env file to the folder. Install MYSQL connector: pip install mysql-connector-py

Carl Beattie 1 Oct 28, 2021
SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly

136 Dec 13, 2022
Simple script to have LDAP authentication in Home Assistant Docker, using NGINX's ldap-auth container

Home Assistant LDAP Auth Simple script to have LDAP authentication in Home Assistant Docker, using NGINX's ldap-auth container. Usage Deploy NGINX's l

Erik 1 Sep 21, 2022
CVE-2022-22963 PoC

CVE-2022-22963 CVE-2022-22963 PoC Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-R

Nicolas Krassas 104 Dec 08, 2022
OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

omigood (OM I GOOD?) This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threa

Marco Simioni 13 Jul 13, 2022
Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.

Log4jHorizon Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more. BLOG COMING SOON Code and README.md this time around are

96 Dec 14, 2022
A Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

Karim 3 Mar 24, 2022
LaxrFar Python Obfuscator

LaxrFar Python Obfuscator Usage First do the things from "Upload to Webserver" o

LaxrFar 5 Jul 19, 2022
The disassembler parses evm bytecode from the command line or from a file.

EVM Bytecode Disassembler The disassembler parses evm bytecode from the command line or from a file. It does not matter whether the bytecode is prefix

alpharush 22 Dec 27, 2022
xp_CAPTCHA(白嫖版) burp 验证码 识别 burp插件

xp_CAPTCHA(白嫖版) 说明 xp_CAPTCHA (白嫖版) 验证码识别 burp插件 安装 需要python3 小于3.7的版本 安装 muggle_ocr 模块(大概400M左右) python3 -m pip install -i http://mirrors.aliyun.com/

算命縖子 588 Jan 09, 2023
This program will brute force any Instagram account you send it its way given a list of proxies.

Instagram Bruter This program will brute force any Instagram account you send it its way given a list of proxies. NOTICE I'm no longer maintaining thi

1 Nov 15, 2021
OLOP: One-Line & Obfuscated Python

OLOP: One-Line & Obfuscated Python This repository contains useful python modules for one-line and obfuscated python. pip install olop-ShadowLugia650

1 Jan 09, 2022
A fast sub domain brute tool for pentesters

subDomainsBrute 1.4 A fast sub domain brute tool for pentesters. It works with P

Oliver 2 Oct 18, 2022
Script Crack Facebook Premium 🚶‍♂

premium Script Crack Facebook Premium 🚶‍♂ In Script Install Script $ pkg update && pkg upgrade $ termux-setup-storage $ pkg install python $ pkg inst

Yumasaa 2 Dec 19, 2021
Unauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shell

Unauthenticated Sqlinjection that leads to dump database but this one impersonated Admin and drops a interactive shell

sam 16 Nov 09, 2022
Script Crack Facebook Elite 🚶‍♂

elite Script Crack Facebook Elite 🚶‍♂ Install Script $ pkg update && pkg upgrade $ termux-setup-storage $ pkg install git $ pkg install python $ pip

Yumasaa 1 Jan 02, 2022
macOS Initial Access Payload Generator

Mystikal macOS Initial Access Payload Generator Related Blog Post: https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 Usage: Install Xcode

Leo Pitt 206 Dec 31, 2022
Colin O'Flynn's Hacakday talk at Remoticon 2021 support repo.

Hardware Hacking Resources This repo holds some of the examples used in Colin's Hardware Hacking talk at Remoticon 2021. You can see the very sketchy

Colin O'Flynn 19 Sep 12, 2022
An forensics tool to help aid in the investigation of spoofed emails based off the email headers.

A forensic tool to make analysis of email headers easy to aid in the quick discovery of the attacker. Table of Contents About mailMeta Installation Us

Syed Modassir Ali 59 Nov 26, 2022