Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率。

Overview

0x00 介绍

tig Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率,目前已集成微步、IP 域名反查、Fofa 信息收集、ICP 备案查询、IP 存活检测五个模块,现已支持以下信息的查询:

  • 微步标签
  • IP 域名反查
  • ICP 备案查询
  • IP 存活检测
  • 开放端口查询
  • ……

后续将集成更多模块,如有好的建议或遇到 Bug 欢迎与我反馈,我的微信号:teamssix_com

0x01 安装

需要 python3 环境支持

pip3 install -r requirements.txt
python3 tig.py

0x02 使用

工具命令如下:

-h HELP			查看帮助信息
-i IP       目标 IP
-f FILE     IP 文本,一行一个
-c CONFIG   指定配置文件,默认 ./config.ini

在开始使用工具之前,需要对配置文件进行配置,默认配置文件如下:

[Threat Intelligence]

# 微步威胁情报查询,查看 api 地址:https://x.threatbook.cn/nodev4/vb4/myAPI(每天 50 次的免费额度)
ThreatBook_enable = true
ThreatBook_api = ''

[IP Passive Information]

# IP 反查,调用 http://api.webscan.cc/ 的 api
IP_reverse_enable = true

# ICP 备案信息查询,调用 https://api.vvhan.com/api/icp 的 api,如果目标 IP 没有反查到域名,该项即使开启也不会有输出
ICP_beian_enable = true

# Fofa ip 信息查询,查看 api 地址:https://fofa.so/user/users/detail(付费,普通会员每次100条,高级会员每次10000条)
Fofa_enable = true
Fofa_email = ''
Fofa_api = ''

[IP Active Information]

# 利用 ping 命令对 IP 进行存活检测
IP_survive_enable = true

在配置文件里添加自己的微步 API 和 Fofa API 才可使用相关模块,添加 API 后,就可以正常使用相关模块了。

例如这里获取某个 IP 的信息,直接使用 -i 命令即可。

0x03 最后

如果在工具使用的过程中发现存在 bug 等问题,欢迎与我反馈,我的微信号:teamssix_com

Comments
  • 是有BUG吗?

    是有BUG吗?

    python3 tig.py -i X.X.X.X +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5

    [18:18:48] 检测到您可能是第一次运行本程序,请根据程序提示输入您的API地 tig.py:71 址,如果没有直接回车即可,但在查询时将不会调用相关模块 请输入您的微步 Api:[填写的是正常的] 请输入您的Fofa邮箱:[填写的是正常的] 请输入您的Fofa Api:[填写的是正常的] Traceback (most recent call last): File "/Users/win/Downloads/tig-0.5/tig.py", line 508, in console.rule("[yellow]正在查询 %s 的情报信息" % ip, align='left', style="yellow") TypeError: rule() got an unexpected keyword argument 'align'

    bug 
    opened by Ew0x68 21
  • 关于tig 调用出现报错

    关于tig 调用出现报错

    $ python tig.py -i 8.8.8.8
    
    +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
    |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g|
    +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+
        团队:狼组安全团队   作者:TeamsSix    版本:0.5
    
    正在查询 8.8.8.8 的情报信息 ───────────────────────────────────────────────────────────────────────────────────────────
    Traceback (most recent call last):
      File "tig.py", line 509, in <module>
        main(ip, config_path, proxies)
      File "tig.py", line 288, in main
        ThreatBook_result = ThreatBook(ip, config_path)
      File "tig.py", line 149, in ThreatBook
        confidence_level = r_json['data']['%s' % ip]['confidence_level']  # 情报可信度
    KeyError: 'data'
    
    enhancement 
    opened by Aliroe 5
  • 无法正常使用tig

    无法正常使用tig

    报错的内容

    Traceback (most recent call last):
      File ".\tig.py", line 655, in <module>
        main(i, config_path, proxies)
      File ".\tig.py", line 413, in main
        IP_reverse2_result = IP_reverse2(ip, proxies)
      File ".\tig.py", line 238, in IP_reverse2
        for ip in r.json():
      File "D:\python37\lib\site-packages\requests\models.py", line 898, in json
        return complexjson.loads(self.text, **kwargs)
      File "D:\python37\lib\json\__init__.py", line 348, in loads
        return _default_decoder.decode(s)
      File "D:\python37\lib\json\decoder.py", line 337, in decode
        obj, end = self.raw_decode(s, idx=_w(s, 0).end())
      File "D:\python37\lib\json\decoder.py", line 355, in raw_decode
        raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
    

    image

    opened by capjie 4
  • add

    add "python-whois" to requirements.txt

    fix ModuleNotFoundError

    root@debian:~/tig# python3 tig.py
    Traceback (most recent call last):
      File "tig.py", line 12, in <module>
        import whois
    ModuleNotFoundError: No module named 'whois'
    
    opened by zhanglei0310 1
  • 功能优化,修复 bug,重构代码

    功能优化,修复 bug,重构代码

    Updata

    更新时间:2022 年 06 月 25 日

    1. 功能优化

    1. 添加了 Nsfocus 威胁情报解析结果,但 API 需要自行获取;

    2. 优化了配置文件,支持添加多个微步 API key,第一个到达上限后,继续读取下一个,突破了微步 API 每日 50 次的限制;

    3. 优化了配置文件,通过对 Nsfocus_enableFOFA_enableRevrse_IP_Lookup_enable 使能开关控制,自定义调整查询结果。

    4. 删除通过请求 api.hackertarget.com 来获取 ip 反查域名,由于请求次数每日免费仅 10 次,因此删除该链接;

    5. 删除 IP 存活判断。通过 ping 来判断 IP 存活的方式,可靠性不高,因此删除函数调用,但保留了该部分函数;

    6. Fofa 官网地址修改,修改了 fofa api 获取地址描述,修改了 fofa api 接口地址请求;

    7. 默认查询单一 IP 不保存文件。实际使用中发现查询单一 ip 威胁情报保存文件的情况并不多,因此修改为默认不保存,但可以通过指定保存文件名的方式来强制保存,示例 python3 tiv.py -i x.x.x.x -o yyyy(.xlsx)yyyy 为文件名,后缀名可加可不加;

    8. 修改批量查询 IP 读取文件内容筛选 ip 的方式,可以无需按照一行一个 ip 的格式进行书写。可随意书写,通过正则方式匹配 x.x.x.x 的格式筛选 ip。

    9. 修改批量查询 ip 默认保存输出文件名,不再以时间戳方式保存,修改为年月日时分秒+ip 个数的方式保存;如 tiv_2022 年 06 月 25 日_16 时 09 分 25 秒_2 个 IP.xlsx

    10. 重构代码逻辑,按照 PEP8 规范优化部分书写方式,添加注释,函数说明,返回正确值 demo,错误值 demo。

    2. bug 修复

    1. 修改了 ip 反查域名时,若包含多个域名列表时,域名信息(备案信息,注册人,注册商等)仅保存最后一个域名信息。域名相关信息保存至 sheet2(域名信息)中。

    2. 修复其他报错情况(如 json 解析异常,whois 返回值未考虑数组等问题),优化进度条被打断等问题。

    opened by m0cun 1
  • 求问,为什么使用fofa的api使用不了呢

    求问,为什么使用fofa的api使用不了呢

    [EROR] 访问 https://fofa.so/api/v1/search/all?email=(我的email)&key=20fa8e7bc14fee2487b42f368a70a8e2&qbase64
    =NDcuMjQwLjczLjc3&size=100 发生错误,错误信息: ReadTimeo
    ut(ReadTimeoutError("HTTPSConnectionPool(host='fofa.so',
    port=443): Read timed out. (read timeout=5)",),)
    [EROR] 查询 47.240.73.77 的 Fofa
    信息发生错误,错误信息:AttributeError("'str' object has
    no attribute 'json'",)

    opened by summernote5288 1
  • error

    error

    Traceback (most recent call last): File "tig.py", line 509, in main(ip, config_path, proxies) File "tig.py", line 288, in main ThreatBook_result = ThreatBook(ip, config_path) File "tig.py", line 149, in ThreatBook confidence_level = r_json['data']['%s' % ip]['confidence_level'] # 情报可信度 KeyError: 'data'

    duplicate enhancement 
    opened by lhr8015 1
  • add

    add "whois" to requirements.txt

    fix ModuleNotFoundError root@debian:~/tig# python3 tig.py Traceback (most recent call last): File "tig.py", line 12, in import whois ModuleNotFoundError: No module named 'whois'

    opened by zhanglei0310 0
  • 🦋 添加 Linux / Mac tig 命令行快捷方式

    🦋 添加 Linux / Mac tig 命令行快捷方式

    UNIX 安装指南:

    cd /opt/
    git clone https://github.com/wgpsec/tig.git
    echo '#!/bin/bash
    cd /opt/tig
    python3 tig.py $@'  > /usr/bin/tig
    chmod +x /usr/bin/tig
    tig -v
    
    opened by Ran-Xing 0
  • 请问 更新到0.5.2后就出现这个

    请问 更新到0.5.2后就出现这个

    PS D:\测试工具\蓝队溯源\tig-0.4.2> python3 .\tig.py -i 45.79.1.146

    +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ |T|h|r|e|a|t| |I|n|t|e|l|l|i|g|e|n|c|e| |G|a|t|h|e|r|i|n|g| +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+ 团队:狼组安全团队 作者:TeamsSix 版本:0.5.2

    ────────────────────────────────────────────────────────────────────── 正在查询 45.79.1.146 的情报信息 ─────────────────────────────────────────────────────────────────────── Traceback (most recent call last): File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 789, in get value = d[option] File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 891, in getitem return self.missing(key) # support subclasses that define missing File "C:\Program Files\path\Python\Python3.8\lib\collections_init_.py", line 883, in missing raise KeyError(key) KeyError: 'ti360_cookie'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File ".\tig.py", line 579, in main(ip, config_path, proxies) File ".\tig.py", line 341, in main init_360ti(config_path) File ".\tig.py", line 308, in init_360ti ti_portal = cfg.get('Api Config', 'ti360_cookie').strip("'").strip() File "C:\Program Files\path\Python\Python3.8\lib\configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'ti360_cookie' in section: 'Api Config' image-20210430103433246

    opened by Crazy-FuQing 0
  • IP Passive Information

    IP Passive Information

    Exception in thread Thread-5: Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 789, in get value = d[option] File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 941, in getitem return self.missing(key) # support subclasses that define missing File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/collections/init.py", line 933, in missing raise KeyError(key) KeyError: 'whois_enable'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last): File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 954, in _bootstrap_inner self.run() File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 892, in run self._target(*self._args, **self._kwargs) File "/Users/sodme/tools/1.information/tig/tig.py", line 524, in IP_reverse_print IP_reverse_print(ip, config_path, proxies) File "/Users/sodme/tools/1.information/tig/tig.py", line 302, in IP_reverse_print Whois_enable = cfg.get('IP Passive Information', 'Whois_enable') File "/usr/local/Cellar/[email protected]/3.9.2_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/configparser.py", line 792, in get raise NoOptionError(option, section) configparser.NoOptionError: No option 'whois_enable' in section: 'IP Passive Information' ➜ tig

    invalid 
    opened by aa506 0
Releases(v0.5.4)
  • v0.5.4(Mar 4, 2022)

  • v0.5.3(Dec 13, 2021)

  • v0.5.2(Apr 21, 2021)

    • 增加微步API获取信息异常的提示
    • 增加针对备案、Whois 查询时的异常处理
    • 增加针对 Fofa 信息查询的异常处理
    Source code(tar.gz)
    Source code(zip)
  • v0.5.1(Apr 21, 2021)

  • v0.5(Apr 20, 2021)

    • 输出格式全面改版
    • 增加导出结果功能
    • 对代码进行大幅度简化

    该版本及后续版本均无需修改配置文件 考虑到微步API对域名查询功能的限制,故未加入域名查询功能

    Source code(tar.gz)
    Source code(zip)
  • v0.4.2(Apr 9, 2021)

  • v0.4.1(Mar 18, 2021)

    • 修复了 Windows 下的一个 Bug
    • 修复了 Fofa 信息提取中的一个 Bug
    • 修复了因为网络问题导致获取随机 User-Agent 报错的问题

    该版本不用重新生成配置文件

    Source code(tar.gz)
    Source code(zip)
  • v0.4(Mar 16, 2021)

    • 增加多个 IP 反查域名来源,避免接口失效与无法访问的问题
    • 将 Fofa 收集到的域名加入到备案查询中,使输出内容更加全面
    • 增加 whois 信息查询

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)
  • v0.3(Mar 15, 2021)

    • 修复了原 IP 反查域名的 API 接口失效的问题
    • 增加了代理设置,防止频繁使用被封IP
    • 增加了多线程,运行速度更快
    • 优化了输出显示

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)
  • v0.2(Mar 11, 2021)

    • 增加 IP 存活检测
    • 增加 ICP 备案信息查询
    • 优化输出显示,将部分英文输出更改为中文输出

    注意:该版本需要重新生成配置文件

    Source code(tar.gz)
    Source code(zip)
  • v0.1(Mar 10, 2021)

Owner
Wolf Group Security Team
Wolf Group Security Team 狼组安全团队
Wolf Group Security Team
Agile Threat Modeling Toolkit

Threagile is an open-source toolkit for agile threat modeling:

Threagile 425 Jan 7, 2023
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

log4j-tools Quick links Click to find: Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code Overview

JFrog Ltd. 171 Dec 25, 2022
Threat Intel Platform for T-POTs

GreedyBear The project goal is to extract data of the attacks detected by a TPOT or a cluster of them and to generate some feeds that can be used to p

The Honeynet Project 72 Jan 1, 2023
A windows post exploitation tool that contains a lot of features for information gathering and more.

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

null 29 Nov 20, 2022
Mr.Holmes is a information gathering tool (OSINT)

?? Mr.Holmes Mr.Holmes is a information gathering tool (OSINT). Is main purpose is to gain information about domains,username and phone numbers with t

null 534 Jan 8, 2023
Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source

Infoga - Email OSINT Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source (search engines, pg

m4ll0k (mallok) 1.8k Jan 4, 2023
🔍 IRIS: An open-source intelligence framework

IRIS is an open-source OSINT framework, consisting of modules to find information about a target by scraping sites and fetching data from APIs.

IRIS 79 Dec 20, 2022
A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Curated Intel 172 Nov 17, 2022
This is a Python program that implements a vacuum cleaner as an Artificial Intelligence.

Vacuum-Cleaner Python3 This is a Python3 agent that implements a simulator for a vacuum cleaner and it is introduction to Artificial Intelligence. A s

Abdultawwab Safarji 6 Nov 14, 2022
An advanced real time threat intelligence framework to identify threats and malicious web traffic on the basis of IP reputation and historical data.

ARTIF is a new advanced real time threat intelligence framework built that adds another abstraction layer on the top of MISP to identify threats and malicious web traffic on the basis of IP reputation and historical data. It also performs automatic enrichment and threat scoring by collecting, processing and correlating observables based on different factors.

CRED 225 Dec 31, 2022
The Malware Open-source Threat Intelligence Family dataset contains 3,095 disarmed PE malware samples from 454 families

MOTIF Dataset The Malware Open-source Threat Intelligence Family (MOTIF) dataset contains 3,095 disarmed PE malware samples from 454 families, labeled

Booz Allen Hamilton 112 Dec 13, 2022
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

null 2.4k Jan 7, 2023
School of Artificial Intelligence at the Nanjing University (NJU)School of Artificial Intelligence at the Nanjing University (NJU)

F-Principle This is an exercise problem of the digital signal processing (DSP) course at School of Artificial Intelligence at the Nanjing University (

Thyrix 5 Nov 23, 2022
APT-Hunter is Threat Hunting tool for windows event logs

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity

null 824 Jan 8, 2023
Kestrel Threat Hunting Language

Kestrel Threat Hunting Language What is Kestrel? Why we need it? How to hunt with XDR support? What is the science behind it? You can find all the ans

Open Cybersecurity Alliance 201 Dec 16, 2022
A Pythonic framework for threat modeling

pytm: A Pythonic framework for threat modeling Introduction Traditional threat modeling too often comes late to the party, or sometimes not at all. In

Izar Tarandach 644 Dec 20, 2022
Agile Threat Modeling Toolkit

Threagile is an open-source toolkit for agile threat modeling:

Threagile 425 Jan 7, 2023
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

log4j-tools Quick links Click to find: Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code Overview

JFrog Ltd. 171 Dec 25, 2022