Knock analyzer (intelowlproject#2448)

g4ze · g4ze · Michalsus · commit a02214683ae2 · 2024-10-11T20:32:13.000+02:00
* knock

* migration

* knock but no deletion reqed

* t/o test

* rmv log

* timeout tests

* t/o

* mock

* mock

* tests

* tests

* t/o

* typo

* tlp

* pypi

* works now

* log

* mign

---------

Co-authored-by: g4ze &lt;bhaiyajionline@gmail.com&gt;
diff --git a/api_app/analyzers_manager/file_analyzers/polyswarm.py b/api_app/analyzers_manager/file_analyzers/polyswarm.py
@@ -67,9 +67,6 @@ def run(self):
 
         return result
 
-    def update(self):
-        pass
-
     @classmethod
     def _monkeypatch(cls):
         patches = [
diff --git a/api_app/analyzers_manager/migrations/0115_analyzer_config_knock.py b/api_app/analyzers_manager/migrations/0115_analyzer_config_knock.py
@@ -0,0 +1,229 @@
+from django.db import migrations
+from django.db.models.fields.related_descriptors import (
+    ForwardManyToOneDescriptor,
+    ForwardOneToOneDescriptor,
+    ManyToManyDescriptor,
+)
+
+plugin = {
+    "python_module": {
+        "health_check_schedule": None,
+        "update_schedule": None,
+        "module": "knockanalyzer.KnockAnalyzer",
+        "base_path": "api_app.analyzers_manager.observable_analyzers",
+    },
+    "name": "Knock",
+    "description": "[Knock](https://github.com/guelfoweb/knock) is a portable and modular python3 tool designed to quickly enumerate subdomains on a target domain through passive reconnaissance and dictionary scan.",
+    "disabled": False,
+    "soft_time_limit": 600,
+    "routing_key": "default",
+    "health_check_status": True,
+    "type": "observable",
+    "docker_based": False,
+    "maximum_tlp": "CLEAR",
+    "observable_supported": ["domain"],
+    "supported_filetypes": [],
+    "run_hash": False,
+    "run_hash_type": "",
+    "not_supported_filetypes": [],
+    "model": "analyzers_manager.AnalyzerConfig",
+}
+
+params = [
+    {
+        "python_module": {
+            "module": "knockanalyzer.KnockAnalyzer",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "useragent",
+        "type": "str",
+        "description": "custom useragent",
+        "is_secret": False,
+        "required": False,
+    },
+    {
+        "python_module": {
+            "module": "knockanalyzer.KnockAnalyzer",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "timeout",
+        "type": "int",
+        "description": "custom timeout(s)",
+        "is_secret": False,
+        "required": False,
+    },
+    {
+        "python_module": {
+            "module": "knockanalyzer.KnockAnalyzer",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "threads",
+        "type": "int",
+        "description": "custom threads",
+        "is_secret": False,
+        "required": False,
+    },
+    {
+        "python_module": {
+            "module": "knockanalyzer.KnockAnalyzer",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "recon",
+        "type": "bool",
+        "description": "subdomain reconnaissance",
+        "is_secret": False,
+        "required": False,
+    },
+    {
+        "python_module": {
+            "module": "knockanalyzer.KnockAnalyzer",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "bruteforce",
+        "type": "bool",
+        "description": "subdomain bruteforce",
+        "is_secret": False,
+        "required": False,
+    },
+    {
+        "python_module": {
+            "module": "knockanalyzer.KnockAnalyzer",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "dns",
+        "type": "str",
+        "description": "dns for knockpy",
+        "is_secret": False,
+        "required": False,
+    },
+]
+
+values = [
+    {
+        "parameter": {
+            "python_module": {
+                "module": "knockanalyzer.KnockAnalyzer",
+                "base_path": "api_app.analyzers_manager.observable_analyzers",
+            },
+            "name": "recon",
+            "type": "bool",
+            "description": "subdomain reconnaissance",
+            "is_secret": False,
+            "required": False,
+        },
+        "analyzer_config": "Knock",
+        "connector_config": None,
+        "visualizer_config": None,
+        "ingestor_config": None,
+        "pivot_config": None,
+        "for_organization": False,
+        "value": True,
+        "updated_at": "2024-05-22T12:25:43.887022Z",
+        "owner": None,
+    },
+    {
+        "parameter": {
+            "python_module": {
+                "module": "knockanalyzer.KnockAnalyzer",
+                "base_path": "api_app.analyzers_manager.observable_analyzers",
+            },
+            "name": "bruteforce",
+            "type": "bool",
+            "description": "subdomain bruteforce",
+            "is_secret": False,
+            "required": False,
+        },
+        "analyzer_config": "Knock",
+        "connector_config": None,
+        "visualizer_config": None,
+        "ingestor_config": None,
+        "pivot_config": None,
+        "for_organization": False,
+        "value": True,
+        "updated_at": "2024-05-22T12:25:45.001333Z",
+        "owner": None,
+    },
+]
+
+
+def _get_real_obj(Model, field, value):
+    def _get_obj(Model, other_model, value):
+        if isinstance(value, dict):
+            real_vals = {}
+            for key, real_val in value.items():
+                real_vals[key] = _get_real_obj(other_model, key, real_val)
+            value = other_model.objects.get_or_create(**real_vals)[0]
+        # it is just the primary key serialized
+        else:
+            if isinstance(value, int):
+                if Model.__name__ == "PluginConfig":
+                    value = other_model.objects.get(name=plugin["name"])
+                else:
+                    value = other_model.objects.get(pk=value)
+            else:
+                value = other_model.objects.get(name=value)
+        return value
+
+    if (
+        type(getattr(Model, field))
+        in [ForwardManyToOneDescriptor, ForwardOneToOneDescriptor]
+        and value
+    ):
+        other_model = getattr(Model, field).get_queryset().model
+        value = _get_obj(Model, other_model, value)
+    elif type(getattr(Model, field)) in [ManyToManyDescriptor] and value:
+        other_model = getattr(Model, field).rel.model
+        value = [_get_obj(Model, other_model, val) for val in value]
+    return value
+
+
+def _create_object(Model, data):
+    mtm, no_mtm = {}, {}
+    for field, value in data.items():
+        value = _get_real_obj(Model, field, value)
+        if type(getattr(Model, field)) is ManyToManyDescriptor:
+            mtm[field] = value
+        else:
+            no_mtm[field] = value
+    try:
+        o = Model.objects.get(**no_mtm)
+    except Model.DoesNotExist:
+        o = Model(**no_mtm)
+        o.full_clean()
+        o.save()
+        for field, value in mtm.items():
+            attribute = getattr(o, field)
+            if value is not None:
+                attribute.set(value)
+        return False
+    return True
+
+
+def migrate(apps, schema_editor):
+    Parameter = apps.get_model("api_app", "Parameter")
+    PluginConfig = apps.get_model("api_app", "PluginConfig")
+    python_path = plugin.pop("model")
+    Model = apps.get_model(*python_path.split("."))
+    if not Model.objects.filter(name=plugin["name"]).exists():
+        exists = _create_object(Model, plugin)
+        if not exists:
+            for param in params:
+                _create_object(Parameter, param)
+            for value in values:
+                _create_object(PluginConfig, value)
+
+
+def reverse_migrate(apps, schema_editor):
+    python_path = plugin.pop("model")
+    Model = apps.get_model(*python_path.split("."))
+    Model.objects.get(name=plugin["name"]).delete()
+
+
+class Migration(migrations.Migration):
+    atomic = False
+    dependencies = [
+        ("api_app", "0062_alter_parameter_python_module"),
+        ("analyzers_manager", "0114_analyzer_config_polyswarmobs"),
+    ]
+
+    operations = [migrations.RunPython(migrate, reverse_migrate)]
diff --git a/api_app/analyzers_manager/observable_analyzers/knockanalyzer.py b/api_app/analyzers_manager/observable_analyzers/knockanalyzer.py
@@ -0,0 +1,49 @@
+import json
+import logging
+
+from knock import knockpy
+
+from api_app.analyzers_manager import classes
+from tests.mock_utils import if_mock_connections, patch
+
+logger = logging.getLogger(__name__)
+
+
+class KnockAnalyzer(classes.ObservableAnalyzer):
+    """
+    This analyzer is a wrapper for the knockpy project.
+    """
+
+    dns: str = None
+    useragent: str = None
+    timeout: int = None
+    threads: int = None
+    recon: bool = True
+    bruteforce: bool = True
+
+    def update(self) -> bool:
+        pass
+
+    def run(self):
+        logger.info(f"Running KnockAnalyzer for {self.observable_name}")
+        results = knockpy.KNOCKPY(
+            domain=self.observable_name,
+            dns=self.dns,
+            useragent=self.useragent,
+            timeout=self.timeout,
+            threads=self.threads,
+            recon=self.recon,
+            bruteforce=self.bruteforce,
+        )
+
+        results = json.dumps(results)
+        return results
+
+    @classmethod
+    def _monkeypatch(cls):
+        patches = [
+            if_mock_connections(
+                patch.object(knockpy, "KNOCKPY", return_value=None),
+            )
+        ]
+        return super()._monkeypatch(patches=patches)
diff --git a/docs/source/Usage.md b/docs/source/Usage.md
@@ -276,6 +276,7 @@ threat prevention, reducing and automating the manual work of security analysts.
 * `CriminalIp`: [Criminal IP](https://www.criminalip.io/) is an OSINT search engine specialized in attack surface assessment and threat hunting. It offers extensive cyber threat intelligence, including device reputation, geolocation, IP reputation for C2 or scanners, domain safety, malicious link detection, and APT attack vectors via search and API.
 * `CriminalIp_Scan`:CriminalIp_Scan is an implementation of scan APIs provided by [CriminalIp](https://www.criminalip.io/) specifically for domains. Criminal IP is an OSINT search engine specialized in attack surface assessment and threat hunting. It offers extensive cyber threat intelligence, including device reputation, geolocation, IP reputation for C2 or scanners, domain safety, malicious link detection, and APT attack vectors via search and API.
 * `PolyswarmObs`: Scan an observable using [Polyswarm](https://docs.polyswarm.io/) API. Paid plan is required for IP and Domain scans. Hash scan is free.
+* `Knock`:[Knock](https://github.com/guelfoweb/knock) or Knockpy is a portable and modular python3 tool designed to quickly enumerate subdomains on a target domain through passive reconnaissance and dictionary scan.         
 
 ##### Generic analyzers (email, phone number, etc.; anything really)
 
diff --git a/requirements/project-requirements.txt b/requirements/project-requirements.txt
@@ -82,6 +82,7 @@ ail_typo_squatting==2.7.4
 iocextract==1.16.1
 ioc-finder==7.0.0
 polyswarm-api==3.8.0
+knock-subdomains==7.0.1
 
 # this is required because XLMMacroDeobfuscator does not pin the following packages
 pyxlsb2==0.0.8
