Work in progress

.gitignore

@@ -0,0 +1,163 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# VSCode
+.vscode/

README.md

@@ -0,0 +1,3 @@
+# WTFis
+
+Passive domain lookup tool

pyproject.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["setuptools"]
+build-backend = "setuptools.build_meta"

setup.cfg

@@ -0,0 +1,17 @@
+[metadata]
+name = wtfis
+version = 0.0.1
+
+[options]
+packages = find:
+install_requires =
+    pydantic
+    requests
+    tldextract
+
+[options.entry_points]
+console_scripts =
+    wtfis = wtfis.main:main
+
+[flake8]
+max-line-length = 120

wtfis/clients/passivetotal.py

@@ -0,0 +1,46 @@
+import json
+import requests
+
+from requests.exceptions import HTTPError, JSONDecodeError
+# from pydantic import ValidationError
+from typing import Optional
+
+from wtfis.models.passivetotal import Whois
+
+
+class PTClient:
+    """
+    Passivetotal client
+    """
+    baseurl = "https://api.riskiq.net/pt/v2"
+
+    def __init__(self, api_user: str, api_key: str) -> None:
+        self.s = requests.Session()
+        self.s.auth = (api_user, api_key)
+
+    def _get(self, request: str, params: Optional[dict] = None) -> Optional[dict]:
+        try:
+            resp = self.s.get(self.baseurl + request, params=params)
+            resp.raise_for_status()
+
+            return json.loads(json.dumps((resp.json())))
+        except (HTTPError, JSONDecodeError):
+            raise
+
+    def passive(self, domain: str) -> dict:
+        return self._get(
+            "/dns/passive",
+            params={
+                "query": domain,
+            },
+        )
+
+    def get_whois(self, domain: str) -> Optional[Whois]:
+        return Whois.parse_obj(
+            self._get(
+                "/whois",
+                params={
+                    "query": domain
+                }
+            )
+        )

wtfis/clients/virustotal.py

@@ -0,0 +1,34 @@
+import json
+import requests
+
+from requests.exceptions import HTTPError, JSONDecodeError
+# from pydantic import ValidationError
+from typing import Optional
+
+from wtfis.models.virustotal import Domain
+
+
+class VTClient:
+    """
+    Virustotal client
+    """
+    baseurl = "https://www.virustotal.com/api/v3"
+
+    def __init__(self, api_key: str) -> None:
+        self.s = requests.Session()
+        self.s.headers = {
+            "x-apikey": api_key,
+            "Accept": "application/json",
+        }
+
+    def _get(self, request: str) -> Optional[dict]:
+        try:
+            resp = self.s.get(self.baseurl + request)
+            resp.raise_for_status()
+
+            return json.loads(json.dumps((resp.json())))["data"]["attributes"]
+        except (HTTPError, JSONDecodeError):
+            raise
+
+    def get_domain(self, domain: str) -> Domain:
+        return Domain.parse_obj(self._get(f"/domains/{domain}"))

wtfis/main.py

@@ -0,0 +1,32 @@
+import datetime
+import os
+import sys
+
+from dotenv import load_dotenv
+from prompt_toolkit import HTML, print_formatted_text as print
+
+from wtfis.clients.passivetotal import PTClient
+from wtfis.clients.virustotal import VTClient
+from wtfis.models.virustotal import Domain
+
+
+def iso_date(unix_time: int) -> str:
+    return datetime.datetime.utcfromtimestamp(unix_time).isoformat()
+
+
+def main():
+    # Load environment variables
+    load_dotenv()
+
+    # Run
+    vt = VTClient(os.environ.get("VT_API_KEY"))
+    domain = Domain.parse_obj(vt.get_domain(sys.argv[1]))
+
+    print(HTML(f"<b>Reputation:</b> {domain.reputation}"))
+    print(HTML(f"<b>Registrar:</b> {domain.registrar}"))
+    print(HTML(f"<b>Last DNS Records Date:</b> {iso_date(domain.last_dns_records_date)}"))
+
+    pt = PTClient(os.environ.get("PT_API_USER"), os.environ.get("PT_API_KEY"))
+    passive = pt.get_whois(sys.argv[1])
+
+    print(passive)

wtfis/models/passivetotal.py

@@ -0,0 +1,21 @@
+from pydantic import BaseModel
+from typing import List
+
+
+class Registrant(BaseModel):
+    organization: str
+    email: str
+    name: str
+    telephone: str
+
+
+class Whois(BaseModel):
+    contactEmail: str
+    expiresAt: str
+    name: str
+    nameServers: List[str]
+    organization: str
+    registered: str
+    registrant: Registrant
+    registrar: str
+    registryUpdatedAt: str

wtfis/models/virustotal.py

@@ -0,0 +1,50 @@
+from pydantic import BaseModel
+from typing import Dict, List, Optional
+
+
+class AnalysisResult(BaseModel):
+    category: str
+    engine_name: str
+    method: str
+    result: str
+
+
+class LastAnalysisResults(BaseModel):
+    __root__: Dict[str, AnalysisResult]
+
+
+class LastAnalysisStats(BaseModel):
+    harmless: int
+    malicious: int
+    suspicious: int
+    timeout: int
+    undetected: int
+
+
+class Popularity(BaseModel):
+    rank: int
+    timestamp: int
+
+
+class PopularityRanks(BaseModel):
+    __root__: Dict[str, Popularity]
+
+
+class Domain(BaseModel):
+    """
+    Essential VT domain fields
+    """
+    creation_date: int
+    jarm: str
+    last_analysis_results: LastAnalysisResults
+    last_analysis_stats: LastAnalysisStats
+    last_dns_records_date: int
+    last_https_certificate_date: int
+    last_modification_date: int
+    last_update_date: int
+    popularity_ranks: PopularityRanks
+    registrar: str
+    reputation: int
+    tags: List[str]
+    whois: str
+    whois_date: Optional[int]