How to create your own threat intelligence platform with PHP, cURL and APIs
Uladzislau Murashka
Posted on September 5, 2018
A few years ago, when information security was not yet as popular as a commercial field, there were not many useful services that could help you detect technical problems, security issues and vulnerabilities in your infrastructure or website.
The problem was not only the availability and quality of tools but also the technologies in use and people's qualifications. As for the human factor, there was little information about how to make your code secure, few best-practice patterns and so on; that kind of knowledge accumulates over time from previous experience and new technologies.
As a good developer you had to check your code for vulnerabilities yourself; as a good admin you had to configure your Windows or Linux machines and servers securely. Again, everything depended on experience in finding and identifying those problems and vulnerabilities, and not many developers could do this properly. We are not even talking about penetration testing here, as it was not popular and poorly promoted at the time.
Looking at news from the past 5-7 years you can find many interesting hacks and exposures: Sony, international banks and many others. But how did they happen?
Somebody forgot about a test/staging server with default, simple or demo credentials, somebody used simple and popular passwords or didn't update after a critical vulnerability was disclosed, and all this led to serious leaks of confidential information.
Today there are many ready-to-use solutions, tested by time and the community, on the basis of which you can build and adjust a system for your needs instead of reinventing the wheel. Many systems in this niche cost money, but if you combine them and correlate and analyze information from several such sources, you can get nearly the same output as from a paid subscription to one of those systems (just as an example, of course not 100% the same :) )
Here is the list of platforms which you can easily integrate through their APIs:
- Shodan
- VirusTotal
- Phishtank
- Vulners
- Open Bug Bounty
Let's see how it works:
- Using a native PHP function we resolve the IP address of the domain name from which we start our analysis
- We then send the IP/domain name to Shodan and the other platforms to receive all the required data: IP blacklisting for spam and malware activity, and the history of IP address changes (which can help detect an origin IP hidden behind WAF/CDN/Anti-DDoS services)
- It may also help you find possible vulnerabilities disclosed by bug hunters through the Open Bug Bounty project
- Vulners will show you all known vulnerabilities for the detected and outdated software installed on your server
In my case I have also added services like "Have I Been Pwned" and "IBM X-Force" to get more up-to-date data regarding the target.
As you can see, you don't need to be a professional security engineer or developer to obtain this data and perform a basic security check of a project; there are only a few things you need to do:
- Find applicable services
- Read API docs
- Know basic PHP with cURL
Below are two functions, one for Shodan and another for VirusTotal:
// Query the Shodan host endpoint for an IP address. Replace <YourApiKey> with your own key;
// better still, read it from an environment variable instead of embedding it in the source.
function shodanHost($host) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://api.shodan.io/shodan/host/" . rawurlencode($host) . "?key=<YourApiKey>");
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Keep TLS certificate verification on: with it disabled, anyone on the path can read your API key.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $shodanResponse = curl_exec($ch);
    if ($shodanResponse === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Shodan request failed: " . $error);
    }
    curl_close($ch);
    return json_decode($shodanResponse);
}

// Fetch the VirusTotal (API v2) domain report for a domain name.
function virustotalCheck($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://www.virustotal.com/vtapi/v2/domain/report?apikey=<YourApiKey>&domain=" . rawurlencode($url));
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Same as above: verify the server certificate rather than switching verification off.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $virustotalResponse = curl_exec($ch);
    if ($virustotalResponse === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("VirusTotal request failed: " . $error);
    }
    curl_close($ch);
    return json_decode($virustotalResponse);
}
All responses come in easy-to-understand structured formats decoded from JSON, which you can then output as you wish. Based on this approach you can work with the received data and identify possible attack vectors or research directions.
P.S. Using services like Shodan or VirusTotal for information gathering is not a violation, and you don't need to run real scans against systems and services, yet you can obtain very informative data to find possible security issues.
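The correlation step described above (resolve the domain with a native PHP function, then combine what Shodan and VirusTotal return into one picture), as an added example that is not part of the original post. It assumes the API responses have been decoded into associative arrays (json_decode($response, true)), and the two $sample* arrays are constructed stand-ins for real responses; their field names (ports, data, vulns, detected_urls, resolutions, categories) follow the public Shodan host and VirusTotal v2 domain-report documentation, and the CVE id in the sample is a placeholder.

```php
<?php
// Added example: correlate a Shodan host record and a VirusTotal v2 domain
// report into one summary. Sample data below is constructed, not real output.
declare(strict_types=1);

// Resolve the domain with PHP's built-in resolver; returns the A records,
// or an empty array when the name does not resolve (e.g. offline).
function resolveDomain(string $domain): array {
    $records = @dns_get_record($domain, DNS_A);
    if ($records === false) {
        return [];
    }
    return array_values(array_unique(array_column($records, 'ip')));
}

// Pull the parts of a Shodan host record a first-pass review needs.
function summarizeShodan(array $shodan): array {
    $services = [];
    foreach ($shodan['data'] ?? [] as $banner) {
        $services[] = [
            'port'    => (int) ($banner['port'] ?? 0),
            'product' => $banner['product'] ?? 'unknown',
            'version' => $banner['version'] ?? '',
        ];
    }
    return [
        'org'      => $shodan['org'] ?? null,
        'ports'    => $shodan['ports'] ?? [],
        'services' => $services,
        'vulns'    => array_keys($shodan['vulns'] ?? []),   // CVE ids, when the plan exposes them
    ];
}

// Pull detection counts and passive-DNS history from a VT domain report.
// IPs the domain resolved to before but not now are flagged: that is the
// "IP change history" the post mentions, useful when a CDN/WAF fronts the origin today.
function summarizeVirusTotal(array $vt, array $currentIps): array {
    $historicIps = array_values(array_unique(array_column($vt['resolutions'] ?? [], 'ip_address')));
    return [
        'detected_urls'   => count($vt['detected_urls'] ?? []),
        'historic_ips'    => $historicIps,
        'ips_not_current' => array_values(array_diff($historicIps, $currentIps)),
        'categories'      => $vt['categories'] ?? [],
    ];
}

function buildReport(string $domain, array $currentIps, array $shodan, array $vt): array {
    return [
        'domain'     => $domain,
        'current_ip' => $currentIps,
        'shodan'     => summarizeShodan($shodan),
        'virustotal' => summarizeVirusTotal($vt, $currentIps),
    ];
}

// --- constructed sample data (documentation addresses, placeholder CVE) ---
$sampleShodan = [
    'org'   => 'Example Hosting',
    'ports' => [22, 80, 443],
    'data'  => [
        ['port' => 22,  'product' => 'OpenSSH', 'version' => '7.4'],
        ['port' => 80,  'product' => 'nginx',   'version' => '1.10.3'],
        ['port' => 443, 'product' => 'nginx',   'version' => '1.10.3'],
    ],
    'vulns' => ['CVE-XXXX-XXXXX' => ['summary' => 'placeholder entry']],
];
$sampleVt = [
    'detected_urls' => [
        ['url' => 'http://example.com/old-path', 'positives' => 3, 'total' => 67],
    ],
    'resolutions' => [
        ['ip_address' => '192.0.2.10',   'last_resolved' => '2016-01-01 00:00:00'],
        ['ip_address' => '198.51.100.5', 'last_resolved' => '2018-08-01 00:00:00'],
    ],
    'categories' => ['business'],
];

$domain     = 'example.com';
$currentIps = resolveDomain($domain) ?: ['198.51.100.5'];  // fall back to the sample IP when offline
print_r(buildReport($domain, $currentIps, $sampleShodan, $sampleVt));
```

With the sample data, the report lists the three open ports with their banners and flags 192.0.2.10 under ips_not_current, since the domain no longer resolves to it. Plugging in the live functions means replacing the two sample arrays with json_decode(..., true) of shodanHost() and virustotalCheck() output.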