theresafewconors / sooty Goto Github PK

Saw the Check if the IP is a Tor exit node looked at the code. You would be amazed at how many people don't know about that, good job! https://github.com/TheresAFewConors/Sooty/blob/master/Sooty.py#L204

Tracking case for PR35

• Introduces Github workflow with linting_check.yaml
• Bugfix for problems with certain packeges.

Sadly, instead of just tying the API requests to tokens issued on an account like everyone else is doing, Troy has added a monthly cost to it's use. (Which paired with the recent announcement to sell HIBP hints towards a total cash-in on his end)

I suppose the necessary change here would be adding the token field like you've done with the others.

/Sooty-master/Sooty.py", line 10, in
from unfurl import core ModuleNotFoundError: No module named 'unfurl'
MacOS Catalina

What is the feature that you are requesting?
.eml support for the _ Analyze an Email_ feature. As .msg is Windows only.

What is the feature that you are requesting?
The feature will automatically create a TxT file with the name of the URL, IP provided for reputation check and save the output of the reputation check feature to that file with proper formatting.

Additional information
If further / more specific details are required, feel free to list them here.

• ... This feature will allow users to maintain a report of all the IOCs been analyzed.
• ... Good for documentation for sending / sharing with team members.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. If not related to an existing problem this can be left blank or removed.

Additional context
Add any other context, screenshots or information about the feature request here.

What is the feature that you are requesting?
1.) The BadIP API returns "IP Not Found" even for some IPs present in the BadIP DB, i would work on the code to make it full-proof.

Additional information

• ...
• ...

Is your feature request related to a problem? Please describe.
BadIP is making decision based on just 1 category listed for the IOC.
Customize the code to consider all the categories marked and display result.

Additional context

What is the feature that you are requesting?
Update email rep checker to utilize API key for extended requests

Additional information
No

Is your feature request related to a problem? Please describe.
Currently limited with very few requests that can be used, using an API key gives two options depending on the key:

• Free: 50 queries per day
• Enterprise: Unlimited

Still allows for Sooty to make requests without a key, just provides further functionality.

#7 https://www.phishtank.com/api_info.php - Verify if a URL has been used in a phishing attack

Issue
Issue caused by Python not releasing the email files.

Effect
Emails cannot be opened twice during the same instance.

Using Office365.com as an example, the WhoIs and VT check work fine, but the next two don't:

 Checking BadIP's... 
  Error reaching BadIPs

 ABUSEIPDB Report:
   Error Reaching ABUSE IPDB

Whereas when using the IP that was resolved through the WhoIS check (52.165.129.203):

 Checking BadIP's... 
  IP not found

 ABUSEIPDB Report:
   IP:          52.165.129.203
   Reports:     0
   Abuse Score: 0%
   Last Report: None

Can the script not be tweaked to just use the IP resolved through the WhoIS check to perform those final two checks?

requirements.txt file specifies pywin32 as a requirement, however this only applies if you are using windows. It will fail if you are not. Changing to pywin32==224; sys_platform == ‘windows’ will fix issue.

This is not a bug, I think this is just me being a rusher, but I am trying to debug my own issue trying to install this,

I have run the requirments.txt against pip and install all the features, I am now in the process of running the sooty.py file

Traceback (most recent call last):
  File "Sooty.py", line 17, in <module>
    import strictyaml
ModuleNotFoundError: No module named 'strictyaml

But when checking

root@kali:/home/kali/Desktop# pip install strictyaml
Requirement already satisfied: strictyaml in /usr/local/lib/python2.7/dist-packages (1.0.6)
Requirement already satisfied: python-dateutil>=2.6.0 in /usr/local/lib/python2.7/dist-packages (from strictyaml) (2.8.1)
Requirement already satisfied: ruamel.yaml>=0.14.2 in /usr/local/lib/python2.7/dist-packages (from strictyaml) (0.16.7)
Requirement already satisfied: six>=1.5 in /usr/local/lib/python2.7/dist-packages (from python-dateutil>=2.6.0->strictyaml) (1.12.0)
Requirement already satisfied: ruamel.yaml.clib>=0.1.2; platform_python_implementation == "CPython" and python_version < "3.8" in /usr/local/lib/python2.7/dist-packages (from ruamel.yaml>=0.14.2->strictyaml) (0.2.0)
Requirement already satisfied: ruamel.ordereddict; platform_python_implementation == "CPython" and python_version <= "2.7" in /usr/local/lib/python2.7/dist-packages (from ruamel.yaml>=0.14.2->strictyaml) (0.4.14)

Looks like I already have it installed?

I wonder if you know how I could look at resolving this! in the mean time

Kind Regards,

Jay,

What is the feature that you are requesting?
I'm thinking of redoing the menus to clean up the code. By putting the contents in dictionaries, we could generate the menus more consistently. It would allow us to take a lot of the printing code out. I haven't counted lines, but it might be quite a lot.
Another advantage: adding a new function only requires an edit in one part of the document - the dictionary.

What's your take?

Additional information
An example is listed below. I do need to really think about this carefully as it won't be entirely as easy as the example code below.

Is your feature request related to a problem? Please describe.
N/A

Additional context
Current code example for the phishing menu:

def phishingMenu():
    print("\n --------------------------------- ")
    print("          P H I S H I N G          ")
    print(" --------------------------------- ")
    print(" What would you like to do? ")
    print(" OPTION 1: Analyze an Email ")
    print(" OPTION 2: Analyze an Email Address for Known Activity")
    print(" OPTION 3: Generate an Email Template based on Analysis")
    print(" OPTION 4: Analyze an URL with Phishtank")
    print(" OPTION 9: HaveIBeenPwned")
    print(" OPTION 0: Exit to Main Menu")
    phishingSwitch(input())

def phishingSwitch(choice):
    if choice == '1':
        analyzePhish()
    if choice == '2':
        analyzeEmailInput()
    if choice == '3':
        emailTemplateGen()
    if choice == '4':
        phishtankModule()
    if choice == '9':
        haveIBeenPwned()
    else:
        mainMenu()

We could shorten this to the following dict:

phishingMenuDict = {
    # Number is the keyboard shortcut, name is the functionname, desc is what the users see as menu option
    0: {"name":"exit", "desc":"back to main menu"},
    1: {"name":"analyzePhish", "desc":"Analyze an Email"},
    2: {"name":"analyzeEmailInput", "desc":"Analyze an Email Address for Known Activity"},
    3: {"name":"emailTemplateGen", "desc":"Generate an Email Template based on Analysis"},
    4: {"name":"phishtankModule", "desc":"Analyze an URL with Phishtank"}
    9: {"name":"haveIBeenPwned", "desc":"HaveIBeenPwned"}
}

Then we need to write 1 function to generate a menu so that we could throw multiple of these dicts to that function. some semi code:

def menuGenerator(menuName):
    print(20 * "-")
    if menu = "main":
        print(mainMenuDict["title"])
    else:
        print(someOtherMenuDictName)
    print((20 * "-") + "\n")

    # That's the printing covered, below is the menu selection
    for menuItem in someOtherMenuDict:
        # Prints something like    Option 1: Analyze an Email
        print("  Option " + menuItem + ": " + someOtherMenuDictName["desc"])
    
    userChoice = input()
    # Check user input
    if userChoice in someOtherMenuDict:
        someOtherMenuDict(userChoice)
    else:
        print("Invalid option, please choose again")

fixed, no probs. was something with the python version

Describe the bug
Traceback

I've installed this tool many times and have only been able to get it working once and the last 4 times always fails. I work in a SOC and would love to be able to use this for my workflow.

Reproduction Steps
Steps to reproduce the behavior:

Traceback (most recent call last):
  File "Sooty.py", line 17, in <module>
    import strictyaml
ModuleNotFoundError: No module named 'strictyaml'

Desktop Operating System:

• OS: Ubuntu 18.04, Ubuntu 20.04, Windows Subsystem for Linux

Describe the bug
When utilizing the function hashRating(), as soon it hits:
if value['detected'] == True:
it moves to the except statement.

Reproduction Steps
Steps to reproduce the behavior:

1. removed function to isolate the code
2. add print statements before and after if and for lines
3. used known bad hash: e428cee7a89bf236f43c1ef30de2e58d96ce7763b658cb1dfae3cfc246933713
4. adding print(result) after:
   result = response.json()
   shows the full results, but the counting for total hits is off and not needed due to totals listed in the response.

Expected behavior
A clear and concise description of what was expected to happen.
Expect to get a total number of hits from VirusTotal or a not found.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop Operating System:

• OS: Win10

Additional context
Working on on modifying the function and will post when done.

Another good tool, may overlap with current options but worth mentioning since its had a few additions. The API is mentioned on the contact page.

Some suggestions:

More IP reputation sources, maybe operating individually but have 'scoring' option that weights them based on total results?

• https://docs.abuseipdb.com/#introduction
• https://www.apivoid.com/api/ip-reputation/

Bitcon address reputation checker:

• https://www.bitcoinabuse.com/api-docs

Some kind of phone number reputation checker:

• https://ekata.com/solutions/identity-check/

URL Scanner tool, for browsing to a suspect site:

• https://urlscan.io/about-api/

Office Safelinks Stripper, like:

• http://www.o365atp.com/

Host scanning with Nessus or Nmap, or both?

What is the Issue you are experiencing?
Give a description of what issue you are facing? eg. issue installing from requirements file, etc.
Cannot get past PEP 517 during cryptography install

What Operating System are you using?
The OS of the device that Sooty is running on.
--Windows 10 Pro 2004
--Python 3.8 via Windows Store (Tried 3.9 from Python website as well)

Additional Information
Any additional information that may benefit this case. (apologies for the bold section of the log; I'm done frustrating myself trying to figure out why it's doing that)
--Log entry:

Building wheels for collected packages: cffi, cryptography
Building wheel for cffi (setup.py) ... error
ERROR: Command errored out with exit status 1:
command: 'C:\Users\cpi\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\cpi\AppData\Local\Temp\pip-install-48xku_ov\cffi\setup.py'"'"'; file='"'"'C:\Users\cpi\AppData\Local\Temp\pip-install-48xku_ov\cffi\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' bdist_wheel -d 'C:\Users\cpi\AppData\Local\Temp\pip-wheel-jvlszf95'
cwd: C:\Users\cpi\AppData\Local\Temp\pip-install-48xku_ov\cffi
Complete output (37 lines):
configtest.c
running bdist_wheel
running build
running build_py
creating build
creating build\lib.win-amd64-3.8
creating build\lib.win-amd64-3.8\cffi
copying cffi\api.py -> build\lib.win-amd64-3.8\cffi
copying cffi\backend_ctypes.py -> build\lib.win-amd64-3.8\cffi
copying cffi\cffi_opcode.py -> build\lib.win-amd64-3.8\cffi
copying cffi\commontypes.py -> build\lib.win-amd64-3.8\cffi
copying cffi\cparser.py -> build\lib.win-amd64-3.8\cffi
copying cffi\error.py -> build\lib.win-amd64-3.8\cffi
copying cffi\ffiplatform.py -> build\lib.win-amd64-3.8\cffi
copying cffi\lock.py -> build\lib.win-amd64-3.8\cffi
copying cffi\model.py -> build\lib.win-amd64-3.8\cffi
copying cffi\pkgconfig.py -> build\lib.win-amd64-3.8\cffi
copying cffi\recompiler.py -> build\lib.win-amd64-3.8\cffi
copying cffi\setuptools_ext.py -> build\lib.win-amd64-3.8\cffi
copying cffi\vengine_cpy.py -> build\lib.win-amd64-3.8\cffi
copying cffi\vengine_gen.py -> build\lib.win-amd64-3.8\cffi
copying cffi\verifier.py -> build\lib.win-amd64-3.8\cffi
copying cffi_init.py -> build\lib.win-amd64-3.8\cffi
copying cffi_cffi_include.h -> build\lib.win-amd64-3.8\cffi
copying cffi\parse_c_type.h -> build\lib.win-amd64-3.8\cffi
copying cffi_embedding.h -> build\lib.win-amd64-3.8\cffi
copying cffi_cffi_errors.h -> build\lib.win-amd64-3.8\cffi
running build_ext
building '_cffi_backend' extension
creating build\temp.win-amd64-3.8
creating build\temp.win-amd64-3.8\Release
creating build\temp.win-amd64-3.8\Release\c
creating build\temp.win-amd64-3.8\Release\c\libffi_msvc
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\x86_amd64\cl.exe /c /nologo /Ox /W3 /GL /DNDEBUG /MD -Ic/libffi_msvc "-IC:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1776.0_x64__qbz5n2kfra8p0\include" "-IC:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1776.0_x64__qbz5n2kfra8p0\include" "-IC:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE" "-IC:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\ATLMFC\INCLUDE" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\ucrt" /Tcc/_cffi_backend.c /Fobuild\temp.win-amd64-3.8\Release\c/_cffi_backend.obj
_cffi_backend.c
c:\program files\windowsapps\pythonsoftwarefoundation.python.3.8_3.8.1776.0_x64__qbz5n2kfra8p0\include\pyconfig.h(206): fatal error C1083: Cannot open include file: 'basetsd.h': No such file or directory
error: command 'C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\x86_amd64\cl.exe' failed with exit status 2

ERROR: Failed building wheel for cffi
Running setup.py clean for cffi
Building wheel for cryptography (PEP 517) ... error
ERROR: Command errored out with exit status 1:
command: 'C:\Users\cpi\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\python.exe' 'C:\Users\cpi\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\pip_vendor\pep517_in_process.py' build_wheel 'C:\Users\cpi\AppData\Local\Temp\tmptrr7hwl8'
cwd: C:\Users\cpi\AppData\Local\Temp\pip-install-48xku_ov\cryptography
Complete output (136 lines):
running bdist_wheel
running build
running build_py
creating build
creating build\lib.win-amd64-3.8
creating build\lib.win-amd64-3.8\cryptography
copying src\cryptography\exceptions.py -> build\lib.win-amd64-3.8\cryptography
copying src\cryptography\fernet.py -> build\lib.win-amd64-3.8\cryptography
copying src\cryptography\utils.py -> build\lib.win-amd64-3.8\cryptography
copying src\cryptography_about_.py -> build\lib.win-amd64-3.8\cryptography
copying src\cryptography_init_.py -> build\lib.win-amd64-3.8\cryptography
creating build\lib.win-amd64-3.8\cryptography\hazmat
copying src\cryptography\hazmat_oid.py -> build\lib.win-amd64-3.8\cryptography\hazmat
copying src\cryptography\hazmat_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat
creating build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509\base.py -> build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509\certificate_transparency.py -> build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509\extensions.py -> build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509\general_name.py -> build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509\name.py -> build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509\ocsp.py -> build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509\oid.py -> build\lib.win-amd64-3.8\cryptography\x509
copying src\cryptography\x509_init_.py -> build\lib.win-amd64-3.8\cryptography\x509
creating build\lib.win-amd64-3.8\cryptography\hazmat\backends
copying src\cryptography\hazmat\backends\interfaces.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends
copying src\cryptography\hazmat\backends_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends
creating build\lib.win-amd64-3.8\cryptography\hazmat\bindings
copying src\cryptography\hazmat\bindings_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\bindings
creating build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives\cmac.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives\constant_time.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives\hashes.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives\hmac.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives\keywrap.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives\padding.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives\poly1305.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
copying src\cryptography\hazmat\primitives_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives
creating build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\aead.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\backend.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\ciphers.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\cmac.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\decode_asn1.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\dh.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\dsa.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\ec.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\ed25519.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\ed448.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\encode_asn1.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\hashes.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\hmac.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\ocsp.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\poly1305.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\rsa.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\utils.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\x25519.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\x448.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl\x509.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
copying src\cryptography\hazmat\backends\openssl_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\backends\openssl
creating build\lib.win-amd64-3.8\cryptography\hazmat\bindings\openssl
copying src\cryptography\hazmat\bindings\openssl\binding.py -> build\lib.win-amd64-3.8\cryptography\hazmat\bindings\openssl
copying src\cryptography\hazmat\bindings\openssl_conditional.py -> build\lib.win-amd64-3.8\cryptography\hazmat\bindings\openssl
copying src\cryptography\hazmat\bindings\openssl_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\bindings\openssl
creating build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\dh.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\dsa.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\ec.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\ed25519.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\ed448.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\padding.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\rsa.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\utils.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\x25519.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric\x448.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
copying src\cryptography\hazmat\primitives\asymmetric_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\asymmetric
creating build\lib.win-amd64-3.8\cryptography\hazmat\primitives\ciphers
copying src\cryptography\hazmat\primitives\ciphers\aead.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\ciphers
copying src\cryptography\hazmat\primitives\ciphers\algorithms.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\ciphers
copying src\cryptography\hazmat\primitives\ciphers\base.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\ciphers
copying src\cryptography\hazmat\primitives\ciphers\modes.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\ciphers
copying src\cryptography\hazmat\primitives\ciphers_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\ciphers
creating build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
copying src\cryptography\hazmat\primitives\kdf\concatkdf.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
copying src\cryptography\hazmat\primitives\kdf\hkdf.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
copying src\cryptography\hazmat\primitives\kdf\kbkdf.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
copying src\cryptography\hazmat\primitives\kdf\pbkdf2.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
copying src\cryptography\hazmat\primitives\kdf\scrypt.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
copying src\cryptography\hazmat\primitives\kdf\x963kdf.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
copying src\cryptography\hazmat\primitives\kdf_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\kdf
creating build\lib.win-amd64-3.8\cryptography\hazmat\primitives\serialization
copying src\cryptography\hazmat\primitives\serialization\base.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\serialization
copying src\cryptography\hazmat\primitives\serialization\pkcs12.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\serialization
copying src\cryptography\hazmat\primitives\serialization\ssh.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\serialization
copying src\cryptography\hazmat\primitives\serialization_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\serialization
creating build\lib.win-amd64-3.8\cryptography\hazmat\primitives\twofactor
copying src\cryptography\hazmat\primitives\twofactor\hotp.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\twofactor
copying src\cryptography\hazmat\primitives\twofactor\totp.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\twofactor
copying src\cryptography\hazmat\primitives\twofactor\utils.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\twofactor
copying src\cryptography\hazmat\primitives\twofactor_init_.py -> build\lib.win-amd64-3.8\cryptography\hazmat\primitives\twofactor
running egg_info
writing src\cryptography.egg-info\PKG-INFO
writing dependency_links to src\cryptography.egg-info\dependency_links.txt
writing requirements to src\cryptography.egg-info\requires.txt
writing top-level names to src\cryptography.egg-info\top_level.txt
reading manifest file 'src\cryptography.egg-info\SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'docs_build'
warning: no previously-included files found matching 'vectors'
warning: no previously-included files matching '' found under directory 'vectors'
warning: no previously-included files found matching 'azure-pipelines.yml'
warning: no previously-included files found matching '.azure-pipelines'
warning: no previously-included files found matching '.travis.yml'
warning: no previously-included files found matching '.travis'
warning: no previously-included files matching '' found under directory '.azure-pipelines'
warning: no previously-included files matching '*' found under directory '.travis'
warning: no previously-included files found matching 'release.py'
warning: no previously-included files found matching '.coveragerc'
warning: no previously-included files found matching 'codecov.yml'
warning: no previously-included files found matching 'dev-requirements.txt'
warning: no previously-included files found matching 'rtd-requirements.txt'
warning: no previously-included files found matching 'tox.ini'
writing manifest file 'src\cryptography.egg-info\SOURCES.txt'
running build_ext
generating cffi module 'build\temp.win-amd64-3.8\Release\_padding.c'
creating build\temp.win-amd64-3.8
creating build\temp.win-amd64-3.8\Release
generating cffi module 'build\temp.win-amd64-3.8\Release\_constant_time.c'
generating cffi module 'build\temp.win-amd64-3.8\Release\_openssl.c'
building '_openssl' extension
creating build\temp.win-amd64-3.8\Release\build
creating build\temp.win-amd64-3.8\Release\build\temp.win-amd64-3.8
creating build\temp.win-amd64-3.8\Release\build\temp.win-amd64-3.8\Release
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\x86_amd64\cl.exe /c /nologo /Ox /W3 /GL /DNDEBUG /MD "-IC:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1776.0_x64__qbz5n2kfra8p0\include" "-IC:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1776.0_x64__qbz5n2kfra8p0\include" "-IC:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE" "-IC:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\ATLMFC\INCLUDE" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\ucrt" /Tcbuild\temp.win-amd64-3.8\Release_openssl.c /Fobuild\temp.win-amd64-3.8\Release\build\temp.win-amd64-3.8\Release_openssl.obj
_openssl.c
C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1776.0_x64__qbz5n2kfra8p0\include\pyconfig.h(206): fatal error C1083: Cannot open include file: 'basetsd.h': No such file or directory
error: command 'C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\x86_amd64\cl.exe' failed with exit status 2

ERROR: Failed building wheel for cryptography
Failed to build cffi cryptography
ERROR: Could not build wheels for cryptography which use PEP 517 and cannot be installed directly

Hey,

I was testing out Sooty today, but I ran into an issue just testing out something.
I did a reputation check for a website (first one that came to mind) and i got the following traceback info.

 WHO IS REPORT:
  CIDR:      13.32.0.0/12
  Name:      AT-88-Z
  Range:     13.32.0.0 - 13.47.255.255
  Descr:     Amazon Technologies Inc.
  Country:   US
  State:     WA
  City:      Seattle
  Address:   410 Terry Ave N.
  Post Code: 98109
  Created:   2016-08-09
  Updated:   2018-04-12

 VirusTotal Report:
 There's been an error - check your API key, or VirusTotal is possible down
Traceback (most recent call last):
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\contrib\pyopenssl.py", line 456, in wrap_socket
    cnx.do_handshake()
  File "C:\code\Sooty\venv\lib\site-packages\OpenSSL\SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "C:\code\Sooty\venv\lib\site-packages\OpenSSL\SSL.py", line 1639, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (10054, 'WSAECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\connection.py", line 344, in connect
    ssl_context=context)
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\util\ssl_.py", line 347, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\contrib\pyopenssl.py", line 462, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: SysCallError(10054, 'WSAECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\code\Sooty\venv\lib\site-packages\requests\adapters.py", line 449, in send
    timeout=timeout
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "C:\code\Sooty\venv\lib\site-packages\urllib3\util\retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='check.torproject.org', port=443): Max retries exceeded with url: /cgi-bin/TorBulkExitList.py?ip=1.1.1.1 (Caused by SSLError(SSLError("bad handshake: SysCallError(10054, 'WSAECONNRESET')")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\code\Sooty\Sooty.py", line 996, in <module>
    mainMenu()
  File "C:\code\Sooty\Sooty.py", line 165, in mainMenu
    switchMenu(input())
  File "C:\code\Sooty\Sooty.py", line 54, in switchMenu
    phishingMenu()
  File "C:\code\Sooty\Sooty.py", line 573, in phishingMenu
    phishingSwitch(input())
  File "C:\code\Sooty\Sooty.py", line 107, in phishingSwitch
    haveIBeenPwned()
  File "C:\code\Sooty\Sooty.py", line 679, in haveIBeenPwned
    phishingMenu()
  File "C:\code\Sooty\Sooty.py", line 573, in phishingMenu
    phishingSwitch(input())
  File "C:\code\Sooty\Sooty.py", line 109, in phishingSwitch
    mainMenu()
  File "C:\code\Sooty\Sooty.py", line 165, in mainMenu
    switchMenu(input())
  File "C:\code\Sooty\Sooty.py", line 48, in switchMenu
    repChecker()
  File "C:\code\Sooty\Sooty.py", line 355, in repChecker
    req = requests.get(TOR_URL)
  File "C:\code\Sooty\venv\lib\site-packages\requests\api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "C:\code\Sooty\venv\lib\site-packages\requests\api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\code\Sooty\venv\lib\site-packages\requests\sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\code\Sooty\venv\lib\site-packages\requests\sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "C:\code\Sooty\venv\lib\site-packages\requests\adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='check.torproject.org', port=443): Max retries exceeded with url: /cgi-bin/TorBulkExitList.py?ip=1.1.1.1 (Caused by SSLError(SSLError("bad handshake: SysCallError(10054, 'WSAECONNRESET')")))

I haven't had the time yet to find out why this is happening myself. There seems to be an SSL verification issue, but I don't know with which service.

Hello. I have python code for integration with urlscan.io (api key required). If this is a feature you'd like to add I can create a pull request.

Hi,

While installing we are getting below error

python3 Sooty.py
Traceback (most recent call last):
File "Sooty.py", line 11, in
import html.parser
ModuleNotFoundError: No module named 'html.parser'

What is the Issue you are experiencing?
All of the dependancies install without any issues. However when I run python3 Sooty.py Python crashes

What Operating System are you using?
macOS 10.15.7
Python 3.8.6

Additional Information
The issue appears to be in the libcrypto module

/usr/lib/libcrypto.dylib
abort() called
Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI.

OPTION 2: Decoders (PP, URL) > OPTION 1: ProofPoint Decoder

This option works (the URL is decoded correctly) but upon selecting 'OPTION 1' you're taken to the next line with no prompt for the URL.

Using 'OPTION 2: URL Decoder' presents you with 'url: ' which I think is the intended behavior.

What is the feature that you are requesting?
Some features used in the tool can leak information to attackers and open source intelligence such as the scan to URLscan.
Therefore the tool should provide a one-shot disclaimer and a disclaimer likely in the README.

I would also suggest adding the passive alternative of scan -> search.

Additional information

Scanning on URLscan can lead to expose sensitive documents, sessions. It can also tip attacker that a specific campaign and even a specific email address is valid, information that they can use in a more advanced campaign.

Would using the HIBP API similarly to the VT API be a possible feature request?

Issue installing requirements

Collecting dfir-unfurl (from -r requirements.txt (line 6))
Could not find a version that satisfies the requirement dfir-unfurl (from -r requirements.txt (line 6)) (from versions: )
No matching distribution found for dfir-unfurl (from -r requirements.txt (line 6))

What Operating System are you using?
Kali / Debian

When try to run Sooty.py in Kali after installing all requirement.txt using pip command with Python3 available.

Getting error when I ran python Sooty.py
Traceback (most recent call last):
File "Sooty.py", line 13, in
import urllib.parse
ImportError: No module named parse

Pip install -r requirements.txt results in:

Collecting pywin32==224 (from -r requirements.txt (line 12))
ERROR: Could not find a version that satisfies the requirement pywin32==224 (from -r requirements.txt (line 12)) (from versions: none)

Same for pip3.

Tried this on both plain Ubuntu 18.04 LTS and Ubuntu 18.04 LTS in Windows subsystem for Linux: same error.

Describe the bug
Hi while I was trying to launch Sooty for the first time. I received a message error that no module named 'strictyaml'. This stopped launching Sooty
Reproduction Steps
Steps to reproduce the behavior:
1.navigate the the main branch on cli
2. launch Sooty by command python3 Sooty.py
3. error pop up and no further action
...

Expected behavior
Application to launch

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop Operating System:

• Kali Linux 2019.1

Additional context
Add any other context about the problem here.

Can not execute Sooty after install

S.O. Ubuntu Server 18.04.4
Python3
installed all the requirements --> OK
modify API Keys in config.yaml

but when i try to run "python3 Sooty.py" i get this error message:

"Traceback (most recent call last):
File "Sooty.py", line 17, in
import strictyaml
ModuleNotFoundError: No module named 'strictyaml'"

What is the feature that you are requesting?
Default URLScan type to private

Additional information
Instead of defaulting to public, what do you think of defaulting to private with an option to choose what you want, or just hit enter to leave default?

Is your feature request related to a problem? Please describe.
No problem, just thinking. Before I submit a PR with changes, I wanted to bounce the idea off of you first since it is your baby after all.

Additional context
None. Just a privacy goof.

Add support to Base64 extraction and decoding for URLs.
Already done on my fork, under the Decoders menu.
I just run a regex to detect possible b64 strings and then try to decode each match, printing on success.

Hello, I tried to make a file that contains hash list. I make a some modification for list.txt input. I have a purpose for match hash list with vt hash signature to decide its malware or not line by line. But the problem is, that it takes a very long time for giving the result. I am new in programming, so i dont know whats wrong with that. Sorry I'm not fluent in English, i hope u understand what im saying. is there any solution?

Nice work on the enhancements, I'll keep adding until you tell me to stop haha

• A decoder along the lines of >> Paste internet headers from email >> tool outputs fields of interest (e.g Sender IP, Original true sender address, SPF etc.) in a pretty and liftable snippet

When trying to launch Sooty, getting the below error.

python Sooty.py
File "Sooty.py", line 822
SyntaxError: Non-ASCII character '\xe2' in file Sooty.py on line 822, but no encoding declared; see http://python.org/dev/peps/pep-0263/ for details

Apologies if this is a daft question but to get the email analysis working I had to install VS 2015 Update 3 however I note that mainstream support has now ended. (https://support.microsoft.com/en-gb/lifecycle/search/1117)

Is there a more recent version this works with/is there a plan to move to something newer?

The following Error:

ubuntu@ubuntu-VirtualBox:~/Desktop$ python Sooty.py
File "Sooty.py", line 7
[<]!DOCTYPE html[>]
^
SyntaxError: invalid syntax

Pip install the requirement.txt in Kali linux.

R E P U T A T I O N C H E C K

Enter IP, URL or Email Address: 8.8.8.8

WHO IS REPORT:
CIDR: 8.0.0.0/9
Name: LVLT-ORG-8-8
Range: 8.0.0.0 - 8.127.255.255
Descr: Level 3 Parent, LLC
Country: US
State: LA
City: Monroe
Address: 100 CenturyLink Drive
Post Code: 71203
Created: 1992-12-01
Updated: 2018-04-23

VirusTotal Report:
Traceback (most recent call last):
File "Sooty.py", line 1218, in
mainMenu()
File "Sooty.py", line 180, in mainMenu
switchMenu(input())
File "Sooty.py", line 55, in switchMenu
repChecker()
File "Sooty.py", line 392, in repChecker
params = {'apikey': configvars.data['VT_API_KEY'], 'ip': wIP}
NameError: name 'configvars' is not defined

Any idea?

These are some more things I'm currently working on
VirusTotal
-URL scan
-submit file hash
Alien Vault OTX - pull reputation data on:
-domain
-ip
Apility (they have a free API, it has a rate limit, but I haven't hit it ever.
-domain
-ip

The more sources, the better, since some miss things. If there are more sources, a sort of average "combined threat score" can be found. Let me know if you're interested in any of these.

A few more I might be wanting to work on in the future are:
urlhaus - to pull urls and hashes
threatminer

Thanks for your work on Sooty so far, super helpful!

I'd like to be able to interact with Sooty via the CLI rather than the text menu.

ie: ./Sooty --sanitise "URL" or ./Sooty --AnalyzeEmail "email.msg"

It'd make it faster than using the TUI and scriptable.

What is the Issue you are experiencing?
Give a description of what issue you are facing? eg. issue installing from requirements file, etc.
Cannot use the sooty.py when i use the ubuntu PC with proxy setting

What Operating System are you using?
The OS of the device that Sooty is running on.
ubuntu 20

Additional Information
Any additional information that may benefit this case.

Describe the bug
No module named 'tkinter' when running for first time

Traceback (most recent call last):
File "Sooty.py", line 21, in
import tkinter
ModuleNotFoundError: No module named 'tkinter'

Reproduction Steps
Steps to reproduce the behavior:

1. git clones repo into dir
2. went to dir
3. pip3 install -r requirements
   ...

Expected behavior
A clear and concise description of what was expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop Operating System:

• OS: Ubuntu 19.04

Additional context
Python 3.7.5

Describe the bug
When using the Option 4: DNS lookup and select option 3: WHOIS Lookup, when entering any of the requested i.e. IP / Domain the result goes into endless loop, it does not exit after giving the output. See attached

Reproduction Steps
Steps to reproduce the behavior:

1. Select Option 4: DNS Lookup
2. Select option 3: WhoIs lookup
3. Enter any value and check
   ...

Expected behavior
It should have thrown the output and given another prompt to select options, rather it goes into endless loop.

Screenshots
attached screenshot

Desktop Operating System:

• OS: [e.g. Win10, Linux, etc.]

Additional context
Add any other context about the problem here.

Issue
Emails don't open on first attempt if a space is in the email name

Effect
Emails have to be opened a second time in order for Python to read them

I appreciate the call out as a contributor for the Proofpoint script, but I can't take credit for it. I wanted to be sure that you saw my reply on Gist (https://gist.github.com/aaronjcopley/65a5198bf7b35361fdd315e786be9b9d#gistcomment-2936712) because I also noted there is a newer version published there.

Thanks!

What is the feature that you are requesting?
It would be useful to have an ioc extractor from PDF or webpages, to CSV

Additional information
Maybe this module would be useful: https://github.com/armbues/ioc_parser

Additional context
For instance, a new report from AV vendors came out. I could use Sooty to extract IOCs and input it in our tools.

I believe this feature works, I am just not easily understanding how to present it the header? I select option 1 and I get this:
Error Opening File

Extracting Headers...
Header Error
Traceback (most recent call last):
File "Sooty.py", line 592, in analyzePhish
print(" FROM: ", str(msg.SenderName), ", ", str(msg.SenderEmailAddress))
UnboundLocalError: local variable 'msg' referenced before assignment

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "Sooty.py", line 996, in
mainMenu()
File "Sooty.py", line 165, in mainMenu
switchMenu(input())
File "Sooty.py", line 54, in switchMenu
phishingMenu()
File "Sooty.py", line 573, in phishingMenu
phishingSwitch(input())
File "Sooty.py", line 101, in phishingSwitch
analyzePhish()
File "Sooty.py", line 603, in analyzePhish
f.close()

I realize it is an error saying that it didn't receive any input but where do I put the header?

Thanks,

What is the Issue you are experiencing?
Give a description of what issue you are facing? eg. issue installing from requirements file, etc.

I have cloned the Sooty github page, installed the requirements, and I am running Python 3+. whenever I CD into the 'sooty' directory, I cannot get the application to launch.

What Operating System are you using?
The OS of the device that Sooty is running on.
I am using a Virtual environment with Debian. LinuxMint

Additional Information
Any additional information that may benefit this case.
Looks like other github actions are all performing normally, I just cannot get the application to launch.