Recently I wrote a tool called JTB Investigator that is essentially a framework to automate lookups I have to do like 100 times a day. Why you might ask do I have to do the same basic lookups so often? One word: BitSight. For those of you that have never heard of it BitSight is a Security Ratings tool that looks at the external IP range of an organization and gives you an overall score based on what it sees. Along with this score it gives alerts about the ‘issues’ it finds. These include severe, useful things like hosts interacting with known botnet C2s and expired certificates. It also gives alerts for very small things but that’s another story
Anyway these alerts provide little to nothing in the way of actionable intelligence. The give you the public IP it flagged as the offender that caused the alert and the alert that happened. That’s it. If it’s a certificate error it gives some information about the cert or if it’s an open port it tells you what port, but if it detects botnet traffic from one of their DNS Blackholes it doesn’t tell the IP or url it was going to or any extra information. On top of that the organization I work for has very limited host based logs so tracking a NATed public IP back to it’s private IP is rather difficult. (I’m also not a very good threat hunter)
If you have read my previous post you know that I recently attended DerbyCon and saw an awesome talk by @byt3bl33d3r about a very interesting implementation of Python, IronPython. IronPython allows the usage of .NET assemblies within Python scripts and programs. This allows powerful interactions with lower-level Windows functions with the ease of Python scripting. You can read more about it here.
After digging into it a little bit and following along with IronPython in Action and Professional IronPython, (The IronPython Cookbook is a great resource too) I realized I needed to understand Python and .NET more before I could do anything useful with IronPython. Since I had been so frustrated with doing the same lookups over and over again to try and figure out what resource was causing the alerts in BitSight, I decided to both make my life easier and get better with python by writing this tool.
The tool is a simple framework that automates DNS Lookups, nmap scans, and whois lookups at the moment but can be easily extended (thanks to me finally understanding OOP a little bit). You can use it as either a menu driven tool or from the command line to completely automate the process.
Just feed it either a hostname or an IP address and let it do the rest for you! I don’t know if anyone else will find this useful but it has definitely saved me some time at work and was a lot of fun to make!
I learned a lot about Python and OOP throughout this project. I gave me a great base to start digging deeper into IronPython. The next step is to really understand the .NET framework better. It’s amazing how control you can get just by import the CLR but that’s for another post when I actually know what I’m talking about.
Thanks for getting through this rant and don’t forget to check out my tool on github!