Instantly share code, notes, and snippets.

Embed
What would you like to do?
Python script to interface with totalhash.com
#!/usr/bin/env python
import sys
from optparse import OptionParser
import requests
import re
from bs4 import BeautifulSoup
#from requests.packages.urllib3.exceptions import InsecureRequestWarning
#This removes the urllib3 warnings
#requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
#####
# Edited malc0de's TotalHash script to work with the new TotalHash domain (https://totalhash.cymru.com)
# Instead of using URLLib, used Requests and Beautiful soup to do all of the work
# Enjoy!
#####
message = 'Python script search totalhash.com see http://totalhash.com/help/ for examples'
parser = OptionParser(message)
parser.add_option('-r', '--report', dest='r', help='print out analysis report ./totalhash.py -r sha256', action='store')
parser.add_option('-s', '--search', dest='s', help='search totalhash ./totalhash.py -s ip:127.0.0.1 (search terms: av: dnsrr: email: filename: hash: ip: mutex: pdb: registry: url: useragent: version: )', action='store')
(options, args) = parser.parse_args()
if len(sys.argv)==1:
parser.print_help()
sys.exit(1)
if options.s:
count = 0
total = 0
while count <= total:
#Let's forge our User-agent string
#TODO: Make this configurable as a parameter
headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE+8.0; Windows NT 5.1; Trident/4.0;)'}
#TODO: Add Trusted Root Certificate (GeoTrust) so I can remove the verify=False
#Note: Remove verify=False if you want to ensure you're truly connecting with TotalHash. You'll need to add it's Root Certificate to your local trusted store
if count == 0:
r = requests.get('https://totalhash.cymru.com/search/%s' % (options.s), headers=headers, verify=False)
else:
r = requests.get('https://totalhash.cymru.com/search/%s/%s' % (options.s, count), headers=headers, verify=False)
#TH is nice enough to put the number of results at the top of the page, so let's grab that and we can use that in our while loop
results = re.findall("\x3ch3\x3eDisplaying.*?of (.*?) results\x3c\x2fh3\x3e", r.content, re.DOTALL)
total = int(results[0])
#If there is no results, exit
if total == 0:
break
else:
soup = BeautifulSoup(r.content, "html.parser")
for table_ in soup.find_all('table'):
trList = table_.find_all('tr')
for tr in trList:
td = tr.find_all('td')
try:
#Set the sha1, timestamp and detection
sha1 = td[0].find('a').contents[0]
timestamp = td[1].contents[0]
detection = td[3].contents[0]
#If there is a detection, grab the contents of the <a> tag
if detection != 'N/A':
detectionText = detection.contents[0]
else:
detectionText = detection
#Print our results!
#TODO: Write this to a file and not stdout
print sha1 + "," + timestamp + "," + detectionText
except Exception, e:
#This occurs on the first row of the table (which is the header)
#TODO: Make this more elegant instead of in an exception. This could be bad
continue
count = count + 20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment