@joydragon
Last active February 25, 2021 19:01
This is a script to query the Kaspersky OpenTIP. I don't know if the "cym9cgwjk" header is going to expire, but you can get it from a normal connection to the platform. And sorry Kaspersky if you don't intend the platform to be used like this; I can remove this content.
#!/usr/bin/env python3
# This is a script to query the Kaspersky OpenTIP
# I don't know if the "cym9cgwjk" header is going to expire, but you can get it from a normal connection to the platform.
# And sorry Kaspersky if you don't intend the platform to be used like this, I can remove this content
import requests
import sys
from os import path
# Default value for the "cym9cgwjk" request header. update_auth_header()
# overwrites this global with the "Cym9cgwjk" response header returned by the
# session-check endpoint, so the value below is only a starting point and is
# expected to go stale (see the comment at the top of the file).
cym9cgwjk = "G27TVJWVYdVHJW15auIG0v3ViYJJmqWi7leK4mPw/BgKEAAAAAAAAAAAAAD//y0H5/YSEB4pNeCdtYNFyD9vmrTrDIQY2azN0/su"
def extract_hashes(text, myhash):
    """Slice the md5, sha1 and sha256 digests out of a lookup response body.

    Each digest sits at a fixed base offset in ``text`` (md5 at 18, sha1 at
    52, sha256 at 94), shifted right by the length of the hash that was
    queried. No validation is done: if ``text`` is shorter than expected the
    returned strings are simply truncated or empty.

    Args:
        text: raw response text from the lookup endpoint.
        myhash: the hash that was queried; only its length matters here.

    Returns:
        ``[md5, sha1, sha256]`` as plain substrings of ``text``.
    """
    shift = len(myhash)
    # (base offset, digest length) for md5, sha1 and sha256 respectively.
    layout = ((18, 32), (52, 40), (94, 64))
    return [text[base + shift:base + shift + size] for base, size in layout]
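def update_auth_header():
    """Refresh the module-level ``cym9cgwjk`` header value from the server.

    Sends a GET to the OpenTIP ``checksession`` endpoint. On a 200 response
    that carries a ``Cym9cgwjk`` header, the global ``cym9cgwjk`` is replaced
    with that value so subsequent ``make_call`` requests use it. Any other
    outcome (non-200, or a 200 without the header) leaves the current value
    untouched instead of raising.

    Side effects:
        Mutates the global ``cym9cgwjk`` and prints the new value to stdout.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    global cym9cgwjk
    url = "https://opentip.kaspersky.com/ui/checksession"
    headers = {
        'authority': 'opentip.kaspersky.com',
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36',
        'accept': '*/*',
        'sec-fetch-site': 'same-origin',
        'sec-fetch-mode': 'cors',
        'sec-fetch-dest': 'empty',
        'referer': 'https://opentip.kaspersky.com/'
    }
    # Without a timeout a stalled connection would hang the script forever.
    r = requests.get(url, headers=headers, timeout=30)
    if r.status_code == 200:
        # A 200 without the header used to raise KeyError on r.headers[...];
        # keep the existing value in that case.
        new_value = r.headers.get("Cym9cgwjk")
        if new_value:
            cym9cgwjk = new_value
            # NOTE: this echoes the session header value to stdout, so it
            # ends up in any captured output or logs of this script.
            print("Usando header nuevo: " + cym9cgwjk)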
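def make_call(myhash, retry=False):
    """Look up one hash on OpenTIP and classify the verdict.

    Args:
        myhash: the digest to query. It is sent verbatim both in the request
            body and in the ``referer`` header, so callers should pass a
            trimmed hex digest. ``chr(len(myhash))`` only encodes to a single
            UTF-8 byte for lengths below 128, which every md5/sha1/sha256 hex
            digest satisfies.
        retry: internal flag. ``True`` means the auth header has already been
            refreshed once for this lookup, so a second non-200 response is
            reported as "Forbidden" instead of retried again.

    Returns:
        ``{"result": <verdict>, "hashes": [...]}`` where verdict is
        "Malware", "Clean", "Unknown" (200 but no recognised verdict) or
        "Forbidden" (non-200 even after refreshing the header). For Malware
        and Clean, ``hashes`` is the ``[md5, sha1, sha256]`` triple extracted
        from the response; otherwise it is ``[myhash]``.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    url = "https://opentip.kaspersky.com/ui/lookup"
    # Body layout as observed by the original author: 0x0a, a one-byte
    # length, the hash, then 0x10 0x00 (looks protobuf-like; not verified).
    data = b'\n' + bytes(chr(len(myhash)) + myhash, 'utf-8') + b'\x10\x00'
    headers = {
        "authority": "opentip.kaspersky.com",
        "cym9cgwjk": cym9cgwjk,
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36",
        "accept": "*/*",
        "origin": "https://opentip.kaspersky.com",
        "sec-fetch-site": "same-origin",
        "sec-fetch-mode": "cors",
        "sec-fetch-dest": "empty",
        "referer": "https://opentip.kaspersky.com/" + myhash + "/"
    }
    # Without a timeout a stalled connection would hang the script forever.
    r = requests.post(url, headers=headers, data=data, timeout=30)
    if r.status_code != 200:
        if not retry:
            # First failure: assume the session header expired, refresh it
            # once and retry a single time.
            update_auth_header()
            return make_call(myhash, True)
        return {"result": "Forbidden", "hashes": [myhash]}
    return _classify_response(r.text, myhash)


def _classify_response(text, myhash):
    """Map the raw lookup response text to the result dict ``make_call`` returns.

    The verdict word ("Red" for malware, "Green" for clean) is expected at a
    fixed position relative to the queried hash's length; anything else is
    reported as "Unknown" with only the queried hash.
    """
    # Order matters: "Red" is checked before "Green", as in the original.
    for word, verdict in (("Red", "Malware"), ("Green", "Clean")):
        # str.find returns -1 when absent, which can never equal 13 + len.
        if text.find(word) - len(myhash) == 13:
            return {"result": verdict, "hashes": extract_hashes(text, myhash)}
    return {"result": "Unknown", "hashes": [myhash]}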
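def main():
    """CLI entry point: classify one hash, or every hash listed in a file.

    ``sys.argv[1]`` is either a path to a text file with one hash per line
    (blank lines are skipped) or a single hash. Results are printed to
    stdout; with no argument an error message is printed instead.
    """
    if len(sys.argv) <= 1:
        print("ERROR: falta el argumento (md5, sha1, sha256)")
        return
    update_auth_header()
    target = sys.argv[1]
    if not path.exists(target):
        # Single-hash mode: the argument itself is the digest.
        r = make_call(target)
        print(r["result"])
        print(r["hashes"])
        return
    # Batch mode: the file is closed as soon as the lines are read, even if
    # a later lookup raises.
    with open(target, "r", encoding="utf-8") as f:
        hashes = [line.strip() for line in f]
    buckets = {"Malware": [], "Clean": [], "Unknown": []}
    for h in hashes:
        if not h:
            # An empty line would otherwise be sent as an empty hash.
            continue
        print("Ahora: " + h)
        r = make_call(h)
        # "Forbidden" and any other unlisted verdict count as Unknown.
        buckets.get(r["result"], buckets["Unknown"]).extend(r["hashes"])
    print("Malwares:")
    print(buckets["Malware"])
    print("Cleans:")
    print(buckets["Clean"])
    print("Unknowns:")
    print(buckets["Unknown"])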
# Run the CLI only when executed as a script, not when imported as a module.
if __name__ == "__main__":
    main()