import requests
# Set the CVE to query and a GreyNoise API key before running.
CVE = "CVE-2024-3273"
# Placeholder only; the real key belongs outside the checked-in script.
GN_API_KEY = "<GN_API_KEY>"
# Request headers for the GreyNoise HTTP API (JSON responses, key auth).
headers = dict(accept="application/json", key=GN_API_KEY)
'''
Query GreyNoise for the IPs observed exploiting each CVE listed in
cve_grouping.txt (one CVE per line).
'''
from greynoise import GreyNoise
from functools import reduce
# "<api_key>" is a placeholder for a GreyNoise API key; supply the real value
# from outside the script rather than committing it here.
api_client = GreyNoise(api_key="<api_key>")
# Presumably keyed by CVE with the query results as values; the code that
# fills it is not part of this preview — confirm against the full file.
cve_grouping = {}
135.125.246.189 - - [04/Jan/2024:19:56:47 +0000] "POST / HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
135.125.246.189 - - [04/Jan/2024:19:56:47 +0000] "GET /.env HTTP/1.1" 404 492 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
205.210.31.40 - - [04/Jan/2024:19:25:30 +0000] "\x16\x03\x01" 400 487 "-" "-"
205.210.31.40 - - [04/Jan/2024:19:25:30 +0000] "\x16\x03\x01" 400 487 "-" "-"
193.23.3.64 - - [04/Jan/2024:19:22:19 +0000] "GET /.env HTTP/1.1" 404 488 "-" "-"
193.23.3.64 - - [04/Jan/2024:19:22:19 +0000] "GET /.env HTTP/1.1" 404 488 "-" "-"
54.173.133.244 - - [04/Jan/2024:19:18:54 +0000] "GET /downloads/.git/config HTTP/1.1" 404 455 "-" "Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36"
192.155.90.118 - - [04/Jan/2024:19:16:08 +0000] "\x16\x03\x01" 400 487 "-" "-"
185.254.196.173 - -
# python3 ip_hash_query.py 36.106.167.25
# takes an ip address as an argument and displays a list of ja3 fingerprints
# paste a fingerprint into the prompt to get a list of IPs associated with it
import ipaddress
import requests
import sys
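# Fail with a usage message instead of an IndexError when the IP argument is
# missing (the same guard ip_sim_hunting.py uses), and reject anything that is
# not an IP literal: the argument is appended to the URL path verbatim, so a
# stray "/" or "?" would change which API path gets requested.
if len(sys.argv) < 2:
    print("usage: python3 ip_hash_query.py <ip>")
    sys.exit(1)
ip = sys.argv[1]
try:
    ipaddress.ip_address(ip)
except ValueError:
    print("not an IP address: " + ip)
    sys.exit(1)
# GreyNoise context endpoint for the given IP.
url = "https://api.greynoise.io/v2/noise/context/" + ip
# GreyNoise API key; fill in locally and keep the real value out of the gist.
API_KEY = ""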
import requests
import json
# GreyNoise metadata endpoint.
url = "https://api.greynoise.io/v2/meta/metadata"
# Request headers: JSON responses, API key in the "key" header (left empty
# here; fill in locally, not in the checked-in copy).
headers = dict(accept="application/json", key="")
from greynoise import GreyNoise
# Set the API key and the GNQL query before running.
api_key = "<GN_API_KEY>"  # placeholder; keep the real key out of the script
gn_query = "last_seen:1d classification:malicious spoofable:false"
# GreyNoise SDK client used for the queries.
api_client = GreyNoise(api_key=api_key)
# Results accumulate in ip_list; `complete` presumably flips once the query
# has been fully paged — the loop is not part of this preview.
ip_list = list()
complete = False
superducktoes / greynoise_plotting.py
Created January 11, 2023 17:41
Plot last_seen for a GreyNoise query
import matplotlib.pyplot as plt
import numpy as np
import requests
import json
# GreyNoise API key; fill in locally, leave empty in the shared copy.
GN_API_KEY = ""
# GNQL query: IPs tagged "jira" seen in the last 30 days.
GN_QUERY = "jira last_seen:30d"
# GNQL query endpoint (note the "experimental" path segment).
GN_QUERY_URL = "https://api.greynoise.io/v2/experimental/gnql"
HEADERS = {
superducktoes / ip_sim_hunting.py
Created January 11, 2023 16:57
Build Splunk queries based on IP sim output
import requests
import sys
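# GreyNoise API key; fill in locally and keep the real value out of the gist.
api_key = ""
limit = 10  # number of results to request; raise for more
# Exit non-zero with a message when no IP was given. sys.exit is used rather
# than quit(): quit() is injected by the site module (absent under
# `python -S`) and exits with status 0, which hides the error from callers.
if len(sys.argv) < 2:
    print("need an IP")
    sys.exit(1)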
headers = {
superducktoes / greynoise_file_query.py
Last active April 12, 2023 16:52
Look up the IPs in a given file against GreyNoise
import fileinput
import re
from greynoise import GreyNoise
# command usage: cat <file_ips>.txt | python3 file_ips_lookup.py
# parses a file line by line to extract IP's
def parse_results(greynoise_results):
    """Print one line per GreyNoise result with its IP, noise flag and RIOT flag.

    Args:
        greynoise_results: iterable of result dicts carrying "ip", "noise"
            and "riot" keys (a missing key raises KeyError, as before).
    """
    line_fmt = "IP: {} - Noise Status: {} - RIOT Status: {}"
    for entry in greynoise_results:
        print(line_fmt.format(entry["ip"], entry["noise"], entry["riot"]))
superducktoes / gn_query_write_to_file.py
Last active May 22, 2023 19:22
GreyNoise: write IPs to a file
import requests
import json
# GreyNoise API key; fill in locally, leave empty in the shared copy.
GN_API_KEY = ""
# GNQL query: non-spoofable SSH brute-forcers seen in the last day.
GN_QUERY = "tags:\"SSH Bruteforcer\" last_seen:1d spoofable:false"
# Output file the matching IPs are written to.
file_name = "./greynoise_ips.txt"
# GNQL query endpoint (note the "experimental" path segment).
GN_QUERY_URL = "https://api.greynoise.io/v2/experimental/gnql"