mirror of
https://github.com/mvt-project/mvt.git
synced 2024-06-28 07:09:00 +00:00
Properly checking any potential domains in Manifest.db records (fixes: #293)
This commit is contained in:
Nex
parent
7ad7782b51
commit
631354c131
|
|
@ -264,7 +264,7 @@ class URL:
|
|||
self.top_level = self.get_top_level()
|
||||
self.is_shortened = False
|
||||
|
||||
def get_domain(self) -> None:
|
||||
def get_domain(self) -> str:
|
||||
"""Get the domain from a URL.
|
||||
|
||||
:param url: URL to parse
|
||||
|
|
@ -273,15 +273,11 @@ class URL:
|
|||
:rtype: str
|
||||
|
||||
"""
|
||||
# TODO: Properly handle exception.
|
||||
try:
|
||||
return get_tld(self.url,
|
||||
as_object=True,
|
||||
fix_protocol=True).parsed_url.netloc.lower().lstrip("www.")
|
||||
except Exception:
|
||||
return None
|
||||
return get_tld(self.url,
|
||||
as_object=True,
|
||||
fix_protocol=True).parsed_url.netloc.lower().lstrip("www.")
|
||||
|
||||
def get_top_level(self) -> None:
|
||||
def get_top_level(self) -> str:
|
||||
"""Get only the top-level domain from a URL.
|
||||
|
||||
:param url: URL to parse
|
||||
|
|
@ -290,13 +286,9 @@ class URL:
|
|||
:rtype: str
|
||||
|
||||
"""
|
||||
# TODO: Properly handle exception.
|
||||
try:
|
||||
return get_tld(self.url,
|
||||
as_object=True,
|
||||
fix_protocol=True).fld.lower()
|
||||
except Exception:
|
||||
return None
|
||||
return get_tld(self.url,
|
||||
as_object=True,
|
||||
fix_protocol=True).fld.lower()
|
||||
|
||||
def check_if_shortened(self) -> bool:
|
||||
"""Check if the URL is among list of shortener services.
|
||||
|
|
|
|||
|
|
@ -151,7 +151,6 @@ def extract_key(password, key_file, backup_path):
|
|||
@click.argument("BACKUP_PATH", type=click.Path(exists=True))
|
||||
@click.pass_context
|
||||
def check_backup(ctx, iocs, output, fast, list_modules, module, backup_path):
|
||||
print(backup_path)
|
||||
cmd = CmdIOSCheckBackup(target_path=backup_path, results_path=output,
|
||||
ioc_files=iocs, module_name=module, fast_mode=fast)
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ from typing import Optional
|
|||
|
||||
from mvt.common.module import DatabaseNotFoundError
|
||||
from mvt.common.utils import convert_datetime_to_iso, convert_unix_to_iso
|
||||
from mvt.common.url import URL
|
||||
|
||||
from ..base import IOSExtraction
|
||||
|
||||
|
|
@ -99,10 +100,18 @@ class Manifest(IOSExtraction):
|
|||
continue
|
||||
|
||||
rel_path = result["relative_path"].lower()
|
||||
for ioc in self.indicators.get_iocs("domains"):
|
||||
if ioc["value"].lower() in rel_path:
|
||||
parts = rel_path.split("_")
|
||||
for part in parts:
|
||||
try:
|
||||
part_parsed = URL(part)
|
||||
except:
|
||||
continue
|
||||
|
||||
ioc = self.indicators.check_domain(part)
|
||||
if ioc:
|
||||
self.log.warning("Found mention of domain \"%s\" in a backup file with "
|
||||
"path: %s", ioc["value"], rel_path)
|
||||
result["matched_indicator"] = ioc
|
||||
self.detected.append(result)
|
||||
|
||||
def run(self) -> None:
|
||||
|
|
|
|||
|
|
@ -60,14 +60,21 @@ class SafariHistory(IOSExtraction):
|
|||
if not result["redirect_destination"]:
|
||||
continue
|
||||
|
||||
origin_domain = URL(result["url"]).domain
|
||||
try:
|
||||
origin_domain = URL(result["url"]).domain
|
||||
except:
|
||||
origin_domain = ""
|
||||
|
||||
# We loop again through visits in order to find redirect record.
|
||||
for redirect in self.results:
|
||||
if redirect["visit_id"] != result["redirect_destination"]:
|
||||
continue
|
||||
|
||||
redirect_domain = URL(redirect["url"]).domain
|
||||
try:
|
||||
redirect_domain = URL(redirect["url"]).domain
|
||||
except:
|
||||
redirect_domain = ""
|
||||
|
||||
# If the redirect destination is the same domain as the origin,
|
||||
# it's most likely an HTTPS upgrade.
|
||||
if origin_domain == redirect_domain:
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user