mirror of
https://github.com/mvt-project/mvt.git
synced 2024-06-25 22:08:55 +00:00
28d57e7178
Squashed commit of the following:
commit c0d9e8d5d188c13e7e5ec0612e99bfb7e25f47d4
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date: Fri Jan 7 16:05:12 2022 +0100
Update name of indicators JSON file
commit f719e49c5f942cef64931ecf422b6a6e7b8c9f17
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date: Fri Jan 7 15:38:03 2022 +0100
Do not set indicators option on module if no indicators were loaded
commit a289eb8de936f7d74c6c787cbb8daf5c5bec015c
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date: Fri Jan 7 14:43:00 2022 +0100
Simplify code for loading IoCs
commit 0804563415ee80d76c13d3b38ffe639fa14caa14
Author: Donncha Ó Cearbhaill <donncha.ocearbhaill@amnesty.org>
Date: Fri Jan 7 13:43:47 2022 +0100
Add metadata to IoC entries
commit 97d0e893c1a0736c4931363ff40f09a030b90cf6
Author: tek <tek@randhome.io>
Date: Fri Dec 17 16:43:09 2021 +0100
Implements automated loading of indicators
commit c381e14df92ae4d7d846a1c97bcf6639cc526082
Author: tek <tek@randhome.io>
Date: Fri Dec 17 12:41:15 2021 +0100
Improves download-indicators
commit b938e02ddfd0b916fd883f510b467491a4a84e5f
Author: tek <tek@randhome.io>
Date: Fri Dec 17 01:44:26 2021 +0100
Adds download-indicators for mvt-ios and mvt-android
304 lines
12 KiB
Python
304 lines
12 KiB
Python
# Mobile Verification Toolkit (MVT)
|
|
# Copyright (c) 2021 The MVT Project Authors.
|
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
|
# https://license.mvt.re/1.1/
|
|
|
|
import logging
|
|
import os
|
|
import io
|
|
|
|
import click
|
|
from rich.logging import RichHandler
|
|
from rich.prompt import Prompt
|
|
|
|
from mvt.common.help import HELP_MSG_MODULE, HELP_MSG_IOC
|
|
from mvt.common.help import HELP_MSG_FAST, HELP_MSG_OUTPUT
|
|
from mvt.common.help import HELP_MSG_LIST_MODULES
|
|
from mvt.common.indicators import Indicators
|
|
from mvt.common.indicators import download_indicators_files
|
|
from mvt.common.logo import logo
|
|
from mvt.common.module import run_module, save_timeline
|
|
from mvt.common.options import MutuallyExclusiveOption
|
|
|
|
from .decrypt import DecryptBackup
|
|
from .modules.backup import BACKUP_MODULES
|
|
from .modules.fs import FS_MODULES
|
|
from .modules.mixed import MIXED_MODULES
|
|
|
|
# Setup logging using Rich.
|
|
LOG_FORMAT = "[%(name)s] %(message)s"
|
|
logging.basicConfig(level="INFO", format=LOG_FORMAT, handlers=[
|
|
RichHandler(show_path=False, log_time_format="%X")])
|
|
log = logging.getLogger(__name__)
|
|
|
|
# Set this environment variable to a password if needed.
|
|
PASSWD_ENV = "MVT_IOS_BACKUP_PASSWORD"
|
|
|
|
|
|
#==============================================================================
|
|
# Main
|
|
#==============================================================================
|
|
@click.group(invoke_without_command=False)
|
|
def cli():
|
|
logo()
|
|
|
|
|
|
#==============================================================================
|
|
# Command: version
|
|
#==============================================================================
|
|
@cli.command("version", help="Show the currently installed version of MVT")
|
|
def version():
|
|
return
|
|
|
|
|
|
#==============================================================================
|
|
# Command: decrypt-backup
|
|
#==============================================================================
|
|
@cli.command("decrypt-backup", help="Decrypt an encrypted iTunes backup")
|
|
@click.option("--destination", "-d", required=True,
|
|
help="Path to the folder where to store the decrypted backup")
|
|
@click.option("--password", "-p", cls=MutuallyExclusiveOption,
|
|
help=f"Password to use to decrypt the backup (or, set {PASSWD_ENV} environment variable)",
|
|
mutually_exclusive=["key_file"])
|
|
@click.option("--key-file", "-k", cls=MutuallyExclusiveOption,
|
|
type=click.Path(exists=True),
|
|
help="File containing raw encryption key to use to decrypt the backup",
|
|
mutually_exclusive=["password"])
|
|
@click.argument("BACKUP_PATH", type=click.Path(exists=True))
|
|
@click.pass_context
|
|
def decrypt_backup(ctx, destination, password, key_file, backup_path):
|
|
backup = DecryptBackup(backup_path, destination)
|
|
|
|
if key_file:
|
|
if PASSWD_ENV in os.environ:
|
|
log.info("Ignoring environment variable, using --key-file '%s' instead",
|
|
PASSWD_ENV, key_file)
|
|
|
|
backup.decrypt_with_key_file(key_file)
|
|
elif password:
|
|
log.info("Your password may be visible in the process table because it was supplied on the command line!")
|
|
|
|
if PASSWD_ENV in os.environ:
|
|
log.info("Ignoring %s environment variable, using --password argument instead",
|
|
PASSWD_ENV)
|
|
|
|
backup.decrypt_with_password(password)
|
|
elif PASSWD_ENV in os.environ:
|
|
log.info("Using password from %s environment variable", PASSWD_ENV)
|
|
backup.decrypt_with_password(os.environ[PASSWD_ENV])
|
|
else:
|
|
sekrit = Prompt.ask("Enter backup password", password=True)
|
|
backup.decrypt_with_password(sekrit)
|
|
|
|
if not backup.can_process():
|
|
ctx.exit(1)
|
|
|
|
backup.process_backup()
|
|
|
|
|
|
#==============================================================================
|
|
# Command: extract-key
|
|
#==============================================================================
|
|
@cli.command("extract-key", help="Extract decryption key from an iTunes backup")
|
|
@click.option("--password", "-p",
|
|
help=f"Password to use to decrypt the backup (or, set {PASSWD_ENV} environment variable)")
|
|
@click.option("--key-file", "-k",
|
|
help="Key file to be written (if unset, will print to STDOUT)",
|
|
required=False,
|
|
type=click.Path(exists=False, file_okay=True, dir_okay=False, writable=True))
|
|
@click.argument("BACKUP_PATH", type=click.Path(exists=True))
|
|
def extract_key(password, backup_path, key_file):
|
|
backup = DecryptBackup(backup_path)
|
|
|
|
if password:
|
|
log.info("Your password may be visible in the process table because it was supplied on the command line!")
|
|
|
|
if PASSWD_ENV in os.environ:
|
|
log.info("Ignoring %s environment variable, using --password argument instead",
|
|
PASSWD_ENV)
|
|
elif PASSWD_ENV in os.environ:
|
|
log.info("Using password from %s environment variable", PASSWD_ENV)
|
|
password = os.environ[PASSWD_ENV]
|
|
else:
|
|
password = Prompt.ask("Enter backup password", password=True)
|
|
|
|
backup.decrypt_with_password(password)
|
|
backup.get_key()
|
|
|
|
if key_file:
|
|
backup.write_key(key_file)
|
|
|
|
|
|
#==============================================================================
|
|
# Command: check-backup
|
|
#==============================================================================
|
|
@cli.command("check-backup", help="Extract artifacts from an iTunes backup")
|
|
@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
|
|
default=[], help=HELP_MSG_IOC)
|
|
@click.option("--output", "-o", type=click.Path(exists=False), help=HELP_MSG_OUTPUT)
|
|
@click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
|
|
@click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
|
|
@click.option("--module", "-m", help=HELP_MSG_MODULE)
|
|
@click.argument("BACKUP_PATH", type=click.Path(exists=True))
|
|
@click.pass_context
|
|
def check_backup(ctx, iocs, output, fast, backup_path, list_modules, module):
|
|
if list_modules:
|
|
log.info("Following is the list of available check-backup modules:")
|
|
for backup_module in BACKUP_MODULES + MIXED_MODULES:
|
|
log.info(" - %s", backup_module.__name__)
|
|
|
|
return
|
|
|
|
log.info("Checking iTunes backup located at: %s", backup_path)
|
|
|
|
if output and not os.path.exists(output):
|
|
try:
|
|
os.makedirs(output)
|
|
except Exception as e:
|
|
log.critical("Unable to create output folder %s: %s", output, e)
|
|
ctx.exit(1)
|
|
|
|
indicators = Indicators(log=log)
|
|
indicators.load_indicators_files(iocs)
|
|
|
|
timeline = []
|
|
timeline_detected = []
|
|
for backup_module in BACKUP_MODULES + MIXED_MODULES:
|
|
if module and backup_module.__name__ != module:
|
|
continue
|
|
|
|
m = backup_module(base_folder=backup_path, output_folder=output, fast_mode=fast,
|
|
log=logging.getLogger(backup_module.__module__))
|
|
m.is_backup = True
|
|
if indicators.ioc_count:
|
|
m.indicators = indicators
|
|
m.indicators.log = m.log
|
|
|
|
run_module(m)
|
|
timeline.extend(m.timeline)
|
|
timeline_detected.extend(m.timeline_detected)
|
|
|
|
if output:
|
|
if len(timeline) > 0:
|
|
save_timeline(timeline, os.path.join(output, "timeline.csv"))
|
|
if len(timeline_detected) > 0:
|
|
save_timeline(timeline_detected, os.path.join(output, "timeline_detected.csv"))
|
|
|
|
|
|
#==============================================================================
|
|
# Command: check-fs
|
|
#==============================================================================
|
|
@cli.command("check-fs", help="Extract artifacts from a full filesystem dump")
|
|
@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
|
|
default=[], help=HELP_MSG_IOC)
|
|
@click.option("--output", "-o", type=click.Path(exists=False), help=HELP_MSG_OUTPUT)
|
|
@click.option("--fast", "-f", is_flag=True, help=HELP_MSG_FAST)
|
|
@click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
|
|
@click.option("--module", "-m", help=HELP_MSG_MODULE)
|
|
@click.argument("DUMP_PATH", type=click.Path(exists=True))
|
|
@click.pass_context
|
|
def check_fs(ctx, iocs, output, fast, dump_path, list_modules, module):
|
|
if list_modules:
|
|
log.info("Following is the list of available check-fs modules:")
|
|
for fs_module in FS_MODULES + MIXED_MODULES:
|
|
log.info(" - %s", fs_module.__name__)
|
|
|
|
return
|
|
|
|
log.info("Checking filesystem dump located at: %s", dump_path)
|
|
|
|
if output and not os.path.exists(output):
|
|
try:
|
|
os.makedirs(output)
|
|
except Exception as e:
|
|
log.critical("Unable to create output folder %s: %s", output, e)
|
|
ctx.exit(1)
|
|
|
|
indicators = Indicators(log=log)
|
|
indicators.load_indicators_files(iocs)
|
|
|
|
timeline = []
|
|
timeline_detected = []
|
|
for fs_module in FS_MODULES + MIXED_MODULES:
|
|
if module and fs_module.__name__ != module:
|
|
continue
|
|
|
|
m = fs_module(base_folder=dump_path, output_folder=output, fast_mode=fast,
|
|
log=logging.getLogger(fs_module.__module__))
|
|
|
|
m.is_fs_dump = True
|
|
if indicators.ioc_count:
|
|
m.indicators = indicators
|
|
m.indicators.log = m.log
|
|
|
|
run_module(m)
|
|
timeline.extend(m.timeline)
|
|
timeline_detected.extend(m.timeline_detected)
|
|
|
|
if output:
|
|
if len(timeline) > 0:
|
|
save_timeline(timeline, os.path.join(output, "timeline.csv"))
|
|
if len(timeline_detected) > 0:
|
|
save_timeline(timeline_detected, os.path.join(output, "timeline_detected.csv"))
|
|
|
|
|
|
#==============================================================================
|
|
# Command: check-iocs
|
|
#==============================================================================
|
|
@cli.command("check-iocs", help="Compare stored JSON results to provided indicators")
|
|
@click.option("--iocs", "-i", type=click.Path(exists=True), multiple=True,
|
|
default=[], required=True, help=HELP_MSG_IOC)
|
|
@click.option("--list-modules", "-l", is_flag=True, help=HELP_MSG_LIST_MODULES)
|
|
@click.option("--module", "-m", help=HELP_MSG_MODULE)
|
|
@click.argument("FOLDER", type=click.Path(exists=True))
|
|
@click.pass_context
|
|
def check_iocs(ctx, iocs, list_modules, module, folder):
|
|
all_modules = []
|
|
for entry in BACKUP_MODULES + FS_MODULES:
|
|
if entry not in all_modules:
|
|
all_modules.append(entry)
|
|
|
|
if list_modules:
|
|
log.info("Following is the list of available check-iocs modules:")
|
|
for iocs_module in all_modules:
|
|
log.info(" - %s", iocs_module.__name__)
|
|
|
|
return
|
|
|
|
log.info("Checking stored results against provided indicators...")
|
|
|
|
indicators = Indicators(log=log)
|
|
indicators.load_indicators_files(iocs)
|
|
|
|
for file_name in os.listdir(folder):
|
|
name_only, ext = os.path.splitext(file_name)
|
|
file_path = os.path.join(folder, file_name)
|
|
|
|
for iocs_module in all_modules:
|
|
if module and iocs_module.__name__ != module:
|
|
continue
|
|
|
|
if iocs_module().get_slug() != name_only:
|
|
continue
|
|
|
|
log.info("Loading results from \"%s\" with module %s", file_name,
|
|
iocs_module.__name__)
|
|
|
|
m = iocs_module.from_json(file_path,
|
|
log=logging.getLogger(iocs_module.__module__))
|
|
if indicators.ioc_count:
|
|
m.indicators = indicators
|
|
m.indicators.log = m.log
|
|
|
|
try:
|
|
m.check_indicators()
|
|
except NotImplementedError:
|
|
continue
|
|
|
|
#==============================================================================
|
|
# Command: download-indicators
|
|
#==============================================================================
|
|
@cli.command("download-indicators", help="Download public STIX2 indicators")
|
|
def download_indicators():
|
|
download_indicators_files(log)
|