Storm Package: synapse-nettools

The following Commands are available from this package. This documentation is generated for version 3.15.0 of the package.

Storm Commands

This package implements the following Storm Commands.

nettools.dns

Gather live DNS data about an FQDN or IP.

This command takes inet:fqdn, inet:ipv4, or inet:ipv6 nodes as input and
performs DNS queries for specific record types. For inet:ipv4 and inet:ipv6
nodes, PTR records are queried. For inet:fqdn nodes, only 'A' records are
queried by default; other types can be requested with the --type argument.
Supported types are 'A', 'AAAA', 'CNAME', 'NS', 'MX', 'SOA', and 'TXT'.
The query results are used to create the corresponding inet:dns:{type} nodes.

Examples:

    // Query DNS for 'A' records
    inet:fqdn=google.com | nettools.dns

    // Query DNS for 'MX' and 'NS' records
    inet:fqdn=google.com | nettools.dns --type MX NS

    // Query DNS for 'TXT' records and yield the created nodes
    inet:fqdn=google.com | nettools.dns --type TXT --yield

    // Query DNS for 'PTR' records
    inet:ipv4=8.8.8.8 | nettools.dns

    // Query DNS for DMARC record
    inet:fqdn=google.com | nettools.dns --dmarc --yield


Usage: nettools.dns [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Enable printing debug output per-node.
  --yield                     : Yield the newly created nodes instead of the input nodes.
  --type <type> [<type> ...]  : A DNS record type or list of types. Types: A,AAAA,NS,MX,SOA,TXT (default: ('A',))
  --dmarc                     : Lookup the DMARC record for the input nodes.  This is equivalent to adding a
                                "_dmarc" subdomain to the front and querying for a TXT record.
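
The --dmarc option only changes which name is queried; the TXT answer still has to be read as a DMARC policy. The following is an added example, not code from the synapse-nettools package, showing how the "_dmarc" query name is built and how the returned record is split into tags. The resolver and its TXT answers are constructed stand-ins so the example runs offline; the function names are this example's own.

```python
"""Added example (not synapse-nettools code): building the _dmarc query name
and parsing the TXT record it returns. SAMPLE_TXT is constructed data."""
from typing import Callable, Dict, List, Optional

# Constructed TXT answers keyed by query name, standing in for a live resolver.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s",
    ],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "_dmarc.nodmarc.example": [],
    "_dmarc.spf-only.example": ["v=spf1 -all"],   # a TXT record that is not DMARC
}


def stub_txt_resolver(name: str) -> List[str]:
    """Stand-in for a TXT query; returns the constructed answers above."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def dmarc_query_name(fqdn: str) -> str:
    """--dmarc queries TXT for the '_dmarc' label prepended to the FQDN."""
    return "_dmarc." + fqdn.lower().rstrip(".")


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into its tag=value pairs.

    Returns None when the record is not DMARC: the first tag must be v=DMARC1
    and a policy tag 'p' must be present.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return None
    key, value = parts[0].split("=", 1)
    if key.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue          # tolerate junk tags rather than reject the record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def lookup_dmarc(fqdn: str, resolve_txt: Callable[[str], List[str]]) -> Optional[Dict[str, str]]:
    """Query the _dmarc name and return the first parseable DMARC record, if any."""
    for txt in resolve_txt(dmarc_query_name(fqdn)):
        parsed = parse_dmarc(txt)
        if parsed is not None:
            return parsed
    return None


def dmarc_policy_is_enforcing(fqdn: str, resolve_txt: Callable[[str], List[str]]) -> bool:
    """True when the domain publishes a policy of quarantine or reject."""
    rec = lookup_dmarc(fqdn, resolve_txt)
    return rec is not None and rec["p"].lower() in ("quarantine", "reject")


if __name__ == "__main__":
    for domain in ("example.com", "weak.example", "nodmarc.example", "spf-only.example"):
        print(domain, "->", lookup_dmarc(domain, stub_txt_resolver))
```

Swapping `stub_txt_resolver` for a real TXT lookup is the only change needed to run this against live DNS; the parsing stays the same, and a record whose first tag is not `v=DMARC1` is rejected rather than partially read.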

nettools.dns.variants

Gather live DNS data about typographic variants of an FQDN that have DNS entries.

This can be used to find typosquatting or other fraud attempts.

This command takes inet:fqdn nodes as input and performs 'A' and 'AAAA'
DNS queries on variants of the input FQDN.  The queries that resolve
are used to create inet:dns:a and inet:dns:aaaa nodes.

The following variants of the input FQDN are tried:
  * Common typos on qwerty, azerty, and qwertz keyboards
  * Homoglyphs (i.e. letters that look like each other)
  * Extra Hyphenation
  * Insertion of characters
  * Omission of characters
  * Repetition of characters
  * Replacement of characters
  * Transposition of characters
  * Vowel swaps
  * Addition of dictionary words
  * Different TLDs
  * Common misspellings
  * Common homophones
  * Pluralization/singularization

Examples:

    // Look for DNS variants on vertex.link
    inet:fqdn=vertex.link | nettools.dns.variants


Usage: nettools.dns.variants [options]

Options:

  --help                      : Display the command usage.
  --dict <dict>               : Along with other mutations, try adding words from a built-in dictionary of common words.  The value must
                                specify the language code of the dictionary to use.  This option may be provided multiple times for
                                multiple languages.  The following language codes are supported:

  en  - English
  zh  - Chinese
  ru  - Russian
  ar  - Arabic
  bn  - Bangla
  bg  - Bulgarian
  ca  - Catalan
  cs  - Czech
  da  - Danish
  nl  - Dutch
  fi  - Finnish
  fr  - French
  de  - German
  el  - Greek
  he  - Hebrew
  hi  - Hindi
  hu  - Hungarian
  is  - Icelandic
  id  - Indonesian
  it  - Italian
  ja  - Japanese
  ko  - Korean
  lv  - Latvian
  lt  - Lithuanian
  mk  - Macedonian
  ms  - Malay
  nb  - Norwegian
  fa  - Persian
  pl  - Polish
  pt  - Portuguese
  ro  - Romanian
  sl  - Slovak
  sk  - Slovenian
  sr  - Serbian
  es  - Spanish
  sv  - Swedish
  fil - Tagalog
  ta  - Tamil
  tr  - Turkish
  uk  - Ukrainian
  ur  - Urdu
  vi  - Vietnamese

  --jobs <jobs>               : Number of workers making DNS requests. (default: 10)
  --debug                     : Enable printing debug output per-node.
  --yield                     : Yield the newly created nodes instead of the input nodes.
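
To make the variant classes listed above concrete, here is an added example, not code from the synapse-nettools package, that generates several of them (keyboard typos, hyphenation, omission, repetition, transposition, vowel swaps, homoglyphs, alternative TLDs, pluralization) for a domain a defender wants to monitor. The adjacency table, homoglyph map and TLD list are small constructed samples, not the package's own tables, and the example treats the last label as the TLD.

```python
"""Added example (not synapse-nettools code): enumerate typosquat-style variants
of an FQDN. Tables below are constructed samples, not the package's."""
from typing import Iterator, List, Set, Tuple

# Constructed qwerty adjacency for a handful of keys (the real sweep covers whole layouts).
QWERTY_ADJACENT = {
    "a": "qwsz", "e": "wrsd", "i": "uojk", "o": "iplk", "r": "etdf",
    "t": "ryfg", "v": "cfgb", "x": "zsdc",
}
# Constructed homoglyph map: characters easily confused with each other.
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "0": "o", "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"]}
VOWELS = "aeiou"
# Constructed list of alternative TLDs to try in place of the original.
ALT_TLDS = ("com", "net", "org", "co", "io")


def _split(fqdn: str) -> Tuple[str, str]:
    """Assumption: everything after the last dot is the TLD."""
    label, _, tld = fqdn.lower().rstrip(".").rpartition(".")
    return label, tld


def _mutations(label: str) -> Iterator[str]:
    n = len(label)
    for i, ch in enumerate(label):
        for adj in QWERTY_ADJACENT.get(ch, ""):    # keyboard typo: adjacent key
            yield label[:i] + adj + label[i + 1:]
        yield label[:i] + label[i + 1:]            # omission
        yield label[:i] + ch + label[i:]           # repetition
        if ch in VOWELS:                           # vowel swap
            for v in VOWELS:
                if v != ch:
                    yield label[:i] + v + label[i + 1:]
        if i + 1 < n:
            yield label[:i] + label[i + 1] + ch + label[i + 2:]   # transposition
            yield label[:i + 1] + "-" + label[i + 1:]             # extra hyphenation
    for src, dsts in HOMOGLYPHS.items():           # homoglyphs, single and multi-char
        if src in label:
            for dst in dsts:
                yield label.replace(src, dst)
    yield label[:-1] if label.endswith("s") else label + "s"      # plural/singular


def variants(fqdn: str) -> List[str]:
    """Sorted, de-duplicated variants; the original FQDN is never included."""
    label, tld = _split(fqdn)
    out: Set[str] = set()
    for m in _mutations(label):
        if m and m != label and not m.startswith("-") and not m.endswith("-"):
            out.add(f"{m}.{tld}")
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(f"{label}.{alt}")
    out.discard(fqdn.lower())
    return sorted(out)


if __name__ == "__main__":
    names = variants("vertex.link")
    print(len(names), "variants, e.g.", names[:8])
```

The resolution step that the command performs on each variant is deliberately left out; feeding `variants()` into a resolver (or into `inet:fqdn` nodes piped to `nettools.dns.variants`) is where the live data comes from.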

nettools.dnswild

Check the input FQDNs for DNS wildcards and record them.

This command takes inet:fqdn nodes as input and attempts to find DNS wildcards by
querying for 'A' records with a randomized guid prepended to the domain. If
results are found, inet:dns:wild:a nodes will be created from the entries returned.

Examples:

    // Check for DNS wildcards on an inet:fqdn
    inet:fqdn=slack.com | nettools.dnswild

    // Check for DNS wildcards on an inet:fqdn and yield the created nodes
    inet:fqdn=google.com | nettools.dnswild --yield


Usage: nettools.dnswild [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Enable printing debug output per-node.
  --yield                     : Yield the newly created nodes instead of the input nodes.
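
The wildcard probe above is simple enough to show end to end. The following is an added example, not code from the synapse-nettools package: it prepends a random guid label exactly as described, resolves it through an injectable resolver, and reports the answers a wildcard returns. The stub resolver and its two zones are constructed data so the example runs offline; the (fqdn, ip) tuples it returns are this example's own representation of what would become inet:dns:wild:a nodes.

```python
"""Added example (not synapse-nettools code): probe an FQDN for a DNS wildcard
with a random guid label. stub_a_resolver and its zones are constructed."""
import re
import uuid
from typing import Callable, List, Tuple

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def stub_a_resolver(name: str) -> List[str]:
    """Constructed zone behaviour: anything under wild.example answers (a wildcard),
    while strict.example only answers for one named host."""
    name = name.lower().rstrip(".")
    if name.endswith(".wild.example"):
        return ["203.0.113.5"]
    if name == "www.strict.example":
        return ["198.51.100.7"]
    return []


def probe_name(fqdn: str) -> str:
    """Prepend a random guid label; no legitimate host carries that name by chance."""
    return f"{uuid.uuid4().hex}.{fqdn.lower().rstrip('.')}"


def check_wildcard(fqdn: str, resolve_a: Callable[[str], List[str]], probes: int = 1) -> List[str]:
    """Return the A records a wildcard answers with, or [] when there is none.

    With probes > 1 every random label must answer; the union of answers is
    returned so round-robin wildcards are not mistaken for 'no wildcard'.
    """
    answers = [resolve_a(probe_name(fqdn)) for _ in range(max(1, probes))]
    if not all(answers):
        return []
    return sorted({ip for ans in answers for ip in ans})


def wild_a_records(fqdn: str, resolve_a: Callable[[str], List[str]]) -> List[Tuple[str, str]]:
    """(fqdn, ipv4) pairs for each wildcard answer; this example's stand-in for the
    inet:dns:wild:a nodes the command creates."""
    fqdn = fqdn.lower().rstrip(".")
    return [(fqdn, ip) for ip in check_wildcard(fqdn, resolve_a)]


if __name__ == "__main__":
    for zone in ("wild.example", "strict.example"):
        print(zone, "->", wild_a_records(zone, stub_a_resolver))
```

Knowing that a zone has a wildcard matters when reading later results: any `inet:dns:a` created for a sub-domain of a wildcard zone may reflect the wildcard rather than a deliberately configured host.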

nettools.whois

Gather live whois data about IPv4, IPv6, and FQDN nodes.

For IPv4 or IPv6 nodes, RDAP queries will be used to get data about the IP.
The results from the query will be used to create inet:whois:iprec,
inet:whois:ipcontact, and ps:contact nodes. The inet:whois:iprec nodes will have
ipwhois light edges, connecting them to inet:cidr4 and inet:cidr6 netblocks they
represent.

RDAP queries will automatically retry 3 times on error and retry after 5 seconds
if rate-limited. The timeout argument applies to the total for all retries.

For FQDN nodes, a wrapper around the Linux "whois" command will be used to get and
parse whois data about the domain. The results from the query will be used to
create inet:whois:rec, inet:whois:recns, and inet:whois:email nodes.

Examples:

  // Gather whois data about an IPv4
  inet:ipv4=74.125.225.229 | nettools.whois

  // Gather whois data about an IPv6 and yield the inet:whois:iprec nodes created
  inet:ipv6=2607:f8b0:4004:803::200e | nettools.whois --yield

  // Gather whois data about an FQDN and yield the inet:whois:rec nodes created
  inet:fqdn=vertex.link | nettools.whois --yield


Usage: nettools.whois [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Enable printing debug output per-node.
  --yield                     : Yield the newly created nodes instead of the input nodes.
  --asof <asof>               : Use cached results dating back this far. Use "--asof now" to disable. (default: -30days)
  --timeout <timeout>         : Timeout for the RDAP query; applies to the total across all retries (see above). (default: 30)
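
The retry rules stated above (three retries on error, a 5 second wait when rate-limited, one timeout budget shared by all attempts) are easy to get subtly wrong, so here is an added example, not code from the synapse-nettools package, that implements them with an injectable fetch, clock and sleep so it runs offline and deterministically. How rate-limit retries are counted against the retry limit is this example's assumption (they count), and the RDAP response is constructed sample data.

```python
"""Added example (not synapse-nettools code): RDAP retry with a shared timeout.
Assumption: a rate-limited attempt counts as one of the retries. SAMPLE_RDAP is constructed."""
import time
from typing import Any, Callable, Dict, List


class RateLimited(Exception):
    """Raised by fetch when the RDAP server asks the client to slow down (HTTP 429)."""


class RdapTimeout(Exception):
    """Raised when the overall timeout is exhausted across all attempts."""


def rdap_with_retry(fetch: Callable[[], Dict[str, Any]], retries: int = 3,
                    ratelimit_wait: float = 5.0, timeout: float = 30.0,
                    clock: Callable[[], float] = time.monotonic,
                    sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Call fetch() until it succeeds, retrying up to `retries` times.

    A rate-limited attempt waits `ratelimit_wait` before retrying; other errors
    retry at once. `timeout` bounds the whole sequence, waits included.
    """
    start = clock()
    failures = 0
    last_exc: Exception = RuntimeError("no attempt made")
    while True:
        try:
            return fetch()
        except RateLimited as exc:
            failures, wait, last_exc = failures + 1, ratelimit_wait, exc
        except Exception as exc:          # network or HTTP error other than rate limiting
            failures, wait, last_exc = failures + 1, 0.0, exc
        if failures > retries:
            raise last_exc
        elapsed = clock() - start
        if elapsed + wait >= timeout:
            raise RdapTimeout(f"gave up after {elapsed:.0f}s and {failures} failed attempts")
        sleep(wait)


class FakeClock:
    """Deterministic clock/sleep pair for the offline demonstration."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def scripted_fetch(outcomes: List[Any]) -> Callable[[], Dict[str, Any]]:
    """Build a fetch() that replays scripted outcomes: exceptions are raised, dicts returned."""
    queue = list(outcomes)

    def fetch() -> Dict[str, Any]:
        outcome = queue.pop(0)
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return fetch


# Constructed stand-in for an RDAP IP network object.
SAMPLE_RDAP = {"handle": "NET-203-0-113-0-1", "startAddress": "203.0.113.0",
               "endAddress": "203.0.113.255"}


if __name__ == "__main__":
    clk = FakeClock()
    fetch = scripted_fetch([RateLimited(), ConnectionError("reset"), SAMPLE_RDAP])
    print(rdap_with_retry(fetch, clock=clk, sleep=clk.sleep), "after", clk.now, "s")
```

Note that the timeout check happens before sleeping, so a wait that would overrun the budget raises `RdapTimeout` instead of sleeping past the deadline and then failing.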

Storm Modules

This package does not export any Storm APIs.