Storm Package: synapse-nettools
The following Commands are available from this package. This documentation is generated for version 3.21.0 of the package.
Storm Commands
This package implements the following Storm Commands.
nettools.dns
Gather live DNS data about an FQDN or IP.
This command takes inet:fqdn, inet:ipv4, or inet:ipv6 nodes as input and
performs DNS queries for specific record types. For inet:ipv4 and inet:ipv6
nodes, PTR records will be queried. For inet:fqdn nodes, by default only 'A'
records will be queried; other record types can be specified with the --type
argument. Supported types are 'A', 'AAAA', 'CNAME', 'NS', 'MX', 'SOA', and 'TXT'.
The results of the queries will be used to create the corresponding
inet:dns:{type} nodes.
Examples:
// Query DNS for 'A' records
inet:fqdn=google.com | nettools.dns
// Query DNS for 'MX' and 'NS' records
inet:fqdn=google.com | nettools.dns --type MX NS
// Query DNS for 'TXT' records and yield the created nodes
inet:fqdn=google.com | nettools.dns --type TXT --yield
// Query DNS for 'PTR' records
inet:ipv4=8.8.8.8 | nettools.dns
// Query DNS for DMARC record
inet:fqdn=google.com | nettools.dns --dmarc --yield
Usage: nettools.dns [options]
Options:
--help : Display the command usage.
--debug : Enable printing debug output per-node.
--yield : Yield the newly created nodes instead of the input nodes.
--type <type> [<type> ...] : A DNS record type or list of types. Types: A,AAAA,NS,MX,SOA,TXT (default: ('A',))
--dmarc : Lookup the DMARC record for the input nodes. This is equivalent to adding a
"_dmarc" subdomain to the front and querying for a TXT record.
nettools.dns.variants
Gather live DNS data about typographic variants of an FQDN that have DNS entries.
This can be used to find typosquatting or other fraud attempts.
This command takes inet:fqdn nodes as input and performs 'A' and 'AAAA'
DNS queries on variants of the input FQDN. The queries that resolve
are used to create inet:dns:a and inet:dns:aaaa nodes.
The following variants of the input FQDN are tried:
* Common typos on qwerty, azerty, and qwertz keyboards
* Homoglyphs (i.e. letters that look like each other)
* Extra Hyphenation
* Insertion of characters
* Omission of characters
* Repetition of characters
* Replacement of characters
* Transposition of characters
* Vowel swaps
* Addition of dictionary words
* Different TLDs
* Common misspellings
* Common homophones
* Pluralization/singularization
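As an added illustration (not the package's own code) of how several of the variant classes above are generated, the following Python builds omission, repetition, vowel-swap, homoglyph, transposition and hyphenation variants of a two-label FQDN such as vertex.link. The homoglyph table is a small constructed ASCII look-alike set; the package's real tables and the remaining categories (keyboard typos, dictionary words, TLD changes) are not reproduced here.

```python
VOWELS = "aeiou"
# Constructed look-alike table (assumption; the package's own homoglyph set is not on this page).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "s": "5", "a": "4", "m": "rn", "w": "vv"}


def variants(fqdn: str) -> dict:
    """Return {variant_fqdn: category} for a two-label FQDN (label.tld).

    Only the first label is mutated; the TLD is kept as-is. When the same
    string is produced by more than one category, the first one wins.
    """
    label, _, tld = fqdn.lower().partition(".")
    out = {}

    def add(category: str, new_label: str) -> None:
        # Skip empty labels, the unchanged input, and labels that would start/end with '-'.
        if new_label and new_label != label and not new_label.startswith("-") \
                and not new_label.endswith("-"):
            out.setdefault(f"{new_label}.{tld}", category)

    for i, ch in enumerate(label):
        add("omission", label[:i] + label[i + 1:])          # drop one character
        add("repetition", label[:i] + ch + label[i:])        # double one character
        if ch in VOWELS:
            for v in VOWELS:                                 # swap one vowel for another
                add("vowel-swap", label[:i] + v + label[i + 1:])
        if ch in HOMOGLYPHS:                                 # replace with a look-alike
            add("homoglyph", label[:i] + HOMOGLYPHS[ch] + label[i + 1:])

    for i in range(len(label) - 1):
        # swap two adjacent characters
        add("transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:])
        # insert a hyphen between two characters
        add("hyphenation", label[:i + 1] + "-" + label[i + 1:])
    return out


if __name__ == "__main__":
    found = variants("vertex.link")
    for name, category in sorted(found.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{category:14} {name}")
```

Each candidate would still need a live 'A'/'AAAA' lookup, which is the part nettools.dns.variants performs.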
Examples:
// Look for DNS variants on vertex.link
inet:fqdn=vertex.link | nettools.dns.variants
Usage: nettools.dns.variants [options]
Options:
--help : Display the command usage.
--dict <dict> : Along with other mutations, try adding words from a built-in dictionary of common
words. The value must specify the language code of the dictionary to use. This option may be
provided multiple times for multiple languages. The following language codes are supported:
en - English
zh - Chinese
ru - Russian
ar - Arabic
bn - Bangla
bg - Bulgarian
ca - Catalan
cs - Czech
da - Danish
nl - Dutch
fi - Finnish
fr - French
de - German
el - Greek
he - Hebrew
hi - Hindi
hu - Hungarian
is - Icelandic
id - Indonesian
it - Italian
ja - Japanese
ko - Korean
lv - Latvian
lt - Lithuanian
mk - Macedonian
ms - Malay
nb - Norwegian
fa - Persian
pl - Polish
pt - Portuguese
ro - Romanian
sl - Slovak
sk - Slovenian
sr - Serbian
es - Spanish
sv - Swedish
fil - Tagalog
ta - Tamil
tr - Turkish
uk - Ukrainian
ur - Urdu
vi - Vietnamese
--jobs <jobs> : Number of workers making DNS requests. (default: 10)
--debug : Enable printing debug output per-node.
--yield : Yield the newly created nodes instead of the input nodes.
nettools.dnswild
Check the input FQDNs for DNS wildcards and record them.
This command takes inet:fqdn nodes as input and attempts to find DNS wildcards by
querying for 'A' records with a randomized guid prepended to the domain. If
results are found, inet:dns:wild:a nodes will be created from the entries returned.
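The check described above, written as an added Python example (not the package's code) with the resolver injected so it runs offline against a constructed zone. It goes slightly beyond the description by sending more than one random-label probe and only reporting a wildcard when every probe resolves to the same address set, which avoids mistaking a single existing host name for a wildcard.

```python
import uuid
from typing import Callable, Iterable, Optional

# A resolver maps a name to the IPv4 strings of its 'A' answers ([] when NXDOMAIN).
Resolver = Callable[[str], Iterable[str]]


def has_wildcard_a(fqdn: str, resolve: Resolver, probes: int = 2) -> Optional[set]:
    """Return the address set a '*.fqdn' wildcard answers with, or None if there is none."""
    answers = []
    for _ in range(probes):
        label = uuid.uuid4().hex                 # randomized guid prepended to the domain
        ips = set(resolve(f"{label}.{fqdn}"))
        if not ips:
            return None                          # one NXDOMAIN rules out a wildcard
        answers.append(ips)
    # All probes must agree; otherwise the answers are not a wildcard's.
    return answers[0] if all(a == answers[0] for a in answers) else None


def wild_a_records(fqdn: str, resolve: Resolver) -> list:
    """(fqdn, ip) pairs in the shape an inet:dns:wild:a node would record."""
    ips = has_wildcard_a(fqdn, resolve)
    return sorted((fqdn, ip) for ip in (ips or ()))


def make_stub_resolver(zone: dict) -> Resolver:
    """Constructed offline stand-in for DNS: exact names first, then '*.parent' entries."""
    def resolve(name: str) -> Iterable[str]:
        if name in zone:
            return zone[name]
        parts = name.split(".")
        for i in range(1, len(parts)):
            wild = "*." + ".".join(parts[i:])
            if wild in zone:
                return zone[wild]
        return []
    return resolve


# Constructed sample zone: one ordinary host and one wildcard subtree (RFC 5737 addresses).
SAMPLE_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "*.wild.example.test": ["192.0.2.20"],
}

if __name__ == "__main__":
    stub = make_stub_resolver(SAMPLE_ZONE)
    for name in ("example.test", "wild.example.test"):
        print(name, wild_a_records(name, stub))
```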
Examples:
// Check for DNS wildcards on an inet:fqdn
inet:fqdn=slack.com | nettools.dnswild
// Check for DNS wildcards on an inet:fqdn and yield the created nodes
inet:fqdn=google.com | nettools.dnswild --yield
Usage: nettools.dnswild [options]
Options:
--help : Display the command usage.
--debug : Enable printing debug output per-node.
--yield : Yield the newly created nodes instead of the input nodes.
nettools.whois
Gather live whois data about IPv4, IPv6, and FQDN nodes.
For IPv4 or IPv6 nodes, RDAP queries will be used to get data about the IP.
The results from the query will be used to create inet:whois:iprec,
inet:whois:ipcontact, and ps:contact nodes. The inet:whois:iprec nodes will have
ipwhois light edges, connecting them to inet:cidr4 and inet:cidr6 netblocks they
represent.
RDAP queries will automatically retry 3 times on error and retry after 5 seconds
if rate-limited. The timeout argument applies to the total for all retries.
For FQDN nodes, a wrapper around the Linux "whois" command will be used to get and
parse whois data about the domain. The results from the query will be used to
create inet:whois:rec, inet:whois:recns, and inet:whois:email nodes.
Examples:
// Gather whois data about an IPv4
inet:ipv4=74.125.225.229 | nettools.whois
// Gather whois data about an IPv6 and yield the inet:whois:iprec nodes created
inet:ipv6=2607:f8b0:4004:803::200e | nettools.whois --yield
// Gather whois data about an FQDN and yield the inet:whois:rec nodes created
inet:fqdn=vertex.link | nettools.whois --yield
Usage: nettools.whois [options]
Options:
--help : Display the command usage.
--debug : Enable printing debug output per-node.
--yield : Yield the newly created nodes instead of the input nodes.
--asof <asof> : Use cached results dating back this far. Use "--asof now" to disable. (default: -30days)
--timeout <timeout> : No help available. (default: 30)
Storm Modules
This package does not export any Storm APIs.