Danger-zone tutorial (tool to visualize relationships between domains, IPs and email addresses)

Danger-zone is a tool that correlates data between domains, IPs and email addresses, presents it as a graph and stores everything in Elasticsearch and JSON files. I bumped into this program in the article “OSINT tool for visualizing relationships between domains, IPs and email addresses”, in which the following screenshots are shown as the program output:


Cases

  • Based on given email, check for associate domains and then check these domains for other emails and IPs.
  • For domains check for IP and Emails and next look for associated domains.
  • Extract domain from IP, check domain for other IPs and email.

Modules

Elasticsearch and Kibana

Before proceeding with the installation, a few words about the program's dependencies Elasticsearch and Kibana. Both are optional and you can skip installing them, especially since installing them on Kali Linux means adding a third-party repository, which is not recommended.

To decide whether you need them or not, here is a short description (taken from the official site; I myself only learned about these programs while preparing this article):

Both of these programs can be installed without adding a new repository – simply download the .DEB files from these pages:

How to install Danger-zone in Kali Linux

Download the program itself and install the dependencies:

git clone https://github.com/woj-ciech/Danger-zone
cd Danger-zone/
sudo pip2 install -r requirements.txt
sudo pip2 install unidecode selenium fake_useragent
sudo pip2 install Google-search-api

Install tk:

sudo apt install tk

Open the file settings.json and enter your API keys for virustotal.com and whoxy.com there:

gedit settings.json

Install Elasticsearch and Kibana (optional):

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch kibana

sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service

sudo systemctl start kibana.service
sudo systemctl status kibana.service

How to install Danger-zone in ArchLinux / BlackArch

Download the program itself and install the dependencies:

git clone https://github.com/woj-ciech/Danger-zone
cd Danger-zone/
sudo pip2 install -r requirements.txt
sudo pip2 install unidecode selenium fake_useragent
sudo pip2 install Google-search-api

Install Elasticsearch, Kibana and tk:

sudo pacman -S elasticsearch kibana tk

We start the Elasticsearch and Kibana services and check their status:

sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service

sudo systemctl start kibana.service
sudo systemctl status kibana.service

Open the file settings.json and enter your API keys for virustotal.com and whoxy.com there:

gedit settings.json

Danger-zone manual

Usage:

danger-zone.py [-h] [--email EMAIL] [--address ADDRESS]
                      [--domain DOMAIN] [--elasticsearch]

Options:

  -h, --help         show this help message and exit
  --email EMAIL      Email address
  --address ADDRESS  IP address
  --domain DOMAIN    Domain name
  --elasticsearch    Elasticsearch output

That is, the program must be run with one of the options --email, --address or --domain. If you have installed Elasticsearch, each of these options can be combined with --elasticsearch; in that case the collected information is also saved to the Elasticsearch database. (The examples below use the shortened form --elastic, which the argument parser accepts as an unambiguous abbreviation of --elasticsearch.)

Sample run to collect domain information:

python2 danger-zone.py --domain suip.biz --elastic

Examples of results:

Sample run to collect email address information:

python2 danger-zone.py --email proghoster@gmail.com --elastic

Sample run to collect IP address information:

python2 danger-zone.py --address 185.117.153.79 --elastic

Examples of results:

Data analysis in Elasticsearch and Kibana

Elasticsearch data is available at http://127.0.0.1:9200 and an index can be queried like this: http://127.0.0.1:9200/virustotal/_search. The result is returned in JSON format, which is convenient for processing in programs but not human-friendly.
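One way to process that JSON from a program, as an added Python 3 example that is not part of Danger-zone: it fetches /&lt;index&gt;/_search from the local Elasticsearch and flattens the hits into a readable text table. The host, the size parameter and the sample response below are assumptions; the document fields in the sample are constructed and do not reflect the tool's real schema.

```python
import json
import urllib.request

ES_HOST = "http://127.0.0.1:9200"  # assumed: the default local Elasticsearch


def search_index(index, size=50, host=ES_HOST):
    """GET /<index>/_search?size=N and return the parsed JSON response."""
    url = f"{host}/{index}/_search?size={size}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def hits_to_rows(response, fields=None):
    """Flatten a _search response into (header, rows).

    Each document sits under hit["_source"]; when `fields` is not given the
    header is the sorted union of keys seen, so any of the tool's indices
    (virustotal, whois, threatcrowd, ...) tabulates without knowing its schema.
    """
    docs = [h.get("_source", {}) for h in response.get("hits", {}).get("hits", [])]
    if fields is None:
        fields = sorted({k for d in docs for k in d})
    rows = [[str(d.get(f, "")) for f in fields] for d in docs]
    return list(fields), rows


def as_table(header, rows):
    """Render header + rows as aligned, human-readable text."""
    widths = [max([len(h)] + [len(r[i]) for r in rows]) for i, h in enumerate(header)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*header), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*r) for r in rows]
    return "\n".join(lines)


# Constructed sample response in the shape Elasticsearch 7 returns; the
# document fields and the IP are made up, not real Danger-zone output.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 2, "relation": "eq"}, "hits": [
        {"_index": "virustotal", "_id": "1",
         "_source": {"domain": "suip.biz", "subdomain": "mail.suip.biz",
                     "ip": "203.0.113.10"}},
        {"_index": "virustotal", "_id": "2",
         "_source": {"domain": "suip.biz", "subdomain": "www.suip.biz"}},
    ]}
}

if __name__ == "__main__":
    print(as_table(*hits_to_rows(SAMPLE_RESPONSE)))
    # live instance: print(as_table(*hits_to_rows(search_index("virustotal"))))
```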

For this reason we installed Kibana, which is available at http://localhost:5601.

On first opening, select “Explore on my own”:

On the home page, select “Connect to your Elasticsearch index”.

The following indices are offered for creating an index pattern:

  • coordinates
  • threatcrowd
  • threatcrowd_ip
  • virustotal
  • whois

Choose one of them (you can repeat this for each of them in turn).

And click the ‘Create index pattern’ button.

I do not know how to use Kibana; I clicked here and there, but only had luck in the “Discover” tab. There you can select various fields and add them to the table.

Here are screenshots from the author:

Also, the collected data is stored in the folder structure in the program directory:

Example of information from a file:

Conclusion

In general, the idea is very interesting, but for some reason the author made it so that the “script goes only 2–3 levels down and shows 3 newest results”. Because of this, my results were scanty. It seems, though, that Elasticsearch saves more results: at least I definitely saw more subdomains there than on the graph.

Perhaps a deeper acquaintance with Danger-zone and Kibana would give better results. My Whoxy balance was also always zero, which may have played a part in the lack of results.

For now, though, the most complete results are the ones I collect ‘manually’, using these services:

Examples of successful cases of searching related sites (including when measures were taken to conceal information):

IMHO, if the author based the program on securitytrails (a service it currently does not use at all) and dropped the restriction on the number of results (for example, by adding options to set the analysis depth and the number of domains), this tool could be much more effective and interesting.
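The pivot described in the Cases section, with the depth and per-node result limits discussed just above exposed as parameters, as an added Python 3 example that is not Danger-zone's own code. The lookup table and every domain, IP and address in it are constructed stand-ins for the whoxy/VirusTotal/ThreatCrowd responses the tool would query.

```python
from collections import deque

# Constructed sample relationships (all values made up): node -> related nodes,
# newest first, standing in for the API responses Danger-zone would fetch.
SAMPLE = {
    "email:admin@example.test": ["domain:example.test", "domain:shop-example.test",
                                 "domain:old-example.test", "domain:fourth.test"],
    "domain:example.test": ["ip:192.0.2.10", "email:admin@example.test"],
    "domain:shop-example.test": ["ip:192.0.2.10", "email:billing@example.test"],
    "domain:old-example.test": ["ip:198.51.100.7"],
    "domain:fourth.test": ["ip:203.0.113.5"],
    "ip:192.0.2.10": ["domain:example.test", "domain:shop-example.test",
                      "domain:partner.test"],
    "domain:partner.test": ["email:ops@partner.test"],
}

def lookup(node, limit):
    """Return at most `limit` related nodes (Danger-zone keeps the 3 newest)."""
    return SAMPLE.get(node, [])[:limit]

def pivot(seed, depth=2, limit=3):
    """Breadth-first pivot from `seed`; returns (nodes, edges).

    depth: hops to follow from the seed (the tool fixes this at 2-3)
    limit: related items kept per node (the tool fixes this at 3)
    """
    level = {seed: 0}
    edges = set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if level[node] >= depth:
            continue  # at the depth limit: keep the node but do not expand it
        for related in lookup(node, limit):
            edges.add((node, related))
            if related not in level:
                level[related] = level[node] + 1
                queue.append(related)
    return set(level), edges

def shared(edges):
    """Nodes reached from more than one parent, e.g. an IP hosting two domains."""
    parents = {}
    for src, dst in edges:
        parents.setdefault(dst, set()).add(src)
    return {n for n, p in parents.items() if len(p) > 1}
```

With depth=2 and limit=3 (the tool's built-in bounds) the fourth domain and the partner domain never appear; raising either parameter brings them in, which is the knob the conclusion asks for.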

Troubleshooting

ImportError: libtk8.6.so: cannot open shared object file: No such file or directory

If an error occurs:

  File "danger-zone.py", line 5, in <module>
    import utils
  File "/home/mial/bin/Danger-zone/utils.py", line 1, in <module>
    import domains
  File "/home/mial/bin/Danger-zone/domains.py", line 7, in <module>
    import tools
  File "/home/mial/bin/Danger-zone/tools.py", line 5, in <module>
    import matplotlib.pyplot as plt
  File "/usr/lib/python2.7/site-packages/matplotlib/pyplot.py", line 115, in <module>
    _backend_mod, new_figure_manager, draw_if_interactive, _show = pylab_setup()
  File "/usr/lib/python2.7/site-packages/matplotlib/backends/__init__.py", line 32, in pylab_setup
    globals(),locals(),[backend_name],0)
  File "/usr/lib/python2.7/site-packages/matplotlib/backends/backend_tkagg.py", line 6, in <module>
    from six.moves import tkinter as Tk
  File "/usr/lib/python2.7/site-packages/six.py", line 203, in load_module
    mod = mod._resolve()
  File "/usr/lib/python2.7/site-packages/six.py", line 115, in _resolve
    return _import_module(self.mod)
  File "/usr/lib/python2.7/site-packages/six.py", line 82, in _import_module
    __import__(name)
  File "/usr/lib/python2.7/lib-tk/Tkinter.py", line 39, in <module>
    import _tkinter # If this fails your Python may not be configured for Tk
ImportError: libtk8.6.so: cannot open shared object file: No such file or directory

You need to install the tk package.

In Debian, Kali Linux, Ubuntu, Linux Mint and their derivatives:

sudo apt install tk

In Arch Linux, BlackArch and their derivatives:

sudo pacman -S elasticsearch kibana tk

Tk is a windowing toolkit for Tcl, which is a scripting language.
