Danger-zone tutorial (tool to visualize relationships between domains, IPs and email addresses)
Danger-zone is a tool to correlate data between domains, IPs and email addresses, present it as a graph and store everything into Elasticsearch and JSON files. I bumped into this program in the article “OSINT tool for visualizing relationships between domains, IPs and email addresses”, in which the following program screenshots are shown as the program output:
And more:
Cases
- Starting from an email address, find the associated domains, then check those domains for other email addresses and IPs.
- Starting from a domain, find its IPs and email addresses, then look for further associated domains.
- Starting from an IP, extract the domains hosted on it, then check those domains for other IPs and email addresses.
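The three cases above are one algorithm: a breadth-first pivot between email addresses, domains and IPs, cut off by a depth limit and by the number of results taken from each lookup (the "2–3 levels down, 3 newest results" behaviour the conclusion complains about). The following is an added example, not Danger-zone's own code; the `SAMPLE_LINKS` table is a constructed stand-in for the API modules, and the two limits are explicit parameters so you can see exactly which entities each one drops.

```python
# Added example, not Danger-zone's own code: a breadth-first pivot over the
# three entity types the tool correlates, with the depth limit and the
# per-lookup result cap made explicit parameters.
from collections import deque

# Constructed stand-in for the API modules (reverse whois, Threatcrowd, ...).
# Key: (kind, value). Value: related entities, newest first, as a service
# would return them. All names and addresses are documentation examples.
SAMPLE_LINKS = {
    ("email", "admin@example.com"): [
        ("domain", "example.com"), ("domain", "example.net"),
        ("domain", "example.org"), ("domain", "example.info"),
    ],
    ("domain", "example.com"): [
        ("ip", "203.0.113.10"), ("email", "admin@example.com"),
        ("email", "hostmaster@example.com"),
    ],
    ("domain", "example.net"): [("ip", "203.0.113.10")],
    ("domain", "example.org"): [("ip", "198.51.100.7")],
    ("domain", "example.info"): [("ip", "198.51.100.8")],
    ("ip", "203.0.113.10"): [
        ("domain", "example.com"), ("domain", "example.net"),
        ("domain", "shared-host.example"),
    ],
    ("ip", "198.51.100.7"): [("domain", "example.org")],
}


def lookup(entity, max_results):
    """Stand-in for one module call: the newest max_results related entities."""
    return SAMPLE_LINKS.get(entity, [])[:max_results]


def pivot(seed, max_depth=2, max_results=3):
    """Breadth-first expansion from seed.

    Returns an undirected graph as {node: set(neighbours)}. Nodes reached at
    max_depth are recorded but not expanded, and every lookup is truncated
    to max_results; both are where results silently get lost.
    """
    edges = {seed: set()}
    seen = {seed}
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for related in lookup(node, max_results):
            edges[node].add(related)
            edges.setdefault(related, set()).add(node)
            if related not in seen:
                seen.add(related)
                queue.append((related, depth + 1))
    return edges


def nodes_of(edges, kind):
    """Sorted values of one kind ('email', 'domain' or 'ip') present in the graph."""
    return sorted(value for k, value in edges if k == kind)


if __name__ == "__main__":
    seed = ("email", "admin@example.com")
    for depth, cap in ((2, 3), (3, 3), (2, 4)):
        graph = pivot(seed, max_depth=depth, max_results=cap)
        print("depth=%d results=%d -> %d nodes, domains: %s"
              % (depth, cap, len(graph), nodes_of(graph, "domain")))
```

With the defaults the fourth (oldest) domain of the seed email and the third domain on the shared IP are never reached; raising either limit brings them in, which is the kind of knob the conclusion asks for.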
Modules
- Email:
- Trumail - Email address validation (https://trumail.io/)
- Whoxy - Reverse Whois service (https://whoxy.com/) KEY NEEDED
- haveIbeenPwned - Dumps (https://haveibeenpwned.com/)
- Username check - Check username, based on email address, across social media sites (https://username-availability.herokuapp.com/)
- Google - Query Google
- IP:
- Geolocation - Geolocate IP (https://extreme-ip-lookup.com/)
- Threatcrowd - Information about IP (https://github.com/AlienVault-OTX/ApiV2)
- VirusTotal - Information about IP (https://www.virustotal.com/) KEY NEEDED
- Domain:
- TLD - Get sponsor of particular Top Level Domain (https://raw.githubusercontent.com/mikewesthad/tld-data/master/data/tlds.json)
- Threatcrowd - Information about domain (https://github.com/AlienVault-OTX/ApiV2)
- Whoxy - Whois service (https://whoxy.com/)
- Whois history - Historical data about domain (https://whoxy.com/)
- Wayback Machine - Archive version of website (http://archive.org/)
- VirusTotal - Information about domain (https://www.virustotal.com/)
Elasticsearch and Kibana
Before proceeding with the installation, a few words about the program's dependencies Elasticsearch and Kibana. Both are optional and you can skip them, especially since installing them from packages means adding a third-party repository to Kali Linux, which is not recommended.
To help you decide whether you need them, here is a short description (taken from the official site; I only learned about these programs myself while preparing this article):
- Elasticsearch is a distributed search and analysis engine, suitable for different use cases. Link: https://www.elastic.co/products/elasticsearch
- Kibana is “your window in the Elastic Stack”. Kibana allows you to visualize your Elasticsearch data and navigate the Elastic Stack. Link: https://www.elastic.co/products/kibana
Both of these programs can be installed without adding a new repository – simply download the .DEB files from these pages:
- https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html
- https://www.elastic.co/guide/en/kibana/current/deb.html
How to install Danger-zone in Kali Linux
Download the program itself and install the dependencies:
git clone https://github.com/woj-ciech/Danger-zone
cd Danger-zone/
sudo pip2 install -r requirements.txt
sudo pip2 install unidecode selenium fake_useragent
sudo pip2 install Google-search-api
Install tk:
sudo apt install tk
Open the file settings.json and enter your API keys for virustotal.com and whoxy.com:
gedit settings.json
Install Elasticsearch and Kibana (optional):
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch kibana
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service
sudo systemctl start kibana.service
sudo systemctl status kibana.service
How to install Danger-zone in ArchLinux / BlackArch
Download the program itself and install the dependencies:
git clone https://github.com/woj-ciech/Danger-zone
cd Danger-zone/
sudo pip2 install -r requirements.txt
sudo pip2 install unidecode selenium fake_useragent
sudo pip2 install Google-search-api
Install Elasticsearch, Kibana and tk:
sudo pacman -S elasticsearch kibana tk
We start the Elasticsearch and Kibana services and check their status:
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service
sudo systemctl start kibana.service
sudo systemctl status kibana.service
Open the file settings.json and enter your API keys for virustotal.com and whoxy.com:
gedit settings.json
Danger-zone manual
Usage:
danger-zone.py [-h] [--email EMAIL] [--address ADDRESS] [--domain DOMAIN] [--elasticsearch]
Options:
-h, --help         show this help message and exit
--email EMAIL      Email address
--address ADDRESS  IP address
--domain DOMAIN    Domain name
--elasticsearch    Elasticsearch output
That is, the program must be run with one of the options --email, --address or --domain. If you have installed Elasticsearch, each of these options can be combined with --elasticsearch, in which case the collected information is saved in the Elasticsearch database.
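The command line just described, re-created with argparse as an added example (this is not the tool's own code): the "exactly one of --email/--address/--domain" rule is enforced with a required mutually exclusive group, which is an assumption about how the original parser is built, and each target is shape-checked before anything would be handed to a third-party API. It also shows why the sample runs below get away with `--elastic`: argparse resolves unambiguous option prefixes by default.

```python
# Added example, not Danger-zone's own code: the tool's command line rebuilt
# with argparse, plus basic validation of the target value. The mutually
# exclusive group is an assumption about the original parser's structure.
import argparse
import ipaddress
import re

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_parser():
    parser = argparse.ArgumentParser(prog="danger-zone.py")
    target = parser.add_mutually_exclusive_group(required=True)
    target.add_argument("--email", metavar="EMAIL", help="Email address")
    target.add_argument("--address", metavar="ADDRESS", help="IP address")
    target.add_argument("--domain", metavar="DOMAIN", help="Domain name")
    parser.add_argument("--elasticsearch", action="store_true",
                        help="Elasticsearch output")
    return parser


def classify(argv):
    """Parse argv and return (kind, value, use_elasticsearch).

    Raises ValueError for a malformed target; argparse itself exits with
    status 2 when no target, or more than one, is given.
    """
    args = build_parser().parse_args(argv)
    if args.email is not None:
        if not EMAIL_RE.match(args.email):
            raise ValueError("not an email address: %r" % args.email)
        return "email", args.email, args.elasticsearch
    if args.address is not None:
        ipaddress.ip_address(args.address)  # ValueError if not IPv4/IPv6
        return "address", args.address, args.elasticsearch
    if not DOMAIN_RE.match(args.domain):
        raise ValueError("not a domain name: %r" % args.domain)
    return "domain", args.domain.lower(), args.elasticsearch


if __name__ == "__main__":
    import sys
    print(classify(sys.argv[1:]))
```

`classify(["--domain", "suip.biz", "--elastic"])` returns `("domain", "suip.biz", True)` because `--elastic` is an unambiguous prefix of `--elasticsearch` (argparse's `allow_abbrev` default); a bare `python3 script.py` with no target exits with the usage message.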
Sample run to collect domain information:
python2 danger-zone.py --domain suip.biz --elastic
Examples of results:
Sample run to collect email address information:
python2 danger-zone.py --email proghoster@gmail.com --elastic
Sample run to collect IP address information:
python2 danger-zone.py --address 185.117.153.79 --elastic
Examples of results:
Data analysis in Elasticsearch and Kibana
Elasticsearch data is available at http://127.0.0.1:9200, and an index can be queried like this: http://127.0.0.1:9200/virustotal/_search. The result is returned in JSON format, which is convenient for processing in programs but not human-friendly.
For this reason, we installed Kibana, which is available at http://localhost:5601
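If you would rather process the JSON than click through Kibana, the following added example (not part of the tutorial or of Danger-zone) queries the local instance the way the URL above does and flattens each hit into one row that can go into a table or CSV. The index name is taken from the list the tutorial shows; the field names inside `_source` are assumed, and the embedded response is a constructed sample so the script also runs with no Elasticsearch present.

```python
# Added example, not part of the tutorial or of Danger-zone: pull hits from
# the local Elasticsearch the way the URL above does and flatten each
# document into one row. _source field names are assumed; the tool's real
# documents may be shaped differently.
import csv
import io
import json
import urllib.request

ES_BASE = "http://127.0.0.1:9200"


def search_url(index, size=50):
    return "%s/%s/_search?size=%d" % (ES_BASE, index, size)


def fetch(index, size=50):
    """Live query against the local instance (only used from __main__)."""
    with urllib.request.urlopen(search_url(index, size), timeout=5) as resp:
        return json.load(resp)


def flatten(value, prefix=""):
    """Nested dicts/lists to dotted keys: {"a": {"b": [1]}} -> {"a.b.0": 1}."""
    if isinstance(value, dict):
        out = {}
        for key, inner in value.items():
            out.update(flatten(inner, prefix + key + "."))
        return out
    if isinstance(value, list):
        out = {}
        for i, inner in enumerate(value):
            out.update(flatten(inner, prefix + str(i) + "."))
        return out
    return {prefix[:-1]: value}


def hits_to_rows(response):
    """Return (total_hits, [row, ...]) from a _search response (ES 6 or 7 shape)."""
    total = response["hits"]["total"]
    if isinstance(total, dict):       # ES 7: {"value": n, "relation": "eq"}
        total = total["value"]
    rows = []
    for hit in response["hits"]["hits"]:
        row = {"_index": hit["_index"], "_id": hit["_id"]}
        row.update(flatten(hit.get("_source", {})))
        rows.append(row)
    return total, rows


def to_csv(rows):
    """CSV text; header is _index, _id, then the union of all other keys."""
    extra = sorted({k for row in rows for k in row} - {"_index", "_id"})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["_index", "_id"] + extra)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample of what GET /virustotal/_search could return (ES 7 shape).
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "hits": [
            {"_index": "virustotal", "_id": "1", "_source": {
                "domain": "suip.biz",
                "subdomains": ["www.suip.biz", "mail.suip.biz"],
                "detected_urls": [{"url": "http://suip.biz/", "positives": 0}]}},
            {"_index": "virustotal", "_id": "2", "_source": {
                "domain": "example.org", "subdomains": []}},
        ],
    },
}


if __name__ == "__main__":
    try:
        response = fetch("virustotal")
    except OSError:                   # no local Elasticsearch: use the sample
        response = SAMPLE_RESPONSE
    total, rows = hits_to_rows(response)
    print("%d hit(s)" % total)
    print(to_csv(rows))
```

Lists are expanded into numbered keys (`subdomains.0`, `subdomains.1`), which is also the quickest way to see the extra subdomains that the conclusion notes end up in Elasticsearch but not on the graph.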
When opening, select “Explore on my own”:
On the home page, select “Connect to your Elasticsearch index”.
There are options for creating an index template:
- coordinates
- threatcrowd
- threatcrowd_ip
- virustotal
- whois
Choose one of them (can be done with all one by one).
And click the ‘Create index pattern’ button.
I do not know how to use Kibana – I clicked here and there, but I was lucky only in the “Discover” tab. There you can select various fields and add them to the table.
Here are screenshots from the author:
Also, the collected data is stored in the folder structure in the program directory:
Example of information from a file:
Conclusion
In general, the idea is very interesting, but for some reason the author made the script so that it “goes only 2–3 levels down and shows 3 newest results”. Because of this, my results were scanty. Elasticsearch, though, seems to save more results: I definitely saw more subdomains there than on the graph.
Perhaps a deeper acquaintance with Danger-zone and Kibana would give better results. My Whoxy balance was also always zero, which may have contributed to the lack of results.
For now, I get the most complete results by collecting them in ‘manual’ mode, using these services:
- Sites on the same IP
- History of site IP addresses
- DNS history records from securitytrails
Examples of successful cases of searching related sites (including when measures were taken to conceal information):
- Dissection of the scammer site (case)
- How to find out all sites at an IP
- Open source research with OSRFramework (search by mail, nickname, domain)
IMHO, if the author based the program on securitytrails (which, by the way, is not used at all) and dropped the restriction on the number of results (for example, by adding options to set the analysis depth and the number of domains), this tool could be much more efficient and interesting.
Troubleshooting
ImportError: libtk8.6.so: cannot open shared object file: No such file or directory
If an error occurs:
  File "danger-zone.py", line 5, in <module>
    import utils
  File "/home/mial/bin/Danger-zone/utils.py", line 1, in <module>
    import domains
  File "/home/mial/bin/Danger-zone/domains.py", line 7, in <module>
    import tools
  File "/home/mial/bin/Danger-zone/tools.py", line 5, in <module>
    import matplotlib.pyplot as plt
  File "/usr/lib/python2.7/site-packages/matplotlib/pyplot.py", line 115, in <module>
    _backend_mod, new_figure_manager, draw_if_interactive, _show = pylab_setup()
  File "/usr/lib/python2.7/site-packages/matplotlib/backends/__init__.py", line 32, in pylab_setup
    globals(),locals(),[backend_name],0)
  File "/usr/lib/python2.7/site-packages/matplotlib/backends/backend_tkagg.py", line 6, in <module>
    from six.moves import tkinter as Tk
  File "/usr/lib/python2.7/site-packages/six.py", line 203, in load_module
    mod = mod._resolve()
  File "/usr/lib/python2.7/site-packages/six.py", line 115, in _resolve
    return _import_module(self.mod)
  File "/usr/lib/python2.7/site-packages/six.py", line 82, in _import_module
    __import__(name)
  File "/usr/lib/python2.7/lib-tk/Tkinter.py", line 39, in <module>
    import _tkinter # If this fails your Python may not be configured for Tk
ImportError: libtk8.6.so: cannot open shared object file: No such file or directory
You need to install the tk package.
In Debian, Kali Linux, Ubuntu, Linux Mint and their derivatives:
sudo apt install tk
In Arch Linux, BlackArch and their derivatives:
sudo pacman -S elasticsearch kibana tk
Tk is a windowing toolkit for use with Tcl, and Tcl is a scripting language.