superducktoes

Keybase proof

I hereby claim:

• I am superducktoes on github.
• I am superducktoes1 (https://keybase.io/superducktoes1) on keybase.
• I have a public key whose fingerprint is D846 E33D 40A1 C1D3 0A54 24D2 7E5B 32D1 A47B 0D82

To claim this, I am signing this object:

superducktoes

<form version="1.1">
  <label>Email RIOT</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>

superducktoes

<form version="1.1">
  <label>Country Report</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>Country</label>
      <fieldForLabel>source_country</fieldForLabel>
      <fieldForValue>source_country</fieldForValue>
      <search>
        <query>|inputlookup greynoise_indicators_collection| dedup source_country | table source_country | sort  source_country</query>
        <earliest>-24h@h</earliest>

superducktoes

import requests

# replace with CVE and GreyNoise API key
CVE = "CVE-2024-3273"
GN_API_KEY = "<GN_API_KEY>"

headers = {
    "accept": "application/json",
    "key": GN_API_KEY
}

superducktoes

'''
reads from a file cve_grouping.txt that takes a cve on each line to query greynoise and find ips exploiting each cve
'''

from greynoise import GreyNoise
from functools import reduce

api_client = GreyNoise(api_key="<api_key>")

cve_grouping = {}

superducktoes

135.125.246.189 - - [04/Jan/2024:19:56:47 +0000] "POST / HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
135.125.246.189 - - [04/Jan/2024:19:56:47 +0000] "GET /.env HTTP/1.1" 404 492 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
205.210.31.40 - - [04/Jan/2024:19:25:30 +0000] "\x16\x03\x01" 400 487 "-" "-"
205.210.31.40 - - [04/Jan/2024:19:25:30 +0000] "\x16\x03\x01" 400 487 "-" "-"
193.23.3.64 - - [04/Jan/2024:19:22:19 +0000] "GET /.env HTTP/1.1" 404 488 "-" "-"
193.23.3.64 - - [04/Jan/2024:19:22:19 +0000] "GET /.env HTTP/1.1" 404 488 "-" "-"
54.173.133.244 - - [04/Jan/2024:19:18:54 +0000] "GET /downloads/.git/config HTTP/1.1" 404 455 "-" "Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36"
192.155.90.118 - - [04/Jan/2024:19:16:08 +0000] "\x16\x03\x01" 400 487 "-" "-"
185.254.196.173 - -

superducktoes

# python3 ip_hash_query.py 36.106.167.25                                                                                                                             
# takes an ip address as an argument and displays a list of ja3 fingerprints                                                                                         
# paste fingerprint into prompt to get a list of IP's associated with it                                                                                             

import requests
import sys

ip = sys.argv[1]
url = "https://api.greynoise.io/v2/noise/context/" + ip
API_KEY = ""

superducktoes

import requests
import json

url = "https://api.greynoise.io/v2/meta/metadata"

headers = {
    "accept": "application/json",
    "key": ""
}

superducktoes

from greynoise import GreyNoise

# change API key and query
api_key = "<GN_API_KEY>"
gn_query = "last_seen:1d classification:malicious spoofable:false"

# set up api client
api_client = GreyNoise(api_key=api_key)
ip_list = []
complete = False

superducktoes

import matplotlib.pyplot as plt
import numpy as np
import requests
import json

GN_API_KEY = ""
GN_QUERY = 'jira last_seen:30d'
GN_QUERY_URL = "https://api.greynoise.io/v2/experimental/gnql"

HEADERS = {