Te-k / harpoon

CLI tool for open source and threat intelligence
https://www.randhome.io/blog/2018/02/23/harpoon-an-osint-/-threat-intelligence-tool/
GNU General Public License v3.0

BinaryEdge "Invalid return code 403" issue #111

Closed ufth closed 5 years ago

ufth commented 5 years ago

There is some bug with BinaryEdge:

harpoon ip intel 120.27.37.74
###################### 120.27.37.74 ###################
[+] Downloading BinaryEdge information...
Traceback (most recent call last):
  File "/usr/local/bin/harpoon", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.5/dist-packages/harpoon/main.py", line 61, in main
    plugins[args.command].run(config, args, plugins)
  File "/usr/local/lib/python3.5/dist-packages/harpoon/commands/ip.py", line 276, in run
    res = be.domain_ip(unbracket(args.IP))
  File "/usr/local/lib/python3.5/dist-packages/pybinaryedge/api.py", line 340, in domain_ip
    params={'page': page}
  File "/usr/local/lib/python3.5/dist-packages/pybinaryedge/api.py", line 53, in _get
    'Invalid return code %i' % r.status_code
pybinaryedge.api.BinaryEdgeException: Invalid return code 403

API token seems OK:

harpoon config -c | grep binaryedge
-binaryedge      -> OK

Maybe their API changed...

Te-k commented 5 years ago

Hi, thanks for submitting a bug! It is indeed a bug, because this BinaryEdge query requires a paid subscription. I pushed a quick fix in the dev version of harpoon; if you install it from the master branch, it should be fixed (ip intel should not crash, but BinaryEdge results won't be shown).

ufth commented 5 years ago

Thanks a lot! I can confirm that your fix works:

harpoon ip intel 121.58.231.75
###################### 121.58.231.75 ###################
[+] Downloading BinaryEdge information...
BinaryEdge request failed, you need a paid subscription
[+] Downloading OTX information....

Interesting, but they do have a free API that supports 100 queries per month:

curl 'https://api.binaryedge.io/v2/query/ip/120.27.37.74' -H 'X-Key:API_KEY' | jq .

{
  "query": "120.27.37.74",
  "total": 2,
  "targets_found": 1,
  "events": [
    {
      "port": 3389,
      "results": [
        {
          "target": {
            "port": 3389,
            "ip": "120.27.37.74",
            "protocol": "tcp"
          },
          "origin": {
            "type": "rdp",
            "module": "grabber",
            "ts": 1555598736338,
            "ip": "139.162.198.123",
            "country": "uk"
          },
          "result": {
            "data": {
              "reason": "Connection to the other side was lost in a non-clean fashion.",
              "security": "RDP"
            }
          }
        },
        {
          "result": {
            "data": {
              "state": {
                "state": "open|filtered"
              },
              "service": {
                "name": "ms-wbt-server",
                "method": "table_default"
              }
            }
          },
          "origin": {
            "type": "service-simple",
            "module": "grabber",
            "country": "us",
            "port": 42918,
            "ip": "192.155.91.85",
            "ts": 1555485516755
          },
          "target": {
            "port": 3389,
            "ip": "120.27.37.74",
            "protocol": "tcp"
          }
        }
      ]
    }
  ]
}

I don't know if it is worth implementing (100 requests per 30 days is a very low limit), just testing...

Te-k commented 5 years ago

Yes, the free account allows you to get information on open ports but not passive DNS (which requires a paid subscription). I have created ticket #112 to keep that in mind :)
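The two points in this thread, a caller that degrades gracefully when a BinaryEdge endpoint answers 403 instead of crashing the whole `ip intel` run, and a summary of the free `/v2/query/ip/` response, as an added example. This is not harpoon's or pybinaryedge's code: the `BinaryEdgeException` class, the `status` attribute on it, the `_get`/`query`/`ip_intel` helpers and the in-memory `FAKE_API` transport are assumptions made so the example runs offline; the only thing taken from the page is the JSON body returned by the free endpoint and the "Invalid return code %i" message format from the traceback.

```python
"""Added example (not harpoon's or pybinaryedge's own code).

Shows (1) treating HTTP 403 from a paid-only BinaryEdge endpoint as "no data"
instead of an uncaught exception, and (2) collapsing the free /v2/query/ip/
response into a short open-port summary.
"""


class BinaryEdgeException(Exception):
    """Assumed stand-in for pybinaryedge's exception; the real one only carries
    the message text seen in the traceback, so we also attach the status code."""

    def __init__(self, status):
        super().__init__("Invalid return code %i" % status)
        self.status = status


# Response body copied from the thread (curl against /v2/query/ip/120.27.37.74).
FREE_IP_RESPONSE = {
    "query": "120.27.37.74",
    "total": 2,
    "targets_found": 1,
    "events": [
        {
            "port": 3389,
            "results": [
                {
                    "target": {"port": 3389, "ip": "120.27.37.74", "protocol": "tcp"},
                    "origin": {"type": "rdp", "module": "grabber", "ts": 1555598736338,
                               "ip": "139.162.198.123", "country": "uk"},
                    "result": {"data": {"reason": "Connection to the other side was lost in a non-clean fashion.",
                                        "security": "RDP"}},
                },
                {
                    "result": {"data": {"state": {"state": "open|filtered"},
                                        "service": {"name": "ms-wbt-server", "method": "table_default"}}},
                    "origin": {"type": "service-simple", "module": "grabber", "country": "us",
                               "port": 42918, "ip": "192.155.91.85", "ts": 1555485516755},
                    "target": {"port": 3389, "ip": "120.27.37.74", "protocol": "tcp"},
                },
            ],
        }
    ],
}

# Constructed offline transport: API path -> (HTTP status, JSON body).
# Assumption: a real client would GET https://api.binaryedge.io/v2/<path> with an X-Key header.
FAKE_API = {
    "query/ip/120.27.37.74": (200, FREE_IP_RESPONSE),          # free tier: open ports
    "query/domains/ip/120.27.37.74": (403, {"message": "forbidden"}),  # passive DNS: paid only
}


def _get(path, transport=FAKE_API):
    """Mimics the library's behaviour: anything but 200 raises."""
    status, body = transport.get(path, (404, {}))
    if status != 200:
        raise BinaryEdgeException(status)
    return body


def query(path, transport=FAKE_API):
    """Return the JSON body, or None when the endpoint needs a paid plan (403).
    Other failures (404, 5xx, ...) still propagate so real errors are not hidden."""
    try:
        return _get(path, transport)
    except BinaryEdgeException as exc:
        if exc.status == 403:
            return None
        raise


def summarize_ip(resp):
    """Collapse /v2/query/ip/ events into sorted (port, proto, origin_type, service) rows.
    The rdp grabber result carries no 'service' key, so that field may be None."""
    rows = set()
    for event in resp.get("events", []):
        for r in event.get("results", []):
            tgt = r["target"]
            svc = r.get("result", {}).get("data", {}).get("service", {}).get("name")
            rows.add((tgt["port"], tgt["protocol"], r.get("origin", {}).get("type"), svc))
    return sorted(rows, key=lambda t: (t[0], t[1], t[2] or "", t[3] or ""))


def ip_intel(ip, transport=FAKE_API):
    """Run both BinaryEdge lookups for an IP; a paid-only endpoint yields None
    rather than aborting the run, which is the behaviour the fix in this thread aims for."""
    return {
        "ports": query("query/ip/%s" % ip, transport),
        "passive_dns": query("query/domains/ip/%s" % ip, transport),
    }


if __name__ == "__main__":
    info = ip_intel("120.27.37.74")
    if info["passive_dns"] is None:
        print("BinaryEdge passive DNS request failed, you need a paid subscription")
    for port, proto, origin, svc in summarize_ip(info["ports"]):
        print("%s/%s  origin=%s  service=%s" % (port, proto, origin, svc))
```

Routing every BinaryEdge call through `query` means a 403 on one endpoint no longer stops the remaining sources (OTX and the rest of `ip intel`) from running, while a genuine outage still surfaces as an exception.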