passivetotal / python_api

Python abstract API for PassiveTotal services in the form of libraries and command line utilities.
http://passivetotal.readthedocs.org/en/latest/index.html

KeyError in Whois Lookups #31

Closed sdcorlin closed 3 years ago

sdcorlin commented 3 years ago

I am getting a key error when trying to use any of the whois calls in the analyzer. Apologies if I set something up wrong here.

Using both IPAddress:

>>> analyzer.IPAddress('8.8.8.8').whois
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.9/site-packages/passivetotal/analyzer/ip.py", line 145, in whois
    return self._api_get_whois()
  File "/usr/local/lib/python3.9/site-packages/passivetotal/analyzer/ip.py", line 108, in _api_get_whois
    self._whois = IPWhois(response)
  File "/usr/local/lib/python3.9/site-packages/passivetotal/analyzer/whois.py", line 349, in __new__
    domain = record['domain'] # yes, it's an IP, but this is where the data is

Or a Domain, from the example on the README:

>>> analyzer.Hostname('riskiq.com').whois
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.9/site-packages/passivetotal/analyzer/hostname.py", line 193, in whois
    return self._api_get_whois(
  File "/usr/local/lib/python3.9/site-packages/passivetotal/analyzer/hostname.py", line 96, in _api_get_whois
    self._whois = DomainWhois(response)
  File "/usr/local/lib/python3.9/site-packages/passivetotal/analyzer/whois.py", line 309, in __new__
    domain = record['domain']
KeyError: 'domain'

aeetos commented 3 years ago

Hello, thank you for trying this out!

Your code seems correct - I believe the problem is your API credentials are not working or are not set up properly, and the Analyzer module is doing a poor job of telling you that. We'll work on getting better visibility to those errors, but until then, you can use this code to get the actual API response and start troubleshooting your credentials.

from passivetotal import WhoisRequest
whois_request = WhoisRequest.from_config()
whois_response = whois_request.get_whois_details(query='8.8.8.8')
print(whois_response)

If my theory is correct, you will get a response with an error message. Let me know!

sdcorlin commented 3 years ago

Looks like you're right, I'm getting a 429:

{'timestamp': '2021-06-02T23:40:19.310+00:00', 'status': 429, 'error': 'Too Many Requests', 'message': '', 'path': '/v2/whois'}

I'm surprised, considering I'm not doing anything besides these calls, but perhaps my account is limited within my org.

aeetos commented 3 years ago

Okay, got it - I recommend submitting a ticket to RiskIQ support - they might be able to guide you to API keys that are not as restricted. Email support at riskiq dot net with that error message, ideally from your org email address, and they'll get you set up.

Better exception handling for this will be in the next version of the Python library - we're testing changes to it now.
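As an added illustration of the kind of check the analyzer was missing (example code written for this page, not code from the passivetotal library or from anyone in this thread): the API returned an error envelope like the 429 body above, and the analyzer read record['domain'] from it without first asking whether the response was a record at all. The helper below inspects the decoded response first, turns an error envelope into a descriptive exception that carries the API's own status, error, message and path, and reports a missing 'domain' field separately. The names APIResponseError, classify_response, whois_domain and try_whois_domain, and the set of statuses treated as retryable, are assumptions of this example, not the library's API (the AnalyzerAPIError added in v2.5.0 is not shown here).

```python
# Added example, not code from passivetotal/python_api. Validate a decoded
# PassiveTotal-style API response before reading record fields, so an error
# payload (such as the HTTP 429 quoted in the thread) surfaces as a
# descriptive exception instead of a bare KeyError.

# Assumption: these statuses are worth retrying after a backoff; others are not.
RETRYABLE_STATUSES = {429, 500, 502, 503, 504}


class APIResponseError(Exception):
    """Hypothetical exception carrying the API's own error fields."""

    def __init__(self, status, error, message='', path=''):
        self.status = status
        self.error = error
        self.message = message
        self.path = path
        detail = f" ({message})" if message else ""
        super().__init__(f"API request to {path} failed: {status} {error}{detail}")

    @property
    def retryable(self):
        return self.status in RETRYABLE_STATUSES


def classify_response(response):
    """Describe a decoded JSON response without raising.

    An error envelope is recognised by an 'error' key or an integer 'status'
    of 400 or more, matching the shape of the 429 body in the thread.
    Returns a dict with ok, status, error, message, path and retryable.
    """
    if not isinstance(response, dict):
        return {'ok': False, 'status': None, 'error': 'Non-object response',
                'message': repr(response)[:80], 'path': '', 'retryable': False}
    status = response.get('status')
    is_error = 'error' in response or (isinstance(status, int) and status >= 400)
    return {
        'ok': not is_error,
        'status': status if isinstance(status, int) else None,
        'error': response.get('error', 'Unknown error') if is_error else None,
        'message': response.get('message', ''),
        'path': response.get('path', ''),
        'retryable': is_error and status in RETRYABLE_STATUSES,
    }


def whois_domain(response):
    """Return the 'domain' field the analyzer's WHOIS classes read.

    Raises APIResponseError for an error envelope and ValueError for a
    record that is not an error but still lacks the field.
    """
    info = classify_response(response)
    if not info['ok']:
        raise APIResponseError(info['status'], info['error'], info['message'], info['path'])
    try:
        return response['domain']
    except KeyError:
        keys = ', '.join(sorted(response)) or '<none>'
        raise ValueError(f"WHOIS record has no 'domain' field (keys present: {keys})") from None


def try_whois_domain(response):
    """Non-raising variant: (domain, None) on success, (None, reason) otherwise."""
    try:
        return whois_domain(response), None
    except (APIResponseError, ValueError) as exc:
        return None, str(exc)


# Constructed sample inputs: the 429 body quoted in the thread and a
# made-up minimal success record.
RATE_LIMITED = {'timestamp': '2021-06-02T23:40:19.310+00:00', 'status': 429,
                'error': 'Too Many Requests', 'message': '', 'path': '/v2/whois'}
OK_RECORD = {'domain': 'example.com', 'registrar': 'Example Registrar Inc.'}

if __name__ == '__main__':
    for name, body in (('rate limited', RATE_LIMITED), ('ok', OK_RECORD)):
        domain, reason = try_whois_domain(body)
        print(f"{name}: domain={domain!r} reason={reason!r}")
```

Running the block prints the rate-limited case as a failure whose reason names the path and status, which is the information a user needs to tell a credential or quota problem apart from a parsing bug. The retryable flag lets a caller back off on a 429 rather than retrying a request that will keep failing on bad credentials.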

aeetos commented 3 years ago

Hi @sdcorlin - v2.5.0 of the Python library added exception handling to give better feedback when using the analyzer module to interact with our API. You'll get an AnalyzerAPIError object with details on the request itself that should help diagnose these issues. Thanks for helping us see the need for this! Please open another issue if you have any other problems.