From 82f49eb78e4b4f3e574ad84621adde86edef6754 Mon Sep 17 00:00:00 2001
From: delorean
Date: Thu, 14 Dec 2023 22:43:59 -0600
Subject: [PATCH] initial

---
 README.md | 6 +
 cmd/patdown/main.go | 135 +++++++++++++++++++++
 common/console.go | 73 +++++++++++
 common/ref.go | 287 ++++++++++++++++++++++++++++++++++++++++++++
 go.mod | 11 ++
 go.sum | 10 ++
 6 files changed, 522 insertions(+)
 create mode 100644 README.md
 create mode 100644 cmd/patdown/main.go
 create mode 100644 common/console.go
 create mode 100644 common/ref.go
 create mode 100644 go.mod
 create mode 100644 go.sum

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a7229b7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# patdown
+> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
+
+

+
+

diff --git a/cmd/patdown/main.go b/cmd/patdown/main.go
new file mode 100644
index 0000000..75487dc
--- /dev/null
+++ b/cmd/patdown/main.go
@@ -0,0 +1,135 @@
+package main
+
+import (
+ "flag"
+ "fmt"
+ "time"
+
+ "patdown/common"
+
+ "github.com/miekg/dns"
+)
+
+type multiflag []string
+
+type Pair struct {
+ Nameserver string
+ Domain string
+}
+
+func (m *multiflag) String() string {
+ return "irc.supernets.org #superbowl"
+}
+
+func (m *multiflag) Set(value string) error {
+ *m = append(*m, value)
+ return nil
+}
+
+var (
+ domain = flag.String("t", "", "domain to query")
+ workers = flag.Int("c", 100, "number of workers")
+ delay = flag.Int("s", 100, "delay (sleep) between queries in milliseconds")
+ nameserver multiflag
+)
+
+func message(domain string, reqtype uint16, ra bool) *dns.Msg {
+ msg := new(dns.Msg)
+ msg.Id = dns.Id()
+ msg.RecursionDesired = ra
+ msg.Question = make([]dns.Question, 1)
+ msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
+ return msg
+}
+
+func query(q <-chan Pair, tracker chan<- interface{}) {
+ for pair := range q {
+ msg := message(pair.Domain, dns.TypeA, false)
+ // fmt.Println("Querying ", pair.Domain, " on ", pair.Nameserver)
+ in, err := dns.Exchange(msg, pair.Nameserver+":53")
+ if err != nil {
+ common.Error(err.Error())
+ continue
+ }
+
+ if len(in.Answer) > 0 {
+ fmt.Printf("[%s] associated domain %s found on %s\n", common.Vendors[common.Domains[pair.Domain]], pair.Domain, pair.Nameserver)
+ }
+ time.Sleep(time.Duration(*delay) * time.Millisecond)
+ }
+ tracker <- 1337
+}
+
+func testns(ns string) error {
+ msg := message("supernets.org", dns.TypeA, false)
+ _, err := dns.Exchange(msg, ns+":53")
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
+func main() {
+ flag.Var(&nameserver, "n", "nameserver to query")
+ flag.Usage = common.Usage
+ flag.Parse()
+
+ var nameservers []string
+ pairs := make(chan Pair)
+ tracker := make(chan interface{})
+
+ common.Banner()
+
+ if *domain != "" {
+ // query domain for nameservers
+ nsmsg := message(*domain, dns.TypeNS, true)
+ in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
+ if err != nil {
+ panic(err)
+ }
+
+ for _, ans := range in.Answer {
+ ns, ok := ans.(*dns.NS)
+ if ok {
+ nameservers = append(nameservers, ns.Ns)
+ }
+ }
+
+ fmt.Println(nameservers)
+ } else if len(nameserver) > 0 {
+ for _, ns := range nameserver {
+ nameservers = append(nameservers, ns)
+ }
+ } else {
+ // print usage
+ }
+
+ common.Info("aggregating nameservers...")
+
+ for i, ns := range nameservers {
+ if err := testns(ns); err != nil {
+ common.Error("nameserver " + ns + " is not responding")
+ nameservers = append(nameservers[:i], nameservers[i+1:]...)
+ }
+ }
+
+ common.Info(fmt.Sprintf("snooping EDR domains from %d resolvers...", len(nameservers)))
+
+ go func() {
+ for i := 0; i < *workers; i++ {
+ query(pairs, tracker)
+ }
+ }()
+
+ for _, ns := range nameservers {
+ for k, _ := range common.Domains {
+ pairs <- Pair{Nameserver: ns, Domain: k}
+ }
+ }
+
+ close(pairs)
+
+ for x := 0; x < *workers; x++ {
+ <-tracker
+ }
+}
diff --git a/common/console.go b/common/console.go
new file mode 100644
index 0000000..eab6f76
--- /dev/null
+++ b/common/console.go
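Review bot: The worker pool in main never runs concurrently: `go func() { for i := 0; i < *workers; i++ { query(pairs, tracker) } }()` starts a single goroutine that calls query in sequence, and because query ranges over pairs until the channel is closed, the first call consumes every lookup serially while the remaining iterations only send on tracker. Launch each worker with `go query(pairs, tracker)` inside a plain loop instead. The liveness pass also deletes from nameservers while ranging over it (`nameservers = append(nameservers[:i], nameservers[i+1:]...)`), which can skip the entry that shifts into the deleted slot and re-read stale entries past the new length; collecting responders into a fresh slice avoids that. Separately, `len(in.Answer) > 0` on an RD=0 query is treated as a cache hit, but a resolver that recurses regardless of the RD bit, or a middlebox that answers every name, will match every key in Domains, so checking `in.Rcode == dns.RcodeSuccess` and first sending a control query for a name that should not be cached would cut those false positives. The empty `else { // print usage }` branch leaves nameservers empty and still proceeds; call `common.Usage()` and return there.
```go
// … unchanged: flag parsing and nameserver discovery …
alive := nameservers[:0]
for _, ns := range nameservers {
	if err := testns(ns); err != nil {
		common.Error("nameserver " + ns + " is not responding")
		continue
	}
	alive = append(alive, ns)
}
nameservers = alive

common.Info(fmt.Sprintf("snooping EDR domains from %d resolvers...", len(nameservers)))

for i := 0; i < *workers; i++ {
	go query(pairs, tracker)
}
// … unchanged: feeding pairs, close(pairs), draining tracker …
```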
@@ -0,0 +1,73 @@
+package common
+
+import (
+ "fmt"
+ "os"
+)
+
+var (
+ ColorReset = "\033[0m"
+ ColorRed = "\033[31m"
+ ColorPurple = "\033[35m"
+ ColorLightBlue = "\033[34m"
+ ColorCyan = "\033[36m"
+ ColorGreen = "\033[32m"
+ ColorOrange = "\033[91m"
+ ColorGray = "\033[90m"
+ ColorYellow = "\033[93m"
+)
+
+func Banner() {
+ fmt.Printf(`%s
+ _ __________=__
+ \\@([____]_____()
+ _/\|-[____]
+ / /(( ) ___ __ _____ ___ ___ _ _ _ _
+ /____|'----' | |_) / /\ | | | | \ / / \ \ \ / | |\ |
+ \____/ |_| /_/--\ |_| |_|_/ \_\_/ \_\/\/ |_| \|
+%s%s
+ sincerely,
+ ~ delorean%s
+
+`, ColorRed, ColorReset, ColorGray, ColorReset)
+}
+
+var Vendors = map[string]string{
+ "Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
+ "VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
+ "CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
+ "CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
+ "Cybereason": "\033[93mCybereason\033[0m",
+ "Trellix": "\033[32mTrellix\033[0m",
+ "Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
+ "SentinelOne": "\033[35mSentinelOne\033[0m",
+ "Symantec": "\033[93mSymantec\033[0m",
+ "Tanium": "\033[31mTanium\033[0m",
+ "Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
+ "Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
+}
+
+func Success(msg string) {
+ fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
+}
+
+func Info(msg string) {
+ fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
+}
+
+func Warning(msg string) {
+ fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
+}
+
+func Error(msg string) {
+ fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
+}
+
+func Fatal(msg string) {
+ fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
+ os.Exit(-1)
+}
+
+func Usage() {
+ fmt.Printf(" %s~u~%s usage:\npatdown -t \npatdown -n ns1.target.com -n ns2.target.com", ColorOrange, ColorReset)
+}
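Review bot: Usage documents only the `-t` and `-n` forms and says nothing about the `-c` worker count and `-s` delay flags that cmd/patdown/main.go registers, and its format string ends without a newline, so the shell prompt lands on the same line as the last usage line; the `-t` line also shows no argument placeholder after the flag, which may be an artifact of how this patch was rendered rather than the source. Terminate the string with `\n` and add the two missing flags, e.g. `patdown -t <domain> [-c workers] [-s delay_ms]`. Fatal calls `os.Exit(-1)`, which becomes exit status 255 on POSIX systems; `os.Exit(1)` is the conventional failure status. As a point of style, Vendors hard-codes the same escape sequences the Color* variables above it already name, and every helper emits colour even when stdout is not a terminal, which garbles piped output.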
diff --git a/common/ref.go b/common/ref.go
new file mode 100644
index 0000000..09b2357
--- /dev/null
+++ b/common/ref.go
@@ -0,0 +1,287 @@
+package common
+
+var Domains = map[string]string{
+ // Microsoft Defender for Endpoint
+ //https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
+ "security.microsoft.com": "Microsoft Defender for Endpoint",
+ "download.microsoft.com": "Microsoft Defender for Endpoint",
+ "ussus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussus3eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussus4eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wsus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wsus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussus3westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussus4westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wsus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wsus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "usseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "usseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wsuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "ussuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "wsuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
+ "settings-win.data.microsoft.com": "Microsoft Defender for Endpoint",
+ "vortex-win.data.microsoft.com": "Microsoft Defender for Endpoint",
+ "go.microsoft.com": "Microsoft Defender for Endpoint",
+ "ctldl.windowsupdate.com": "Microsoft Defender for Endpoint",
+ "windowsupdate.com": "Microsoft Defender for Endpoint",
+
+ // VMWare Carbon Black
+ // https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
+ "carbonblack.com": "VMWare Carbon Black",
+ "carbonblack.io": "VMWare Carbon Black",
+ "defense-eap01.conferdeploy.net": "VMWare Carbon Black",
+ "dashboard.confer.net": "VMWare Carbon Black",
+ "defense.conferdeploy.net": "VMWare Carbon Black",
+ "defense-prod05.conferdeploy.net": "VMWare Carbon Black",
+ "defense-eu.conferdeploy.net": "VMWare Carbon Black",
+ "defense-prodnrt.conferdeploy.net": "VMWare Carbon Black",
+ "defense-prodsyd.conferdeploy.net": "VMWare Carbon Black",
+ "ew2.carbonblackcloud.vmware.com": "VMWare Carbon Black",
+ "gprd1usgw1.carbonblack-us-gov.vmware.com": "VMWare Carbon Black",
+ "updates.cdc.carbonblack.io": "VMWare Carbon Black",
+ "updates2.cdc.carbonblack.io": "VMWare Carbon Black",
+ "carbonblack.vmware.com": "VMWare Carbon Black",
+ "console.cloud-us-gov.vmware.com": "VMWare Carbon Black",
+ "console.cloud.vmware.com": "VMWare Carbon Black",
+
+ // CrowdStrike Falcon
+ // https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
+ "crowdstrike.com": "CrowdStrike Falcon",
+ "ts01-b.cloudsink.net": "CrowdStrike Falcon",
+ "lfodown01-b.cloudsink.net": "CrowdStrike Falcon",
+ "lfoup01-b.cloudsink.net": "CrowdStrike Falcon",
+ "falcon.crowdstrike.com": "CrowdStrike Falcon",
+ "assets.falcon.crowdstrike.com": "CrowdStrike Falcon",
+ "assets-public.falcon.crowdstrike.com": "CrowdStrike Falcon",
+ "api.crowdstrike.com": "CrowdStrike Falcon",
+ "firehose.crowdstrike.com": "CrowdStrike Falcon",
+ "ts01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
+ "lfodown01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
+ "lfoup01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
+ "falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
+ "assets.falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
+ "assets-public.us-2.falcon.crowdstrike.com": "CrowdStrike Falcon",
+ "api.us-2.crowdstrike.com": "CrowdStrike Falcon",
+ "firehose.us-2.crowdstrike.com": "CrowdStrike Falcon",
+ "ts01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
+ "sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
+ "lfodown01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
+ "ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
+ "falcon.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
+ "laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
+ "api.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
+ "firehose.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
+ "falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
+ "ts01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
+ "lfodown01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
+ "api.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
+ "firehose.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
+ "ts01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
+ "lfodown01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
+ "lfoup01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
+ "assets.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
+ "assets-public.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
+ "api.eu-1.crowdstrike.com": "CrowdStrike Falcon",
+ "firehose.eu-1.crowdstrike.com": "CrowdStrike Falcon",
+
+ // Harmony / CheckPoint
+ // https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
+ "checkpoint.com": "CheckPoint Harmony",
+ "us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": "CheckPoint Harmony",
+ "europe-west1-datatube-240519.cloudfunctions.net": "CheckPoint Harmony",
+ "datatube-prod.azurewebsites.net": "CheckPoint Harmony",
+ "epmgmt.checkpoint.com": "CheckPoint Harmony",
+ "endpoint-cdn.epmgmt.checkpoint.com": "CheckPoint Harmony",
+ "ep-repo.epmgmt.checkpoint.com": "CheckPoint Harmony",
+ "epm-gw-eu.epmgmt.checkpoint.com": "CheckPoint Harmony",
+ "file-rep.iaas.checkpoint.com": "CheckPoint Harmony",
+ "url-rep.iaas.checkpoint.com": "CheckPoint Harmony",
+ "threatcloud.iaas.checkpoint.com": "CheckPoint Harmony",
+ "te.iaas.checkpoint.com": "CheckPoint Harmony",
+ "sba-data-collection.iaas.checkpoint.com": "CheckPoint Harmony",
+ "iaas.checkpoint.com": "CheckPoint Harmony",
+ "cws.checkpoint.com": "CheckPoint Harmony",
+ "rep.checkpoint.com": "CheckPoint Harmony",
+ "te.checkpoint.com": "CheckPoint Harmony",
+ "threat-emulation.checkpoint.com": "CheckPoint Harmony",
+ "kav8.checkpoint.com": "CheckPoint Harmony",
+ "secureupdates.checkpoint.com": "CheckPoint Harmony",
+ "sc1.checkpoint.com": "CheckPoint Harmony",
+ "updates.checkpoint.com": "CheckPoint Harmony",
+ "dl3.checkpoint.com": "CheckPoint Harmony",
+ "cloudinfra-gw.portal.checkpoint.com": "CheckPoint Harmony",
+ "gwevents.checkpoint.com": "CheckPoint Harmony",
+ "teadv.checkpoint.com": "CheckPoint Harmony",
+ "services.checkpoint.com": "CheckPoint Harmony",
+
+ // Cybereason
+ // https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
+ "cybereason.com": "Cybereason",
+ "probe-dist.cybereason.net": "Cybereason",
+ "data-epgw.cybereason.net": "Cybereason",
+ "probe-dist-eu-west-1.cybereason.net": "Cybereason",
+ "data-epgw-eu-west-1.cybereason.net": "Cybereason",
+ "probe-dist-asia-northeast-1.cybereason.net": "Cybereason",
+ "data-epgw-asia-northeast-1.cybereason.net": "Cybereason",
+
+ // FireEye / Trellix
+ // https://kcm.trellix.com/corporate/index?page=content&id=KB90878
+ "api.manage.trellix.com": "Trellix",
+ "uam.api.trellix.com": "Trellix",
+ "cdn-usw001.manage.trellix.com": "Trellix",
+ "sw-usw001.manage.trellix.com": "Trellix",
+ "cdn-usw002.manage.trellix.com": "Trellix",
+ "sw-usw002.manage.trellix.com": "Trellix",
+ "cdn-usw003.manage.trellix.com": "Trellix",
+ "sw-usw003.manage.trellix.com": "Trellix",
+ "cdn-usw004.manage.trellix.com": "Trellix",
+ "sw-usw004.manage.trellix.com": "Trellix",
+ "cdn-sgp001.manage.trellix.com": "Trellix",
+ "sw-sgp001.manage.trellix.com": "Trellix",
+ "cdn-eu001.manage.trellix.com": "Trellix",
+ "sw-eu001.manage.trellix.com": "Trellix",
+ "cdn-au001.manage.trellix.com": "Trellix",
+ "sw-au001.manage.trellix.com": "Trellix",
+ "cdn-ind001.manage.trellix.com": "Trellix",
+ "sw-ind001.manage.trellix.com": "Trellix",
+ "cds-usw001.manage.trellix.com": "Trellix",
+ "cds-usw002.manage.trellix.com": "Trellix",
+ "cds-usw003.manage.trellix.com": "Trellix",
+ "cds-usw004.manage.trellix.com": "Trellix",
+ "dxl-usw001.manage.trellix.com": "Trellix",
+ "dxl-usw002.manage.trellix.com": "Trellix",
+ "dxl-usw003.manage.trellix.com": "Trellix",
+ "dxl-usw004.manage.trellix.com": "Trellix",
+ "dxlweb-usw001.manage.trellix.com": "Trellix",
+ "dxlweb-usw002.manage.trellix.com": "Trellix",
+ "dxlweb-usw003.manage.trellix.com": "Trellix",
+ "dxlweb-usw004.manage.trellix.com": "Trellix",
+
+ // Cortex XDR / Palo Alto Networks
+ // https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
+ "paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-us.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-eu.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-ca.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-uk.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-jp.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-sg.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-au.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-de.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-in.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-ch.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-pl.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-tw.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-qt.paloaltonetworks.com": "Palo Alto Networks",
+ "lrc-fa.paloaltonetworks.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-us.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-eu.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-ca.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-uk.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-jp.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-sg.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-au.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-de.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-in.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-ch.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-pl.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-tw.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-qt.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-fa.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-installers-prod-us.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-payloads-prod-us.storage.googleapis.com": "Palo Alto Networks",
+ "global-content-profiles-policy.storage.googleapis.com": "Palo Alto Networks",
+ "login.paloaltonetworks.com": "Palo Alto Networks",
+ "pendo-static-5664029141630976.storage.googleapis.com": "Palo Alto Networks",
+
+ // Singularity / SentinelOne
+ "sentinelone.com": "SentinelOne",
+ "xdr.intus1.sentinelone.net": "SentinelOne",
+ "console.mobile.sentinelone.net": "SentinelOne",
+ "content.mobile.sentinelone.net": "SentinelOne",
+ "device-api.mobile.sentinelone.net": "SentinelOne",
+ "eu1-acceptor.mobile.sentinelone.net": "SentinelOne",
+ "eu1-console.mobile.sentinelone.net": "SentinelOne",
+ "eu1-content.mobile.sentinelone.net": "SentinelOne",
+ "eu1-device-api.mobile.sentinelone.net": "SentinelOne",
+ "eu1-oauth.mobile.sentinelone.net": "SentinelOne",
+ "eu1-panel.mobile.sentinelone.net": "SentinelOne",
+ "eu1-qi.mobile.sentinelone.net": "SentinelOne",
+ "eu1-token.mobile.sentinelone.net": "SentinelOne",
+ "eu1-vpc.mobile.sentinelone.net": "SentinelOne",
+ "ut.sentinelone.net": "SentinelOne",
+ "oauth.mobile.sentinelone.net": "SentinelOne",
+ "panel.mobile.sentinelone.net": "SentinelOne",
+
+ // Symantec / Broadcom
+ // https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
+ "symantec.com": "Symantec",
+ "remotetunnel1.edrc.symantec.com": "Symantec",
+ "remotetunnel2.edrc.symantec.com": "Symantec",
+ "remotetunnel3.edrc.symantec.com": "Symantec",
+ "remotetunnel4.edrc.symantec.com": "Symantec",
+ "remotetunnel5.edrc.symantec.com": "Symantec",
+ "api-gateway.symantec.com": "Symantec",
+ "liveupdate.symantec.com": "Symantec",
+ "ratings-wrs.symantec.com": "Symantec",
+ "stnd-avpg.crsi.symantec.com": "Symantec",
+ "stnd-ipsg.crsi.symantec.com": "Symantec",
+ "central.b6.crsi.symantec.com": "Symantec",
+ "bash-avpg.crsi.symantec.com": "Symantec",
+ "swupdate.brightmail.com": "Symantec",
+ "shasta-rrs.symantec.com": "Symantec",
+ "shasta-mrs.symantec.com": "Symantec",
+ "datafeedapi.symanteccloud.com": "Symantec",
+ "telemetry.broadcom.com": "Symantec",
+ "sso1.edrc.symantec.com": "Symantec",
+
+ // Tanium
+ "tanium.com": "Tanium",
+ "shared.prd-int-manage.mdm.cloud.tanium.com": "Tanium",
+ "shared.prd-int.mdm.cloud.tanium.com": "Tanium",
+ "shared.prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
+ "shared.prd-us-1.mdm.cloud.tanium.com": "Tanium",
+ "prd-int-manage.mdm.cloud.tanium.com": "Tanium",
+ "prd-int.mdm.cloud.tanium.com": "Tanium",
+ "prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
+ "prd-us-1.mdm.cloud.tanium.com": "Tanium",
+ "prd.mdm.cloud.tanium.com": "Tanium",
+ "jp.tanium.com": "Tanium",
+ "docs-es.tanium.com": "Tanium",
+ "docs-fr.tanium.com": "Tanium",
+ "docs-ko.tanium.com": "Tanium",
+
+ // Aurora
+ // https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
+ "update-102.nextron-systems.com": "Nextron Aurora",
+ "update-201.nextron-systems.com": "Nextron Aurora",
+ "update-202.nextron-systems.com": "Nextron Aurora",
+ "update-aurora.nextron-systems.com": "Nextron Aurora",
+ "update-lite.nextron-systems.com": "Nextron Aurora",
+
+ // Trend Micro
+ // https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
+ // https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
+ "api.eu.nacloud.trendmicro.com": "Trend Micro",
+ "api.jp.nacloud.trendmicro.com": "Trend Micro",
+ "api.sg.nacloud.trendmicro.com": "Trend Micro",
+ "api.us.nacloud.trendmicro.com": "Trend Micro",
+ "docs.trendmicro.com": "Trend Micro",
+ "licenseupdate.trendmicro.com": "Trend Micro",
+ "api.nacloud.trendmicro.com": "Trend Micro",
+ "trendmicro.com": "Trend Micro",
+ "files.trendmicro.com": "Trend Micro",
+ "xdr.trendmicro.com": "Trend Micro",
+ "xdr.trendmicro.co.jp": "Trend Micro",
+ "trenddefense.com": "Trend Micro",
+ "ddd53-p.activeupdate.trendmicro.com": "Trend Micro",
+ "ddd53-threatconnect.trendmicro.com": "Trend Micro",
+ "threatconnect.trendmicro.com": "Trend Micro",
+ "cloudone.trendmicro.com": "Trend Micro",
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..5511441
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,11 @@
+module patdown
+
+go 1.21.0
+
+require (
+ github.com/miekg/dns v1.1.57 // indirect
+ golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/net v0.17.0 // indirect
+ golang.org/x/sys v0.13.0 // indirect
+ golang.org/x/tools v0.13.0 // indirect
+)
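Review bot: Several keys in Domains are generic vendor, documentation or Windows-servicing hostnames rather than agent telemetry endpoints — `windowsupdate.com`, `ctldl.windowsupdate.com`, `go.microsoft.com`, `download.microsoft.com`, `docs.trendmicro.com`, `docs-es.tanium.com`, `login.paloaltonetworks.com`, and the bare apex names such as `crowdstrike.com` or `symantec.com` — and finding one of those in a resolver's cache says nothing about an EDR agent being deployed, yet cmd/patdown/main.go reports a hit on them with the same weight as one on `ts01-b.cloudsink.net`. Either drop them or tag them so the caller can report them as low confidence; the smallest change that keeps the map shape is a per-entry comment such as `// low confidence: resolved by any Windows host` plus a separate set of high-confidence keys that the caller consults before printing a vendor. The exported map also lacks a doc comment; `// Domains maps hostnames taken from the vendors' connectivity documentation (linked per section) to the vendor label used as a key into Vendors.` would state what the file shows. Because this is a Go map, iteration order in the caller is random, which is worth a one-line note here for anyone expecting grouped output.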
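Review bot: `github.com/miekg/dns v1.1.57 // indirect` is wrong for a module that imports that package directly from cmd/patdown/main.go, and the `golang.org/x/mod` and `golang.org/x/tools` lines appear to be transitive requirements of miekg/dns rather than anything this module uses. Running `go mod tidy` would promote miekg/dns to a direct requirement and prune the rest, which keeps the dependency surface of the tool honest and easier to audit.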
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..84f8017
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,10 @@
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=