Compare commits
No commits in common. "main" and "v1.0" have entirely different histories.
59
README.md
59
README.md
@ -1,63 +1,6 @@
|
|||||||
# patdown
|
# patdown
|
||||||
|
> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
|
||||||
> Remotely predicts and identifies the presence of EDR/XDR solutions on networks
|
|
||||||
|
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
|
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
## Abstract
|
|
||||||
patdown is an EDR/XDR fingerprinting utility used for remotely predicting defense mechanisms in use on a network.
|
|
||||||
|
|
||||||
This allows you to forecast the security posture of a network during the earliest stages of access, or even prior to any access at all.
|
|
||||||
|
|
||||||
Fingerprinting is achieved via the probing of DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
|
|
||||||
|
|
||||||
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, chances are the *CrowdStrike Falcon* EDR solution is present on the network.
|
|
||||||
|
|
||||||
These DNS servers can be specified as arguments (most effective), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-d` flag.
|
|
||||||
|
|
||||||
> ⚠️ Authoritative nameservers are rarely used as egress resolvers for networks and are not as reliable for fingerprinting EDR/XDR, making them prone to false positives.
|
|
||||||
|
|
||||||
## Installation
|
|
||||||
Retrieve a binary corresponding to your architecture from **Releases**
|
|
||||||
|
|
||||||
*or*
|
|
||||||
|
|
||||||
`git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
```
|
|
||||||
d | target fqdn (not as reliable, prone to false positives)
|
|
||||||
n | nameserver to query (can be specified multiple times)
|
|
||||||
v | enable verbosity [false]
|
|
||||||
t | threads [5]
|
|
||||||
s | delay between requests in milliseconds, per thread [250]
|
|
||||||
|
|
||||||
e.g.
|
|
||||||
patdown -d target.network
|
|
||||||
patdown -n egress.ns.target.network -n another.egress.ns.target.network
|
|
||||||
patdown -n dc.target.network -v -t 25
|
|
||||||
```
|
|
||||||
|
|
||||||
## Currently Identified Vendors/Solutions:
|
|
||||||
- [x] **CrowdStrike** Falcon
|
|
||||||
- [x] **Microsoft** Defender for Endpoint
|
|
||||||
- [x] **VMWare** Carbon Black
|
|
||||||
- [x] **Check Point** Harmony
|
|
||||||
- [x] **Cybereason** EDR
|
|
||||||
- [x] **Trellix** EDR
|
|
||||||
- [x] **Palo Alto Networks** Cortex XDR
|
|
||||||
- [x] **SentinelOne** Singularity
|
|
||||||
- [x] **Symantec** Endpoint Security
|
|
||||||
- [x] **Tanium** EDR
|
|
||||||
- [x] **Nextron** Aurora
|
|
||||||
- [x] **Trend Micro** Endpoint Sensor
|
|
||||||
- [x] **Rapid7** InsightIDR
|
|
||||||
- [ ] **ESET** Inspect
|
|
||||||
- [ ] **Harfanglab** EDR
|
|
||||||
- [ ] **Limacharlie** EDR
|
|
||||||
- [ ] **Elastic** Security
|
|
||||||
- [ ] **Qualys** EDR
|
|
||||||
- [ ] **Uptycs** XDR
|
|
||||||
- [ ] **WatchGuard** EDR
|
|
||||||
|
@ -1,36 +1,151 @@
|
|||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"time"
|
||||||
|
|
||||||
"patdown/common"
|
"patdown/common"
|
||||||
|
|
||||||
|
"github.com/miekg/dns"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type multiflag []string
|
||||||
|
|
||||||
|
type Pair struct {
|
||||||
|
Nameserver string
|
||||||
|
Domain string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *multiflag) String() string {
|
||||||
|
return "irc.supernets.org #superbowl"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *multiflag) Set(value string) error {
|
||||||
|
*m = append(*m, value)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
domain = flag.String("t", "", "")
|
||||||
|
workers = flag.Int("c", 100, "")
|
||||||
|
delay = flag.Int("s", 100, "")
|
||||||
|
nameserver multiflag
|
||||||
|
)
|
||||||
|
|
||||||
|
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
|
||||||
|
msg := new(dns.Msg)
|
||||||
|
msg.Id = dns.Id()
|
||||||
|
msg.RecursionDesired = ra
|
||||||
|
msg.Question = make([]dns.Question, 1)
|
||||||
|
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
|
||||||
|
return msg
|
||||||
|
}
|
||||||
|
|
||||||
|
func query(q <-chan Pair, tracker chan<- interface{}) {
|
||||||
|
for pair := range q {
|
||||||
|
msg := message(pair.Domain, dns.TypeA, false)
|
||||||
|
in, err := dns.Exchange(msg, pair.Nameserver+":53")
|
||||||
|
if err != nil {
|
||||||
|
common.Error(err.Error())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(in.Answer) > 0 {
|
||||||
|
fmt.Printf("[%s] associated domain %s found on %s\n", common.Vendors[common.Domains[pair.Domain]], pair.Domain, pair.Nameserver)
|
||||||
|
}
|
||||||
|
time.Sleep(time.Duration(*delay) * time.Millisecond)
|
||||||
|
}
|
||||||
|
tracker <- 1337
|
||||||
|
}
|
||||||
|
|
||||||
|
func testns(ns string) error {
|
||||||
|
msg := message("supernets.org", dns.TypeA, false)
|
||||||
|
_, err := dns.Exchange(msg, ns+":53")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func testreq() bool {
|
||||||
|
msg := message("cloudflare.com", dns.TypeA, false)
|
||||||
|
in, err := dns.Exchange(msg, "1.1.1.1:53")
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if len(in.Answer) > 0 {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
common.LoadArgs()
|
flag.Var(&nameserver, "n", "nameserver to query")
|
||||||
var servers []string
|
flag.Usage = common.Usage
|
||||||
|
flag.Parse()
|
||||||
|
|
||||||
|
var nameservers []string
|
||||||
|
pairs := make(chan Pair)
|
||||||
|
tracker := make(chan interface{})
|
||||||
|
|
||||||
common.Banner()
|
common.Banner()
|
||||||
|
|
||||||
autodetect := common.Params.Domain != ""
|
if *domain != "" {
|
||||||
if autodetect {
|
// query domain for nameservers
|
||||||
if servers = common.PullNS(common.Params.Domain); len(servers) == 0 {
|
nsmsg := message(*domain, dns.TypeNS, true)
|
||||||
common.Fatal("no nameservers found for " + common.Params.Domain)
|
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, ans := range in.Answer {
|
||||||
|
ns, ok := ans.(*dns.NS)
|
||||||
|
if ok {
|
||||||
|
nameservers = append(nameservers, ns.Ns)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
} else if len(nameserver) > 0 {
|
||||||
|
for _, ns := range nameserver {
|
||||||
|
nameservers = append(nameservers, ns)
|
||||||
}
|
}
|
||||||
common.Info(fmt.Sprintf("retrieved %s%d%s nameservers for %s", common.ColorGreen, len(servers), common.ColorReset, common.Params.Domain))
|
|
||||||
} else if len(common.Params.Nservers) > 0 {
|
|
||||||
servers = common.Params.Nservers
|
|
||||||
} else {
|
} else {
|
||||||
common.Fatal("provide a domain or nameservers to target")
|
// print usage
|
||||||
|
common.Usage()
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !common.NeutralReq() {
|
if !testreq() {
|
||||||
common.Fatal("neutral dns check failed, are you on a dirty box or vpn?")
|
common.Fatal("non-recursive queries are being refused, are you on a very dirty box or VPN?")
|
||||||
}
|
}
|
||||||
|
|
||||||
valid := common.ParseNS(servers)
|
common.Info("aggregating nameservers...")
|
||||||
if len(valid) == 0 {
|
|
||||||
common.Fatal("no servers responded to trial probes, they're either down or they don't like your IP")
|
for i, ns := range nameservers {
|
||||||
|
if err := testns(ns); err != nil {
|
||||||
|
common.Error("nameserver " + ns + " is not responding")
|
||||||
|
nameservers = append(nameservers[:i], nameservers[i+1:]...)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
common.Takeoff(valid)
|
common.Info(fmt.Sprintf("snooping caches on %d resolvers...", len(nameservers)))
|
||||||
|
|
||||||
|
go func() {
|
||||||
|
for i := 0; i < *workers; i++ {
|
||||||
|
query(pairs, tracker)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
for _, ns := range nameservers {
|
||||||
|
for k, _ := range common.Domains {
|
||||||
|
pairs <- Pair{Nameserver: ns, Domain: k}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
close(pairs)
|
||||||
|
|
||||||
|
for x := 0; x < *workers; x++ {
|
||||||
|
<-tracker
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,39 +0,0 @@
|
|||||||
package common
|
|
||||||
|
|
||||||
import "flag"
|
|
||||||
|
|
||||||
type multiflag []string
|
|
||||||
|
|
||||||
type Config struct {
|
|
||||||
Domain string
|
|
||||||
Threads int
|
|
||||||
Delay int
|
|
||||||
Nservers []string
|
|
||||||
Verbose bool
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
|
||||||
domain = flag.String("d", "", "")
|
|
||||||
workers = flag.Int("t", 5, "")
|
|
||||||
delay = flag.Int("s", 250, "")
|
|
||||||
verbose = flag.Bool("v", false, "")
|
|
||||||
nsarg multiflag
|
|
||||||
Params Config
|
|
||||||
)
|
|
||||||
|
|
||||||
func (m *multiflag) String() string {
|
|
||||||
return "front page maximum wage"
|
|
||||||
}
|
|
||||||
|
|
||||||
func (m *multiflag) Set(value string) error {
|
|
||||||
*m = append(*m, value)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func LoadArgs() {
|
|
||||||
flag.Var(&nsarg, "n", "")
|
|
||||||
flag.Usage = Usage
|
|
||||||
flag.Parse()
|
|
||||||
|
|
||||||
Params = Config{Domain: *domain, Threads: *workers, Delay: *delay, Nservers: nsarg, Verbose: *verbose}
|
|
||||||
}
|
|
87
common/console.go
Normal file
87
common/console.go
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
package common
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
ColorReset = "\033[0m"
|
||||||
|
ColorRed = "\033[31m"
|
||||||
|
ColorPurple = "\033[35m"
|
||||||
|
ColorLightBlue = "\033[34m"
|
||||||
|
ColorCyan = "\033[36m"
|
||||||
|
ColorGreen = "\033[32m"
|
||||||
|
ColorOrange = "\033[91m"
|
||||||
|
ColorGray = "\033[90m"
|
||||||
|
ColorYellow = "\033[93m"
|
||||||
|
)
|
||||||
|
|
||||||
|
func Banner() {
|
||||||
|
fmt.Printf(`%s
|
||||||
|
.------..------..------..------..------..------..------.
|
||||||
|
|%s%sP%s%s.--. ||%s%sA%s%s.--. ||%s%sT%s%s.--. ||%s%sD%s%s.--. ||%s%sO%s%s.--. ||%s%sW%s%s.--. ||%s%sN%s%s.--. |
|
||||||
|
| :/\: || (\/) || :/\: || :/\: || :/\: || :/\: || :(): |
|
||||||
|
| (__) || :\/: || (__) || (__) || :\/: || :\/: || ()() |
|
||||||
|
| '--'P|| '--'A|| '--'T|| '--'D|| '--'O|| '--'W|| '--'N|
|
||||||
|
'------''------''------''------''------''------''------'
|
||||||
|
|
||||||
|
%s%s sincerely,
|
||||||
|
~ delorean%s
|
||||||
|
|
||||||
|
`, ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
|
||||||
|
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
|
||||||
|
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
|
||||||
|
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset)
|
||||||
|
}
|
||||||
|
|
||||||
|
func Usage() {
|
||||||
|
fmt.Fprintf(os.Stderr, `patdown usage:
|
||||||
|
(%s-t%s) - target domain
|
||||||
|
(%s-n%s) - specific nameserver to snoop, can be multiple
|
||||||
|
(%s-c%s) - concurrent threads [%s100%s]
|
||||||
|
(%s-s%s) - delay between queries, per thread, in milliseconds [%s100%s]
|
||||||
|
|
||||||
|
%se.g.%s
|
||||||
|
patdown -t supernets.org
|
||||||
|
patdown -n ns1.supernets.org -n ns2.supernets.org
|
||||||
|
patdown -t supernets.org -c 50 -s 500
|
||||||
|
|
||||||
|
`, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset)
|
||||||
|
}
|
||||||
|
|
||||||
|
var Vendors = map[string]string{
|
||||||
|
"Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
|
||||||
|
"VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
|
||||||
|
"CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
|
||||||
|
"CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
|
||||||
|
"Cybereason": "\033[93mCybereason\033[0m",
|
||||||
|
"Trellix": "\033[32mTrellix\033[0m",
|
||||||
|
"Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
|
||||||
|
"SentinelOne": "\033[35mSentinelOne\033[0m",
|
||||||
|
"Symantec": "\033[93mSymantec\033[0m",
|
||||||
|
"Tanium": "\033[31mTanium\033[0m",
|
||||||
|
"Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
|
||||||
|
"Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
|
||||||
|
}
|
||||||
|
|
||||||
|
func Success(msg string) {
|
||||||
|
fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
func Info(msg string) {
|
||||||
|
fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
func Warning(msg string) {
|
||||||
|
fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
func Error(msg string) {
|
||||||
|
fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
func Fatal(msg string) {
|
||||||
|
fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
|
||||||
|
os.Exit(-1)
|
||||||
|
}
|
@ -1,96 +0,0 @@
|
|||||||
package common
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
)
|
|
||||||
|
|
||||||
func scan(nameservers []Nameserver, threads, delay int, recursive, single bool) {
|
|
||||||
queries := make(chan Query)
|
|
||||||
tab := make(chan interface{})
|
|
||||||
|
|
||||||
if !recursive {
|
|
||||||
Info(fmt.Sprintf("performing non-recursive lookups against %d resolvers...", len(nameservers)))
|
|
||||||
for i := 0; i < threads; i++ {
|
|
||||||
go RunQuery(queries, tab, delay)
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, ns := range nameservers {
|
|
||||||
for vendor, domains := range Vendors {
|
|
||||||
for _, domainpair := range domains {
|
|
||||||
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
Warn("recursive snooping can only be done once, as it populates the nameserver's cache")
|
|
||||||
Info(fmt.Sprintf("recursively snooping on %d resolvers...", len(nameservers)))
|
|
||||||
for i := 0; i < threads; i++ {
|
|
||||||
go RunQueryRA(queries, tab, delay)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !single {
|
|
||||||
for _, ns := range nameservers {
|
|
||||||
for vendor, domains := range Vendors {
|
|
||||||
for _, domainpair := range domains {
|
|
||||||
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
for vendor, domains := range Vendors {
|
|
||||||
for _, domainpair := range domains {
|
|
||||||
queries <- Query{Nameserver: nameservers[0].Nameserver, Vendor: vendor, DomainPair: domainpair}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
close(queries)
|
|
||||||
}
|
|
||||||
|
|
||||||
func Takeoff(nameservers []Nameserver) {
|
|
||||||
var nonrns, rns []Nameserver
|
|
||||||
for _, ns := range nameservers {
|
|
||||||
if ns.Recursive {
|
|
||||||
rns = append(rns, ns)
|
|
||||||
}
|
|
||||||
if ns.NonRA {
|
|
||||||
nonrns = append(nonrns, ns)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(nonrns) == 0 && len(rns) == 0 {
|
|
||||||
Fatal("no valid nameservers available for probing, they may be down or they don't like your IP")
|
|
||||||
}
|
|
||||||
|
|
||||||
recursive := false
|
|
||||||
|
|
||||||
for {
|
|
||||||
if !recursive {
|
|
||||||
if len(nonrns) > 0 {
|
|
||||||
scan(nonrns, Params.Threads, Params.Delay, false, false)
|
|
||||||
} else {
|
|
||||||
for {
|
|
||||||
Info(fmt.Sprintf("non-recursive lookups not viable on these servers, perform recursive snooping? %s(less reliable, can only be done once per server)%s",
|
|
||||||
ColorRed, ColorReset))
|
|
||||||
fmt.Printf("%s `--(y/n):%s ", ColorCyan, ColorReset)
|
|
||||||
var input string
|
|
||||||
fmt.Scanln(&input)
|
|
||||||
if input == "y" {
|
|
||||||
recursive = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
if input == "n" {
|
|
||||||
os.Exit(0)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
autodetected := Params.Domain != "" && len(Params.Nservers) == 0
|
|
||||||
scan(rns, Params.Threads, Params.Delay, true, autodetected)
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
69
common/io.go
69
common/io.go
@ -1,69 +0,0 @@
|
|||||||
package common
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
ColorReset = "\033[0m"
|
|
||||||
ColorRed = "\033[31m"
|
|
||||||
ColorPurple = "\033[35m"
|
|
||||||
ColorLightBlue = "\033[34m"
|
|
||||||
ColorCyan = "\033[36m"
|
|
||||||
ColorGreen = "\033[32m"
|
|
||||||
ColorOrange = "\033[91m"
|
|
||||||
ColorGray = "\033[90m"
|
|
||||||
ColorYellow = "\033[93m"
|
|
||||||
ColorWhite = "\033[97m"
|
|
||||||
)
|
|
||||||
|
|
||||||
func Usage() {
|
|
||||||
Banner()
|
|
||||||
fmt.Printf(`
|
|
||||||
usage:
|
|
||||||
%s!%s d | target fqdn (not recommended)
|
|
||||||
%s!%s n | nameserver to query (can be specified multiple times)
|
|
||||||
v | enable verbosity %s[false]%s
|
|
||||||
t | threads %s[5]%s
|
|
||||||
s | delay between requests in milliseconds, per thread %s[250]%s
|
|
||||||
|
|
||||||
e.g.
|
|
||||||
patdown -d target.network
|
|
||||||
patdown -n egress.ns.target.network -n another.egress.ns.target.network
|
|
||||||
patdown -n dc.target.network -v -t 25
|
|
||||||
`, ColorRed, ColorReset, ColorRed, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset)
|
|
||||||
}
|
|
||||||
|
|
||||||
func Banner() {
|
|
||||||
fmt.Fprintf(os.Stderr, `
|
|
||||||
_______
|
|
||||||
_/_ / ---' ____)____
|
|
||||||
_ __. / __/ __ , , , ___ ______)
|
|
||||||
/_)_(_/|_<__(_/_(_)(_(_/_/ <_ _______)
|
|
||||||
/ _______)
|
|
||||||
' ---.__________)
|
|
||||||
|
|
||||||
`)
|
|
||||||
}
|
|
||||||
|
|
||||||
func Success(msg string) {
|
|
||||||
fmt.Printf("%s[+]%s %s\n", ColorGreen, ColorReset, msg)
|
|
||||||
}
|
|
||||||
|
|
||||||
func Info(msg string) {
|
|
||||||
fmt.Printf("%s[i]%s %s\n", ColorCyan, ColorReset, msg)
|
|
||||||
}
|
|
||||||
|
|
||||||
func Warn(msg string) {
|
|
||||||
fmt.Printf("%s[!]%s %s\n", ColorYellow, ColorReset, msg)
|
|
||||||
}
|
|
||||||
|
|
||||||
func Error(msg string) {
|
|
||||||
fmt.Printf("%s[x]%s %s\n", ColorRed, ColorReset, msg)
|
|
||||||
}
|
|
||||||
|
|
||||||
func Fatal(msg string) {
|
|
||||||
fmt.Printf("%s[f]%s %s\n", ColorRed, ColorReset, msg)
|
|
||||||
os.Exit(-1)
|
|
||||||
}
|
|
140
common/net.go
140
common/net.go
@ -1,140 +0,0 @@
|
|||||||
package common
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/miekg/dns"
|
|
||||||
)
|
|
||||||
|
|
||||||
type Query struct {
|
|
||||||
Nameserver string
|
|
||||||
Vendor string
|
|
||||||
DomainPair Pair
|
|
||||||
}
|
|
||||||
|
|
||||||
type Nameserver struct {
|
|
||||||
Nameserver string
|
|
||||||
NonRA bool
|
|
||||||
Recursive bool
|
|
||||||
}
|
|
||||||
|
|
||||||
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
|
|
||||||
msg := new(dns.Msg)
|
|
||||||
msg.Id = dns.Id()
|
|
||||||
msg.RecursionDesired = ra
|
|
||||||
msg.Question = make([]dns.Question, 1)
|
|
||||||
msg.Question[0] = dns.Question{
|
|
||||||
Name: dns.Fqdn(domain),
|
|
||||||
Qtype: reqtype,
|
|
||||||
Qclass: dns.ClassINET,
|
|
||||||
}
|
|
||||||
return msg
|
|
||||||
}
|
|
||||||
|
|
||||||
func ParseNS(nameservers []string) []Nameserver {
|
|
||||||
var valid []Nameserver
|
|
||||||
msg := message("cloudflare.com", dns.TypeA, false)
|
|
||||||
for _, ns := range nameservers {
|
|
||||||
nonra, ra := false, false
|
|
||||||
in, err := dns.Exchange(msg, ns+":53")
|
|
||||||
if err != nil {
|
|
||||||
Error(fmt.Sprintf("nameserver %s%s%s is not responding to the trial query", ColorGray, ns[0:len(ns)-1], ColorReset))
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if in.Rcode == dns.RcodeRefused {
|
|
||||||
Warn(fmt.Sprintf("nameserver %s%s%s refused the trial non-recursive query", ColorGray, ns[0:len(ns)-1], ColorReset))
|
|
||||||
} else {
|
|
||||||
Success(fmt.Sprintf("nameserver %s%s%s allows non-recursive queries", ColorGray, ns[0:len(ns)-1], ColorReset))
|
|
||||||
nonra = true
|
|
||||||
}
|
|
||||||
if in.RecursionAvailable {
|
|
||||||
Success(fmt.Sprintf("nameserver %s%s%s allows recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
|
|
||||||
ra = true
|
|
||||||
} else {
|
|
||||||
Warn(fmt.Sprintf("nameserver %s%s%s does not allow recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
|
|
||||||
}
|
|
||||||
|
|
||||||
valid = append(valid, Nameserver{Nameserver: ns, NonRA: nonra, Recursive: ra})
|
|
||||||
}
|
|
||||||
return valid
|
|
||||||
}
|
|
||||||
|
|
||||||
func NeutralReq() bool {
|
|
||||||
msg := message("supernets.org", dns.TypeA, true)
|
|
||||||
in, err := dns.Exchange(msg, "1.1.1.1:53")
|
|
||||||
if err != nil {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
if len(in.Answer) > 0 {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
func PullNS(d string) []string {
|
|
||||||
nsmsg := message(d, dns.TypeNS, true)
|
|
||||||
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
|
|
||||||
if err != nil {
|
|
||||||
Fatal("unable to retrieve nameservers for " + d)
|
|
||||||
}
|
|
||||||
|
|
||||||
nameservers := []string{}
|
|
||||||
|
|
||||||
for _, ans := range in.Answer {
|
|
||||||
ns, ok := ans.(*dns.NS)
|
|
||||||
if ok {
|
|
||||||
nameservers = append(nameservers, ns.Ns)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nameservers
|
|
||||||
}
|
|
||||||
|
|
||||||
func RunQuery(q <-chan Query, tracker chan<- interface{}, delay int) {
|
|
||||||
for qdata := range q {
|
|
||||||
if Params.Verbose {
|
|
||||||
Info(fmt.Sprintf("querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
|
|
||||||
}
|
|
||||||
msg := message(qdata.DomainPair.Domain, dns.TypeA, false)
|
|
||||||
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
|
|
||||||
if err != nil {
|
|
||||||
Error(err.Error())
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(in.Answer) > 0 {
|
|
||||||
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s",
|
|
||||||
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset))
|
|
||||||
}
|
|
||||||
time.Sleep(time.Duration(delay) * time.Millisecond)
|
|
||||||
}
|
|
||||||
tracker <- 1337
|
|
||||||
}
|
|
||||||
|
|
||||||
func RunQueryRA(q <-chan Query, tracker chan<- interface{}, delay int) {
|
|
||||||
for qdata := range q {
|
|
||||||
if Params.Verbose {
|
|
||||||
Info(fmt.Sprintf("recursively querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
|
|
||||||
}
|
|
||||||
for x := 0; x < 2; x++ {
|
|
||||||
msg := message(qdata.DomainPair.Domain, dns.TypeA, true)
|
|
||||||
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
|
|
||||||
if err != nil {
|
|
||||||
Error("hiccup on " + qdata.Nameserver[0:len(qdata.Nameserver)-1] + " while querying " + qdata.DomainPair.Domain)
|
|
||||||
time.Sleep(2 * time.Second)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(in.Answer) > 0 {
|
|
||||||
if in.Answer[0].Header().Ttl <= qdata.DomainPair.TTL-4 {
|
|
||||||
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s with decremented TTL of %s%d%s",
|
|
||||||
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset, ColorGreen, in.Answer[0].Header().Ttl, ColorReset))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
break
|
|
||||||
}
|
|
||||||
time.Sleep(time.Duration(delay) * time.Millisecond)
|
|
||||||
}
|
|
||||||
tracker <- 1337
|
|
||||||
}
|
|
700
common/ref.go
700
common/ref.go
@ -1,483 +1,287 @@
|
|||||||
package common
|
package common
|
||||||
|
|
||||||
import "fmt"
|
var Domains = map[string]string{
|
||||||
|
|
||||||
type Pair struct {
|
|
||||||
Domain string
|
|
||||||
TTL uint32
|
|
||||||
}
|
|
||||||
|
|
||||||
var Vendors = map[string][]Pair{
|
|
||||||
fmt.Sprintf("%sMicrosoft Defender for Endpoint%s", ColorCyan, ColorReset): domains_microsoft,
|
|
||||||
fmt.Sprintf("%sVMWare%s Carbon Black%s", ColorCyan, ColorGray, ColorReset): domains_carbonblack,
|
|
||||||
fmt.Sprintf("%sCrowdStrike Falcon%s", ColorRed, ColorReset): domains_crowdstrike,
|
|
||||||
fmt.Sprintf("%sCheck Point Harmony%s", ColorPurple, ColorReset): domains_checkpoint,
|
|
||||||
fmt.Sprintf("%sCybereason%s", ColorYellow, ColorReset): domains_cybereason,
|
|
||||||
fmt.Sprintf("%sTrellix%s", ColorCyan, ColorReset): domains_trellix,
|
|
||||||
fmt.Sprintf("%sCortex XDR%s", ColorOrange, ColorReset): domains_paloalto,
|
|
||||||
fmt.Sprintf("%sSentinelOne Singularity%s", ColorPurple, ColorReset): domains_sentinelone,
|
|
||||||
fmt.Sprintf("%sSymantec Endpoint Security%s", ColorYellow, ColorReset): domains_symantec,
|
|
||||||
fmt.Sprintf("%sTanium%s", ColorRed, ColorReset): domains_tanium,
|
|
||||||
fmt.Sprintf("%sNextron%s Aurora%s", ColorCyan, ColorGreen, ColorReset): domains_aurora,
|
|
||||||
fmt.Sprintf("%sTrend Micro Endpoint Sensor%s", ColorRed, ColorReset): domains_trendmicro,
|
|
||||||
fmt.Sprintf("%sRapid7%s InsightIDR", ColorOrange, ColorReset): domains_rapid7,
|
|
||||||
}
|
|
||||||
|
|
||||||
// Microsoft Defender for Endpoint
|
// Microsoft Defender for Endpoint
|
||||||
//https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
|
//https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
|
||||||
var domains_microsoft = []Pair{
|
"security.microsoft.com": "Microsoft Defender for Endpoint",
|
||||||
{"download.microsoft.com", 3600}, // not certain
|
"download.microsoft.com": "Microsoft Defender for Endpoint",
|
||||||
{"go.microsoft.com", 3600}, // not certain
|
"ussus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"security.microsoft.com", 3600},
|
"ussus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"settings-win.data.microsoft.com", 3600}, // not certain
|
"ussus3eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"windowsupdate.com", 300},
|
"ussus4eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"ctldl.windowsupdate.com", 3600}, // not certain
|
"wsus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"wdcp.microsoft.com", 3600},
|
"wsus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"wd.microsoft.com", 300},
|
"ussus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"wdcpalt.microsoft.com", 3600},
|
"ussus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"checkappexec.microsoft.com", 3600}, // not certain
|
"ussus3westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"smartscreen-prod.microsoft.com", 3600},
|
"ussus4westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"vortex-win.data.microsoft.com", 120},
|
"wsus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"update.microsoft.com", 3600}, // not certain
|
"wsus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"download.windowsupdate.com", 3600}, // not certain
|
"usseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"definitionupdates.microsoft.com", 3600},
|
"wseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
// {"delivery.mp.microsoft.com", 0},
|
"usseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
// {"fe3cr.delivery.mp.microsoft.com", 0},
|
"wseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"ussus2westprod.blob.core.windows.net", 60},
|
"ussuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"ussus1westprod.blob.core.windows.net", 60},
|
"wsuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"wsus2westprod.blob.core.windows.net", 60},
|
"ussuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"wseu1northprod.blob.core.windows.net", 60},
|
"wsuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint",
|
||||||
{"wsus2eastprod.blob.core.windows.net", 60},
|
"settings-win.data.microsoft.com": "Microsoft Defender for Endpoint",
|
||||||
{"ussus3westprod.blob.core.windows.net", 60},
|
"vortex-win.data.microsoft.com": "Microsoft Defender for Endpoint",
|
||||||
{"wsus1eastprod.blob.core.windows.net", 60},
|
"go.microsoft.com": "Microsoft Defender for Endpoint",
|
||||||
{"wsuk1westprod.blob.core.windows.net", 60},
|
"ctldl.windowsupdate.com": "Microsoft Defender for Endpoint",
|
||||||
{"ussus2eastprod.blob.core.windows.net", 60},
|
"windowsupdate.com": "Microsoft Defender for Endpoint",
|
||||||
{"usseu1northprod.blob.core.windows.net", 60},
|
|
||||||
{"wsus1westprod.blob.core.windows.net", 60},
|
|
||||||
{"usseu1westprod.blob.core.windows.net", 60},
|
|
||||||
{"ussus1eastprod.blob.core.windows.net", 60},
|
|
||||||
{"ussuk1westprod.blob.core.windows.net", 60},
|
|
||||||
{"ussus4eastprod.blob.core.windows.net", 60},
|
|
||||||
{"wseu1westprod.blob.core.windows.net", 60},
|
|
||||||
{"ussuk1southprod.blob.core.windows.net", 60},
|
|
||||||
{"ussus3eastprod.blob.core.windows.net", 60},
|
|
||||||
{"ussus4westprod.blob.core.windows.net", 60},
|
|
||||||
{"wsuk1southprod.blob.core.windows.net", 60},
|
|
||||||
}
|
|
||||||
|
|
||||||
// VMWare Carbon Black
|
// VMWare Carbon Black
|
||||||
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
|
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
|
||||||
// https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/cb-edr-scm-guide/GUID-3117FB54-5D0F-46C1-8372-BF3784D27CFF.html
|
"carbonblack.com": "VMWare Carbon Black",
|
||||||
// restricted: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295
|
"carbonblack.io": "VMWare Carbon Black",
|
||||||
var domains_carbonblack = []Pair{
|
"defense-eap01.conferdeploy.net": "VMWare Carbon Black",
|
||||||
{"defense-prod05.conferdeploy.net", 60},
|
"dashboard.confer.net": "VMWare Carbon Black",
|
||||||
{"console.cloud.vmware.com", 60},
|
"defense.conferdeploy.net": "VMWare Carbon Black",
|
||||||
{"updates2.cdc.carbonblack.io", 300},
|
"defense-prod05.conferdeploy.net": "VMWare Carbon Black",
|
||||||
{"dashboard.confer.net", 300},
|
"defense-eu.conferdeploy.net": "VMWare Carbon Black",
|
||||||
{"console.cloud-us-gov.vmware.com", 300},
|
"defense-prodnrt.conferdeploy.net": "VMWare Carbon Black",
|
||||||
{"ew2.carbonblackcloud.vmware.com", 30},
|
"defense-prodsyd.conferdeploy.net": "VMWare Carbon Black",
|
||||||
{"defense.conferdeploy.net", 60},
|
"ew2.carbonblackcloud.vmware.com": "VMWare Carbon Black",
|
||||||
{"carbonblack.io", 60},
|
"gprd1usgw1.carbonblack-us-gov.vmware.com": "VMWare Carbon Black",
|
||||||
{"carbonblack.vmware.com", 86400},
|
"updates.cdc.carbonblack.io": "VMWare Carbon Black",
|
||||||
{"defense-prodnrt.conferdeploy.net", 60},
|
"updates2.cdc.carbonblack.io": "VMWare Carbon Black",
|
||||||
{"updates.cdc.carbonblack.io", 60},
|
"carbonblack.vmware.com": "VMWare Carbon Black",
|
||||||
{"gprd1usgw1.carbonblack-us-gov.vmware.com", 3600},
|
"console.cloud-us-gov.vmware.com": "VMWare Carbon Black",
|
||||||
{"defense-prodsyd.conferdeploy.net", 60},
|
"console.cloud.vmware.com": "VMWare Carbon Black",
|
||||||
{"carbonblack.com", 300},
|
|
||||||
{"defense-eap01.conferdeploy.net", 60},
|
|
||||||
{"defense-eu.conferdeploy.net", 60},
|
|
||||||
{"api.alliance.carbonblack.com", 600},
|
|
||||||
{"api2.alliance.carbonblack.com", 600},
|
|
||||||
{"threatintel.bit9.com", 3600},
|
|
||||||
{"yum.distro.carbonblack.io", 300},
|
|
||||||
}
|
|
||||||
|
|
||||||
// CrowdStrike Falcon
|
// CrowdStrike Falcon
|
||||||
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
|
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
|
||||||
var domains_crowdstrike = []Pair{
|
"crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"falcon.us-2.crowdstrike.com", 120},
|
"ts01-b.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"falcon.crowdstrike.com", 60},
|
"lfodown01-b.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"ts01-gyr-maverick.cloudsink.net", 60},
|
"lfoup01-b.cloudsink.net": "CrowdStrike Falcon",
|
||||||
// {"us-gov-2.crowdstrike.com", 0},
|
"falcon.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"api.crowdstrike.com", 300},
|
"assets.falcon.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"ts01-b.cloudsink.net", 1800},
|
"assets-public.falcon.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
// {"firehose.us-gov-2.crowdstrike.com", 0},
|
"api.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"assets.falcon.eu-1.crowdstrike.com", 120},
|
"firehose.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"api.eu-1.crowdstrike.com", 60},
|
"ts01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"lfodown01-b.cloudsink.net", 1800},
|
"lfodown01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"assets-public.falcon.crowdstrike.com", 60},
|
"lfoup01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"assets.falcon.us-2.crowdstrike.com", 120},
|
"falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"api.us-2.crowdstrike.com", 120},
|
"assets.falcon.us-2.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"assets-public.us-2.falcon.crowdstrike.com", 120},
|
"assets-public.us-2.falcon.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"firehose.laggar.gcw.crowdstrike.com", 60},
|
"api.us-2.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"ts01-lanner-lion.cloudsink.net", 60},
|
"firehose.us-2.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"lfoup01-lanner-lion.cloudsink.net", 1800},
|
"ts01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"assets-public.falcon.eu-1.crowdstrike.com", 120},
|
"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
|
||||||
{"crowdstrike.com", 300},
|
"lfodown01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"lfoup01-gyr-maverick.cloudsink.net", 1800},
|
"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
|
||||||
{"lfoup01-b.cloudsink.net", 1800},
|
"falcon.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"ts01-laggar-gcw.cloudsink.net", 60},
|
"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
|
||||||
{"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com", 60},
|
"api.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"ts01-us-gov-2.cloudsink.net", 1800},
|
"firehose.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com", 60},
|
"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon",
|
||||||
{"assets.falcon.crowdstrike.com", 60},
|
"ts01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"lfodown01-lanner-lion.cloudsink.net", 60},
|
"lfodown01-us-gov-2.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"falcon.laggar.gcw.crowdstrike.com", 60},
|
"api.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"firehose.us-2.crowdstrike.com", 120},
|
"firehose.us-gov-2.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"firehose.eu-1.crowdstrike.com", 120},
|
"ts01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"lfodown01-laggar-gcw.cloudsink.net", 60},
|
"lfodown01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"api.laggar.gcw.crowdstrike.com", 60},
|
"lfoup01-lanner-lion.cloudsink.net": "CrowdStrike Falcon",
|
||||||
{"lfodown01-gyr-maverick.cloudsink.net", 60},
|
"assets.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"lfodown01-us-gov-2.cloudsink.net", 1800},
|
"assets-public.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com", 60},
|
"api.eu-1.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"firehose.crowdstrike.com", 300},
|
"firehose.eu-1.crowdstrike.com": "CrowdStrike Falcon",
|
||||||
{"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com", 60},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Harmony / CheckPoint
|
// Harmony / CheckPoint
|
||||||
// https://support.checkpoint.com/results/sk/sk116590
|
// https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
|
||||||
var domains_checkpoint = []Pair{
|
"checkpoint.com": "CheckPoint Harmony",
|
||||||
{"rep.checkpoint.com", 1800},
|
"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": "CheckPoint Harmony",
|
||||||
{"threat-emulation.checkpoint.com", 1800},
|
"europe-west1-datatube-240519.cloudfunctions.net": "CheckPoint Harmony",
|
||||||
{"sc1.checkpoint.com", 1800},
|
"datatube-prod.azurewebsites.net": "CheckPoint Harmony",
|
||||||
{"gwevents.checkpoint.com", 300},
|
"epmgmt.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"gwevents.us.checkpoint.com", 180},
|
"endpoint-cdn.epmgmt.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"endpoint-cdn.epmgmt.checkpoint.com", 300},
|
"ep-repo.epmgmt.checkpoint.com": "CheckPoint Harmony",
|
||||||
// {"checkpoint.com", 25}, <- dynamic ttl
|
"epm-gw-eu.epmgmt.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"kav8.checkpoint.com", 1800},
|
"file-rep.iaas.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"cloudinfra-gw.portal.checkpoint.com", 60},
|
"url-rep.iaas.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"datatube-prod.azurewebsites.net", 30},
|
"threatcloud.iaas.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"updates.checkpoint.com", 1800},
|
"te.iaas.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"ep-repo.epmgmt.checkpoint.com", 300},
|
"sba-data-collection.iaas.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"file-rep.iaas.checkpoint.com", 60},
|
"iaas.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"threatcloud.iaas.checkpoint.com", 60},
|
"cws.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"dl3.checkpoint.com", 1800},
|
"rep.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"secureupdates.checkpoint.com", 1800},
|
"te.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"epm-gw-eu.epmgmt.checkpoint.com", 86400},
|
"threat-emulation.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"url-rep.iaas.checkpoint.com", 60},
|
"kav8.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"te.iaas.checkpoint.com", 60},
|
"secureupdates.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"services.checkpoint.com", 1800},
|
"sc1.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"europe-west1-datatube-240519.cloudfunctions.net", 300},
|
"updates.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"cws.checkpoint.com", 1800},
|
"dl3.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"teadv.checkpoint.com", 1800},
|
"cloudinfra-gw.portal.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net", 300},
|
"gwevents.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"te.checkpoint.com", 1800},
|
"teadv.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"hap2.epmgmt.checkpoint.com", 300},
|
"services.checkpoint.com": "CheckPoint Harmony",
|
||||||
{"hap21.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap5.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap51.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap1.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap11.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap3.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap31.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap4.epmgmt.checkpoint.com", 300},
|
|
||||||
{"hap41.epmgmt.checkpoint.com", 300},
|
|
||||||
{"ftp-proxy.checkpoint.com", 1800},
|
|
||||||
{"web-rep.checkpoint.com", 1800},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Cybereason
|
// Cybereason
|
||||||
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
|
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
|
||||||
var domains_cybereason = []Pair{
|
"cybereason.com": "Cybereason",
|
||||||
{"data-epgw-eu-west-1.cybereason.net", 300},
|
"probe-dist.cybereason.net": "Cybereason",
|
||||||
{"probe-dist-asia-northeast-1.cybereason.net", 60},
|
"data-epgw.cybereason.net": "Cybereason",
|
||||||
{"data-epgw-asia-northeast-1.cybereason.net", 300},
|
"probe-dist-eu-west-1.cybereason.net": "Cybereason",
|
||||||
{"probe-dist.cybereason.net", 300},
|
"data-epgw-eu-west-1.cybereason.net": "Cybereason",
|
||||||
{"probe-dist-eu-west-1.cybereason.net", 300},
|
"probe-dist-asia-northeast-1.cybereason.net": "Cybereason",
|
||||||
{"probe-dist-dns.cybereason.net", 3600},
|
"data-epgw-asia-northeast-1.cybereason.net": "Cybereason",
|
||||||
{"data-epgw.cybereason.net", 300},
|
|
||||||
{"cybereason.com", 600},
|
|
||||||
}
|
|
||||||
|
|
||||||
// FireEye / Trellix
|
// FireEye / Trellix
|
||||||
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878
|
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878
|
||||||
var domains_trellix = []Pair{
|
"api.manage.trellix.com": "Trellix",
|
||||||
{"epo.trellix.com", 300},
|
"uam.api.trellix.com": "Trellix",
|
||||||
{"s-download.trellix.com", 300},
|
"cdn-usw001.manage.trellix.com": "Trellix",
|
||||||
{"lc.trellix.com", 300},
|
"sw-usw001.manage.trellix.com": "Trellix",
|
||||||
{"manage.trellix.com", 60},
|
"cdn-usw002.manage.trellix.com": "Trellix",
|
||||||
{"cds-usw001.manage.trellix.com", 60},
|
"sw-usw002.manage.trellix.com": "Trellix",
|
||||||
{"cdn-usw002.manage.trellix.com", 60},
|
"cdn-usw003.manage.trellix.com": "Trellix",
|
||||||
{"cdn-usw001.manage.trellix.com", 60},
|
"sw-usw003.manage.trellix.com": "Trellix",
|
||||||
{"cdn-usw003.manage.trellix.com", 60},
|
"cdn-usw004.manage.trellix.com": "Trellix",
|
||||||
{"auth.ui.trellix.com", 60},
|
"sw-usw004.manage.trellix.com": "Trellix",
|
||||||
{"uam.api.trellix.com", 60},
|
"cdn-sgp001.manage.trellix.com": "Trellix",
|
||||||
{"api.manage.trellix.com", 60},
|
"sw-sgp001.manage.trellix.com": "Trellix",
|
||||||
{"cds-usw002.manage.trellix.com", 60},
|
"cdn-eu001.manage.trellix.com": "Trellix",
|
||||||
{"trellix.com", 60},
|
"sw-eu001.manage.trellix.com": "Trellix",
|
||||||
{"dxlweb-usw001.manage.trellix.com", 60},
|
"cdn-au001.manage.trellix.com": "Trellix",
|
||||||
{"cds-usw003.manage.trellix.com", 60},
|
"sw-au001.manage.trellix.com": "Trellix",
|
||||||
{"cdn-sgp001.manage.trellix.com", 60},
|
"cdn-ind001.manage.trellix.com": "Trellix",
|
||||||
{"dxlweb-usw002.manage.trellix.com", 60},
|
"sw-ind001.manage.trellix.com": "Trellix",
|
||||||
{"cdn-ind001.manage.trellix.com", 60},
|
"cds-usw001.manage.trellix.com": "Trellix",
|
||||||
{"dxl-usw002.manage.trellix.com", 60},
|
"cds-usw002.manage.trellix.com": "Trellix",
|
||||||
{"dxl-usw001.manage.trellix.com", 60},
|
"cds-usw003.manage.trellix.com": "Trellix",
|
||||||
{"dxlweb-usw003.manage.trellix.com", 60},
|
"cds-usw004.manage.trellix.com": "Trellix",
|
||||||
{"cds-usw004.manage.trellix.com", 60},
|
"dxl-usw001.manage.trellix.com": "Trellix",
|
||||||
{"cdn-au001.manage.trellix.com", 60},
|
"dxl-usw002.manage.trellix.com": "Trellix",
|
||||||
{"dxlweb-usw004.manage.trellix.com", 60},
|
"dxl-usw003.manage.trellix.com": "Trellix",
|
||||||
{"cdn-usw004.manage.trellix.com", 60},
|
"dxl-usw004.manage.trellix.com": "Trellix",
|
||||||
{"dxl-usw004.manage.trellix.com", 60},
|
"dxlweb-usw001.manage.trellix.com": "Trellix",
|
||||||
{"dxl-usw003.manage.trellix.com", 60},
|
"dxlweb-usw002.manage.trellix.com": "Trellix",
|
||||||
{"cdn-eu001.manage.trellix.com", 60},
|
"dxlweb-usw003.manage.trellix.com": "Trellix",
|
||||||
{"iam.cloud.trellix.com", 10},
|
"dxlweb-usw004.manage.trellix.com": "Trellix",
|
||||||
{"iam-rs.cloud.trellix.com", 10},
|
|
||||||
{"gsd.cloud.trellix.com", 10},
|
|
||||||
{"d2c-us-west-2.manage.trellix.com", 60},
|
|
||||||
{"d2c-eu-central-1.manage.trellix.com", 60},
|
|
||||||
{"dxlweb-sgp001.manage.trellix.com", 60},
|
|
||||||
{"dxl-sgp001.manage.trellix.com", 60},
|
|
||||||
{"dxl-eu001.manage.trellix.com", 60},
|
|
||||||
{"dxlweb-eu001.manage.trellix.com", 60},
|
|
||||||
{"dxl-au001.manage.trellix.com", 60},
|
|
||||||
{"dxlweb-au001.manage.trellix.com", 60},
|
|
||||||
{"dxl-ind001.manage.trellix.com", 60},
|
|
||||||
{"dxlweb-ind001.manage.trellix.com", 60},
|
|
||||||
{"ui-usw001.manage.trellix.com", 60},
|
|
||||||
{"ui-usw002.manage.trellix.com", 60},
|
|
||||||
{"ui-usw003.manage.trellix.com", 60},
|
|
||||||
{"ui-usw004.manage.trellix.com", 60},
|
|
||||||
{"ui-sgp001.manage.trellix.com", 60},
|
|
||||||
{"ui-eu001.manage.trellix.com", 60},
|
|
||||||
{"ui-au001.manage.trellix.com", 60},
|
|
||||||
{"ui-ind001.manage.trellix.com", 60},
|
|
||||||
{"ah-usw001.manage.trellix.com", 60},
|
|
||||||
{"ah-usw002.manage.trellix.com", 60},
|
|
||||||
{"ah-usw003.manage.trellix.com", 60},
|
|
||||||
{"ah-usw004.manage.trellix.com", 60},
|
|
||||||
{"ah-sgp001.manage.trellix.com", 60},
|
|
||||||
{"ah-eu001.manage.trellix.com", 60},
|
|
||||||
{"ah-au001.manage.trellix.com", 60},
|
|
||||||
{"ah-ind001.manage.trellix.com", 60},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Cortex XDR / Palo Alto Networks
|
// Cortex XDR / Palo Alto Networks
|
||||||
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
|
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
|
||||||
var domains_paloalto = []Pair{
|
"paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-au.storage.googleapis.com", 300},
|
"lrc-us.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"lrc-eu.paloaltonetworks.com", 14400},
|
"lrc-eu.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"global-content-profiles-policy.storage.googleapis.com", 300},
|
"lrc-ca.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-uk.storage.googleapis.com", 300},
|
"lrc-uk.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"lrc-ch.paloaltonetworks.com", 14400},
|
"lrc-jp.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"lrc-jp.paloaltonetworks.com", 14400},
|
"lrc-sg.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-qt.storage.googleapis.com", 300},
|
"lrc-au.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-pl.storage.googleapis.com", 300},
|
"lrc-de.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"pendo-static-5664029141630976.storage.googleapis.com", 300},
|
"lrc-in.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-sg.storage.googleapis.com", 300},
|
"lrc-ch.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"lrc-uk.paloaltonetworks.com", 14400},
|
"lrc-pl.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"lrc-us.paloaltonetworks.com", 14400},
|
"lrc-tw.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"lrc-tw.paloaltonetworks.com", 1800},
|
"lrc-qt.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-eu.storage.googleapis.com", 300},
|
"lrc-fa.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"lrc-ca.paloaltonetworks.com", 14400},
|
"panw-xdr-evr-prod-us.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"paloaltonetworks.com", 30},
|
"panw-xdr-evr-prod-eu.storage.googleapis.com": "Palo Alto Networks",
|
||||||
// {"lrc-fa.paloaltonetworks.com", 14400},
|
"panw-xdr-evr-prod-ca.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-in.storage.googleapis.com", 300},
|
"panw-xdr-evr-prod-uk.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-fa.storage.googleapis.com", 300},
|
"panw-xdr-evr-prod-jp.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-ca.storage.googleapis.com", 300},
|
"panw-xdr-evr-prod-sg.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"lrc-pl.paloaltonetworks.com", 14400},
|
"panw-xdr-evr-prod-au.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"lrc-qt.paloaltonetworks.com", 300},
|
"panw-xdr-evr-prod-de.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-us.storage.googleapis.com", 300},
|
"panw-xdr-evr-prod-in.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"lrc-de.paloaltonetworks.com", 300},
|
"panw-xdr-evr-prod-ch.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-installers-prod-us.storage.googleapis.com", 300},
|
"panw-xdr-evr-prod-pl.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-ch.storage.googleapis.com", 300},
|
"panw-xdr-evr-prod-tw.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"lrc-in.paloaltonetworks.com", 14400},
|
"panw-xdr-evr-prod-qt.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-de.storage.googleapis.com", 300},
|
"panw-xdr-evr-prod-fa.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"lrc-au.paloaltonetworks.com", 14400},
|
"panw-xdr-installers-prod-us.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-tw.storage.googleapis.com", 300},
|
"panw-xdr-payloads-prod-us.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"login.paloaltonetworks.com", 14400},
|
"global-content-profiles-policy.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"lrc-sg.paloaltonetworks.com", 14400},
|
"login.paloaltonetworks.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-evr-prod-jp.storage.googleapis.com", 300},
|
"pendo-static-5664029141630976.storage.googleapis.com": "Palo Alto Networks",
|
||||||
{"panw-xdr-payloads-prod-us.storage.googleapis.com", 300},
|
|
||||||
{"distributions.traps.paloaltonetworks.com", 300},
|
|
||||||
{"distributions-prod-fed.traps.paloaltonetworks.com", 300},
|
|
||||||
{"cortex-gateway.paloaltonetworks.com", 30},
|
|
||||||
{"gw-app-proxy.us.paloaltonetworks.com", 300},
|
|
||||||
{"xdr-ova-installers-prod-us.storage.googleapis.com", 300},
|
|
||||||
{"identity.paloaltonetworks.com", 300},
|
|
||||||
{"identity.gslb.paloaltonetworks.com", 5},
|
|
||||||
{"identity.gcp.gslb.paloaltonetworks.com", 5},
|
|
||||||
{"lrc-fed.paloaltonetworks.com", 14400},
|
|
||||||
{"panw-xdr-installers-prod-fr.storage.googleapis.com", 300},
|
|
||||||
{"panw-xdr-payloads-prod-fr.storage.googleapis.com", 300},
|
|
||||||
{"global-content-profiles-policy-prod-fr.storage.googleapis.com", 300},
|
|
||||||
{"panw-xdr-evr-prod-fr.storage.googleapis.com", 300},
|
|
||||||
{"app-proxy.federal.paloaltonetworks.com", 300},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Singularity / SentinelOne
|
// Singularity / SentinelOne
|
||||||
var domains_sentinelone = []Pair{
|
"sentinelone.com": "SentinelOne",
|
||||||
{"eu1-oauth.mobile.sentinelone.net", 300},
|
"xdr.intus1.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-qi.mobile.sentinelone.net", 300},
|
"console.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"console.mobile.sentinelone.net", 300},
|
"content.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"sentinelone.com", 300},
|
"device-api.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-console.mobile.sentinelone.net", 300},
|
"eu1-acceptor.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-content.mobile.sentinelone.net", 300},
|
"eu1-console.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"panel.mobile.sentinelone.net", 300},
|
"eu1-content.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"oauth.mobile.sentinelone.net", 300},
|
"eu1-device-api.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"xdr.intus1.sentinelone.net", 60},
|
"eu1-oauth.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-device-api.mobile.sentinelone.net", 300},
|
"eu1-panel.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-vpc.mobile.sentinelone.net", 300},
|
"eu1-qi.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-acceptor.mobile.sentinelone.net", 300},
|
"eu1-token.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"login.sentinelone.net", 300},
|
"eu1-vpc.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"device-api.mobile.sentinelone.net", 300},
|
"ut.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-panel.mobile.sentinelone.net", 300},
|
"oauth.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"eu1-token.mobile.sentinelone.net", 300},
|
"panel.mobile.sentinelone.net": "SentinelOne",
|
||||||
{"content.mobile.sentinelone.net", 300},
|
|
||||||
{"ut.sentinelone.net", 300},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Symantec / Broadcom
|
// Symantec / Broadcom
|
||||||
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Getting-Started/urls-to-whitelist-for-v129099891-d4155e9710.html
|
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
|
||||||
var domains_symantec = []Pair{
|
"symantec.com": "Symantec",
|
||||||
{"liveupdate.symantec.com", 3600},
|
"remotetunnel1.edrc.symantec.com": "Symantec",
|
||||||
{"liveupdate.symantecliveupdate.com", 600},
|
"remotetunnel2.edrc.symantec.com": "Symantec",
|
||||||
{"shasta-rrs.symantec.com", 1800},
|
"remotetunnel3.edrc.symantec.com": "Symantec",
|
||||||
{"ent-shasta-rrs.symantec.com", 1800},
|
"remotetunnel4.edrc.symantec.com": "Symantec",
|
||||||
{"ent-shasta-mr-clean.symantec.com", 1800},
|
"remotetunnel5.edrc.symantec.com": "Symantec",
|
||||||
{"symantec.com", 600},
|
"api-gateway.symantec.com": "Symantec",
|
||||||
{"sp.cwfservice.net", 600},
|
"liveupdate.symantec.com": "Symantec",
|
||||||
{"us.spoc.securitycloud.symantec.com", 600},
|
"ratings-wrs.symantec.com": "Symantec",
|
||||||
{"eu.spoc.securitycloud.symantec.com", 600},
|
"stnd-avpg.crsi.symantec.com": "Symantec",
|
||||||
{"in.spoc.securitycloud.symantec.com", 3600},
|
"stnd-ipsg.crsi.symantec.com": "Symantec",
|
||||||
{"telemetry.broadcom.com", 3600},
|
"central.b6.crsi.symantec.com": "Symantec",
|
||||||
{"tses.broadcom.com", 30},
|
"bash-avpg.crsi.symantec.com": "Symantec",
|
||||||
{"central.b6.crsi.symantec.com", 1800},
|
"swupdate.brightmail.com": "Symantec",
|
||||||
{"central.ss.crsi.symantec.com", 1800},
|
"shasta-rrs.symantec.com": "Symantec",
|
||||||
{"central.nrsi.symantec.com", 1800},
|
"shasta-mrs.symantec.com": "Symantec",
|
||||||
{"central.avsi.symantec.com", 1800},
|
"datafeedapi.symanteccloud.com": "Symantec",
|
||||||
{"central.crsi.symantec.com", 1800},
|
"telemetry.broadcom.com": "Symantec",
|
||||||
{"shasta-mrs.symantec.com", 1800},
|
"sso1.edrc.symantec.com": "Symantec",
|
||||||
{"shasta-clt.symantec.com", 1800},
|
|
||||||
{"stnd-avpg.crsi.symantec.com", 1800},
|
|
||||||
{"avs-avpg.crsi.symantec.com", 1800},
|
|
||||||
{"stnd-ipsg.crsi.symantec.com ", 1800},
|
|
||||||
{"bash-avpg.crsi.symantec.com", 1800},
|
|
||||||
{"tus1gwynwapex01.symantec.com", 3600},
|
|
||||||
{"pod.threatpulse.com", 120},
|
|
||||||
{"faults.qalabs.symantec.com", 1800},
|
|
||||||
{"faults.symantec.com", 1800},
|
|
||||||
{"linux-repo-us.securityalliance.cloud", 86400},
|
|
||||||
{"usea1.r3.securitycloud.symantec.com", 3600},
|
|
||||||
{"euws1.r3.securitycloud.symantec.com", 3600},
|
|
||||||
{"inso1.r3.securitycloud.symantec.com", 3600},
|
|
||||||
{"datafeedapi.symanteccloud.com", 300},
|
|
||||||
{"us.spoc.securitycloud.symantec.com", 600},
|
|
||||||
{"eu.spoc.securitycloud.symantec.com ", 600},
|
|
||||||
{"in.spoc.securitycloud.symantec.com", 3600},
|
|
||||||
{"uploads.sep.securitycloud.symantec.com", 3600},
|
|
||||||
{"uploads.sep.eu.securitycloud.symantec.com ", 3600},
|
|
||||||
{"uploads.sep.in.securitycloud.symantec.com", 3600},
|
|
||||||
{"ws.securitycloud.symantec.com", 600},
|
|
||||||
{"bds.securitycloud.symantec.com", 600},
|
|
||||||
{"ws.eu.securitycloud.symantec.com", 3600},
|
|
||||||
{"bds.eu.securitycloud.symantec.com", 3600},
|
|
||||||
{"ws.in.securitycloud.symantec.com ", 3600},
|
|
||||||
{"bds.in.securitycloud.symantec.com", 3600},
|
|
||||||
{"cdn.sepmobile.securitycloud.symantec.com", 300},
|
|
||||||
{"mitm.sepmobile.securitycloud.symantec.com", 300},
|
|
||||||
{"services-prod.symantec.com", 600},
|
|
||||||
{"sep.securitycloud.symantec.com", 3600},
|
|
||||||
{"sep.eu.securitycloud.symantec.com", 3600},
|
|
||||||
{"sep.in.securitycloud.symantec.com", 3600},
|
|
||||||
{"avagoext.okta.com", 300},
|
|
||||||
{"accounts.saas.broadcomcloud.com", 3600},
|
|
||||||
{"api.sep.securitycloud.symantec.com", 86400},
|
|
||||||
{"api.sep.eu.securitycloud.symantec.com", 3600},
|
|
||||||
{"api.sep.in.securitycloud.symantec.com", 3600},
|
|
||||||
{"knowledge.broadcom.com", 3600},
|
|
||||||
{"support.broadcom.com", 300},
|
|
||||||
{"casupport.broadcom.com", 300},
|
|
||||||
{"login.broadcom.com", 3600},
|
|
||||||
{"ced.broadcom.com", 3600},
|
|
||||||
{"ratings-wrs.symantec.com", 3600},
|
|
||||||
{"api-gateway.symantec.com", 3600},
|
|
||||||
{"swupdate.brightmail.com", 3600},
|
|
||||||
{"licensing.dmas.symantec.com", 3600},
|
|
||||||
{"api.us.dmas.symantec.com", 300},
|
|
||||||
{"api.eu.dmas.symantec.com", 300},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Tanium
|
// Tanium
|
||||||
var domains_tanium = []Pair{
|
"tanium.com": "Tanium",
|
||||||
{"content.tanium.com", 300},
|
"shared.prd-int-manage.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"docs-es.tanium.com", 300},
|
"shared.prd-int.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"docs-fr.tanium.com", 300},
|
"shared.prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"tanium.com", 300},
|
"shared.prd-us-1.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"go2.tanium.com", 300},
|
"prd-int-manage.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"learn.tanium.com", 300},
|
"prd-int.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"som.cloud.tanium.com", 60},
|
"prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"download.tanium.com", 300},
|
"prd-us-1.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"fnf-api.cloud.tanium.com", 60},
|
"prd.mdm.cloud.tanium.com": "Tanium",
|
||||||
{"community.tanium.com", 300},
|
"jp.tanium.com": "Tanium",
|
||||||
{"3.distribute.cloud.tanium.com", 300},
|
"docs-es.tanium.com": "Tanium",
|
||||||
{"content.tanium.com", 300},
|
"docs-fr.tanium.com": "Tanium",
|
||||||
{"help.tanium.com", 300},
|
"docs-ko.tanium.com": "Tanium",
|
||||||
{"docs.tanium.com", 300},
|
|
||||||
{"moveit.tanium.com", 300},
|
|
||||||
{"kb.tanium.com", 300},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Aurora
|
// Aurora
|
||||||
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
|
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
|
||||||
var domains_aurora = []Pair{
|
"update-102.nextron-systems.com": "Nextron Aurora",
|
||||||
{"update-aurora.nextron-systems.com", 60},
|
"update-201.nextron-systems.com": "Nextron Aurora",
|
||||||
{"update-102.nextron-systems.com", 60},
|
"update-202.nextron-systems.com": "Nextron Aurora",
|
||||||
{"update-202.nextron-systems.com", 60},
|
"update-aurora.nextron-systems.com": "Nextron Aurora",
|
||||||
{"update-201.nextron-systems.com", 60},
|
"update-lite.nextron-systems.com": "Nextron Aurora",
|
||||||
{"update-lite.nextron-systems.com", 60},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Trend Micro
|
// Trend Micro
|
||||||
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
|
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
|
||||||
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
|
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
|
||||||
var domains_trendmicro = []Pair{
|
"api.eu.nacloud.trendmicro.com": "Trend Micro",
|
||||||
{"xdr.trendmicro.co.jp", 60},
|
"api.jp.nacloud.trendmicro.com": "Trend Micro",
|
||||||
{"files.trendmicro.com", 1800},
|
"api.sg.nacloud.trendmicro.com": "Trend Micro",
|
||||||
{"api.nacloud.trendmicro.com", 60},
|
"api.us.nacloud.trendmicro.com": "Trend Micro",
|
||||||
{"cloudone.trendmicro.com", 60},
|
"docs.trendmicro.com": "Trend Micro",
|
||||||
{"ddd53-p.activeupdate.trendmicro.com", 1800},
|
"licenseupdate.trendmicro.com": "Trend Micro",
|
||||||
{"trenddefense.com", 300},
|
"api.nacloud.trendmicro.com": "Trend Micro",
|
||||||
{"threatconnect.trendmicro.com", 1800},
|
"trendmicro.com": "Trend Micro",
|
||||||
{"api.sg.nacloud.trendmicro.com", 60},
|
"files.trendmicro.com": "Trend Micro",
|
||||||
{"trendmicro.com", 1800},
|
"xdr.trendmicro.com": "Trend Micro",
|
||||||
{"api.jp.nacloud.trendmicro.com", 60},
|
"xdr.trendmicro.co.jp": "Trend Micro",
|
||||||
{"api.eu.nacloud.trendmicro.com", 60},
|
"trenddefense.com": "Trend Micro",
|
||||||
{"docs.trendmicro.com", 1800},
|
"ddd53-p.activeupdate.trendmicro.com": "Trend Micro",
|
||||||
{"api.us.nacloud.trendmicro.com", 60},
|
"ddd53-threatconnect.trendmicro.com": "Trend Micro",
|
||||||
{"ddd53-threatconnect.trendmicro.com", 1800},
|
"threatconnect.trendmicro.com": "Trend Micro",
|
||||||
{"licenseupdate.trendmicro.com", 1800},
|
"cloudone.trendmicro.com": "Trend Micro",
|
||||||
{"xdr.trendmicro.com", 60},
|
|
||||||
}
|
|
||||||
|
|
||||||
// Rapid7 InsightIDR
|
|
||||||
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
|
|
||||||
var domains_rapid7 = []Pair{
|
|
||||||
{"data.insight.rapid7.com", 60},
|
|
||||||
{"us2.data.insight.rapid7.com", 30},
|
|
||||||
{"us3.data.insight.rapid7.com", 30},
|
|
||||||
{"eu.data.insight.rapid7.com", 30},
|
|
||||||
{"ca.data.insight.rapid7.com", 30},
|
|
||||||
{"au.data.insight.rapid7.com", 30},
|
|
||||||
{"ap.data.insight.rapid7.com", 30},
|
|
||||||
{"endpoint.ingress.rapid7.com", 300},
|
|
||||||
{"us2.endpoint.ingress.rapid7.com", 300},
|
|
||||||
{"us3.endpoint.ingress.rapid7.com", 300},
|
|
||||||
{"eu.endpoint.ingress.rapid7.com", 300},
|
|
||||||
{"ca.endpoint.ingress.rapid7.com", 300},
|
|
||||||
{"au.endpoint.ingress.rapid7.com", 300},
|
|
||||||
{"ap.endpoint.ingress.rapid7.com", 300},
|
|
||||||
{"us.storage.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"us.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"us2.storage.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"us2.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"us3.storage.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"us3.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"eu.storage.endpoint.ingress.rapid7.com", 86400}, // not certain
|
|
||||||
{"eu.bootstrap.endpoint.ingress.rapid7.com", 86400}, // not certain
|
|
||||||
{"ca.storage.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"ca.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"au.storage.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"au.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"ap.storage.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
{"ap.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
|
||||||
}
|
}
|
||||||
|
14
go.mod
14
go.mod
@ -1,13 +1,11 @@
|
|||||||
module patdown
|
module patdown
|
||||||
|
|
||||||
go 1.22.6
|
go 1.21.0
|
||||||
|
|
||||||
require github.com/miekg/dns v1.1.62
|
|
||||||
|
|
||||||
require (
|
require (
|
||||||
golang.org/x/mod v0.18.0 // indirect
|
github.com/miekg/dns v1.1.57 // indirect
|
||||||
golang.org/x/net v0.27.0 // indirect
|
golang.org/x/mod v0.12.0 // indirect
|
||||||
golang.org/x/sync v0.7.0 // indirect
|
golang.org/x/net v0.17.0 // indirect
|
||||||
golang.org/x/sys v0.22.0 // indirect
|
golang.org/x/sys v0.13.0 // indirect
|
||||||
golang.org/x/tools v0.22.0 // indirect
|
golang.org/x/tools v0.13.0 // indirect
|
||||||
)
|
)
|
||||||
|
22
go.sum
22
go.sum
@ -1,12 +1,10 @@
|
|||||||
github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
|
github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
|
||||||
github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
|
github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
|
||||||
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
|
golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
|
||||||
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||||
golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
|
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
|
||||||
golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
|
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
|
||||||
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
|
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
|
||||||
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
|
golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
|
||||||
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
|
||||||
golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
|
|
||||||
golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
|
|
||||||
|
Loading…
Reference in New Issue
Block a user