
[Analyzer] abuse_whois integration #2308

Open

drego85 opened this issue May 13, 2024 · 9 comments

@drego85

drego85 commented May 13, 2024

Name

After the recent integration of Abusix to identify IP address abuse teams, it may be interesting to integrate @ninoseki's abuse_whois project to obtain abuse references for domain names as well.

Link

https://github.com/ninoseki/abuse_whois

Why should we use it

To improve interactions with abuse teams.

@mlodic
Member

mlodic commented May 13, 2024

why not?

And recently we went even further. With the last release (6.0.2) we added a new TakeDown_Request Playbook which automates everything: in this way the user needs only to submit the domain they want to take down and IntelOwl would do all the rest... and it would send the email to the abuse contact provider too :) You could give it a try :)

We'll show this use case at the next Honeynet Workshop, then we'll share slides and content here

@ninoseki

FYI, the sending-email approach does not work well in many cases, especially if you send an email to a domain registrar.
I often get an automatic reply that says "please submit it via our form". And in most cases a form has a captcha. So it's difficult to automate the whole process.

@mlodic
Member

mlodic commented May 13, 2024

Thanks for sharing :) Right now our playbook sends the email only to hosting providers and not to domain registrars. I have no actual extensive experience on that, so what you shared is nice to know. I'll update this post if we get more interesting findings about it.

@pranjalg1331

@mlodic, I’d be happy to create an observable analyzer for abuse_whois and can get it done quickly. Please feel free to assign this issue to me.

@pranjalg1331

@mlodic This is the reformatted result which I am planning to return for DNS analysis in the analyzer:

```json
{
  "domain": {
    "name": "youtube.com",
    "ip_address": "142.250.192.142",
    "registrar": {
      "provider": "markmonitor.com",
      "email": "[email protected]",
      "type": "email"
    }
  },
  "domain_info": {
    "nameservers": [
      "ns1.google.com",
      "ns2.google.com",
      "ns3.google.com",
      "ns4.google.com"
    ],
    "statuses": [
      "client update prohibited",
      "client transfer prohibited",
      "client delete prohibited",
      "server update prohibited",
      "server transfer prohibited",
      "server delete prohibited"
    ],
    "expires_at": "2025-02-15T00:00:00+00:00",
    "updated_at": "2024-01-14T09:59:58+00:00"
  },
  "contacts": {
    "registrant": {
      "email": "REDACTED FOR PRIVACY",
      "name": "REDACTED FOR PRIVACY",
      "telephone": "REDACTED FOR PRIVACY"
    },
    "abuse": {
      "email": "[email protected]",
      "telephone": "+1.2086851750"
    },
    "technical": {
      "status": "REDACTED FOR PRIVACY"
    }
  }
}
```

Do you have any suggestions here?

@mlodic
Member

mlodic commented Jan 2, 2025

You can open a PR for this analyzer after you have solved the already opened PRs and issues you already committed to.

@pranjalg1331

pranjalg1331 commented Jan 13, 2025

@fgibertoni, can we use the async function inside the analyzer, or will we have to create a docker-based integration?
This is how the tool is used:

```python
await get_abuse_contacts("1.1.1.1")
```

@pranjalg1331

@fgibertoni, also please assign this issue to me.😊

@fgibertoni
Contributor

Hi @pranjalg1331!
Reading the tool's page, it looks like you can use the library without creating a docker-based integration. In my opinion, you should create one only if you want to follow the "As a CLI tool" section.
Also, I'm going to assign this issue to you. Feel free to open a draft PR if you need any help :)
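The question above is how a coroutine such as `get_abuse_contacts(...)` can be driven from an analyzer whose entry point is a plain synchronous method. The following is an added example, not code from IntelOwl or from abuse_whois: `get_abuse_contacts` here is a hypothetical stand-in that returns constructed data so the block runs offline, `run_sync` bridges the sync/async boundary (including the case where a loop is already running in the thread), and `analyze` builds the `domain` part of the report shape proposed earlier in the thread, returning `found: False` when no contact exists rather than crashing.

```python
import asyncio
from concurrent.futures import ThreadPoolExecutor
from typing import Any, Awaitable, Optional, TypeVar

T = TypeVar("T")

# Constructed sample data; the provider/address/type fields mirror the
# registrar contact shape used in the proposed report above.
SAMPLE_LOOKUP: dict[str, dict[str, Any]] = {
    "example.com": {
        "ip_address": "203.0.113.10",
        "registrar": {
            "provider": "registrar.example",
            "address": "abuse@registrar.example",
            "type": "email",
        },
    }
}


async def get_abuse_contacts(address: str) -> Optional[dict[str, Any]]:
    """Hypothetical stand-in for abuse_whois' coroutine (same call shape)."""
    await asyncio.sleep(0)  # yield once, like a real network-bound lookup
    return SAMPLE_LOOKUP.get(address)


def run_sync(coro: Awaitable[T]) -> T:
    """Drive a coroutine to completion from synchronous code.

    asyncio.run() refuses to start if this thread already has a running
    event loop (e.g. under an async test runner or web worker), so in that
    case the coroutine is run on a dedicated helper thread instead.
    """
    try:
        asyncio.get_running_loop()
    except RuntimeError:
        return asyncio.run(coro)
    with ThreadPoolExecutor(max_workers=1) as pool:
        return pool.submit(asyncio.run, coro).result()


def analyze(observable: str) -> dict[str, Any]:
    """Synchronous entry point, in the style of an observable analyzer's run()."""
    raw = run_sync(get_abuse_contacts(observable))
    if raw is None:  # no abuse contact resolvable: report it, do not raise
        return {"found": False, "domain": {"name": observable}}
    registrar = raw.get("registrar") or {}
    return {
        "found": True,
        "domain": {
            "name": observable,
            "ip_address": raw.get("ip_address"),
            "registrar": {
                "provider": registrar.get("provider"),
                "email": registrar.get("address"),
                "type": registrar.get("type"),
            },
        },
    }
```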
