python编写的溯源工具

0、简介

python编写的溯源工具，方便查询恶意IP地址绑定的历史域名、域名解析IP、备案信息等。

1、代码

#!/usr/bin/python3
'''
Author: gh0stNinja
Blog: https://gh0stninja.github.io/
Date: 2024-08-12 11:52:32
Description: 溯源脚本, 查询恶意IP地址绑定域名、备案信息。
'''

import re
import socket
import time
import requests
import urllib3

# 禁用SSL警告信息
urllib3.disable_warnings()

# 设置颜色
RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[33m'
BLUE = '\033[36m'
RESET = '\033[0m'

# 定义常量
HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Edg/81.0.416.58"
}

PROXIES = {
    'none': {"http": None, "https": None}
}

# 正则表达式
ip138_domain_re = re.compile(r'</span><a href="/(.*?)/"')
geturl_title_re = re.compile(r"<title>(.*?)</title>")

# 使用集合以避免重复的域名
domains_set = set()

# 存储IP列表
ip_lists = []

# 结果保存文件
result_file = 'result.txt'

def result(target):
    # 打印信息
    print(target)
    
    # 去掉颜色ANSI码
    target = replace(target)
    # 保存结果
    with open(result_file, encoding="utf-8", mode="a+") as f:
        f.write(target + '\n')


# 去掉颜色ANSI码
def replace(message):
    message = message.replace(RED,'').replace(GREEN,'').replace(YELLOW,'').replace(BLUE,'').replace(RESET,'')
    return message

def icplishi_search(url):
    """
    查询历史备案信息
    """
    try:
        req = requests.get(url, headers=HEADERS, proxies=PROXIES["none"], timeout=5, verify=False)
        if "--没有查询到记录--" not in req.text:
            return True
    except Exception as e:
        print('错误信息：', e)
        pass


def attack_tracing(ip):
    """
    根据IP查询绑定的域名, 并检查这些域名是否备案
    """
    try:
        url = f"https://site.ip138.com/{ip}"
        req = requests.get(url, headers=HEADERS, proxies=PROXIES["none"], timeout=5, verify=False)
        domains = ip138_domain_re.findall(req.text)
        if domains:
            result(f"--------------------------------------\n")
            result(f"[+] {GREEN}{ip}{RESET} 查询到历史绑定域名！(查询：{url})")
            # 遍历域名
            for domain in domains:
                # 获取主域名
                match = re.search(r'([a-zA-Z0-9-]+)\.([a-zA-Z0-9-]+\.[a-zA-Z]+)', domain)
                if match:
                    domains_set.add(match.group(2))
                """ 
                解析域名绑定的ip地址 
                """
                try:
                    domain_ip = socket.gethostbyname(domain)
                    if domain_ip:
                        if domain_ip == ip:
                            result(f"[+] {GREEN}{domain}{RESET} 解析IP: {GREEN}{domain_ip}{RESET}")
                        else:
                            result(f"[+] {domain} 解析IP: {domain_ip}")
                except:
                    result(f"[-] {RED}{domain}{RESET} 解析IP, 失败!")
            """
            查询备案
            """
            if domains_set:
                # 将集合转换为列表
                domain_list = list(domains_set)
                for domain in domain_list:
                    # 判断域名是否备案
                    url = f"https://www.beianx.cn/search/{domain}"
                    if icplishi_search(url):
                        result(f"[+] {GREEN}{domain}{RESET} 已备案 (查询：{url})")
                    else:
                        result(f"[-] {RED}{domain}{RESET} 未备案")
                    time.sleep(5)
            print(f"\n--------------------------------------")
        else:
            print(f"[-] {ip} 没有绑定域名")

    except Exception as e:
        print('错误信息：', e)
        pass
    domains_set.clear()


# 主循环
try:
    while True:
        with open('ip.txt', encoding="utf-8", mode="r") as f:
            for target in f:
                ip = target.rstrip("\n")
                if ip not in ip_lists:
                    ip_lists.append(ip)
                    attack_tracing(ip)
        time.sleep(1)
except:
    print("Tips: 把脚本和ip.txt 放在同目录下运行。")

2、截图