#!/bin/bash
# Current functionality:
# - Submit a file object to be scanned by VT
# - Retrieve a scan report from VT
# Strict mode: abort on errors, on unset variables, and on any failing
# stage of a pipeline.
set -euo pipefail
# Version string shown by -v.
VERSION="Version 2.0 (March 16, 2020)"
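check_deps() {
  # Abort unless curl and jq can be found on PATH.
  # `command -v` is a builtin and is tested directly in the `if`; the
  # original `which ...` followed by a separate `$?` test never reached
  # its message because, under `set -e`, the failing `which` itself
  # terminated the script.
  # NOTE(review): nothing in the visible script invokes jq, so the jq
  # requirement may be historical.
  # Outputs: a diagnostic on stderr when a tool is missing
  # Exits:   4 if curl is missing, 5 if jq is missing
  if ! command -v curl > /dev/null 2>&1; then
    printf '%s\n\n' "You are missing curl, which is required to run this script. Please install curl and try again." >&2
    exit 4
  fi
  if ! command -v jq > /dev/null 2>&1; then
    printf '%s\n\n' "You are missing jq, which is required to run this script. Please install jq and try again." >&2
    exit 5
  fi
}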
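write_usage() {
  # Print the script's purpose and option summary to stdout.
  # The usage example now names -k, the flag the option parser actually
  # accepts for the API key; the original example said -t, which the
  # script never recognised.
  printf '%s\n' "VirusTotal Scan Script for API V3"
  printf '%s\n\n' "Interact with VT from your shell."
  printf '%s\n' "Required parameters: API token, Action to perform."
  printf '%s\n\n' "Usage example: ./vt-scan.sh -k <API TOKEN> -f <FILE PATH>"
  printf '\t-k\t\t%s\n' "API key for VirusTotal - REQUIRED."
  printf '\t-f\t\t%s\n' "FULL PATH to a file object for VT to scan."
  printf '\t-u\t\t%s\n' "Submit URL for VT scan."
  printf '\t-d\t\t%s\n' "Submit domain for VT scan."
  printf '\t-i\t\t%s\n' "Submit IP for VT scan."
  printf '\t-a\t\t%s\n' "Retrieve analysis for existing scan, expects base64 object ID."
  printf '\t-v\t\t%s\n' "Display version information."
  printf '\t-h\t\t%s\n\n' "Display this help text with usage information."
}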
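vt_file() {
  # Upload a local file for scanning (POST /api/v3/files).
  # Arguments: $1 - VT API key; $2 - path to the file to upload
  # Outputs:   the JSON response on stdout
  # Returns:   curl's exit status
  local apikey=$1
  local file=$2
  # curl treats ',' and ';' in an unquoted @path as form-part separators.
  # Passing the path double-quoted keeps it intact; within the quotes a
  # literal '"' or '\' must be backslash-escaped.
  local quoted=${file//\\/\\\\}
  quoted=${quoted//\"/\\\"}
  # The key is handed to curl on stdin (--header @-) instead of argv so it
  # does not appear in `ps` output or `set -x` traces.
  printf 'x-apikey: %s\n' "$apikey" | curl -s --request POST \
    --url "https://www.virustotal.com/api/v3/files" \
    --header @- \
    --form "file=@\"$quoted\""
}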
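vt_url() {
  # Submit a URL for scanning (POST /api/v3/urls).
  # Arguments: $1 - VT API key; $2 - the URL to submit
  # Outputs:   the JSON response on stdout
  # Returns:   curl's exit status
  local apikey=$1
  local url=$2
  # The v3 API documents URL submission as a POST with a `url` form field;
  # the earlier `--request GET` combined with a form body did not match
  # that contract. --form-string sends the user-supplied value verbatim,
  # so a leading '@' or '<' or an embedded ';' is never interpreted by curl
  # as a file reference or a form option.
  # The key is handed to curl on stdin (--header @-) instead of argv so it
  # does not appear in `ps` output or `set -x` traces.
  printf 'x-apikey: %s\n' "$apikey" | curl -s --request POST \
    --url "https://www.virustotal.com/api/v3/urls" \
    --header @- \
    --form-string "url=$url"
}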
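vt_domain() {
  # Fetch the VT report for a domain (GET /api/v3/domains/{domain}).
  # Arguments: $1 - VT API key; $2 - domain name
  # Outputs:   the JSON response on stdout
  # Returns:   2 if the domain is empty or would alter the request target,
  #            otherwise curl's exit status
  local apikey=$1
  local domain=$2
  # The value is spliced into the URL path, so reject anything that would
  # add path segments, start a query or fragment, or break the request line.
  if [[ -z "$domain" || "$domain" == *[/?#[:space:]]* ]]; then
    printf 'Invalid domain: %s\n' "$domain" >&2
    return 2
  fi
  # The key is handed to curl on stdin (--header @-) instead of argv so it
  # does not appear in `ps` output or `set -x` traces.
  printf 'x-apikey: %s\n' "$apikey" | curl -s --request GET \
    --url "https://www.virustotal.com/api/v3/domains/$domain" \
    --header @-
}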
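vt_ip() {
  # Fetch the VT report for an IP address (GET /api/v3/ip_addresses/{ip}).
  # Arguments: $1 - VT API key; $2 - IP address
  # Outputs:   the JSON response on stdout
  # Returns:   2 if the address is empty or would alter the request target,
  #            otherwise curl's exit status
  local apikey=$1
  local ip=$2
  # The value is spliced into the URL path, so reject anything that would
  # add path segments, start a query or fragment, or break the request line.
  if [[ -z "$ip" || "$ip" == *[/?#[:space:]]* ]]; then
    printf 'Invalid IP: %s\n' "$ip" >&2
    return 2
  fi
  # The key is handed to curl on stdin (--header @-) instead of argv so it
  # does not appear in `ps` output or `set -x` traces.
  printf 'x-apikey: %s\n' "$apikey" | curl -s --request GET \
    --url "https://www.virustotal.com/api/v3/ip_addresses/$ip" \
    --header @-
}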
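vt_analysis() {
  # Retrieve the analysis object for an earlier submission
  # (GET /api/v3/analyses/{id}).
  # Arguments: $1 - VT API key; $2 - analysis/object id returned by a submission
  # Outputs:   the JSON response on stdout
  # Returns:   2 if the id is empty or would alter the request target,
  #            otherwise curl's exit status
  local apikey=$1
  local id=$2
  # The id is spliced into the URL path. '/' is left alone because the id
  # is documented by -h as base64, which may contain it; query/fragment
  # starters and whitespace are rejected.
  if [[ -z "$id" || "$id" == *[?#[:space:]]* ]]; then
    printf 'Invalid analysis id: %s\n' "$id" >&2
    return 2
  fi
  # The key is handed to curl on stdin (--header @-) instead of argv so it
  # does not appear in `ps` output or `set -x` traces.
  printf 'x-apikey: %s\n' "$apikey" | curl -s --request GET \
    --url "https://www.virustotal.com/api/v3/analyses/$id" \
    --header @-
}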
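vt_report() {
  # Retrieve a report by resource id. The author notes this endpoint is
  # believed deprecated; no option in the parser on this page calls it.
  # Arguments: $1 - VT API key; $2 - resource identifier
  # Outputs:   the JSON response on stdout
  # Returns:   curl's exit status
  # NOTE: this endpoint carries the key in the query string, where proxies
  # and server logs can record it; the header-based functions avoid that.
  local apikey=$1
  local resource=$2
  # --get with --data-urlencode produces the same "?apikey=...&resource=..."
  # query as before but percent-encodes both values instead of splicing
  # them into the URL raw.
  curl -s --get \
    --url "https://www.virustotal.com/api/v3/file/report" \
    --data-urlencode "apikey=$apikey" \
    --data-urlencode "resource=$resource"
}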
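##### EXECUTION BEGINS HERE #####
# Make sure we have the necessary dependencies
check_deps

# Options are collected first and acted on after the loop, so flag order no
# longer matters. The original dispatched inside the loop, so a command line
# such as `-f FILE -k KEY` reached vt_file before APIKEY was set and died on
# an unbound variable under `set -u`.
APIKEY=""
ACTION=""
TARGET=""

# Record the requested action ($1: flag letter, $2: its argument).
# Exactly one action flag is accepted; a second one is a usage error.
set_action() {
  if [[ -n "$ACTION" ]]; then
    printf 'Only one action may be given (-%s conflicts with -%s)\n' "$1" "$ACTION" >&2
    exit 2
  fi
  ACTION=$1
  TARGET=$2
}

# Grab CLI options. -h takes no argument; the original "h:" made a bare -h
# fall through to the ':' (missing argument) arm by accident.
while getopts ":k:a:f:u:d:i:vh" FLAG; do
  case "${FLAG}" in
    k) # API Token
      # Anchored so that only a bare 64-character [0-9a-z] value passes; the
      # unanchored original accepted any string that merely contained one.
      if [[ "$OPTARG" =~ ^[0-9a-z]{64}$ ]]; then
        APIKEY="$OPTARG"
      else
        # The supplied value is deliberately not echoed: it may be a real
        # key with a typo, and stdout/stderr are often captured in logs.
        printf 'Invalid API key format (expected 64 characters of [0-9a-z])\n' >&2
        exit 2
      fi
      ;;
    a) # Retrieve analysis on a file
      set_action a "$OPTARG"
      ;;
    f) # File and file path
      if [[ -f "$OPTARG" ]]; then
        set_action f "$OPTARG"
      else
        printf 'Invalid file specified: %s\n' "$OPTARG" >&2
        exit 3
      fi
      ;;
    u) # URL
      set_action u "$OPTARG"
      ;;
    d) # Domain
      set_action d "$OPTARG"
      ;;
    i) # IP
      set_action i "$OPTARG"
      ;;
    v) # Display version information
      printf '%s\n' "$VERSION"
      exit 0
      ;;
    h) # Help
      write_usage
      exit 0
      ;;
    :) # Option given without its required argument
      printf 'Option -%s requires an argument\n' "$OPTARG" >&2
      write_usage
      exit 2
      ;;
    \?) # Unknown option
      printf 'Unknown option -%s\n' "$OPTARG" >&2
      write_usage
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))

# Nothing to do: report it as a usage error (non-zero) rather than success.
if [[ -z "$ACTION" ]]; then
  printf '%s\n\n' "Either you did not give the required parameters or you wish to do nothing. So be it." >&2
  write_usage
  exit 1
fi
if [[ -z "$APIKEY" ]]; then
  printf 'An API key (-k) is required for -%s\n' "$ACTION" >&2
  exit 2
fi

# Dispatch. Under `set -e` a failing vt_* call ends the script with that
# status, so the script's exit code reflects the request's outcome.
case "$ACTION" in
  a) vt_analysis "$APIKEY" "$TARGET" ;;
  f) vt_file "$APIKEY" "$TARGET" ;;
  u) vt_url "$APIKEY" "$TARGET" ;;
  d) vt_domain "$APIKEY" "$TARGET" ;;
  i) vt_ip "$APIKEY" "$TARGET" ;;
esac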