initial commit, enjoy!

Author: bitdiscovery

README.md

@@ -0,0 +1,98 @@
+# Bit Discovery Python scripts
+
+These scripts demonstrate how you can integrate your work with the Bit Discovery API.
+
+To run these scripts, you have to have [Python 3.6+](https://www.python.org/downloads/) installed on your computer and
+your Bit Discovery API keys for an inventory. (You can get this on
+your [Bit Discovery profile page](https://dev.bitdiscovery.com/user/profile).) The best way is to save your API key to a
+variable and reuse it for every script.
+
+```shell
+APIKEY=eyJh...hUFs
+python pdf-report.py $APIKEY
+```
+
+If you need more information about the options of any script, just see the help message:
+
+```shell
+python pdf-report.py --help
+```
+
+## PDF Report
+
+The `pdf-report.py` script exports the assets from one or all of your inventories (`--multiple` flag), and creates a PDF
+file analysis based on the inventory data.
+
+### Usage
+
+> For now, this script requires Python 3.6, because the fpdf dependency doesn't work with newer versions.
+
+Install the dependencies:
+
+```shell
+pip install argparse datetime fpdf matplotlib pypdf2 requests
+```
+
+Create a pdf report by passing the inventory api key:
+
+```shell
+python3 pdf-report.py $APIKEY
+```
+
+If you want to create a pdf report for every inventory you own, you can pass the `--multiple` flag:
+
+```shell
+python3 pdf-report.py $APIKEY --multiple
+```
+
+## Auto add assets
+
+The `auto-add-assets.py` script can search your cloud provider, AWS, Google Cloud or Azure (using their respective
+command-line tools), and add your running instances to the provided inventory.
+
+### Usage
+
+For this script you need to have and be signed in to the command-line interfaces of your cloud provider of choice. For
+AWS, install the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html), for GCP Cloud
+the [gcloud CLI](https://cloud.google.com/sdk/docs/install) and for
+Azure [az](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).
+
+After that, install the Python dependencies:
+
+```shell
+pip install argparse datetime requests sh
+```
+
+Read your running EC2 instances and buckets from your AWS account:
+
+```shell
+python3 auto-add-assets.py amazon-ec2 $APIKEY
+```
+
+Similarly for Google Cloud and Azure:
+
+```shell
+# GCP
+python3 auto-add-assets.py google-cloud $APIKEY
+# Azure
+python3 auto-add-assets.py azure $APIKEY
+```
+
+## Delete ip or source
+
+The `delete-ip.py` script deletes one specific IP or source from your inventory.
+
+### Usage
+
+First, install the Python dependencies:
+
+```shell
+pip install argparse requests sh
+```
+
+Delete an IP or a source (with its id) from the given inventory:
+
+```shell
+python3 delete-ip.py ip 1.1.1.1 $APIKEY
+python3 delete-ip.py source 13 $APIKEY
+```

auto-add-assets.py

@@ -0,0 +1,157 @@
+#!/usr/bin/python3
+import sys
+from argparse import ArgumentParser
+from typing import Dict, Any, Optional, List
+from bitdiscovery.api import BitDiscoveryApi, try_multiple_times, get_lastid
+from bitdiscovery.cloud import get_provider, remove_matches, CloudProvider, AWSProvider
+
+parser = ArgumentParser(description="Add your cloud provider assets to your Bit Discovery inventory.")
+parser.add_argument('cloudprovider', metavar="PROVIDER", type=str, choices=['amazon-ec2', 'google-cloud', 'azure'],
+                    help="The cloud provider to add assets from, either amazon-ec2, google-cloud or azure.")
+parser.add_argument('apikey', metavar="APIKEY", type=str, help="Your Bit Discovery API key.")
+parser.add_argument('--env', choices=['dev', 'staging', 'prod'], default="dev",
+                    help="The Bit Discovery environment (by default 'dev')")
+parser.add_argument('--offset', type=int, default=0, help="Offset to the API request data (by default 0).")
+parser.add_argument('--limit', type=int, default=5000, help="Limit to the API request data (by default 500).")
+args = parser.parse_args()
+
+APIKEY: str = args.apikey
+CLOUD_PROVIDER: str = args.cloudprovider
+APIURL: str = "https://bitdiscovery.com/api/1.0"
+OFFSET: int = args.offset
+LIMIT: int = args.limit
+
+
+# Takes two dicts and safely merges them into a copy
+def merge_two_dicts(x: Dict, y: Dict) -> Dict:
+    z = x.copy()  # start with x's keys and values
+    z.update(y)  # modifies z with y's keys and values & returns None
+    return z
+
+
+# Find all IPs belonging in Bit Discovery
+print("Initializing and pulling assets from Bit Discovery...")
+
+api = BitDiscoveryApi(APIURL, APIKEY)
+inventories_json: Dict[str, Any] = {}
+try:
+    inventories_json = api.find_inventories(OFFSET, LIMIT)
+except:
+    print("API call failed. Try again later.")
+    exit(1)
+
+# TODO: maybe remove iteration if we cannot add to multiple inventories
+inventories: Dict[str, str] = {inventories_json['actualInventory']['inventory_name']: APIKEY}
+
+for entityname in inventories:
+    jsondata = []
+    # TODO: this is never used, why do we have to keep this (merge_two_dicts too)
+    inventoryips = {}
+
+    print(f"Starting sources for: {entityname}.")
+
+    sourcesdata: List[Dict[str, Any]] = []
+
+    # Collect every source from Bit Discovery inventory with pagination
+    lastid: str = ''
+    offset: int = OFFSET
+    while True:
+        result: Optional[Dict[str, Any]] = try_multiple_times(
+            lambda: api.search_for_source(LIMIT, lastid, ""),
+            max_tries=5
+        )
+
+        if result is None:
+            print("\tAPI call failed too many times. Try again later.")
+            exit(1)
+
+        sourcesdata.append(result)
+        lastid = get_lastid(result)
+        offset += LIMIT
+        total: int = int(sourcesdata[0]['total'])
+
+        if offset > total:
+            break
+
+    # Collect all source IPs that aren't CIDRs
+    sourceips: Dict[str, int] = {}
+    for sources in sourcesdata:
+        for source in sources.get('searches', []):
+            if 'search_type' in source and source['search_type'] == 'iprange':
+                ipcandidate = source['keyword'].lower()
+                if '-' in ipcandidate or '/' in ipcandidate:
+                    continue
+                else:
+                    # Number 2 indicates it's a source, not an asset
+                    sourceips[ipcandidate] = 2
+
+    # TODO: if inventoryips is to be deleted this can be removed as well
+    superset: Dict[str, int] = merge_two_dicts(sourceips, inventoryips)
+    for ips in superset:
+        if ips in sourceips and ips in inventoryips:
+            # Number 3 saying the IP address is found in both
+            superset[ips] = 3
+
+    # Find all IPs in cloud
+    addednum = 0
+
+    provider: CloudProvider = get_provider(CLOUD_PROVIDER)
+
+    # Get provider IP ranges from the provider
+    # TODO: why is this read? we don't use this for anything
+    print(f"\tWe're on {provider.name}, so processing accordingly")
+    print(f"\t\tGetting and parsing all of {provider.name}'s public IP space")
+    prefixes: Dict[str, int] = provider.get_ip_ranges()
+
+    # Get your ips from the provider
+    print("\t\tGetting and parsing your public IPs")
+    ips: Dict[str, int] = provider.get_instance_ips()
+
+    # If IPs in cloud match Bit Discovery remove them from list to do further checks on (they haven't changed)
+    print("\t\tIgnorning assets that haven't changed.")
+    ips_new, old_ips = remove_matches(superset, inventoryips, sourceips, ips)
+
+    # If IPs are not in Bit Discovery but they are in cloud add them
+    print("\t\tAdding new IPs")
+    for new_ip in ips_new:
+        # Try to add the new IPs to the Bit Discovery inventory
+        result: Optional[bool] = try_multiple_times(
+            lambda: api.add_ip(new_ip),
+            max_tries=5
+        )
+
+        if result is None:
+            print("\tAPI call failed too many times. Try again later.")
+            exit(1)
+
+        # Increment added count
+        addednum += 1
+
+    print(f"\tAdded a total of {str(addednum)} {provider.name} IPs.")
+
+    # If provider is AWS, then we can also retrieve the buckets
+    if type(provider) == AWSProvider:
+        print("\t\tFinding s3 buckets.")
+        buckets = AWSProvider().find_s3_buckets()
+
+        print("\t\tAdding s3 buckets.")
+        addedbucket = 0
+        for bucket in buckets:
+            url = AWSProvider().find_s3_region(bucket)
+
+            # Try to add bucket URLs to the Bit Discovery inventory
+            success: Optional[bool] = try_multiple_times(
+                lambda: api.add_source(url),
+                max_tries=5
+            )
+
+            if result is None:
+                print("\tAPI call failed too many times. Try again later.")
+                exit(1)
+
+            # Increment bucket count
+            addedbucket += 1
+
+        print("\tAdded a total of " + str(addedbucket) + " S3 buckets.")
+
+print("Done.")

bitdiscovery/api.py

@@ -0,0 +1,126 @@
+import requests
+from typing import Any, Callable, Dict, Optional, List
+
+
+def try_multiple_times(fn: Callable[..., Any], max_tries: int) -> Optional[Any]:
+    """
+    Retry a function multiple times if it fails.
+
+    :param fn: The function to run (it should return on success, throw on failure)
+    :param max_tries: The number of times after failure is registered, and None returned.
+    :return: Either the returned value on success, or None on failure.
+    """
+    result = None
+    i = 0
+    while result is None and i < max_tries:
+        try:
+            result = fn()
+        except Exception as e:
+            print("ERROR: " + str(e))
+            result = None
+        i += 1
+
+    return result
+
+
+def get_lastid(assets: Dict[str, List[Dict[str, str]]]) -> str:
+    """
+    Finds the last asset's ID so you know where you left off
+
+    :param assets: The list of assets as got back from the API.
+    :return: The last asset from the list.
+    """
+    lastid = ''
+    if "assets" in assets:
+        for asset in assets["assets"]:
+            if "id" in asset:
+                lastid = str(asset["id"])
+    return lastid
+
+
+class BitDiscoveryApi:
+    """
+    Initializes an object to call the Bit Discovery API with a base URL and API key.
+    """
+    apiurl: str
+    apikey: str
+
+    def __init__(self, apiurl: str, apikey: str):
+        self.apiurl = apiurl
+        self.apikey = apikey
+
+    def find_inventories(self, offset: int, limit: int) -> Dict[str, Any]:
+        url = f'{self.apiurl}/inventories/list?offset={str(offset)}&limit={str(limit)}&forcescreenshots=false'
+        headers = {'Accept': 'application/json', 'Authorization': self.apikey}
+        r = requests.get(url, headers=headers)
+        return r.json()
+
+    def get_dashboard(self, querytypes: str) -> Dict[str, Any]:
+        url = f'{self.apiurl}/dashboard?columns={str(querytypes)}'
+        payload = '[ { "column": "bd.original_hostname", "type": "ends with", "value": "" } ]'
+        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': self.apikey}
+
+        r = requests.post(url, data=payload, headers=headers)
+        return r.json()
+
+    def search_inventory(self, limit: int, after: str) -> Dict[str, Any]:
+        payload = '[ { "column": "bd.original_hostname", "type": "ends with", "value": "" } ]'
+
+        if after == '':
+            url = f'{self.apiurl}/inventory?limit={str(limit)}&offset=0&sortorder=true&inventory=false'
+        else:
+            url = f'{self.apiurl}/inventory?limit={str(limit)}&after={str(after)}&sortorder=true&inventory=false'
+        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': self.apikey}
+
+        r = requests.post(url, data=payload, headers=headers)
+        return r.json()
+
+    def search_for_ip_address(self, limit: int, after: str, ip: str) -> Dict[str, Any]:
+        payload = '[ {"column": "bd.ip_address", "type": "is", "value": "' + str(ip) + '" } ]'
+        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': self.apikey}
+
+        if after == '':
+            url = f'{self.apiurl}/inventory?limit={limit}&sortorder=true&columns=id,bd.ip_address'
+        else:
+            url = f'{self.apiurl}/inventory?limit={limit}&after={after}&sortorder=true&columns=id,bd.ip_address'
+
+        r = requests.post(url, data=payload, headers=headers)
+        return r.json()
+
+    def search_for_source(self, limit: int, after: str, search: str) -> Dict[str, Any]:
+        headers = {'Accept': 'application/json', 'Authorization': self.apikey}
+
+        if after == '':
+            url = f'{self.apiurl}/sources?offset=0&limit={limit}&search={search}'
+        else:
+            url = f'{self.apiurl}/sources?offset=0&offset={after}&limit={limit}&search={search}'
+
+        r = requests.get(url, headers=headers)
+        return r.json()
+
+    def add_ip(self, new_ip: str) -> bool:
+        payload = '{ "ip": "' + str(new_ip) + '" }'
+        url = f'{self.apiurl}/source/ip/add'
+        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': self.apikey}
+        requests.post(url, data=payload, headers=headers)
+        return True
+
+    def add_source(self, new_source: str) -> bool:
+        payload = '{ "keyword": "' + str(new_source) + '" }'
+        url = f'{self.apiurl}/source/add?as_subdomain=true&dont_discover=true'
+        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': self.apikey}
+        requests.post(url, data=payload, headers=headers)
+        return True
+
+    def archive_ip(self, old_id: str) -> bool:
+        payload = '[ {"id": "' + old_id + '", "hidden": true } ]'
+        url = f'{self.apiurl}/asset/hide'
+        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': self.apikey}
+        requests.post(url, data=payload, headers=headers)
+        return True
+
+    def delete_source(self, old_source_id: str) -> bool:
+        url = f'{self.apiurl}/source/{old_source_id}/delete'
+        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': self.apikey}
+        requests.post(url, headers=headers)
+        return True