HKWT-2013-0002 / GeoIP + matplotlib

Category: Defensive Security/Linux 2013.01.03 15:39

1. Languages supported by GeoIP

  • C Library
  • Perl Module
  • PHP Module
  • Apache Module (mod_geoip)
  • Java Class
  • Python Class
  • C# Class
  • Ruby Module
  • MS COM Object (ASP, ColdFusion, Pascal, PHP, Perl, Python, and Visual Basic code)
  • VB.NET (only works with GeoIP Country)
  • Pascal
  • JavaScript 

2. Installing GeoIP


git clone git://github.com/appliedsec/pygeoip.git
cd pygeoip
python setup.py build
sudo python setup.py install

3. Downloading the IP database used by GeoIP


wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz

4. Writing a shell script to update the IP database

: Don't forget chmod +x. Because the download goes through Tor, the torsocks module has to be installed.


#!/bin/sh
# usewithtor is provided by the torsocks package
sudo apt-get install -y torsocks
GUNZIP="/bin/gunzip"
MAXMINDURL="http://geolite.maxmind.com/download/geoip/database"
WGET="/usr/bin/wget"
TOR="/usr/bin/usewithtor"
DATADIR=`pwd`
TMPDIR=$(mktemp -d)
if [ ! -d "$DATADIR" ] ; then
    echo "Data directory $DATADIR/ doesn't exist!"
    exit 1
fi
if [ ! -w "$DATADIR" ] ; then
    echo "Can't write to $DATADIR directory!"
    exit 1
fi
cd "${TMPDIR}"
echo ${WGET} "${MAXMINDURL}/GeoLiteCity.dat.gz"
# fetch the database over Tor, then unpack it
${TOR} ${WGET} "${MAXMINDURL}/GeoLiteCity.dat.gz"
${GUNZIP} -c "./GeoLiteCity.dat.gz" > GeoLiteCity.dat
if [ $? != 0 ] ; then
    echo "Can't download a free GeoLite City database!"
    exit 1
fi
mv -f "GeoLiteCity.dat" "${DATADIR}/"
if [ $? != 0 ] ; then
    echo "Can't move databases file to ${DATADIR}/"
    exit 1
fi
exit 0

5. Test


import pygeoip
# open the GeoLite City database downloaded above
gi = pygeoip.GeoIP('GeoLiteCity.dat')
# resolve the hostname and look up its location record
rec = gi.record_by_name('google.com')
for code, val in rec.items():
    print "%s: %s" % (code, val)

city: Mountain View
region_name: CA
area_code: 650
time_zone: America/Los_Angeles
dma_code: 807
metro_code: San Francisco, CA
country_code3: USA
latitude: 37.4192
postal_code: 94043
longitude: -122.0574
country_code: US
country_name: United States

6. Plotting on a map with matplotlib


sudo apt-get install -y python-tk python-numpy python-matplotlib python-dev
wget http://downloads.sourceforge.net/project/matplotlib/matplotlib-toolkits/basemap-1.0.5/basemap-1.0.5.tar.gz
tar -xvzf basemap-1.0.5.tar.gz
cd basemap-1.0.5/geos-3.3.3
./configure
make
sudo make install
cd ..
python setup.py build
sudo python setup.py install

7. Getting mapper.py


svn cat http://malwarecookbook.googlecode.com/svn/trunk/5/13/mapper.py > mapper.py

8. Usage


python mapper.py -a 222.122.195.6,74.125.128.101

222.122.195.6 : naver.com
74.125.128.101 : google.com
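As an added example (not code from the original post or from the Malware Analyst's Cookbook), this shows the defender-side step that mapper.py automates: pull the source addresses of failed SSH logins out of auth.log lines, count them, and resolve each one to coordinates with pygeoip's record_by_addr so the points can be plotted. The log lines and the FAKE_GEOIP table are constructed so the block runs without GeoLiteCity.dat; pygeoip_resolver() is the real lookup to pass in instead.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (sshd format); hosts and ports are made up.
SAMPLE_AUTH_LOG = """\
Jan  3 15:39:01 host sshd[2101]: Failed password for root from 222.122.195.6 port 40022 ssh2
Jan  3 15:39:02 host sshd[2101]: Failed password for root from 222.122.195.6 port 40023 ssh2
Jan  3 15:39:05 host sshd[2102]: Failed password for invalid user admin from 74.125.128.101 port 5100 ssh2
Jan  3 15:39:07 host sshd[2103]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Jan  3 15:39:09 host sshd[2104]: Failed password for root from 74.125.128.101 port 5101 ssh2
"""

# Only failed-password lines; the group captures the dotted-quad source address.
FAILED_RE = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")

# Constructed stand-in for GeoLiteCity.dat so the example runs offline. The US
# record reuses the coordinates printed in the test section above; the KR one is made up.
FAKE_GEOIP = {
    "222.122.195.6": {"country_code": "KR", "city": "Seoul", "latitude": 37.5665, "longitude": 126.978},
    "74.125.128.101": {"country_code": "US", "city": "Mountain View", "latitude": 37.4192, "longitude": -122.0574},
}


def pygeoip_resolver(db_path="GeoLiteCity.dat"):
    """Real resolver: pygeoip.GeoIP(db).record_by_addr, the same call mapper.py relies on."""
    import pygeoip  # imported lazily so the offline example does not need it
    return pygeoip.GeoIP(db_path).record_by_addr


def failed_login_sources(log_text):
    """Count failed-password attempts per source IP; successful logins are ignored."""
    return Counter(FAILED_RE.findall(log_text))


def geolocate(counts, resolve):
    """Map {ip: attempts} to {country_code: [(lat, lon, ip, attempts), ...]}.

    resolve(ip) must return a pygeoip-style record dict or None. Addresses the
    database cannot place (private ranges, gaps in GeoLite) are kept under
    'UNKNOWN' rather than silently dropped, so the map does not hide them.
    """
    by_country = defaultdict(list)
    for ip, attempts in counts.items():
        rec = resolve(ip)
        if not rec or rec.get("latitude") is None:
            by_country["UNKNOWN"].append((None, None, ip, attempts))
            continue
        by_country[rec["country_code"]].append((rec["latitude"], rec["longitude"], ip, attempts))
    return dict(by_country)
```

In real use, call geolocate(failed_login_sources(open("/var/log/auth.log").read()), pygeoip_resolver()) and hand each (lat, lon) pair to basemap the way mapper.py does.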

9. Installing with a Bash shell script


#!/bin/sh
sudo apt-get install -y subversion git-core python-tk python-numpy python-matplotlib python-dev torsocks

service tor restart
HOME_PWD=`pwd`

cd /tmp/
git clone git://github.com/appliedsec/pygeoip.git
cd pygeoip
python setup.py build
sudo python setup.py install
cd ..

wget http://downloads.sourceforge.net/project/matplotlib/matplotlib-toolkits/basemap-1.0.5/basemap-1.0.5.tar.gz
tar -xvzf basemap-1.0.5.tar.gz
cd basemap-1.0.5/geos-3.3.3
./configure
make
sudo make install
cd ..
python setup.py build
sudo python setup.py install
cd $HOME_PWD

mkdir pygeoip
cd pygeoip

cat > GeoLiteCityUpdate.sh << EOF
#!/bin/sh
GUNZIP="/bin/gunzip"
MAXMINDURL="http://geolite.maxmind.com/download/geoip/database"
WGET="/usr/bin/wget "
TOR="/usr/bin/usewithtor "
DATADIR=\`pwd\`
TMPDIR=\$(mktemp -d)
if [ ! -d "\$DATADIR" ] ; then
echo "Data directory \$DATADIR/ doesn't exist!"
exit 1
fi
if [ ! -w "\$DATADIR" ] ; then
echo "Can't write to \$DATADIR directory!"
exit 1
fi
cd "\${TMPDIR}"
echo \${WGET} "\${MAXMINDURL}/GeoLiteCity.dat.gz"
\${TOR} \${WGET} "\${MAXMINDURL}/GeoLiteCity.dat.gz"
\${GUNZIP} -c "./GeoLiteCity.dat.gz" > GeoLiteCity.dat
if [ \$? != 0 ] ; then
echo "Can't download a free GeoLite City database!"
exit 1
fi
mv -f "GeoLiteCity.dat" "\${DATADIR}/"
if [ \$? != 0 ] ; then
echo "Can't move databases file to \${DATADIR}/"
exit 1
fi
exit 0
EOF

chmod +x GeoLiteCityUpdate.sh
./GeoLiteCityUpdate.sh

svn cat http://malwarecookbook.googlecode.com/svn/trunk/5/13/mapper.py > mapper.py

10. Summary

GeoIP can be installed either with pygeoip as above or with 'sudo apt-get install python-geoip'; either works.

However, the mapper.py from the Malware Analyst's Cookbook uses pygeoip, so that is the one chosen here.

pygeoip and python-geoip offer the same functionality; you only need to know that the form of the calls they use differs very slightly.

11. References

  • http://www.pointlessrants.com/2010/05/python-geoip-python-geoip-cities-tutorial/
  • Malware Analyst's Cookbook (악성코드 분석가의 비법서)

Licensed under Creative Commons Attribution-NonCommercial-ShareAlike


Comments

  1. 김진영 2015.06.25 06:12

    Totally great
