ZoomEye: Extending TheTHE With More Plugins

Carlos Ávila    3 November, 2020
ZoomEye: Extending TheTHE With More Plugins

Those who follow the developments carried out by the Innovation and Laboratory team will be familiar with our theTHE platform, which specialises in Threat Hunting, IoC analysis and is very useful specially for equipment and SOCs. Even if this tool does not fit all needs, new plugins can always be developed. If you dare… Keep reading!

At ElevenPaths we have developed over 30 plugins that you can use from now on and that are included in the latest version of the platform in our GitHub repository. We also have a more advanced private version for SOCs. In any case, creating a plugin is very easy, let’s see it with a practical example. In this case we will work on a simple plugin that allows us to consult the API of the ZoomEye search service by means of some IP address that we are investigating.

The structure of the project and the files you should create should be as follows:

  1. The first thing is to clone the code repository from the ElevenPaths GitHub: git clone https://github.com/ElevenPaths/thethe
  2. Regarding the structure of the project, it must be taken into account that the tool is “dockerised” and mainly developed in Python3 as a backend. VueJS is used to display the data on the web (frontend) and the data is stored in a MongoDB database. This way, we have:
  • Backend (the-the/thethe_server/server/plugins/): this directory is where they store the plugins developed in Python for the platform. In the same directory you have a ‘TEMPLATE.py’ file with all the respective documentation to take as a basis for the development of a new plugin.
  • Frontend (the-the/thethe_frontend/src/components/templates/): in this directory you must create a folder with the name of the plugin and within it generate a index.vue file  where we will develop the part where the data will be shown through VueJS on the web.

Backend Development

We generate a zoomeye.py file with all the appropriate programming for the consumption of the platform´s API based on the ZoomEye API service documentation. For the interaction with this API, we use the official ZoomEye SDK:

At the end, the data from the consultation carried out is stored in the project’s Mongo base. Then, basically the backend sends as a result a JSON type object from Python to be displayed in the frontend.

Frontend Development

A folder is created with the name of the plugin, in this case zoomeye, and inside it an index.vue file must be generated, where the part where the data will be shown through VueJS on the web will be developed. The data shown come from the file developed in the backend.

We Try the Plugin

We hope that this mini-guide will encouraged many more people to create plugins that will contribute to the project and the community. In fact, you can not only use third party APIs, but also create your own scripts that consume own services as we have done with our DIARIO and Tacyt platforms. We will continue developing the tool and, in the same way, we hope that the diverse experiences of the community and their comments will help to enrich it.

Leave a Reply

Your email address will not be published.