
[YouTube] TekTip ep30 - Automater XML

Secure-EDU 2017. 4. 25. 17:30



This is a demonstration video of the TekDefense-Automater tool. It shows the analysis of IP addresses, URLs and hashes.


Note: please be aware that the user of the program is responsible for any problems arising from use for purposes other than testing.

Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.


Automater is a tool that I originally created to automate the OSINT analysis of IP addresses. It quickly grew and became a tool to do analysis of IP Addresses, URLs, and Hashes. Unfortunately though, this was my first python project and I made a lot of mistakes, and as the project grew it became VERY hard for me to maintain.

Luckily, a mentor and friend of mine (@jameshub3r) offered his time and expertise to do an entire re-write of the code that would focus on a modular extensible framework. The new code hits the mark as far as that is concerned. The real power of Automater is how easy it is to modify what sources are checked and what data is taken from them without having to modify the python code. To modify sources simply open up the sites.xml file and modify away. I'll do another post later that goes into more detail there.

Usage:

Once installed the usage is pretty much the same across Windows, Linux, and Kali.

    python Automater.py -h

or if you chmod +x Automater.py you can

    ./Automater.py -h

usage: Automater.py [-h] [-o OUTPUT] [-w WEB] [-c CSV] [-d DELAY] [-s SOURCE]
                    [--p]
                    target

IP, URL, and Hash Passive Analysis tool

positional arguments:
  target                List one IP Addresses, URL or Hash to query or pass
                        the filename of a file containing IP Addresses, URL or
                        Hash to query each separated by a newline.

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        This option will output the results to a file.
  -w WEB, --web WEB     This option will output the results to an HTML file.
  -c CSV, --csv CSV     This option will output the results to a CSV file.
  -d DELAY, --delay DELAY
                        This will change the delay to the inputted seconds.
                        Default is 2.
  -s SOURCE, --source SOURCE
                        This option will only run the target against a
                        specific source engine to pull associated domains.
                        Options are defined in the name attribute of the site
                        element in the XML configuration file
  --p                   This option tells the program to post information to
                        sites that allow posting. By default the program will
                        NOT post to sites that require a post.

To run Automater against a target ip, hash, url, or file simply type

    python Automater.py <target>


python Automater.py 37.221.161.215

[*] Checking https://robtex.com/37.221.161.215
[*] Checking http://www.fortiguard.com/ip_rep/index.php?data=37.221.161.215&lookup=Lookup
[*] Checking http://www.alienvault.com/apps/rep_monitor/ip/37.221.161.215
[*] Checking https://www.virustotal.com/en/ip-address/37.221.161.215/information/
[*] Checking http://www.ipvoid.com/scan/37.221.161.215

____________________     Results found for: 37.221.161.215     ____________________
[+] A records from Robtex.com: vm1033.gigaservers.net
[+] Fortinet URL Category: Unclassified
[+] Found in AlienVault reputation DB: http://www.alienvault.com/apps/rep_monitor/ip/37.221.161.215
No results found for: [+] pDNS data from VirusTotal:
[+] pDNS malicious URLs from VirusTotal: ('2013-12-03', 'http://37.221.161(.)215/')
[+] pDNS malicious URLs from VirusTotal: ('2013-11-30', 'http://37.221.161(.)215/')
[+] pDNS malicious URLs from VirusTotal: ('2013-11-29', 'http://37.221.161(.)215/crypted.exe%5B/')
No results found for: [+] Blacklist from IPVoid:
[+] ISP from IPvoid: Voxility S.R.L.
[+] Country from IPVoid: (RO) Romania


python Automater.py 44A6A7D4A039F7CC2DB6E85601F6D8C1

[*] Checking https://www.virustotal.com/vtapi/v2/file/report
[*] Checking http://www.threatexpert.com/report.aspx?md5=44A6A7D4A039F7CC2DB6E85601F6D8C1
[*] Checking http://vxvault.siri-urz.net/ViriList.php?MD5=44A6A7D4A039F7CC2DB6E85601F6D8C1

____________________     Results found for: 44A6A7D4A039F7CC2DB6E85601F6D8C1     ____________________
[+] MD5 found on VT: 1
[+] Scan date submitted: 2013-11-29 18:49:10
[+] # of virus engines detected on: 18
[+] # of total scan engines: 48
[+] Malware detected on: ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
[+] Malware detected on: ('Malwarebytes', 'Trojan.Zbot')
[+] Malware detected on: ('Symantec', 'Trojan.Gen.2')
[+] Malware detected on: ('Norman', 'Suspicious_Gen4.FLCRK')
[+] Malware detected on: ('Avast', 'Win32:Agent-ASJS [Trj]')
[+] Malware detected on: ('BitDefender', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('Ad-Aware', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('Sophos', 'Mal/Generic-S')
[+] Malware detected on: ('McAfee-GW-Edition', 'PWSZbot-FKQ!44A6A7D4A039')
[+] Malware detected on: ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
[+] Malware detected on: ('AhnLab-V3', 'Spyware/Win32.Zbot')
[+] Malware detected on: ('GData', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('Fortinet', 'W32/Injector.ASCL!tr')
[+] Hash found at ThreatExpert: 29 November 2013, 06:03:06
[+] Malicious Indicators from ThreatExpert: Downloads/requests other files from Internet.
[+] Date found at VXVault: 11-29
[+] URL found at VXVault: 37.221.161.215/crypted(.)exe


Automater.py diablo3keygen(.)net

[*] Checking http://www.fortiguard.com/ip_rep/index.php?data=diablo3keygen.net&lookup=Lookup
[*] Checking http://unshort.me/index.php?r=diablo3keygen.net
[*] Checking http://www.urlvoid.com/scan/diablo3keygen.net
[*] Checking https://www.virustotal.com/en/domain/diablo3keygen.net/information/

____________________     Results found for: diablo3keygen(.)net     ____________________
[+] Fortinet URL Category: Unclassified
[+] URL redirects to: http://diablo3keygen(.)net
[+] IP from URLVoid: 182.18.143.140
[+] Blacklist from URLVoid: http://www.mywot.com/en/scorecard/diablo3keygen.net"
[+] Blacklist from URLVoid: http://trafficlight.bitdefender.com/info?url=http://diablo3keygen.net"
[+] Domain Age from URLVoid: 2013-08-26 (3 months ago)
[+] Geo Coordinates from URLVoid: 20 / 77
[+] Country from URLVoid:  (IN) India
[+] pDNS data from VirusTotal: ('2013-11-28', '182.18.143.140')
[+] pDNS data from VirusTotal: ('2012-12-01', '31.3.152.106')
[+] pDNS malicious URLs from VirusTotal: ('2013-12-02', 'http://diablo3keygen(.)net/')
[+] pDNS malicious URLs from VirusTotal: ('2013-11-28', 'http://diablo3keygen(.)net/')


Checking a single source can be done by using -s

python Automater.py -s ipvoid 11.11.11.11

[*] Checking http://www.ipvoid.com/scan/11.11.11.11

____________________     Results found for: 11.11.11.11     ____________________
No results found for: [+] Blacklist from IPVoid:
[+] ISP from IPvoid: DoD Network Information Center
[+] Country from IPVoid: (US) United States


There are also new output methods. -o will output to a file in the same format that is printed to screen, -c will output a csv, and -w will output an html file.

    python Automater.py test.txt -o test.out -c test.csv -w test.html




As you may have noticed, it does take Automater a little longer to run than it used to. That is because we implemented a delay of 2 seconds between requests to ensure we don't bog down the sources. You can modify this delay with a -d <number of seconds>.

    python Automater.py test.txt -o test.out -c test.csv -w test.html -d 5
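The -o file uses the same screen format shown in the runs above, so it can be post-processed for triage. As an added example (not part of this post or of the Automater project), the following Python parser turns that format into a dictionary per target and keeps the "No results found for" labels as empty lists, so a source that returned nothing is distinguishable from one that was never queried. The sample text is constructed from lines quoted in this post, not captured from a live run.

```python
import re
from typing import Dict, List

# Constructed sample in the screen format shown above (also what -o writes);
# assembled from the lines quoted in this post, not captured from a live run.
SAMPLE_OUTPUT = """\
[*] Checking http://www.ipvoid.com/scan/37.221.161.215

____________________     Results found for: 37.221.161.215     ____________________
[+] A records from Robtex.com: vm1033.gigaservers.net
[+] Fortinet URL Category: Unclassified
No results found for: [+] pDNS data from VirusTotal:
[+] pDNS malicious URLs from VirusTotal: ('2013-12-03', 'http://37.221.161(.)215/')
[+] pDNS malicious URLs from VirusTotal: ('2013-11-29', 'http://37.221.161(.)215/crypted.exe%5B/')
[+] Country from IPVoid: (RO) Romania
"""

HEADER_RE = re.compile(r"^_+\s+Results found for:\s+(.+?)\s+_+$")
EMPTY_RE = re.compile(r"^No results found for:\s+\[\+\]\s+(.+?):\s*$")
RESULT_RE = re.compile(r"^\[\+\]\s+(.+?):\s*(.*)$")


def parse_automater_output(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each target to {label: [values]}; a 'No results' label maps to []."""
    results: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            results[current] = {}
            continue
        if current is None or line.startswith("[*]"):
            continue  # skip "[*] Checking" progress lines and text before a header
        empty = EMPTY_RE.match(line)
        if empty:
            results[current].setdefault(empty.group(1), [])
            continue
        hit = RESULT_RE.match(line)
        if hit:
            # Repeated labels (e.g. several pDNS rows) accumulate in one list
            results[current].setdefault(hit.group(1), []).append(hit.group(2))
    return results


def labels_with_hits(results: Dict[str, Dict[str, List[str]]], target: str) -> List[str]:
    """Labels that returned at least one value for the target, in output order."""
    return [label for label, values in results.get(target, {}).items() if values]
```

Values are kept exactly as Automater prints them, including the defanged `(.)` notation, so the parsed data stays safe to paste into reports.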


Sites.xml


Automater is now very easily extensible even for those that are not familiar with python. All the sources that are queried and what they are queried for are contained in sites.xml. This must be in the same directory as Automater.py and all the other .py’s that Automater ships with. I will update this page soon with instructions on how to modify the xml file, but in the meantime if you take a look at the current entries it is pretty self-explanatory.


TekDefense-Automater Home Page : http://www.tekdefense.com/automater/


Github Site : https://github.com/1aN0rmus/TekDefense-Automater
