Analyst Arsenal (A²)™
A toolkit for Security Researchers
Description
With aa_adhoc, run through a list of URLs and check sites for malicious files based on predefined file extensions.
With aa_certstream, find out when a phishing kit has been staged on a domain. With this information, you can be amongst the first to:
- Know
- Block
- Report
- Analyze
With aa_urlscan, easily search urlscan.io and check sites for malicious files based on predefined file extensions.
With aa_whoisds, download a list of newly registered domains from WHOIS Domain Search, score the domains, and search for signs of malicious activity.
Prerequisites
- Ubuntu 18.04+ (should work on other Linux distros)
- Python 2.7.14
- DEB packages:
  - gcc
  - Git (optional)
  - Torsocks (optional: used with the --tor flag)
Setup
- Open a terminal and run the following commands:
git clone https://github.com/ecstatic-nobel/Analyst-Arsenal.git
cd Analyst-Arsenal
bash py_pkg_update.sh
Usage
aa_adhoc
The following command will:
- Make requests to the domains retrieved from a file
- Download files from the site when an open directory is found hosting a file with the desired file extension
1 positional argument needed:
- Input File : Path to the file containing URLs
Optional arguments:
- --directory : Download data to CAP_DIR (default: ./Captures)
- --level : Recursion depth (default=1, infinite=0)
- --max-redirect : Maximum redirects (default=0)
- --quiet : Don't show wget output
- --threads : Number of threads to spawn
- --timeout : Set the connection timeout to TIMEOUT
- --tor : Download files via the Tor network
- --very-verbose : Show error messages
python aa_adhoc.py <INPUT_FILE> [--directory] [--level] [--max-redirect] [--quiet] [--threads] [--timeout] [--tor] [--very-verbose]
aa_certstream
The following command will:
- Stream CT logs via Certstream
- Score and add suspicious domains to a queue while other domains continue to be scored
- Simultaneously make requests to the domains in the queue to search for predefined file extensions
- Recursively download the site when an open directory is found hosting a file with a particular extension
Optional arguments:
- --ctl-server : Certstream server URL to connect to
- --dns-twist : Check the twisted keywords found in dns_twisted.yaml
- --directory : Download data to CAP_DIR (default: ./Captures)
- --level : Recursion depth (default=1, infinite=0)
- --log-nc : File to store domains that have not been checked
- --quiet : Don't show wget output
- --score : Minimum score to trigger a session (default: 75)
- --threads : Number of threads to spawn
- --timeout : Set the connection timeout to TIMEOUT
- --tor : Download files via the Tor network
- --verbose : Show domains being scored
- --very-verbose : Show error messages
python aa_certstream.py [--ctl-server] [--dns-twist] [--directory] [--level] [--log-nc] [--quiet] [--score] [--threads] [--timeout] [--tor] [--verbose] [--very-verbose]
aa_urlscan
The following command will:
- Make requests to the domains retrieved from urlscan.io
- Recursively download the site when an open directory is found hosting a file with the desired file extension
3 positional arguments needed:
- Query Type : automatic, manual, certstream, openphish, phishtank, twitter, urlhaus
- Delta : Number of days back to search (GMT)
- Query String : String to search (must not contain spaces)
Optional arguments:
- --directory : Download data to CAP_DIR (default: ./Captures)
- --level : Recursion depth (default=1, infinite=0)
- --max-redirect : Maximum redirects (default=0)
- --quiet : Don't show wget output
- --threads : Number of threads to spawn
- --timeout : Set the connection timeout to TIMEOUT
- --tor : Download files via the Tor network
- --very-verbose : Show error messages
python aa_urlscan.py <QUERY_TYPE> <DELTA> <QUERY_STRING> [--directory] [--level] [--max-redirect] [--quiet] [--threads] [--timeout] [--tor] [--very-verbose]
Note: If the URL path points to a file rather than a directory, that file is downloaded automatically.
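The "open directory hosting a file with the desired extension" check that aa_adhoc and aa_urlscan both perform, and the direct-file case in the note above, can be illustrated offline. The block below is an added example written for this page in Python 3 using only the standard library; it is not Analyst Arsenal's own code (which targets Python 2.7 and shells out to wget). The extension set INTERESTING_EXT, the index-page markers, the example.test / other.test hosts and the sample listing are all constructed assumptions; the project's real predefined extension list is not reproduced on this page.

```python
"""Open-directory triage for a candidate URL.

Added illustration in Python 3 (stdlib only); not Analyst Arsenal's own code.
The extension list and index-page markers are assumptions for this example.
"""
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed extensions worth pulling from a kit staging directory.
INTERESTING_EXT = {".zip", ".rar", ".7z", ".tar", ".gz", ".exe"}

# Assumed markers that auto-generated index pages (Apache, nginx,
# python -m http.server) tend to contain.
INDEX_MARKERS = ("<title>index of", "parent directory")


class _LinkCollector(HTMLParser):
    """Collect every <a href> on the page; filtering happens afterwards."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def file_extension(url):
    """Lower-cased extension of the URL path ('' for a directory)."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def is_open_directory(html):
    """Heuristic: does the body look like an auto-generated index page?"""
    lowered = html.lower()
    return any(marker in lowered for marker in INDEX_MARKERS)


def triage(url, html):
    """Classify a URL and the response body served for it.

    Returns (kind, urls):
      'file'     the path itself ends in an interesting extension, so it is
                 downloaded directly and the body is irrelevant
      'open-dir' the body is an index page; urls holds the linked files
                 under this directory with an interesting extension
                 (off-site and parent-directory links are dropped)
      'none'     nothing to fetch
    """
    if file_extension(url) in INTERESTING_EXT:
        return "file", [url]
    if not is_open_directory(html):
        return "none", []
    collector = _LinkCollector()
    collector.feed(html)
    base = url if url.endswith("/") else url + "/"
    host = urlparse(url).netloc
    hits = []
    for href in collector.hrefs:
        absolute = urljoin(base, href)
        if urlparse(absolute).netloc != host:
            continue  # link leaves this host; not part of the listing
        if not absolute.startswith(base):
            continue  # parent-directory or sibling link
        if file_extension(absolute) in INTERESTING_EXT:
            hits.append(absolute)
    return "open-dir", hits


# Constructed sample: an Apache-style listing of a kit staging directory.
SAMPLE_URL = "http://example.test/kits/"
SAMPLE_LISTING = """<html><head><title>Index of /kits</title></head><body>
<h1>Index of /kits</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a><hr>
<a href="/">Parent Directory</a>
<a href="secure-login.zip">secure-login.zip</a>   2019-01-01 12:00  1.2M
<a href="kit-v2.rar">kit-v2.rar</a>               2019-01-02 08:30  900K
<a href="logo.png">logo.png</a>                   2019-01-01 12:00   20K
<a href="http://other.test/dl.exe">dl.exe</a>
</pre></body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_LISTING))
    print(triage("http://example.test/kits/kit-v2.rar", ""))
    print(triage("http://example.test/", "<html><body>Welcome</body></html>"))
```

The host and prefix checks matter in practice: auto-index pages carry sort links (`?C=N;O=D`), a parent-directory link and sometimes off-site links, and following any of those with a recursive wget would pull content that is not part of the staged kit.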
aa_whoisds
The following command will:
- Download a list of newly registered domains from WHOIS Domain Search (whoisds.com)
- Score and add suspicious domains to a queue while other domains continue to be scored
- Simultaneously make requests to the domains in the queue to search for predefined file extensions
- Recursively download the site when an open directory is found hosting a file with a particular extension
1 positional argument needed:
- Delta : Number of days back to search (GMT)
Optional arguments:
- --dns-twist : Check the twisted keywords found in dns_twisted.yaml
- --directory : Download data to CAP_DIR (default: ./Captures)
- --level : Recursion depth (default=1, infinite=0)
- --log-nc : File to store domains that have not been checked
- --quiet : Don't show wget output
- --score : Minimum score to trigger a session (default: 75)
- --threads : Number of threads to spawn
- --timeout : Set the connection timeout to TIMEOUT
- --tor : Download files via the Tor network
- --verbose : Show domains being scored
- --very-verbose : Show error messages
python aa_whoisds.py <DELTA> [--dns-twist] [--directory] [--level] [--log-nc] [--quiet] [--score] [--threads] [--timeout] [--tor] [--verbose] [--very-verbose]
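aa_certstream and aa_whoisds share the same shape: score each incoming domain, push anything at or above --score onto a queue, and let a separate worker drain that queue so scoring never stalls on the network-bound checking step, with the rest going to the --log-nc file. The block below is an added example written for this page in Python 3 (stdlib only) to show that pipeline and a dnstwist-style keyword "twist" check; it is not Analyst Arsenal's own code. The brand keywords, suspicious words, TLD list, homoglyph table, point weights and the sample domain feed are all constructed assumptions; the project's real scoring rules and its dns_twisted.yaml are not reproduced on this page.

```python
"""Domain scoring with a scoring/checking hand-off queue.

Added illustration in Python 3 (stdlib only); not Analyst Arsenal's own code.
Keyword lists, twist rules and weights are assumptions for this example.
"""
import queue
import threading

BRAND_KEYWORDS = ["paypal", "microsoft", "dropbox"]                      # assumed
SUSPICIOUS_WORDS = ["login", "secure", "verify", "account", "update"]   # assumed
RISKY_TLDS = {"tk", "ml", "ga", "cf", "gq", "xyz", "top"}                # assumed
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "a": "4", "e": "3", "s": "5"}  # assumed


def twist(keyword):
    """dnstwist-style variants of a keyword: single-character omission,
    adjacent transposition and one-character homoglyph substitution."""
    variants = set()
    for i, ch in enumerate(keyword):
        variants.add(keyword[:i] + keyword[i + 1:])                        # omission
        if i + 1 < len(keyword):
            variants.add(keyword[:i] + keyword[i + 1] + ch + keyword[i + 2:])  # swap
        if ch in HOMOGLYPHS:
            variants.add(keyword[:i] + HOMOGLYPHS[ch] + keyword[i + 1:])   # homoglyph
    variants.discard(keyword)
    return variants


def score_domain(domain, dns_twist=True):
    """Return (score 0-100, reasons) for a registered domain name."""
    labels = domain.lower().rstrip(".").split(".")
    tld, body = labels[-1], ".".join(labels[:-1])
    score, reasons = 0, []
    for brand in BRAND_KEYWORDS:
        if brand in body:
            score += 60
            reasons.append("brand:" + brand)
        elif dns_twist and any(v in body for v in twist(brand)):
            score += 50
            reasons.append("twisted:" + brand)
    for word in SUSPICIOUS_WORDS:
        if word in body:
            score += 15
            reasons.append("word:" + word)
    if tld in RISKY_TLDS:
        score += 15
        reasons.append("tld:" + tld)
    hyphens = body.count("-")
    if hyphens:
        score += min(10, 5 * hyphens)
        reasons.append("hyphens:%d" % hyphens)
    return min(score, 100), reasons


def run_pipeline(domains, threshold=75, dns_twist=True):
    """Producer scores domains and enqueues those at or above threshold;
    a consumer thread drains the queue concurrently. Returns
    (checked, not_checked): checked is what reached the consumer,
    not_checked is what a --log-nc style file would record."""
    work = queue.Queue()
    checked, not_checked = [], []
    sentinel = object()

    def consumer():
        while True:
            item = work.get()
            if item is sentinel:
                break
            # This is where the request / open-directory / download step
            # would run against the domain; here we only record the hand-off.
            checked.append(item)

    worker = threading.Thread(target=consumer)
    worker.start()
    for domain in domains:
        score, reasons = score_domain(domain, dns_twist)
        if score >= threshold:
            work.put((domain, score, reasons))
        else:
            not_checked.append((domain, score))
    work.put(sentinel)
    worker.join()
    return checked, not_checked


# Constructed sample feed, shaped like one whoisds / certstream batch.
SAMPLE_DOMAINS = [
    "paypa1-secure-login.tk",
    "microsoft-account-update.com",
    "paypal.com",
    "example.com",
]

if __name__ == "__main__":
    checked, not_checked = run_pipeline(SAMPLE_DOMAINS)
    for domain, score, reasons in checked:
        print("CHECK  %3d  %s  %s" % (score, domain, ",".join(reasons)))
    for domain, score in not_checked:
        print("SKIP   %3d  %s" % (score, domain))
```

Note that a legitimate brand domain such as paypal.com scores below the default threshold here, while the homoglyph variant paypa1-secure-login.tk is queued only because the twist check fired; with dns_twist=False it drops under 75, which is the practical effect of leaving --dns-twist off.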
Things to know
Please fork, create merge requests, and help make this better.