srcmini本文概述
许多人问自己, 是否有一种安全的方法来检出可疑的URL?答案很简单, 是的。你可以在互联网上使用许多工具来检查URL是否对浏览器安全。作为开发人员(或Intrusion Analyst), 你不需要在要扫描的每个可用Web工具上提供要扫描的URL即可浪费时间, 而可以使用Automater工具。可在Kali Linux中从命令行使用Automater。
什么是自动机
Automater是一个URL /域, IP地址和Md5哈希OSINT工具, 旨在使入侵分析人员的分析过程更加轻松。给定目标(URL, IP或HASH)或充满目标的文件, Automater将从以下来源返回相关结果:IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, 实验室。 Alienvault.com, ThreatExpert, VxVault和VirusTotal。使用此工具, 你可以验证域是否被标记为恶意软件, 以及文件是否被标记为恶意软件。
在此处访问项目的官方Github存储库以获取更多信息。
测试例
automater的用法非常简单明了, 因此你可以通过示例了解其工作方式:
扫描网站
automater命令行工具的结构非常简单:
automater [-h] [-o OUTPUT] [-w WEB] [-c CSV] [-d DELAY] [-s SOURCE][--p] target- -h或–help:显示帮助消息并退出。
- -o或–output:将结果输出到文件中。
- -w或–web:将结果输出到html文件。
- -c或–csv:将结果输出到CSV文件。
- -d或–delay:这会将延迟更改为输入的秒数。
- -s或–source:此选项将仅针对特定的源引擎运行目标以提取关联的域。选项在XML配置文件的siteelement的name属性中定义。
要开始对URL(在本例中为diablo3keygen.net)进行扫描, 你只需执行以下命令即可:
automater diablo3keygen.net扫描多个网站
要使用自动机同时扫描多个网站, 可以将要扫描的所有地址保存在一个新的文本文件(.txt)中。文件中的每一行都代表一个要扫描的地址(list.txt):
facebook.com
ourcodeworld.com
diablo3keygen.net然后使用以下命令开始扫描:
automater list.txt通过哈希
我们将使用病毒的哈希标识符来测试自动机。该文件是一种称为” CRDF.Trojan.Virus.Win32.Zbot3182957456″的恶意软件, 可以使用以下命令执行测试:
# With the MD5 hash
automater 44A6A7D4A039F7CC2DB6E85601F6D8C1
# Or with the sha256 hash
automater 9b8cdbd216044d13413efee6c20c5da080da30a9aacabeeeb5cea66e96104645在终端中执行任何先前的命令应生成以下输出:
Results found for: 44A6A7D4A039F7CC2DB6E85601F6D8C1 ____________________
[+] MD5 found on VT: 1
[+] Scan date submitted: 2016-03-01 07:38:00
[+] Detected Engines: 42
[+] Total Engines: 56
[+] Vendor | Classification: ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('nProtect', 'Trojan/W32.Blocker.1429504')
[+] Vendor | Classification: ('CAT-QuickHeal', 'TrojanPWS.Zbot.Gen')
[+] Vendor | Classification: ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
[+] Vendor | Classification: ('Malwarebytes', 'Trojan.Dropper.UPT')
[+] Vendor | Classification: ('Zillya', 'Trojan.Zbot.Win32.145968')
[+] Vendor | Classification: ('AegisLab', 'Troj.W32.Generic!c')
[+] Vendor | Classification: ('BitDefender', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('K7GW', 'Trojan ( 004904bd1 )')
[+] Vendor | Classification: ('K7AntiVirus', 'Trojan ( 004904bd1 )')
[+] Vendor | Classification: ('Agnitum', 'Trojan.Blocker!tq8JK8ba1bk')
[+] Vendor | Classification: ('Symantec', 'Trojan.Gen.2')
[+] Vendor | Classification: ('Avast', 'Win32:CeeInject-Y [Trj]')
[+] Vendor | Classification: ('Kaspersky', 'HEUR:Trojan.Win32.Generic')
[+] Vendor | Classification: ('NANO-Antivirus', 'Trojan.Win32.Zbot.cqnsrz')
[+] Vendor | Classification: ('Ad-Aware', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('Sophos', 'Troj/HkMain-DF')
[+] Vendor | Classification: ('Comodo', 'TrojWare.Win32.UMal.~A')
[+] Vendor | Classification: ('F-Secure', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('DrWeb', 'Trojan.DownLoader9.22851')
[+] Vendor | Classification: ('VIPRE', 'Trojan.Win32.Fareit.if (v)')
[+] Vendor | Classification: ('TrendMicro', 'TROJ_GEN.R047C0CBT16')
[+] Vendor | Classification: ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
[+] Vendor | Classification: ('Jiangmin', 'Backdoor/Pushdo.ady')
[+] Vendor | Classification: ('Avira', 'TR/Rogue.1428744')
[+] Vendor | Classification: ('Microsoft', 'VirTool:Win32/CeeInject.gen!KK')
[+] Vendor | Classification: ('Arcabit', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('AhnLab-V3', 'Spyware/Win32.Zbot')
[+] Vendor | Classification: ('GData', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('ALYac', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('AVware', 'Trojan.Win32.Fareit.if (v)')
[+] Vendor | Classification: ('VBA32', 'Trojan.Zbot.2813')
[+] Vendor | Classification: ('Tencent', 'Win32.Trojan.Generic.Pdco')
[+] Vendor | Classification: ('Ikarus', 'Virus.Win32.CeeInject')
[+] Vendor | Classification: ('Fortinet', 'W32/Generic.AC.2250672')
[+] Vendor | Classification: ('Baidu-International', 'Trojan.Win32.Injector.ASFC')
[+] Vendor | Classification: ('Qihoo-360', 'Win32/Trojan.886')
[+] Hash found at ThreatExpert: No results found
[+] Malicious Indicators from ThreatExpert: No results found
[+] Date found at VXVault: No results found
[+] URL found at VXVault: No results found
[+] Malc0de Date: No results found
[+] Malc0de IP: No results found
[+] Malc0de Country: No results found
[+] Malc0de ASN: No results found
[+] Malc0de ASN Name: No results found
[+] Malc0de MD5: No results found
No results found in the THMD5使用特定工具进行扫描
你不必运行所有在线工具的分析, 而只能运行所需的工具。例如, 要仅在Virus Total或Threat Expert中对散列进行扫描, 可以使用-s参数指定扫描:
# Run with Virus Total
automater -s virustotal [URL to scan]
# Or with Threat Expert
automater -s threatexpert [URL to scan]创建自己的分析脚本
你可以自动执行此过程, 并在自己的工具中使用它。我们已经编写了一个可以用Node.js执行的脚本, 你只需要替换urlOrHashToScan变量并运行它即可:
var exec = require('child_process').exec;
var fs = require('fs');
var outputFile = "/root/hacking/report.csv";
var urlOrHashToScan = "44A6A7D4A039F7CC2DB6E85601F6D8C1";
exec(`automater ${urlOrHashToScan} --csv ${outputFile}`, (error, stdout, stderr) => {
if (error) {
console.error(`exec error: ${error}`);
return;
}
if (fs.existsSync(outputFile)) {
var CSV_DATA = fs.readFileSync(outputFile, "utf8");
var ParsedCSV = parseCSV(CSV_DATA);
// Print every item in the array
ParsedCSV.forEach((item) => {
console.log(item.join(" | "));
});
}else{
console.log(`stderr: ${stderr}`);
}
});
/**
* Wrapped csv line parser
* @param s string delimited csv string
* @param sep separator override
* @attribution : http://www.greywyvern.com/?post=258 (comments closed on blog :( )
*/
function parseCSV(s, sep) {
// http://stackoverflow.com/questions/1155678/javascript-string-newline-character
var universalNewline = /\r\n|\r|\n/g;
var a = s.split(universalNewline);
for (var i in a) {
for (var f = a[i].split(sep = sep || ", "), x = f.length - 1, tl; x >= 0; x--) {
if (f[x].replace(/"\s+$/, '"').charAt(f[x].length - 1) == '"') {
if ((tl = f[x].replace(/^\s+"/, '"')).length > 1 && tl.charAt(0) == '"') {
f[x] = f[x].replace(/^\s*"|"\s*$/g, '').replace(/""/g, '"');
} else if (x) {
f.splice(x - 1, 2, [f[x - 1], f[x]].join(sep));
} else f = f.shift().split(sep).concat(f);
} else f[x].replace(/""/g, '"');
} a[i] = f;
}
return a;
}具有给定哈希值的脚本的输出将如下所示:
Target | Type | Source | Result
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Found | 1
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Date | 2016-03-01 07:38:00
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Detected | 42
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Engines | 56
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('nProtect', 'Trojan/W32.Blocker.1429504')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('CAT-QuickHeal', 'TrojanPWS.Zbot.Gen')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Malwarebytes', 'Trojan.Dropper.UPT')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Zillya', 'Trojan.Zbot.Win32.145968')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AegisLab', 'Troj.W32.Generic!c')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('BitDefender', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('K7GW', 'Trojan ( 004904bd1 )')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('K7AntiVirus', 'Trojan ( 004904bd1 )')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Agnitum', 'Trojan.Blocker!tq8JK8ba1bk')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Symantec', 'Trojan.Gen.2')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Avast', 'Win32:CeeInject-Y [Trj]')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Kaspersky', 'HEUR:Trojan.Win32.Generic')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('NANO-Antivirus', 'Trojan.Win32.Zbot.cqnsrz')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Ad-Aware', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Sophos', 'Troj/HkMain-DF')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Comodo', 'TrojWare.Win32.UMal.~A')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('F-Secure', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('DrWeb', 'Trojan.DownLoader9.22851')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('VIPRE', 'Trojan.Win32.Fareit.if (v)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('TrendMicro', 'TROJ_GEN.R047C0CBT16')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Jiangmin', 'Backdoor/Pushdo.ady')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Avira', 'TR/Rogue.1428744')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Microsoft', 'VirTool:Win32/CeeInject.gen!KK')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Arcabit', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AhnLab-V3', 'Spyware/Win32.Zbot')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('GData', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('ALYac', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AVware', 'Trojan.Win32.Fareit.if (v)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('VBA32', 'Trojan.Zbot.2813')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Tencent', 'Win32.Trojan.Generic.Pdco')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Ikarus', 'Virus.Win32.CeeInject')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Fortinet', 'W32/Generic.AC.2250672')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Baidu-International', 'Trojan.Win32.Injector.ASFC')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Qihoo-360', 'Win32/Trojan.886')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | TE Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | TE Indicators | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | Vx Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | Vx URL | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC IP | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC Country | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC ASN | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC ASN Name | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC MD5 | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | THMD5 | No results found
你会看到自动机是非常有用的工具, 可用于调查你认为可能是恶意软件的可疑URL。由于你无需访问所有这些网站来手动扫描URL, 它将为你节省大量的研究时间。
快乐分析!
评论前必须登录!
注册