Automater
Other articles on Automater:
- Automater Output Format and Modifications
- The Exensibility of Automater
- Finally the New Automater Release is Out
Description: Automater is a URL/Domain, IP Address, and Md5 Hash OSINT tool aimed at making the analysis process easier for intrusion Analysts. Given a target (URL, IP, or HASH) or a file full of targets Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal.
*Automater is installed on HoneyDrive and Kali by default but currently have an outdated version.
Installation:
Automater comes in two flavors, python script that will work for Linux or Windows, and an exe for Windows.
Windows:
The Windows client is currently in development. In the meantime the python code will work on Windows with a python 2.7 install
Linux:
As this is a python script you will need to ensure you have the correct version of python, which for this script is python 2.7. I used mostly standard libraries, but just incase you don't have them, here are the libraries that are required: httplib2, re, sys, argparse, urllib, urllib2
With the python and the libraries out of the way, you can simply use git to clone the tekdefense code to your local machine.
git clone https://github.com/1aN0rmus/TekDefense-Automater.git
If you don't have git installed you can simply download the script from https://github.com/1aN0rmus/TekDefense-Automater/archive/master.zip
Usage:
Once installed the usage is pretty much the same across Windows, Linux, and Kali.
python Automater.py -h
or if you chmod +x Automater.py you can
./Automater.py -h
usage: Automater.py [-h] [-o OUTPUT] [-w WEB] [-c CSV] [-d DELAY] [-s SOURCE]
[--p]
target
IP, URL, and Hash Passive Analysis tool
positional arguments:
target List one IP Addresses, URL or Hash to query or pass
the filename of a file containing IP Addresses, URL or
Hash to query each separated by a newline.
optional arguments:
-h, --help show this help message and exit
-o OUTPUT, --output OUTPUT
This option will output the results to a file.
-w WEB, --web WEB This option will output the results to an HTML file.
-c CSV, --csv CSV This option will output the results to a CSV file.
-d DELAY, --delay DELAY
This will change the delay to the inputted seconds.
Default is 2.
-s SOURCE, --source SOURCE
This option will only run the target against a
specific source engine to pull associated domains.
Options are defined in the name attribute of the site
element in the XML configuration file
--p This option tells the program to post information to
sites that allow posting. By default the program will
NOT post to sites that require a post.
To run Automater against a target ip, hash, url, or file simply type
Python Automater.py <target>
python Automater.py 37.221.161.215
[*] Checking https://robtex.com/37.221.161.215
[*] Checking http://www.fortiguard.com/ip_rep/index.php?data=37.221.161.215&lookup=Lookup
[*] Checking http://www.alienvault.com/apps/rep_monitor/ip/37.221.161.215
[*] Checking https://www.virustotal.com/en/ip-address/37.221.161.215/information/
[*] Checking http://www.ipvoid.com/scan/37.221.161.215
____________________ Results found for: 37.221.161.215 ____________________
[+] A records from Robtex.com: vm1033.gigaservers.net
[+] Fortinet URL Category: Unclassified
[+] Found in AlienVault reputation DB: http://www.alienvault.com/apps/rep_monitor/ip/37.221.161.215
No results found for: [+] pDNS data from VirusTotal:
[+] pDNS malicious URLs from VirusTotal: ('2013-12-03', 'http://37.221.161(.)215/')
[+] pDNS malicious URLs from VirusTotal: ('2013-11-30', 'http://37.221.161(.)215/')
[+] pDNS malicious URLs from VirusTotal: ('2013-11-29', 'http://37.221.161(.)215/crypted.exe%5B/')
No results found for: [+] Blacklist from IPVoid:
[+] ISP from IPvoid: Voxility S.R.L.
[+] Country from IPVoid: (RO) Romania
python Automater.py 44A6A7D4A039F7CC2DB6E85601F6D8C1
[*] Checking https://www.virustotal.com/vtapi/v2/file/report
[*] Checking http://www.threatexpert.com/report.aspx?md5=44A6A7D4A039F7CC2DB6E85601F6D8C1
[*] Checking http://vxvault.siri-urz.net/ViriList.php?MD5=44A6A7D4A039F7CC2DB6E85601F6D8C1
____________________ Results found for: 44A6A7D4A039F7CC2DB6E85601F6D8C1 ____________________
[+] MD5 found on VT: 1
[+] Scan date submitted: 2013-11-29 18:49:10
[+] # of virus engines detected on: 18
[+] # of total scan engines: 48
[+] Malware detected on: ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
[+] Malware detected on: ('Malwarebytes', 'Trojan.Zbot')
[+] Malware detected on: ('Symantec', 'Trojan.Gen.2')
[+] Malware detected on: ('Norman', 'Suspicious_Gen4.FLCRK')
[+] Malware detected on: ('Avast', 'Win32:Agent-ASJS [Trj]')
[+] Malware detected on: ('BitDefender', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('Ad-Aware', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('Sophos', 'Mal/Generic-S')
[+] Malware detected on: ('McAfee-GW-Edition', 'PWSZbot-FKQ!44A6A7D4A039')
[+] Malware detected on: ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
[+] Malware detected on: ('AhnLab-V3', 'Spyware/Win32.Zbot')
[+] Malware detected on: ('GData', 'Trojan.Downloader.JQGE')
[+] Malware detected on: ('Fortinet', 'W32/Injector.ASCL!tr')
[+] Hash found at ThreatExpert: 29 November 2013, 06:03:06
[+] Malicious Indicators from ThreatExpert: Downloads/requests other files from Internet.
[+] Date found at VXVault: 11-29
[+] URL found at VXVault: 37.221.161.215/crypted(.)exe
Automater.py diablo3keygen(.)net
[*] Checking http://www.fortiguard.com/ip_rep/index.php?data=diablo3keygen.net&lookup=Lookup
[*] Checking http://unshort.me/index.php?r=diablo3keygen.net
[*] Checking http://www.urlvoid.com/scan/diablo3keygen.net
[*] Checking https://www.virustotal.com/en/domain/diablo3keygen.net/information/
____________________ Results found for: diablo3keygen(.)net ____________________
[+] Fortinet URL Category: Unclassified
[+] URL redirects to: http://diablo3keygen(.)net
[+] IP from URLVoid: 182.18.143.140
[+] Blacklist from URLVoid: http://www.mywot.com/en/scorecard/diablo3keygen.net"
[+] Blacklist from URLVoid: http://trafficlight.bitdefender.com/info?url=http://diablo3keygen.net"
[+] Domain Age from URLVoid: 2013-08-26 (3 months ago)
[+] Geo Coordinates from URLVoid: 20 / 77
[+] Country from URLVoid: (IN) India
[+] pDNS data from VirusTotal: ('2013-11-28', '182.18.143.140')
[+] pDNS data from VirusTotal: ('2012-12-01', '31.3.152.106')
[+] pDNS malicious URLs from VirusTotal: ('2013-12-02', 'http://diablo3keygen(.)net/')
[+] pDNS malicious URLs from VirusTotal: ('2013-11-28', 'http://diablo3keygen(.)net/')
Checking a single source can be done by using –s
python Automater.py -s ipvoid 11.11.11.11
[*] Checking http://www.ipvoid.com/scan/11.11.11.11
____________________ Results found for: 11.11.11.11 ____________________
No results found for: [+] Blacklist from IPVoid:
[+] ISP from IPvoid: DoD Network Information Center
[+] Country from IPVoid: (US) United States
By default, if Automater does not find data available it will not submit the target to that site to get data. If you would like Automater to use an HTTP POST to send target data to a source like IPVoid or URLVoid use –p
c:\downloads\TekDefense-Automater-Private-master\TekDefense-Automater-Private-master>python Automater.py 11.11.12.56 --p
[*] Checking https://robtex.com/11.11.12.56
[*] Checking http://www.fortiguard.com/ip_rep/index.php?data=11.11.12.56&lookup=Lookup
[*] Checking http://www.alienvault.com/apps/rep_monitor/ip/11.11.12.56
[*] Checking https://www.virustotal.com/en/ip-address/11.11.12.56/information/
[*] Checking http://www.ipvoid.com/scan/11.11.12.56
[-] This target requires a submission. Submitting now, this may take a moment.
____________________ Results found for: 11.11.12.56 ____________________
No results found in the RobTex DNS
[+] Fortinet URL Category: Unclassified
[+] Found in AlienVault reputation DB: http://www.alienvault.com/apps/rep_monitor/ip/11.11.12.56
No results found for: [+] pDNS data from VirusTotal:
No results found for: [+] pDNS malicious URLs from VirusTotal:
No results found for: [+] Blacklist from IPVoid:
[+] ISP from IPvoid: DoD Network Information Center
[+] Country from IPVoid: (US) United States
There are also new output methods. –o will output to a file in the same format that is printed to screen, -c will output a csv, and –w will output an html file.
python Automater.py test.txt -o test.out -c test.csv -w test.html
As you may have noticed, it does take Automater a little longer to run then it used to. That is because we implemented a delay of 2 seconds between requests to ensure we don’t bog down the sources. You can modify this delay with a –d <number of seconds>.
python Automater.py test.txt -o test.out -c test.csv -w test.html –d 5
Sites.xml
Automater is now very easily extensible even for those that are not familiar with python. All the sources that are queried and what they are queried for are contained in sites.xml. This must be in the same directory as Automater.py and all the other .py’s that Automater ships with. I will update this page soon with instructions on how to modify the xml file, but in the meantime if you take a look at the current entries it is pretty self-explanatory.