GithubHelp home page GithubHelp logo

hartl3y94 / ph0neutria Goto Github PK

View Code? Open in Web Editor NEW

This project forked from phage-nz/ph0neutria

0.0 0.0 0.0 30.3 MB

ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.

License: Apache License 2.0

Python 97.93% Shell 2.07%

ph0neutria's Introduction

ph0neutria

ph0neutria malware crawler
v1.0.1
https://github.com/phage-nz/ph0neutria

Note: This project is not actively maintained.

About

ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.

This project was inspired by Ragpicker (https://github.com/robbyFux/Ragpicker, formerly known as "Malware Crawler"). However, ph0neutria aims to:

  • Limit the scope of crawling to only frequently updated and reliable sources.
  • Maximise the effectiveness of individual indicators.
  • Offer a single, reliable and well organised storage mechanism.
  • Not do work that can instead be done by Viper.

What does the name mean? "Phoneutria nigriventer" is commonly known as the Brazillian Wandering Spider: https://en.wikipedia.org/wiki/Brazilian_wandering_spider

Sources

As of version 1.0.0 all sources are created as 'plugins', found in the plugin sub-directory of the core scripts folder. Default sources are:

  • 0xffff0800's Malware Library (credit: http://0day.coffee).
  • CleanMX (requires approved user-agent).
  • Cymon, which includes: Abuse.ch trackers, Bambenek C2 feed, Cyber Crime Tracker, Malc0de, URLVir and VX Vault.
  • Hybrid Analysis (requires vetted API key).
  • OTX.
  • Shodan, using the Malware Hunter search facility.
  • URLhaus.

Each plugin has parameters that must be completed prior to operation. You'll find these at the top of each plugin file.

VirusTotal is a core component of ph0neutria that cannot be disabled. IP lists are fed into it to discover URL's that are known for the IP's. If you have a standard 5 request/minute API key then I'd encourage being conservative with what you feed it. You can do this by:

  • Reducing the number of Cymon feeds.
  • Reducing your OTX subscription count.
  • Setting the Hybrid Analysis SCORE_MIN parameter to 100.

Screenshots

CLI
CLI
CLI
Web
Web
Web

Version Notes

  • 0.6.0: Tor proxying requires pysocks (pip install pysocks) and at least version 2.10.0 of python requests for SOCKS proxy support.
  • 0.9.0: OSINT functionality pulled from Phage Malware Tracker (private project) - requires VirusTotal API key. More robust retrieval of wild files. Local URL and hash caching (reduces API load).
  • 0.9.1: Updated to use V3 Viper API. No longer compatiable with V2.
  • 1.0.0: Major update. Pull from Safari Guide malware pipeline. Plugin architecture. Python 3.0.
  • 1.0.1: Source update (added 0xffff0800's library). Samples can now be tagged with VirusTotal sourced classification.

Installation

The following script will install ph0neutria along with Viper and Tor:

wget https://raw.githubusercontent.com/phage-nz/ph0neutria/master/install.sh  
chmod +x install.sh  
sudo ./install.sh

Simple as that!

Optional:

Configure additional ClamAV signatures:

cd /tmp  
git clone https://github.com/extremeshok/clamav-unofficial-sigs  
cd clamav-unofficial-sigs  
cp clamav-unofficial-sigs.sh /usr/local/bin  
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh  
mkdir /etc/clamav-unofficial-sigs  
cp config/* /etc/clamav-unofficial-sigs  
cd /etc/clamav-unofficial-sigs

Rename os..conf to os.conf, for example:

mv os.ubuntu.conf os.conf

Modify configuration files:

  • master.conf: search for "Enabled Databases" and enable/disable desired sources.
  • user.conf: uncomment the required lines for sources you have enabled and complete them. user.conf overrides master.conf. You must uncomment user_configuration_complete="yes" once you've completed setup for the following commands to succeed.

For more configuration info see: https://github.com/extremeshok/clamav-unofficial-sigs

mkdir /var/log/clamav-unofficial-sigs  
clamav-unofficial-sigs.sh --install-cron  
clamav-unofficial-sigs.sh --install-logrotate  
clamav-unofficial-sigs.sh --install-man  
clamav-unofficial-sigs.sh  
cd /tmp/clamav-unofficial-sigs  
cp systemd/\* /etc/systemd  
cd ..  
rm -rf clamav-unofficial-sigs*

It'll take a while to pull down the new signatures - during which time ClamAV may not be available.

Usage

Take precautions when piecing together your malware zoo:

Ensure Tor is started:

service tor restart

Start the Viper API and web interface:

cd /opt/viper  
sudo -H -u spider python3 viper-web

Take note of the admin password that is created when Viper is started. Use this to log into http://<viper IP\>:<viper port>/admin (default: http://127.0.0.1:8080/admin) and retrieve the API token from the Tokens page.

The main Viper web interface will be available at http://<viper IP>:<viper port> (default: http://127.0.0.1:8080).

  • Complete the config file at: /opt/ph0neutria/core/config/settings.conf
  • Complete the parameters at the top of each plugin. If you wish to disable the plugin, set DISABLED = True: /opt/ph0neutria/core/plugins/*.py

Start ph0neutria:

cd /opt/ph0neutria  
sudo -H -u spider python3 run.py

You can press Ctrl+C at any time to kill the run. You are free to run it again as soon as you'd like - you can't end up with database duplicates.

To run this daily, create a script in /etc/cron.daily with the following:

#!/bin/bash  
cd /opt/ph0neutria && sudo -H -u spider python3 run.py*

Tags and Notes

Tags:
{1},{2},{3}

  • Date stamp.
  • Sample domain.
  • Host ASN.
  • Host country.

Notes:
{1)({2}) via {3}

  • Sample URL.
  • Host IP address.
  • URL source.

The original name of the file forms the identifying name within Viper.

References

ph0neutria's People

Contributors

daemon604 avatar maxou56800 avatar phage-nz avatar rmarsollier avatar srcr avatar the-c0d3r avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.