Debugging Toolbar For Rack Applications Implemented As Middleware - Rack-Bug

Rack::Bug adds a diagnostics toolbar to Rack apps. When enabled, it injects a floating div allowing exploration of logging, database queries, template rendering times, etc.


Features

• Password-based security
• IP-based security
• Rack::Bug instrumentation/reporting is broken up into panels.
  • Panels in default configuration:
    • Rails Info
    • Timer
    • Request Variables
    • SQL
    • Active Record
    • Cache
    • Templates
    • Log
    • Memory
  • Other bundled panels:
    • Redis
    • Sphinx
  • The API for adding your own panels is simple and powerful

Rails quick start

script/plugin install git://github.com/brynary/rack-bug.git

In config/environments/development.rb, add:

config.middleware.use "Rack::Bug",
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring"

Add the bookmarklet to your browser:

open http://RAILS_APP/__rack_bug__/bookmarklet.html

Using with non-Rails Rack apps

Just 'use Rack::Bug' as any other middleware. See the SampleApp in the spec/fixtures folder for an example Sinatra app.
If you wish to use the logger panel define the LOGGER constant that is a ruby Logger or ActiveSupport::BufferedLogger


Configuring custom panels

Specify the set of panels you want, in the order you want them to appear:

require "rack/bug"

ActionController::Dispatcher.middleware.use Rack::Bug,
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
  :panel_classes => [
    Rack::Bug::TimerPanel,
    Rack::Bug::RequestVariablesPanel,
    Rack::Bug::RedisPanel,
    Rack::Bug::TemplatesPanel,
    Rack::Bug::LogPanel,
    Rack::Bug::MemoryPanel
  ]

Running Rack::Bug in staging or production

We have have found that Rack::Bug is fast enough to run in production for specific troubleshooting efforts.

Configuration

Add the middleware configuration to an initializer or the appropriate environment files, taking the rest of this section into consideration.

Security

Restrict access to particular IP addresses:

require "ipaddr"

ActionController::Dispatcher.middleware.use "Rack::Bug"
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
  :ip_masks   => [IPAddr.new("2.2.2.2/0")]

Restrict access using a password:

ActionController::Dispatcher.middleware.use "Rack::Bug",
  :secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
  :password   => "yourpassword"

Authors

• Maintained by Bryan Helmkamp
• Contributions from Luke Melia, Joey Aghion, Tim Connor, and more

Development

For development, you'll need to install the following gems: rspec, rack-test, webrat, sinatra

Download Rack-Bug

Read More

Automated Security Assessment Reporting Tool - Guinevere

This tool works with Gauntlet (a private tool) to automate assessment reporting.

Main features include:

• Generate Assessment Report
• Export Assessment
• Generate Retest Report
• Generate Pentest Checklist

Generate Assessment Report

This option will generate you .docx report based on the vulnerabilities identified during an assessment. The report will contain a bullet list of findings, the vulnerability report write-up, and a table of interesting hosts to include host names and ports. Each report write up automatically calculates the number of affected hosts and updates the report verbiage accordingly.

Export Assessment

An SQL dump of the assessment data from gauntlet will be export to a .sql file. This file can later be imported into by other analysts.

Generate Retest Report

A .docx retest report will be generated. The tool will evaluate the original assessment findings against the retest findings. The retest findings don't need to be ranked as only the severity level of a vulnerability found in the orginial assessment will be used. New vulnerabilities and new hosts found during the retest will also be ignored. The report will contain a list of vulnerabilities along with their status (Remediated, Partially Remediated, or Not Remediated). A table will also be provided that contains hosts that are still vulnerable. A statistics table is also provided to be used with building graphs or charts.

Generate Pentest Checklist - BETA

The Pentest Checklist is an HTML document used for information managment while conducting a pentest. The generated report provides the analyst with a list of host and their open ports along with space for note taking. This is stil under development and provides basic functionalty. The data is retrieved from the Gauntlet database. The "-T" flag can be used to display out from tools such as Nessus but is very verbose.

Usage

usage: Guinevere.py [-h] [-H DB_HOST] [-U DB_USER] [-P DB_PASS] [-p DB_PORT]
                    [-l LINES] [-A] [-V] [-sC] [-sH] [-sM] [-sL] [-sI] [-aD]
                    [-T]

optional arguments:
  -h, --help            show this help message and exit
  -H DB_HOST, --db-host DB_HOST
                        MySQL Database Host. Default set in script
  -U DB_USER, --db-user DB_USER
                        MySQL Database Username. Default set in script
  -P DB_PASS, --db-pass DB_PASS
                        MySQL Database Password. Default set in script
  -p DB_PORT, --db-port DB_PORT
                        MySQL Database Port. Default set in script
  -l LINES, --lines LINES
                        Number of lines to display when selecting an engagement. Default is 10
  -A, --all-vulns       Include all vulnerability headings when there are no associated report narratives
  -V, --all-verb        Include all vureto vulnerability verbiage when there are no associated report narratives
  -sC                   Exclude Critical-Severity Vulnerabilities
  -sH                   Exclude High-Severity Vulnerabilities
  -sM                   Exclude Medium-Severity Vulnerabilities
  -sL                   Include Low-Severity Vulnerabilities
  -sI                   Include Informational-Severity Vulnerabilities
  -aD, --assessment-date
                        Include the date when selecting an assessment to report on
  -T, --tool-output     Include Tool Output When Printing G-Checklist

Download Guinevere

Read More

Tool for easy use of Human Interface Devices for offensive security and penetration testing - Kautilya

 

Kautilya is a toolkit which provides various payloads for a Human Interface Device which may help in breaking in a computer during penetration tests.

List of Payloads

Windows

Gather

• Gather Information
• Hashdump and Exfiltrate
• Keylog and Exfiltrate
• Sniffer
• WLAN keys dump
• Get Target Credentials
• Dump LSA Secrets
• Dump passwords in plain
• Copy SAM
• Dump Process Memory
• Dump Windows Vault Credentials

Execute

• Download and Execute
• Connect to Hotspot and Execute code
• Code Execution using Powershell
• Code Execution using DNS TXT queries
• Download and Execute PowerShell Script
• Execute ShellCode
• Reverse TCP Shell

Backdoor

• Sethc and Utilman backdoor
• Time based payload execution
• HTTP backdoor
• DNS TXT Backdoor
• Wireless Rogue AP
• Tracking Target Connectivity
• Gupt Backdoor

Escalate

• Remove Update
• Forceful Browsing

Manage

• Add an admin user
• Change the default DNS server
• Edit the hosts file
• Add a user and Enable RDP
• Add a user and Enable Telnet
• Add a user and Enable Powershell Remoting

Drop Files

• Drop a MS Word File
• Drop a MS Excel File
• Drop a CHM (Compiled HTML Help) file
• Drop a Shortcut (.LNK) file
• Drop a JAR file

Misc

• Browse and Accept Java Signed Applet
• Speak on Target

Linux

• Download and Execute
• Reverse Shells using built in tools
• Code Execution
• DNS TXT Code Execution
• Perl reverse shell (MSF)

OSX

• Download and Execute
• DNS TXT Code Execution
• Perl Reverse Shell (MSF)
• Ruby Reverse Shell (MSF)

Payloads Compatibility

• The Windows payloads and modules are written mostly in powershell (in combination with native commands) and are tested on Windows 7 and Windows 8.
  
• The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.
  
• The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on a VMWare
  

Usage

Run kautilya.rb and follow the menus. Kautilya asks for your inputs for various options. The generated payload is copied to the output directory of Kautilya.
The generated payload is an arduino sketch, ready to be used with Arduino IDE. Burn it to Human Interface Device of your choice and have fun!

Supported Human Interface Devices

In principal Kautilya should work with any HID capable of acting as a keyboard. Kautilya has been tested on Teensy++2.0 and Teensy 3.0 from pjrc.com. Updates about Kautilya can be found most of the times at my blog http://labofapenetrationtester.com/ and google group.

User Group

For any queries, discussions and feedback, post to official google group http://groups.google.com/group/kautilya-users or mail me at nikhil d0t uitrgpv at gmail.com

Bugs and Feature requests

Raise an issue or post to the google group.

Dependencies

Kautilya needs colored, highline and artii (and win32console on Windows) gems. Use
bundle install
to install all the required gems.

Download Kautilya

Read More

A JavaScript Static Security Analysis Tool - Jsprime

Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps.

But the problem is, many developers practice insecure coding which leads to many client side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A JavaScript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat.

I would like to highlight some of the interesting features of the tool below:

• JS Library Aware Source & Sinks
• Most dynamic or static analyzers are developed to support native/pure JavaScript which actually is a problem for most developers since the introductions and wide-adoption for JavaScript frameworks/libraries like jQuery, YUI etc. Since these scanners are designed to support pure JavaScript, they fail at understanding the context of the development due to the usage of libraries and produce many false-positives and false-negatives. To solve this we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI, for the initial release and we shall talk about how users can easily extend it for other frameworks.
• Variable & Function Tracing (This feature is a part of our code flow analysis algorithm)
• Variable & Function Scope Aware analysis (This feature is a part of our code flow analysis algorithm)
• Known filter function aware
• OOP & Protoype Compliant
• Minimum False Positive alerts
• Supports minified JavaScript
• Blazing fast performance
• Point and Click :-) (my personal favorite)

Upcoming features:

• Automatic code de-obfuscation & decompression through Hybrid Analysis (Ra.2 improvisation; http://code.google.com/p/ra2-dom-xss-scanner )
• ECMAScript family support (ActionScript 3, Node.JS, WinJS)

Links

• Test Cases
• Sources & Sinks
• BlackHat Slides

Usage

Web Client

Open "index.html" in your browser.

Server-Side (Node.JS)

1. In the terminal type "node server.js"
2. Go to 127.0.0.1:8888 in your browser.

Download Jsprime

Read More

A tool to find and exploit servers vulnerable to Shellshock - Shocker

A tool to find and exploit servers vulnerable to Shellshock

Help Text

usage: shocker.py
-h, --help show this help message and exit
--Host HOST, -H HOST A target hostname or IP address
--file FILE, -f FILE File containing a list of targets
--port PORT, -p PORT The target port number (default=80)
--exploit EXPLOIT, -e EXPLOIT Command to execute (default=/bin/uname -a)
--cgi CGI, -c CGI Single CGI to check (e.g. /cgi-bin/test.cgi)
--proxy PROXY A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'
--ssl, -s Use SSL (default=False)
--threads THREADS, -t THREADS Maximum number of threads (default=10, max=100)
--verbose, -v Be verbose in output

Usage Examples

./shocker.py -H 127.0.0.1 -e "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi
Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat /etc/passwd
./shocker.py -H www.example.com -p 8001 -s
Scan www.example.com on port 8001 using SSL for all scripts in cgi_list and attempts the default exploit for any found
./shocker.py -f ./hostlist
Scans all hosts listed in the file ./hostlist with the default options

Dependencies

Python 2.7+

Change Log

Changes in version 0.72 (December 2014)

• Minor corrections to logic and typos

Changes in version 0.71 (December 2014)

• Added timeout to urllib2.urlopen requests using a global 'TIMEOUT'

Changes in version 0.7 (November 2014)

• Add interactive 'psuedo console' for further exploitation of a chosen vulnerable server
• Attemped to clean up output buffering issues by wrapping sys.stdout in a class which flushes on every call to write
• Added a progress indicator for use in time consuming tasks to reassure non vebose users

Changes in version 0.6 (October 2014)

• Preventing return codes other than 200 from being considered successes
• Added ability to specify multiple targets in a file
• Moved the 'cgi_list' list of scripts to attempt to exploit to a file
• Fixed some output formatting issues
• Fixed valid hostname/IP regex to allow single word hostnames

Changes in version 0.5 (October 2014)

• Added ability to specify a single script to target rather than using cgi_list
• Introduced a timeout on socket operations for host_check
• Added some usage examples in the script header
• Added an epilogue to the help text indicating presence of examples

Changes in version 0.4 (October 2014)

• Introduced a thread count limit defaulting to 10
• Removed colour support until I can figure out how to make it work in Windows and *nix equally well
• Spelling corrections
• More comprehensive cgi_list
• Removes success_flag from output

Pre 0.4 (October 2014)

• No idea

TODO

• Identify and respond correctly to HTTP/200 response - false positives - Low priority/hassle
• Implement curses for *nix systems - For the whole application or only psuedo terminal? - Low priority/prettiness
• Thread the initial host check now that multiple targets are supported (and could be make this bit time consuming)
• Change verbose to integer value - quiet, normal, verbose, debug?
• Add option to skip initial host checks for the sake of speed?
• Add a summary of results before exiting
• Save results to a file? Format?
• Eventually the idea is to include multiple possible vectors but currently only one is checked.
• Add Windows and *nix colour support - Low priority/prettiness
• Add a timeout in interactive mode for commands which don't return, e.g. /bin/cat /dev/zero
• Prettify - Low priority/pretinness (obviously)
• Add support for scanning and explointing SSH and SMTP? https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
• Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Rober Picard
• Other stuff. Probably.

Download Shocker

Read More

Public Malware Techniques Used In The Wild - Al-Khaser

al-khaser is a PoC malware with good intentions that aimes to stress your anti-malware system. It performs a bunch of nowadays malwares tricks and the goal is to see if you catch them all.

Possible uses

• You are making an anti-debug plugin and you want to check its effectiveness.
• You want to ensure that your sandbox solution is hidden enough.
• Or you want to ensure that your malware analysis environement is well hidden.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks

• IsDebuggerPresent
• CheckRemoteDebuggerPresent
• Process Environement Block (BeingDebugged)
• Process Environement Block (NtGlobalFlag)
• ProcessHeap (Flags)
• ProcessHeap (ForceFlags)
• NtQueryInformationProcess (ProcessDebugPort)
• NtQueryInformationProcess (ProcessDebugFlags)
• NtQueryInformationProcess (ProcessDebugObject)
• NtSetInformationThread (HideThreadFromDebugger)
• NtQueryObject (ObjectTypeInformation)
• NtQueryObject (ObjectAllTypesInformation)
• CloseHanlde (NtClose) Invalide Handle
• UnhandledExceptionFilter
• OutputDebugString (GetLastError())
• Hardware Breakpoints (SEH / GetThreadContext)
• Software Breakpoints (INT3 / 0xCC)
• Memory Breakpoints (PAGE_GUARD)
• Interrupt 0x2d
• Interrupt 1
• Parent Process (Explorer.exe)
• SeDebugPrivilege (Csrss.exe)
• NtYieldExecution / SwitchToThread

Anti-virtualization

• Virtualbox registry key values artifacts:
  • "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier)
  • HARDWARE\Description\System (SystemBiosVersion)
  • HARDWARE\Description\System (VideoBiosVersion)
  • HARDWARE\Description\System (SystemBiosDate)
• Virtualbox registry Keys artifacts
  • "HARDWARE\ACPI\RSDT\VBOX__"
  • "HARDWARE\ACPI\FADT\VBOX__"
  • "HARDWARE\ACPI\RSDT\VBOX__"
  • "SOFTWARE\Oracle\VirtualBox Guest Additions"
  • "SYSTEM\ControlSet001\Services\VBoxGuest"
  • "SYSTEM\ControlSet001\Services\VBoxMouse"
  • "SYSTEM\ControlSet001\Services\VBoxService"
  • "SYSTEM\ControlSet001\Services\VBoxSF"
  • "SYSTEM\ControlSet001\Services\VBoxVideo"
• Virtualbox file system artifacts:
  • "system32\drivers\VBoxMouse.sys"
  • "system32\drivers\VBoxGuest.sys"
  • "system32\drivers\VBoxSF.sys"
  • "system32\drivers\VBoxVideo.sys"
  • "system32\vboxdisp.dll"
  • "system32\vboxhook.dll"
  • "system32\vboxmrxnp.dll"
  • "system32\vboxogl.dll"
  • "system32\vboxoglarrayspu.dll"
  • "system32\vboxoglcrutil.dll"
  • "system32\vboxoglerrorspu.dll"
  • "system32\vboxoglfeedbackspu.dll"
  • "system32\vboxoglpackspu.dll"
  • "system32\vboxoglpassthroughspu.dll"
  • "system32\vboxservice.exe"
  • "system32\vboxtray.exe"
  • "system32\VBoxControl.exe"
• Virtualbox directories artifacts:
  • "oracle\virtualbox guest additions\"
• Virtualbox MAC Address:
  • "\x08\x00\x27"
• Virtualbox virtual devices:
  • "\\.\VBoxMiniRdrDN"
  • "\\.\VBoxGuest"
  • "\\.\pipe\VBoxMiniRdDN"
  • "\\.\VBoxTrayIPC"
  • "\\.\pipe\VBoxTrayIPC")
• Virtualbox Windows Class
  • VBoxTrayToolWndClass
  • VBoxTrayToolWnd
• Virtualbox network share
  • VirtualBox Shared Folders
• Virtualbox process list
  • vboxservice.exe
  • vboxtray.exe

Anti Dumping

• Erase PE header from memory

Code/DLL Injections techniques

• CreateRemoteThread
• SetWindowsHooksEx
• NtCreateThreadEx
• RtlCreateUserThread
• APC (QueueUserAPC / NtQueueApcThread)
• RunPE (GetThreadContext / SetThreadContext)

Timing Attacks

• Sleep -> SleepEx -> NtDelayExecution
• SetTimer (Standard Windows Timers)
• timeSetEvent (Multimedia Timers)

Download Al-Khaser

Read More

Tiny banker aka Tinba Source - Trojan Banker

Obs. I am not responsible for their actions, test in the virtual machine for not damage your real system.


Tinba got its name from its extraordinarily small size – its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy.

The program  encrypted with pass code and key file to security

Pass: offensivesec

Download Tiny Banker

Read More

Security Intelligence Collector - Machinae

Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints. It was inspired by Automater , another excellent tool for collecting information. The Machinae project was born from wishing to improve Automater in 4 areas:

1. Codebase - Bring Automater to python3 compatibility while making the code more pythonic
2. Configuration - Use a more human readable configuration format (YAML)
3. Inputs - Support JSON parsing out-of-the-box without the need to write regular expressions, but still support regex scraping when needed
4. Outputs - Support additional output types, including JSON, while making extraneous output optional

Installation

Machinae can be installed using pip3:

pip3 install machinae

Or, if you're feeling adventurous, can be installed directly from github:

pip3 install git+https://github.com/HurricaneLabs/machinae.git

You will need to have whatever dependencies are required on your system for compiling Python modules (on Debian based systems, python3-dev ), as well as the libyaml development package (on Debian based systems, libyaml-dev ).
You'll also want to grab the latest configuration file and place it in /etc/machinae.yml.

Configuration File

Machinae supports a simple configuration merging system to allow you to make adjustments to the configuration without modifying the machinae.yml we provide you, making configuration updates a snap. This is done by finding a system-wide default configuration (default /etc/machinae.yml ), merging into that a system-wide local configuration ( /etc/machinae.local.yml ) and finally a per-user local configuration ( ~/.machinae.yml ). The system-wide configuration can also be located in the current working directory, can be set using the MACHINAE_CONFIG environment variable, or of course by using the -c or --config command line options. Configuration merging can be disabled by passing the --nomerge option, which will cause Machinae to only load the default system-wide configuration (or the one passed on the command line).
As an example of this, say you'd like to enable the Fortinet Category site, which is disabled by default. You could modify /etc/machinae.yml , but these changes would be overwritten by an update. Instead, you can put the following in either /etc/machinae.local.yml or ~/.machinae.yml:

fortinet_classify:
  default: true

Or, conversely, to disable a site, such as Virus Total pDNS:

vt_ip:
  default: false
vt_domain:
  default: false

Usage

Machinae usage is very similar to Automater:

usage: machinae [-h] [-c CONFIG] [-d DELAY] [-f FILE] [--nomerge] [-o {D,J,N}]
                [-O {ipv4,ipv6,fqdn,email,sslfp,hash,url}] [-q] [-s SITES]
                targets [targets ...]

• See above for details on the -c / --config and --nomerge options.
  
• Machinae supports a -d / --delay option, like Automater. However, Machinae uses 0 by default.
  
• Machinae output is controlled by two arguments:
  
  • -o controls the output format, and can be followed by a single character to indicated the desired type of output:
    • N is the default output ("Normal")
    • D is the default output, but dot characters are replaced
    • J is JSON output
  • -f / --file specifies the file where output should be written. The default is "-" for stdout.
• Machinae will attempt to auto-detect the type of target passed in (Machinae refers to targets as "observables" and the type as "otype"). This detection can be overridden with the -O / --otype option. The choices are listed in the usage
  
• By default, Machinae operates in verbose mode. In this mode, it will output status information about the services it is querying on the console as they are queried. This output will always be written to stdout, regardless of the output setting. To disable verbose mode, use -q
  
• By default, Machinae will run through all services in the configuration that apply to each target's otype and are not marked as "default: false". To modify this behavior, you can:
  
  • Pass a comma separated list of sites to run (use the top level key from the configuration).
  • Pass the special keyword all to run through all services including those marked as "default: false"
  Note that in both cases, otype validation is still applied.
  
• Lastly, a list of targets should be passed. All arguments other than the options listed above will be interpreted as targets.
  

Out-of-the-Box Data Sources

Machinae comes with out-of-the-box support for the following data sources:

• IPVoid
• URLVoid
• URL Unshortener ( http://www.toolsvoid.com/unshorten-url )
• Malc0de
• SANS
• Telize GeoIP
• Fortinet Category
• VirusTotal pDNS (via web scrape - commented out)
• VirusTotal pDNS (via JSON API)
• VirusTotal URL Report (via JSON API)
• VirusTotal File Report (via JSON API)
• Reputation Authority
• ThreatExpert
• VxVault
• ProjectHoneypot
• McAfee Threat Intelligence
• StopForumSpam
• Cymru MHR
• ICSI Certificate Notary
• TotalHash (disabled by default)
• DomainTools Parsed Whois (Requires API key)
• DomainTools Reverse Whois (Requires API key)
• DomainTools Reputation
• IP WHOIS (Using RIR REST interfaces)

With additional data sources on the way.

Disabled by default

The following sites are disabled by default

• Fortinet Category ( fortinet_classify )
• TotalHash ( totalhash_ip )
• DomainTools Parsed Whois ( domaintools_parsed_whois )
• DomainTools Reverse Whois ( domaintools_reverse_whois )
• DomainTools Reputation ( domaintools_reputation )

Output Formats

Machinae comes with a limited set of output formats: normal, normal with dot escaping, and JSON. We plan to add additional output formats in the future.

Adding additional sites

*** COMING SOON ***

Known Issues

• Some ISP's on IPvoid contain double-encoded HTML entities, which are not double-decoded

Upcoming Features

• Add IDS rule search functionality (VRT/ET)
• Add "More info" link for sites
• Add "dedup" option to parser settings
• Add option for per-otype request settings
• Add custom per-site output for error codes

Version History

Version 1.2.0 (2016-02-16)

• New features
  • Support for sites returning multiple JSON documents
  • Ability to specify time format for relative time parameters
  • Ability to parse Unix timestamps in results and display in ISO-8601 format
  • Ability to specify status codes to ignore per-API
• New sites
  • DNSDB - FarSight Security Passive DNS Data base (premium)

Version 1.1.2 (2015-11-26)

• New sites
  • Telize (premium) - GeoIP site (premium)
  • Freegeoip - GeoIP site (free)
  • CIF - CIFv2 API support, from csirtgadgets.org
• New features
  • Ability to specify labels for single-line multimatch JSON outputs
  • Ability to specify relative time parameters using relatime library

Version 1.0.1 (2015-10-13)

• Fixed a false-positive bug with Spamhaus (Github#10)

Version 1.0.0 (2015-07-02)

• Initial release

Download Machinae

Read More