Sooty can currently:
- Sanitise URLs to be safe to send in emails
- Perform reverse DNS and DNS lookups
- Perform reputation checks from:
- Check if an IP address is a TOR exit node
- Decode Proofpoint URLs and UTF-8 encoded URLs
- Get file hashes and compare them against VirusTotal (see requirements)
- Perform WhoIs Lookups
- Check Usernames and Emails against HaveIBeenPwned to see if a breach has occurred.
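As an added example of the URL and hash handling these features describe (not Sooty's own code), the block below decodes a Proofpoint URL Defense v2 link, defangs the result so it can be pasted into an email without being auto-linked, and computes the hashes an analyst would submit to VirusTotal. The Proofpoint v2 rules used here (`_` stands for `/`, `-XX` is a hex-escaped byte) are Proofpoint's documented encoding; the `hxxp` / `[.]` defang convention and the sample URL are assumptions constructed for the example.

```python
import hashlib
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed defang convention: neutralise the scheme and the dots in the host
# so mail clients do not turn the indicator into a clickable link.
def sanitise_url(url: str) -> str:
    """Return a defanged copy of url (hxxp://www[.]example[.]com)."""
    defanged = url
    if defanged.lower().startswith("http"):
        defanged = "hxxp" + defanged[4:]
    scheme, sep, rest = defanged.partition("://")
    if not sep:  # no scheme present, defang the whole string
        return defanged.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"


def decode_proofpoint_v2(url: str) -> str:
    """Recover the original target from a Proofpoint URL Defense v2 link.

    v2 stores the target in the 'u' query parameter with '/' written as '_'
    and every other reserved byte written as '-XX' (two hex digits).
    Non-Proofpoint URLs are returned unchanged.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() != "urldefense.proofpoint.com":
        return url
    if parsed.path != "/v2/url":
        raise ValueError(f"unsupported URL Defense version: {parsed.path}")
    encoded = parse_qs(parsed.query)["u"][0]
    # '_' -> '/', then '-XX' -> '%XX' so the standard percent-decoder finishes the job
    percent_encoded = re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", encoded.replace("_", "/"))
    return unquote(percent_encoded)


def decode_utf8_url(url: str) -> str:
    """Percent-decode a URL whose path/query was UTF-8 percent-encoded."""
    return unquote(url, encoding="utf-8", errors="strict")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a file's bytes, the values a VirusTotal lookup takes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_url(url: str) -> dict:
    """Decode a (possibly Proofpoint-wrapped) URL and return both forms."""
    decoded = decode_utf8_url(decode_proofpoint_v2(url))
    return {"decoded": decoded, "safe_to_mail": sanitise_url(decoded)}


if __name__ == "__main__":
    # Constructed sample: a v2 wrapper around https://www.example.com/path?q=1&r=2
    sample = (
        "https://urldefense.proofpoint.com/v2/url?"
        "u=https-3A__www.example.com_path-3Fq-3D1-26r-3D2&d=DwMFaQ&c=x&r=y&m=z&s=w&e="
    )
    print(triage_url(sample))
    print(file_hashes(b"")["sha256"])
```

The decoder deliberately refuses v1 and v3 links rather than guessing at their layout; an analyst can still read the `u` parameter by hand, and a wrong silent decode would be worse than an explicit error.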
Version 1.1 - The Reputation Update
- Improved Rep Checker
- Added HaveIBeenPwned Functionality
- Added DNS Tools and WhoIs Functionality
- Added Hash and VirusTotal Checkers
- Added AbuseIPDB, Tor Exit Node, BadIPs to Reputation Checker
- Initial Release
- URL and ProofPoint Decoder
- Initial implementation of Reputation Checker
- Sanitize links to be safe for email
This is an outline of what features will be coming in future versions.
Version 1.2 - The Phishing Update
- Add ability to extract email addresses and URLs from mail.
- Correlate emails and URLs to see if they have been reported for phishing (PhishTank).
- Scan email attachments for malicious content, macros, files, scan hashes, etc.
Version 1.3 - The Case Update
- Add a 'New Case' Feature, allowing output of the tool to be output to a txt file.
- Python 3.x
- To use the hash comparison with VirusTotal requires an API key; replace the placeholder VT_API_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
- To use the Reputation Checker with AbuseIPDB requires an API key; replace the placeholder AB_API_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
Want to contribute? Great!
- New features / requests should start by opening an issue. This helps track new features and prevent crossover.
- If you wish to work on a feature, leave a comment on the issue page and I will assign you to it.
- All code modifications, enhancements or additions must be done through a pull request.
- Once reviewed and merged, contributors will be added to the ReadMe
- Aaron J Copley for his code to decode ProofPoint URLs
- James Duarte for adding a hash and auto-check option to the hashing function
- mrpnkt for adding the missing whois requirement to requirements.txt