Cont3xt intends to centralize and simplify a structured approach to gathering contextual intelligence in support of technical investigations.
- macOS (it takes about 6 minutes to get up and running the first time)

```sh
git clone https://github.com/TobySalusky/cont3xt.git
cp cont3xt/.env.template cont3xt/.env
cd cont3xt/docker
docker-compose create
# Repository root, i.e. the parent of the docker/ directory
export BASE_DIR=$(dirname "$(pwd)")
docker run -d -p 127.0.0.1:4000:4000 --name c3b docker_c3b
docker run -d -p 127.0.0.1:3001:3001 --env-file=../.env --volume="${BASE_DIR}/public/config:/opt/cont3xt/public/config:ro" --name cont3xt docker_cont3xt
```
- Linux

```sh
git clone https://github.com/TobySalusky/cont3xt.git
cp cont3xt/.env.template cont3xt/.env
cd cont3xt/docker
docker-compose up
```

Edit your .env file for API keys.
Point your browser at localhost:3001.
- Install NodeJS (~5-6 minutes)

```sh
git clone https://github.com/TobySalusky/cont3xt.git
cd cont3xt
npm ci
npm audit fix --force
npm audit fix --force  # Yes, run it twice in order to resolve most vulnerable packages. Right now, there will still be 10 moderate.
# Note: --force may apply major-version (breaking) updates; review the resulting package-lock.json diff.
```

Add your API keys to `.env` (after renaming it from .env.template). You can make customizations to the /public/config/*.txt configs at any time.
- If you add or change API keys, the NodeJS service must be restarted.
- Changes to configurations in public/config do not require a restart.
(This backend/proxy process is necessary to work around CORS issues.)

```sh
npx --package express-generator express c3b
git clone https://github.com/TobySalusky/cont3xtbackend.git
cp -Rp cont3xtbackend/* c3b
cd c3b
npm ci
npm audit fix --force
```
I recommend running this only on your local machine to avoid exposing the interface to any larger/public network. Run the two processes in a separate window, using two different terminal tabs.
- In your 1st window/tab (the backend):

```sh
cd c3b
export HOST=127.0.0.1
npm start
```

- In your 2nd window/tab (the UI):

```sh
cd cont3xt
export HOST=127.0.0.1
export PORT=3001
npm start
```
**Note:** The first time you use 'Open All' from a reporting section, you will need to allow the pop-ups in your browser's popup blocker.
Cont3xt will attempt to auto-enrich the supported iTypes: IP, domain/hostname, email address, hashes, phone numbers (not just yet) and, sooner or later, URLs.
Enter an indicator in the search bar at the top. The search bar supports refanging input and identifies the iType. Search does not currently support bulk lookups, but will in the future.
For Domains/hostnames:
- Use of Cloudflare DNS over HTTPS to resolve record types including A, AAAA, NS, MX, TXT, SPF/DMARC, CAA and SOA. Any IPs explicitly resolved will have the IP iType enrichment performed.
- Direct/public Whois request. This can be more valuable than third-party commercial services, whose results may be cached or not current when dealing with freshly registered domains.
- PassiveTotal Whois query
- PassiveTotal PDNS query
- PassiveTotal subdomains query
- URLScan 'contains' query
- VirusTotal 'contains' query
- Anomali ThreatStream search query
For IPs:
- RDAP query identifying the RIR, with a link to the full record.
- SPUR.us query for IP context
- Censys IP query
- Shodan IP query
- PassiveTotal IP PDNS query
- VirusTotal IP query
- Anomali ThreatStream IP query
For Email:
- Perform a direct-connection SMTP recipient verification against the address's mail server. This is the only heavy touch that cont3xt currently performs (it contacts infrastructure associated with the indicator, which that side may log). We'll make it an option to NOT perform in the future.
- Anomali ThreatStream email query
- Extract the base domain, and perform all relevant Domain enrichment.
For Hashes:
- VirusTotal Hash query
- Anomali ThreatStream query
There is a share link option next to the search bar, which base64-encodes the indicator so you can share links without too much worry of tripping network detections keyed on well-known indicators.
There is a basic report generation feature that will drop results into a `${indicator}_${TIMESTAMP}.txt` file.
You can add custom query external links to your own resources, as long as you can craft a URL query string with the available format strings (see the public/config/*.txt files):
- `${indicator}`
- `${startDate}`
- `${numDays}`
- `${numHours}`
- `${type}`
- `${subType}`
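As an added example (not Cont3xt's own code), here is how a custom link template using these format strings can be expanded safely: every substituted value is URL-encoded so an indicator containing `&`, `#` or `/` cannot alter the link. The `ctx` field shape, the YYYY-MM-DD layout of `${startDate}` and the sample template are assumptions, not the project's actual config schema.

```javascript
// Added example, not Cont3xt's own code. Expands a custom external-link
// template using the format strings the README lists. The `ctx` field
// shape, the YYYY-MM-DD date layout and the sample template are
// assumptions, not the project's actual public/config/*.txt schema.
const FIELDS = ['indicator', 'startDate', 'numDays', 'numHours', 'type', 'subType'];

function expandLink(template, ctx) {
  return template.replace(/\$\{(\w+)\}/g, (match, name) => {
    if (!FIELDS.includes(name)) {
      throw new Error(`unknown format string ${match}`);
    }
    if (ctx[name] === undefined || ctx[name] === null) {
      throw new Error(`no value for ${match}`);
    }
    // URL-encode every substituted value so an indicator containing
    // '&', '#', '?' or '/' cannot alter the link's path or query string.
    return encodeURIComponent(String(ctx[name]));
  });
}

// Builds the substitution context for a look-back window of numDays
// ending at `now`; numHours is derived from numDays.
function buildContext(indicator, type, subType, numDays, now = new Date()) {
  const start = new Date(now.getTime() - numDays * 24 * 60 * 60 * 1000);
  return {
    indicator,
    startDate: start.toISOString().slice(0, 10),
    numDays,
    numHours: numDays * 24,
    type,
    subType,
  };
}

// Constructed sample template; the host is a placeholder, not a real service.
const SAMPLE_TEMPLATE =
  'https://siem.example.invalid/search?q=${indicator}&type=${type}' +
  '&from=${startDate}&days=${numDays}';

const sampleCtx = buildContext('evil.example.com', 'domain', 'hostname', 7,
  new Date('2024-03-10T12:00:00Z'));
console.log(expandLink(SAMPLE_TEMPLATE, sampleCtx));
// → https://siem.example.invalid/search?q=evil.example.com&type=domain&from=2024-03-03&days=7
```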
Credit:
WhoIs Icon: https://thenounproject.com/term/whois/1581154/
Censys Icon: https://censys.io/
Share Icon: https://iconify.design/icon-sets/fe/share.html
Report Icon: https://www.flaticon.com/free-icon/file_1508964
UrlScan Icon: https://urlscan.io/about/
VirusTotal Icon: https://vecta.io/symbols/100/brands-va-vz/45/virustotal-icon
Outside-external-link Icon: https://commons.wikimedia.org/wiki/File:Icon_External_Link.svgs
Anomali Icon: https://www.programmableweb.com/api/anomali-threatstream-rest-api-v10
Shodan Icon:
Many thanks to @MattCarothers for all of the Docker configuration help.