Framework for analysis of suspicious website
! UNDER DEVELOPMENT !
- Launch a VM and open a website with multiple browsers.
- For each browser, do a screenshot of the loaded webpage.
- Take a PCAP of the full browsing session
- Pass all requests through a proxy (currently mitmdump)
- Automate the full process
- Install mitmproxy: $ sudo apt-get install mitmproxy
- Check that tcpdump is installed
- Install the operating system of your choice in the VM (developed and tested on Windows 10)
- Install Python 2.7
- pip install selenium
- pip install Bottle
- Install Firefox
- Install Selenium drivers for Internet Explorer and Firefox
- Set a password for the user (required to run the script remotely)
- Enable auto-logon of user
- Copy payload-rest.py to C:\Scripts and run the script
- While the script is still RUNNING, take a snapshot named webshot
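The VM side of the setup, as an added example that is not the project's payload-rest.py: it shows what the payload has to do once a request arrives (check the submitted URL, open it in each browser, package one screenshot per browser into the zip the host expects). It is written for Python 3 rather than the 2.7 installed above, and the browser drivers are injected as factories so the logic runs without Selenium; the names "firefox" and "ie", the Selenium factories suggested in the comments, the manifest file and the Bottle route being omitted are all assumptions.

```python
"""Screenshot payload in the spirit of payload-rest.py (added example, not
the project's own code). The real payload drives Firefox and Internet
Explorer with Selenium behind a Bottle REST endpoint; here the browser
drivers are injected as factories so the capture and packaging logic runs
without a browser. Any object with get(url), get_screenshot_as_png() and
quit() fits, which is the Selenium WebDriver surface used here."""
import io
import zipfile
from datetime import datetime, timezone
from urllib.parse import urlsplit


def validate_url(url):
    """Accept only http(s) URLs that name a host. The endpoint is reachable
    from the host side, so it must refuse file:// and similar schemes
    rather than screenshot whatever it is pointed at."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def screenshot_all(url, driver_factories, page_load_timeout=30):
    """Open url in every browser and return {browser_name: png_bytes}.
    driver_factories maps a name to a zero-argument callable returning a
    WebDriver-like object, e.g. {"firefox": webdriver.Firefox,
    "ie": webdriver.Ie} with Selenium installed (assumed names). A browser
    that fails is recorded as None so one broken driver does not lose the
    other screenshots; the driver is always quit so no stray browser
    process is left behind in the VM snapshot."""
    results = {}
    for name, factory in driver_factories.items():
        driver = None
        try:
            driver = factory()
            if hasattr(driver, "set_page_load_timeout"):
                driver.set_page_load_timeout(page_load_timeout)
            driver.get(url)
            results[name] = driver.get_screenshot_as_png()
        except Exception:
            results[name] = None
        finally:
            if driver is not None:
                try:
                    driver.quit()
                except Exception:
                    pass
    return results


def package_screenshots(shots, run_id=None):
    """Build the zip returned to the host: <run_id>/<browser>.png per
    successful capture plus a manifest naming the failed browsers
    (manifest name is an assumption). Returns the archive as bytes."""
    run_id = run_id or datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        failed = []
        for name, png in sorted(shots.items()):
            if png is None:
                failed.append(name)
                continue
            zf.writestr("%s/%s.png" % (run_id, name), png)
        zf.writestr("%s/manifest.txt" % run_id,
                    "failed: %s\n" % (", ".join(failed) or "none"))
    return buf.getvalue()


def handle_request(params, driver_factories):
    """What the REST handler does with one request: validate the url
    parameter, capture, package. Returns (http_status, body) so a Bottle
    route (omitted here) only has to set the status and return the body."""
    url = params.get("url", "")
    if not validate_url(url):
        return 400, b"url parameter must be an http(s) URL with a host"
    shots = screenshot_all(url, driver_factories)
    return 200, package_screenshots(shots)


def archive_names(data):
    """Sorted entry names of a zip given as bytes (used to inspect output)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())
```

Because a failed browser is recorded instead of aborting, a run against a page that crashes Internet Explorer still yields the Firefox screenshot, and the manifest tells the analyst which capture is missing rather than leaving an unexplained gap in the zip.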
Define the configuration in configuration.py. A skeleton configuration is provided in default-configuration.py.
When configuration is defined, execution is done with:
sudo python ./webshot.py -u "http://www.autopsit.org"
In ./cases, you will have the following structure:
- A sub-directory named after the FQDN
- Inside it, a sub-directory per run of the script, containing:
- A capture of all the traffic passing through proxy: proxy_traffic.txt
- A logfile of the proxy output (MITMPROXY format): proxy.log
- A full tcpdump capture: capture.pcap
- A zip file with screenshots of the website for each browser selected in payload-rest.py
Note for users behind a proxy: to use pip on the Windows VM, set the proxy with the following command
set HTTP_PROXY=http://[username]:[password]@[proxy address]:[port]
- When HTTP_PROXY is defined, it interferes with the script's normal behaviour. Unset the variables before running it:
unset HTTP_PROXY
unset HTTPS_PROXY
unset http_proxy
unset https_proxy
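The host side, as an added example that is not the project's webshot.py: it builds the ./cases/FQDN/run layout listed above, the tcpdump and mitmdump command lines, a child environment with the four proxy variables removed (the programmatic form of the unset commands in the note), and a check that every expected artefact is present and non-empty. Which of proxy.log and proxy_traffic.txt receives the mitmdump -w flow file, the name screenshots.zip and the timestamp run id are assumptions.

```python
"""Host-side helpers for a webshot run (added example, not the project's
webshot.py). They build the ./cases/<FQDN>/<run>/ layout, the tcpdump and
mitmdump command lines, a child environment with the proxy variables
removed, and a completeness check of the artefacts. Which of proxy.log
and proxy_traffic.txt receives the mitmdump -w flow file is an assumption;
adjust to match configuration.py."""
import os
from datetime import datetime, timezone
from urllib.parse import urlsplit

# screenshots.zip is an assumed name; the README only says "a zip file".
ARTIFACTS = ("proxy_traffic.txt", "proxy.log", "capture.pcap", "screenshots.zip")
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")


def case_dir(url, cases_root="cases", run_id=None):
    """Return cases/<FQDN>/<run_id>. The FQDN is urlsplit().hostname, so
    userinfo and port in http://user:pw@host:8080/ are not mistaken for
    the host. The hostname still becomes a path component, so '.', '..'
    and separators are refused rather than letting an odd URL create a
    directory outside ./cases."""
    host = urlsplit(url).hostname
    if not host or host in (".", "..") or "/" in host or "\\" in host:
        raise ValueError("unusable host in URL: %r" % url)
    run_id = run_id or datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
    return os.path.join(cases_root, host, run_id)


def tcpdump_cmd(iface, run_dir):
    """tcpdump command writing the raw session to capture.pcap; -n keeps
    tcpdump's own name lookups out of the capture."""
    return ["tcpdump", "-n", "-i", iface,
            "-w", os.path.join(run_dir, "capture.pcap")]


def mitmdump_cmd(listen_port, run_dir):
    """mitmdump command: -w saves every flow in mitmproxy's own format
    (assumed here to be proxy.log); its stdout summary is what the caller
    redirects to proxy_traffic.txt."""
    return ["mitmdump", "-p", str(listen_port),
            "-w", os.path.join(run_dir, "proxy.log")]


def child_env(base=None):
    """Environment for the tools started by the script, with the proxy
    variables removed. Left in place, HTTP_PROXY would send the session
    through the corporate proxy instead of the mitmdump instance that is
    supposed to record it."""
    env = dict(os.environ if base is None else base)
    for var in PROXY_VARS:
        env.pop(var, None)
    return env


def missing_artifacts(run_dir):
    """Expected files that are absent or empty, so a run whose capture
    failed silently is caught before analysis starts."""
    missing = []
    for name in ARTIFACTS:
        path = os.path.join(run_dir, name)
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            missing.append(name)
    return missing


if __name__ == "__main__":
    run = case_dir("http://www.autopsit.org")
    print(run)
    print(" ".join(tcpdump_cmd("eth0", run)))
    print(" ".join(mitmdump_cmd(8080, run)))
    print("missing:", missing_artifacts(run))
```

Passing child_env() as the env argument of subprocess.Popen for tcpdump, mitmdump and the call to the VM's REST endpoint is what the unset commands achieve interactively; missing_artifacts() run at the end of a case turns a silently empty capture.pcap into an explicit error instead of an empty file discovered during analysis.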