Neto | A tool to analyse browser extensions
Files

Type Name Latest commit message Commit time
bin v0.5 release May 7, 2018
config Add user-defined wrappers May 28, 2018
doc Update CHANGES.md Jan 15, 2019
neto Add more suspicious strings and categories Jan 15, 2019
.gitignore Plugin update May 21, 2018
AUTHORS.md v0.5 release May 7, 2018
COPYING
MANIFEST.in Add user-defined wrappers May 28, 2018
README.md Update README.md May 7, 2018
setup.py Plugin update May 21, 2018

README.md

Project Neto: A Toolkit for Analysing Browser Plugins

Overview

Project Neto is a Python 3 package conceived to analyse and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in an extension, such as manifest.json, localization folders, or JavaScript and HTML source files.

Installation

To install the package, the user can choose pip3.

pip3 install -e . --user

Optionally, it can also be installed with administrator privileges using sudo:

sudo pip3 install -e .

A successful installation can be checked using:

python3 -c "import neto; print(neto.__version__)"

Quick Start

To perform the analysis of an extension, the analyst can type the following:

neto analysis -u https://yoururl.com/extension-name.xpi

The extension will be automatically downloaded and unzipped, by default in the system's temporary folder.

However, the analyst can also launch the analysis against a locally stored extension:

neto analysis -e ./my-extension-name.xpi

After the static analysis is performed, it will generate a JSON file that is stored by default in a newly created folder named output.

If you use Python, you can also import the package as a library in your own Python modules:

>>> from neto.lib.extensions import Extension
>>> my_extension = Extension("./sample.xpi")
>>> my_extension.filename
'adblock_for_firefox-3.8.0-an+fx.xpi'
>>> my_extension.digest
'849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'

Apart from accessing the elements found in the extension through properties, the analyst can always access them as a dictionary:

>>> my_extension.__dict__
{'_analyser_version': '0.0.1', '_digest': '849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'…

If you are not using Python, you can use the JSON RPC daemon:

$ neto daemon

         ____            _           _      _   _      _
        |  _ \ _ __ ___ (_) ___  ___| |_   | \ | | ___| |_ ___
        | |_) | '__/ _ \| |/ _ \/ __| __|  |  \| |/ _ \ __/ _ \ 
        |  __/| | | (_) | |  __/ (__| |_   | |\  |  __/ || (_) |
        |_|   |_|  \___// |\___|\___|\__|  |_| \_|\___|\__\___/
                      |__/

                                    Developed by @ElevenPaths
                                    Version: 0.5.0b


 * Running on http://localhost:14041/ (Press CTRL+C to quit)

You can then run commands using your preferred JSON RPC library to write a client (we have written a short demo in the bin folder) or even curl:

 curl --data-binary '{"id":0, "method":"remote", "params":["https://example.com/myextension.xpi"], "jsonrpc": "2.0"}'  -H 'content-type:text/json;' http://localhost:14041

Features

The following is a non-exhaustive list of the features included in this package:

  • Manifest analysis.
  • Internal file hashing.
  • Entities extraction using regular expressions: IPv4, email, cryptocurrency addresses, URL, etc.
  • Comments extraction from HTML, CSS and JS files.
  • Cryptojacking detection engine based on known mining domains and expressions.
  • Detection of suspicious JavaScript code, such as eval().
  • Certificate analysis if provided.
  • Batch analysis of previously downloaded extensions.
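
To make several of the features above concrete (manifest analysis, internal file hashing, entity extraction and eval() detection), here is an added sketch that is not Neto's own code. The regular expressions, the function names analyse_package and build_sample_xpi, and the sample package are assumptions constructed for illustration.

```python
import hashlib
import io
import json
import re
import zipfile

# Illustrative patterns (assumptions, not Neto's own rule set).
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
EVAL_RE = re.compile(r"\beval\s*\(")
TEXT_SUFFIXES = (".js", ".html", ".css", ".json")


def analyse_package(data: bytes) -> dict:
    """Statically inspect an .xpi/.crx-style ZIP held in memory; nothing is executed."""
    report = {"digest": hashlib.sha256(data).hexdigest(), "manifest": {},
              "files": {}, "urls": set(), "ipv4": set(), "eval_hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            content = archive.read(info)
            # Hash every internal file, text or binary.
            report["files"][info.filename] = hashlib.sha256(content).hexdigest()
            if not info.filename.endswith(TEXT_SUFFIXES):
                continue
            text = content.decode("utf-8", errors="replace")
            if info.filename == "manifest.json":
                report["manifest"] = json.loads(text)
            report["urls"].update(URL_RE.findall(text))
            report["ipv4"].update(IPV4_RE.findall(text))
            if info.filename.endswith(".js"):
                for lineno, line in enumerate(text.splitlines(), 1):
                    if EVAL_RE.search(line):
                        report["eval_hits"].append((info.filename, lineno))
    return report


def build_sample_xpi() -> bytes:
    """Constructed sample package (not a real extension)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("manifest.json", json.dumps(
            {"name": "sample", "version": "1.0", "permissions": ["tabs", "<all_urls>"]}))
        archive.writestr("background.js",
                         "var cfg = 'http://203.0.113.7/cfg';\nvar out = eval(payload);\n")
    return buffer.getvalue()


if __name__ == "__main__":
    result = analyse_package(build_sample_xpi())
    print(result["manifest"]["permissions"], result["eval_hits"], sorted(result["ipv4"]))
```

Members are read in memory rather than extracted to disk, so a crafted entry name cannot write outside a working directory. For untrusted packages, also cap info.file_size before reading to limit decompression bombs.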