
Sunday, 10 November 2013

[Script] VirusTotal public and private API v2 with all features


A few days ago I finished improving the previous script and added private API support, so a very big thank you to the VirusTotal team for this :)

I will show a few options with examples; for all options see the usage.

Important! Some functions, such as behaviour, have many options; if you want to activate all of them, just use -v/--verbose. To get more details from a report, use verbose mode.

You can use the --dump option to dump the JSON to a file and analyse it later. You can combine this: view a report and dump it to a file, and afterwards pass that file as the parameter instead of the hash/scan-id/url/etc...

File scan:
Important: if the file has been scanned before, you will get the existing report and the file will not be uploaded.
Files bigger than 32 MB will be ignored and you will see a warning with the file name.

You can use name/path wildcard as: /home/user/malware*/*Zeus*

vt.py -f path_to_file


vt.py -f path_to_file -v # with verbose mode you will see the same output plus the per-AV detections



URL scan and report:

It depends on the API: with the public API you can scan up to 4 URLs per request, with the private API up to 25.
Example for scanning 2 URLs/domains:

python vt.py -ur google.com virustotal.com



When you try to get a report and the URL/domain has not been scanned before, you can have it uploaded for scanning by adding the -u option:

python vt.py -ur -u google.com virustotal.com

If you want to add it directly to scan/rescan, just execute:

python vt.py -u google.com virustotal.com
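The batching the -u/-ur options rely on, as an added example that is not the post's vt.py: URLs are split into per-request groups of the sizes the post gives (4 on the public API, 25 on the private one) and turned into the parameters VT API v2 expects (newline-separated resources; scan=1 on /url/report queues unknown URLs, which is the -ur plus -u combination). The API key is a placeholder and nothing is sent over the network; the parser at the end runs on a constructed response shaped like a multi-URL /url/report answer.

```python
"""Added example: batching URL scan/report requests for VT API v2.
Not the vt.py script from the post; YOUR_API_KEY is a placeholder."""

URL_LIMITS = {"public": 4, "private": 25}     # URLs per request, as the post states
BASE = "https://www.virustotal.com/vtapi/v2/"


def batches(items, size):
    """Yield consecutive slices of at most `size` items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def build_url_requests(urls, api_key, tier="public", action="report", scan_if_missing=False):
    """Return one (endpoint, params) tuple per request, respecting the tier limit.

    action='scan'   -> /url/scan with parameter 'url'       (the -u option)
    action='report' -> /url/report with parameter 'resource' (the -ur option)
    scan_if_missing adds scan=1 so unknown URLs are queued instead of
    coming back as 'not found' (the -ur -u combination in the post).
    """
    limit = URL_LIMITS[tier]
    requests_out = []
    for chunk in batches(list(urls), limit):
        joined = "\n".join(chunk)              # API v2 separates multiple URLs with newlines
        if action == "scan":
            requests_out.append((BASE + "url/scan", {"apikey": api_key, "url": joined}))
        elif action == "report":
            params = {"apikey": api_key, "resource": joined}
            if scan_if_missing:
                params["scan"] = 1
            requests_out.append((BASE + "url/report", params))
        else:
            raise ValueError("unknown action: %s" % action)
    return requests_out


def summarize_url_reports(response):
    """Reduce a /url/report answer (a dict for one resource, a list for several)
    to one summary line per URL, handling the not-found and queued codes."""
    items = response if isinstance(response, list) else [response]
    lines = []
    for item in items:
        code = item.get("response_code")
        if code == 0:
            lines.append("%s : not found (submit it with scan)" % item.get("resource"))
        elif code == -2:
            lines.append("%s : still queued" % item.get("resource"))
        else:
            lines.append("%s : %d/%d positives, scanned %s, %s" % (
                item["url"], item["positives"], item["total"],
                item["scan_date"], item["permalink"]))
    return lines


# Constructed sample: two known URLs, one not seen before.  The permalink value
# is the one shown in the post; the other numbers are made up for the example.
SAMPLE_URL_RESPONSE = [
    {"response_code": 1, "url": "http://google.com/", "positives": 0, "total": 50,
     "scan_date": "2013-11-10 12:00:00",
     "permalink": "https://www.virustotal.com/url/6df0f88d03421a4c202bb6151d4b16666be0d8fac3780d387a5b818ca824d6b7/analysis/1383121114/"},
    {"response_code": 1, "url": "http://virustotal.com/", "positives": 0, "total": 50,
     "scan_date": "2013-11-10 12:00:00", "permalink": "https://www.virustotal.com/url/PLACEHOLDER/"},
    {"response_code": 0, "resource": "http://example.invalid/"},
]

if __name__ == "__main__":
    for endpoint, params in build_url_requests(
            ["google.com", "virustotal.com", "a.test", "b.test", "c.test"],
            "YOUR_API_KEY", tier="public", action="report", scan_if_missing=True):
        print(endpoint, params)
    print("\n".join(summarize_url_reports(SAMPLE_URL_RESPONSE)))
```

With six URLs the public tier yields two requests (4 + 2) while the private tier yields one; exceeding the per-request limit is what produces the errors people hit when they paste long URL lists into a single call.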

Report search:

Here you can use an md5/sha1/sha256 hash or a scan-id.


python vt.py -s 99017f6eebbac24f351415dd410d522d

MD5    : 99017f6eebbac24f351415dd410d522d
SHA1   : 4d1740485713a2ab3a4f5822a01f645fe8387f92
SHA256 : 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c

Scan Date : 2013-11-02 05:21:11

Detections:
    39/46 Positives/Total

(the output is very long, so this is just a part of it)

Permanent link : https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1383369671/
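The client-side handling behind the file scan and report options above, as an added example that is not the post's vt.py: wildcard expansion of file paths, the 32 MB pre-check the post mentions, hashing so the report can be requested before any upload, the summary lines the post shows (with the per-engine verdicts that -v adds), and the --dump/reload round trip in which a dumped JSON file is accepted in place of a hash. It runs offline on a constructed /file/report object; the hashes, scan date and permalink in it are the ones printed in the post, the engine names are made up.

```python
"""Added example: pre-checks and report handling for file scans/reports.
Not the vt.py script from the post; no network call is made."""
import glob
import hashlib
import json
import os

MAX_UPLOAD_BYTES = 32 * 1024 * 1024     # the post: files above 32 MB are skipped with a warning


def expand_targets(patterns):
    """Expand name/path wildcards such as /home/user/malware*/*Zeus* into files.
    Oversized files are reported in the returned warnings, not raised."""
    files, warnings = [], []
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            if not os.path.isfile(path):
                continue
            if os.path.getsize(path) > MAX_UPLOAD_BYTES:
                warnings.append("skipped (bigger than 32 MB): %s" % path)
                continue
            files.append(path)
    return files, warnings


def hash_bytes(data):
    """md5/sha1/sha256 of an in-memory buffer (used by the tests and by file_hashes)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def file_hashes(path):
    """Stream-hash a file; any of the three digests serves as the 'resource'
    for /file/report, so the report is fetched before anything is uploaded."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def summarize_report(report, verbose=False):
    """Turn a /file/report JSON object into the summary lines the post shows.
    response_code 0: VT has never seen the resource (upload it); -2: still queued."""
    code = report.get("response_code")
    if code == 0:
        return ["Not found: upload the file for scanning"]
    if code == -2:
        return ["Still queued for analysis, ask for the report again later"]
    lines = [
        "MD5    : %s" % report["md5"],
        "SHA1   : %s" % report["sha1"],
        "SHA256 : %s" % report["sha256"],
        "Scan Date : %s" % report["scan_date"],
        "Detections:",
        "    %d/%d Positives/Total" % (report["positives"], report["total"]),
    ]
    if verbose:                              # -v: one line per engine that detected the file
        for engine, verdict in sorted(report.get("scans", {}).items()):
            if verdict.get("detected"):
                lines.append("    %-20s %s" % (engine, verdict.get("result")))
    lines.append("Permanent link : %s" % report["permalink"])
    return lines


def dump_report(report, path):
    """--dump: write the JSON so it can later be passed instead of a hash."""
    with open(path, "w") as fh:
        json.dump(report, fh, indent=2)


def load_resource_or_dump(arg):
    """Accept either a hash/scan-id string or the path of a dumped JSON report."""
    if os.path.isfile(arg):
        with open(arg) as fh:
            return json.load(fh)
    return arg


# Constructed sample shaped like a VT API v2 /file/report answer.
SAMPLE_REPORT = {
    "response_code": 1,
    "md5": "99017f6eebbac24f351415dd410d522d",
    "sha1": "4d1740485713a2ab3a4f5822a01f645fe8387f92",
    "sha256": "52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c",
    "scan_date": "2013-11-02 05:21:11",
    "positives": 39, "total": 46,
    "scans": {"EngineA": {"detected": True, "result": "Trojan.Generic"},   # made-up engines
              "EngineB": {"detected": False, "result": None}},
    "permalink": "https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1383369671/",
}

if __name__ == "__main__":
    print("\n".join(summarize_report(SAMPLE_REPORT, verbose=True)))
```

Requesting the report by hash first, and uploading only on response_code 0, is what keeps a rescan of an already-known sample from spending an upload; the dump/reload pair lets a saved report be re-rendered (verbose or not) without another API call.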


Domain search:
Get the resolved IPs and resolution dates of the domain

python vt.py -d http://027.ru --dump -v # public api



Get all domain info (the same execution, but with the private API):

You can get all the info with verbose mode, or just activate the options you want to see; see the usage.



Get IP info:

python vt.py -i ip/json_dump # public api


Search report:

python vt.py -s 99017f6eebbac24f351415dd410d522d # private api example


ExifTool file metadata:

<output cut>



Cluster info:

python vt.py --cluster 2013-10-01



Distribution:

python vt.py --distribution-files --report --limit 1



python vt.py --distribution-urls



Permanent link : https://www.virustotal.com/url/6df0f88d03421a4c202bb6151d4b16666be0d8fac3780d387a5b818ca824d6b7/analysis/1383121114/


Get comments:



Behaviour:

This is a heavily cut-down behaviour output, because the full one is very, very long.






And much more!

Process Tree

pid: 484
name: 82a4d0467f93e3ddec3b51a66dbd55cfce3f6c5725d2759850fb4b3b37c28304
children: []


See the usage for all options:

python vt.py -h

Enjoy it!

Saturday, 9 November 2013

[How-to] Backdoor + DDNS + VM as server


Today I played with ¿Backdoor?. As I noticed, the main module for creating a secure channel for communication between server<>client is outdated and doesn't work with the latest version of the Python Crypto library (missing Initialization Vector in the AES implementation), so I worked on updating the whole script to Python 2.7.x and updated the parts with AES encryption, plus small bug fixes; soon I hope to send the updated source to the author so he can update it :)

But back to the initial topic: as I see, many people have problems with connections between DDNS (example: no-ip.com) and forwarding traffic from the router to the virtual machine.

After a bit of research I found the solution.

To start, step by step:
1) How to Create a Free Redirect Domain With No-IP

2) IMPORTANT: Give your virtual machine a static IP address, put this machine in the DMZ, and configure its network card in bridged mode, so it gets the same IP range as the rest of the machines on your LAN.

3) Set Up Port Forwarding on a Router

Finally, as you can see, everything works perfectly :)



Best regards :)

Monday, 21 October 2013

[Script] VirusTotal public API v2 with all features


Yesterday I just finished writing this script: VirusTotalPublicApi

Right now, this public script is the only one supporting all VirusTotal API v2 features.
This script was made public on the official VT API documentation page.




Some screenshots of usage:

Search by hash




Search by hash, verbose mode



Verbose mode will give you a lot of information if you search a domain/IP address.

For all features, check the usage.



Best regards