
Elyzer is an email header analyzer, written in python, capable of detecting potential spoofing attempts.

B0lg0r0v/Elyzer

Elyzer

Description

Elyzer is an e-mail header analyzer capable of detecting potential spoofing attempts. It will give you general information about the e-mail, the route it took, important security headers and the phishing / spoofing results.

⚠️ This project is under active development, and changes will be made frequently. As it's still in the early stages, bugs may be present.

General Information

  • Before using this tool, make sure the e-mail header is formatted correctly. This tool will parse the header according to RFC 822.
  • This tool can ONLY utilize the spoofing / phishing function if the header contains the sender's SMTP server IPv4 address. IPv6 addresses are currently not supported.
  • Microsoft e-mail services use IPv6 addresses, which on top of that are proxies. Finding the source address is very difficult, if not simply impossible.
  • PLEASE DO NOT RELY ONLY ON THIS TOOL. Elyzer cannot guarantee you 100% accuracy.

Installation

For Unix users:

git clone https://github.com/B0lg0r0v/Elyzer.git
cd Elyzer
python -m pip install -r requirements.txt

To use the -pa argument, you need an API key from Driftnet:

Create an environment variable called DRIFTNET_API and insert your key as a value.

# On Unix systems
export DRIFTNET_API=<YOUR KEY>

# On Windows
set DRIFTNET_API=<YOUR KEY>

Usage

Using Elyzer is quite intuitive. Pass the header file with the -f argument.

Unix:

python3 elyzer.py -f <FILE>

Full Elyzer options:

options:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Give the E-Mail Header as a file.
  -pa, --passive        Enables the passive mode. DNS resolution is performed passively through Driftnet
                        for better OPSEC. You need to add "DRIFTNET_API" as an environment variable to 
                        use this feature.
  -nd, --no-dns         Enables the no-dns mode. No DNS resolution is performed for best OPSEC. This heavily affects
                        the results !
  -q, --quiet           Quiet mode. Disables banner.
  -j, --json            EXPERIMENTAL FEATURE. Output the results in JSON format.
  -v, --version         show program's version number and exit
  -a ATTACHEMENT, --attachement ATTACHEMENT
                        Check if the file is malicious.

Elyzer performs various DNS lookups to compare values for the spoofing function. This could raise OPSEC concerns, especially when dealing with a targeted attack.

If you have OPSEC concerns, you can now use the -pa argument to perform DNS lookups passively. This way, you're no longer interacting directly with potentially malicious domains but indirectly, making it harder for an adversary to track you. However, this CAN impact the results.

python3 elyzer.py -f <FILE> -pa

If you want the best OPSEC, you can use the -nd argument, which enables 'No DNS / Paranoid' mode. This will disable all DNS lookups, allowing you to use Elyzer entirely offline. However, be aware that this will significantly impact the results!

python3 elyzer.py -f <FILE> -nd

Additionally, you can give a file to Elyzer with the -a argument. It will then generate a VirusTotal link where you can see whether the file is potentially malicious or not.

python3 elyzer.py -f <MAIL_HEADER_FILE> -a <SUSPICIOUS_FILE>

Features

Here's a quick overview of Elyzer's features:

  • Print general e-mail information
  • Print relay routing with timestamps
  • Print security headers and check if set correctly
  • Print interesting headers such as "Envelope-From"
  • Print MS-Exchange Headers
  • Spoofing / Phishing analyzer with optional passive DNS lookup

Spoofing / Phishing detection feature:
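The header-only part of that feature, shown as an added Python example that is not Elyzer's own code: it walks the Received chain oldest-first to find the sender's public IPv4 (the value the IPv4 requirement above refers to), reads the spf/dkim/dmarc verdicts from Authentication-Results, and flags a From / Envelope-From domain mismatch. The header is constructed, and the DNS comparisons Elyzer performs are left out so the snippet runs offline, as in -nd mode.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header (not a real message). IPv4 literals come from
# documentation ranges; the Authentication-Results values are made up.
RAW_HEADER = """Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10]) by inbound.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20]) by relay.example.net with ESMTPA; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: inbound.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail
From: "Payroll" <payroll@example.com>
Subject: Updated bank details

"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")       # bracketed IPv4 literal
PRIVATE = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def received_hops(raw):
    """Relay route oldest-first as (ipv4_or_None, timestamp); each MTA prepends
    its own Received line, so the last header in the message is the first hop."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = IPV4.search(value)
        ts = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append((m.group(1) if m else None, ts))
    return hops


def sender_smtp_ip(hops):
    """First public IPv4 on the route: the sender's SMTP server as the receiving
    side saw it. IPv6-only hops carry no match and are skipped (None overall)."""
    return next((ip for ip, _ in hops if ip and not PRIVATE.match(ip)), None)


def auth_results(raw):
    """spf/dkim/dmarc verdicts from the Authentication-Results header."""
    ar = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))


def spoofing_indicators(raw):
    """Header-only red flags: From vs Envelope-From mismatch and non-pass verdicts."""
    msg = message_from_string(raw)
    domain = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    findings = []
    if domain("Return-Path") and domain("From") != domain("Return-Path"):
        findings.append(f"From domain {domain('From')} != Envelope-From {domain('Return-Path')}")
    findings += [f"{k}={v}" for k, v in auth_results(raw).items() if v != "pass"]
    return findings
```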

To-Do

  • Add JSON output functionality.
  • Add a functionality to be able to passively query DNS information to reduce OPSEC concerns.
  • Switching entirely to the Driftnet API
  • Optimize my garbage code :D

Notes

Credits for the getReceivedFields & getFields functions go to "spcnvdr" spcnvdrr@protonmail.com, Copyright 2020.
Also, thanks to @triggerfx for the custom Logo !

Disclaimer

This tool is primarily created for me as a project to enhance my coding skills and start creating some red team / blue team tools. It is not considered to be the most efficient tool out there.