Utilize fingerprinting techniques to actively hunt for Command and Control (C2) servers on Shodan.
In addition, incorporate threat feeds from Feodo Tracker, ThreatFox, and URLhaus to generate a personalized, local database of C2 servers.
- the current version requires Linux based operating system
- install Python version >= 3.6
- clone this project with the following command
$ git clone https://github.com/martinkubecka/C2Hunter.git
- in the
config
directory createconfig.yml
file based on theconfig/example.yml
structure
$ pip install -r requirements.txt
- add your Shodan API key to the newly created
config/config.yml
file
Note: Shodan's Freelancer Plan may not be sufficient based on the frequency with which this application is run.
usage: c2hunter.py [-h] [-q] [-c FILE] [-o DIRECTORY] [-s] [-p] [-ds] [-df] [-du] [-dt] [-db]
Utilize fingerprinting techniques to actively hunt for Command and Control (C2) servers on Shodan.
In addition, incorporate threat feeds from Feodo Tracker, ThreatFox, and URLhaus to generate a personalized, local database of C2 servers.
options:
-h, --help show this help message and exit
-q, --quiet do not print a banner
-c FILE, --config FILE config file (default: "config/config.yml")
-o DIRECTORY, --output DIRECTORY output directory (default: "reports/")
-s, --search-country-code search IoCs based on the configured country code
-p, --print-active print filtered active endpoints to the console
disable options:
-ds, --disable-shodan disable querying Shodan
-df, --disable-feodotracker disable querying Feodo Tracker
-du, --disable-urlhaus disable querying URLhaus
-dt, --disable-threatfox disable querying ThreatFox
-db, --disable-backup disable file reports backup
- Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms by @BushidoToken
- Hunting Cobalt Strike C2 with Shodan by @MichalKoczwara
- Hunting C2 by @MichalKoczwara
- use your package manager to install
python-pip
if it is not present on your system - install
virtualenv
- verify installation by checking the
virtualenv
version - inside the project directory create a virtual environment called
venv
- activate it by using the
source
command - you can deactivate the virtual environment from the parent folder of
venv
directory with thedeactivate
command
$ sudo apt-get install python-pip
$ pip install virtualenv
$ virtualenv --version
$ virtualenv --python=python3 venv
$ source venv/bin/activate
$ deactivate