🦅 Use fingerprinting to actively hunt for Command and Control servers on Shodan. Process threat feeds from Abuse.ch services to create a local database of C2 servers.

martinkubecka/C2Hunter

Utilize fingerprinting techniques to actively hunt for Command and Control (C2) servers on Shodan.
In addition, incorporate threat feeds from Feodo Tracker, ThreatFox, and URLhaus to generate a personalized, local database of C2 servers.

📔 Pre-requisites

  • the current version requires a Linux-based operating system
  • install Python version >= 3.6
  • clone this project with the following command
$ git clone https://github.com/martinkubecka/C2Hunter.git
  • in the config directory, create a config.yml file based on the structure of config/example.yml

📦 Installing Required Packages

$ pip install -r requirements.txt

🗝️ API Key

  • add your Shodan API key to the newly created config/config.yml file

Note: Shodan's Freelancer Plan may not be sufficient, depending on how frequently this application is run.


🦅 Usage

usage: c2hunter.py [-h] [-q] [-c FILE] [-o DIRECTORY] [-s] [-p] [-ds] [-df] [-du] [-dt] [-db]

Utilize fingerprinting techniques to actively hunt for Command and Control (C2) servers on Shodan. 
In addition, incorporate threat feeds from Feodo Tracker, ThreatFox, and URLhaus to generate a personalized, local database of C2 servers.

options:
  -h, --help                        show this help message and exit
  -q, --quiet                       do not print a banner
  -c FILE, --config FILE            config file (default: "config/config.yml")
  -o DIRECTORY, --output DIRECTORY  output directory (default: "reports/")
  -s, --search-country-code         search IoCs based on the configured country code
  -p, --print-active                print filtered active endpoints to the console

disable options:
  -ds, --disable-shodan             disable querying Shodan
  -df, --disable-feodotracker       disable querying Feodo Tracker
  -du, --disable-urlhaus            disable querying URLhaus
  -dt, --disable-threatfox          disable querying ThreatFox
  -db, --disable-backup             disable file reports backup
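The feed-processing side described above, as an added example that is not part of C2Hunter's own code: a Feodo Tracker-style JSON blocklist is normalised into a local SQLite table keyed on (ip, port), and active endpoints are then filtered by country code, mirroring what the -s and -p options describe. The feed entries and their field names are a constructed sample modelled on the Feodo Tracker JSON export, not real indicators.

```python
import json
import sqlite3

# Constructed sample modelled on the Feodo Tracker JSON blocklist (assumed field
# names); the addresses come from documentation ranges and are not real C2s.
SAMPLE_FEED = json.dumps([
    {"ip_address": "192.0.2.10", "port": 443, "status": "online",
     "country": "DE", "malware": "Dridex", "last_online": "2023-01-10"},
    {"ip_address": "198.51.100.7", "port": 8080, "status": "offline",
     "country": "DE", "malware": "Emotet", "last_online": "2022-12-01"},
    {"ip_address": "203.0.113.5", "port": 447, "status": "online",
     "country": "US", "malware": "TrickBot", "last_online": "2023-01-09"},
])


def init_db(conn):
    """Create the local C2 table; (ip, port) is the natural key so that
    re-running the feed refreshes rows instead of duplicating them."""
    conn.execute("""CREATE TABLE IF NOT EXISTS c2 (
        ip TEXT NOT NULL, port INTEGER NOT NULL, status TEXT,
        country TEXT, malware TEXT, last_online TEXT, source TEXT,
        PRIMARY KEY (ip, port))""")


def ingest_feodotracker(conn, raw_json, source="feodotracker"):
    """Parse a Feodo Tracker-style JSON list and upsert every entry.
    Returns the number of entries processed."""
    rows = [(e["ip_address"], int(e["port"]), e.get("status"),
             e.get("country"), e.get("malware"), e.get("last_online"), source)
            for e in json.loads(raw_json)]
    conn.executemany("INSERT OR REPLACE INTO c2 VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def active_endpoints(conn, country_code=None):
    """Return 'online' endpoints as ip:port strings, optionally limited to one
    country (the local equivalent of --print-active with --search-country-code)."""
    sql = "SELECT ip, port FROM c2 WHERE status = 'online'"
    params = ()
    if country_code:
        sql += " AND country = ?"
        params = (country_code.upper(),)
    return [f"{ip}:{port}" for ip, port in conn.execute(sql + " ORDER BY ip", params)]


def build_database(path=":memory:", raw_json=SAMPLE_FEED):
    """Create (or open) the database at path and load one feed into it."""
    conn = sqlite3.connect(path)
    init_db(conn)
    ingest_feodotracker(conn, raw_json)
    return conn
```

Pass a file path instead of ":memory:" to persist the database between runs; a second ingest of the same feed updates the existing rows rather than adding new ones.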

📂 Resources


🧰 Development

🏢 Virtual environment

  1. use your package manager to install python-pip if it is not present on your system
  2. install virtualenv
  3. verify the installation by checking the virtualenv version
  4. inside the project directory, create a virtual environment called venv
  5. activate it with the source command
  6. you can deactivate the virtual environment from the parent folder of the venv directory with the deactivate command
$ sudo apt-get install python-pip
$ pip install virtualenv
$ virtualenv --version
$ virtualenv --python=python3 venv
$ source venv/bin/activate
$ deactivate
