Wojciech

@woj_ciech

OSINT tool for visualizing relationships between domains, IPs and email addresses.

September 22nd 2018

TL;DR

I wrote a script that takes a domain, IP or email address as input and searches for it in various services such as Whois, reverse Whois, historical Whois, VirusTotal, Threatcrowd and others.
Everything is logged to Elasticsearch and JSON files. Additionally, at the end it creates a graph that illustrates all of the connections between resources.

https://github.com/woj-ciech/Danger-zone

Introduction

I showed how to collect malware samples, analyze them and get command and control servers; now it’s time to go deeper.

There are many cases when you need to map the infrastructure used in an attack based on only one email address or a single domain. It’s tedious work to check everything manually and then connect the dots. Visualizing helps you get the full picture of the attacker’s network, and then you can go deeper to track as many leads as you can. Every piece of information may be valuable for tracking the identity of the threat actor, so if we are able to search for it in multiple sources, there is a better chance of getting more useful info. In addition, connecting all of these sources and making connections between the gathered data allows you to fully understand what you are dealing with.

“printed sticky notes glued on board” by Daria Nepriakhina on Unsplash

Danger Zone

Kudos for Archer fans

When tracking malicious behavior on the Internet, lots of tools are used, and the main goal of Danger Zone is to connect them into one, give you easily readable output, visualize it as a graph and store the rest of the data in Elasticsearch and JSON files.

I tried to use as many free-of-charge services as possible to do it in classic OSINT style, and the good news is that you need only two keys to use the tool. The first is Whoxy, which gives you free credits after registration, and the second is the well-known VirusTotal (the free version allows only 4 requests per minute). The rest of the services are totally free, like Trumail for email validation, Extreme IP for IP geolocation or Username Check for checking the presence of a username on social media sites.

The script goes only 2–3 levels down and shows the 3 newest results, just to give you insight into, for example, what is actually hosted on that IP, but all results are saved for further review. It can be used for a small-scale investigation or just as a part of bigger ones. Personally, I used it in three investigations, which I will show you next.
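The depth limit and the "3 newest results" cap described above can be sketched as a breadth-first pivot over indicators. This is an added example, not code from Danger Zone: the `SAMPLE` relations are constructed, and `lookup_sample`, `kind` and `build_graph` are hypothetical names. It also marks domains reached through a shared IP as weak links, since co-hosted domains do not have to be connected to the target.

```python
from collections import deque

# Constructed sample relations (not real lookups): indicator -> [(related, last_seen)],
# standing in for what reverse-Whois or passive-DNS style modules would return.
SAMPLE = {
    "admin@example.net": [("example.top", "2018-05-01"), ("example.biz", "2018-07-10"),
                          ("example.com", "2018-03-02"), ("old-example.org", "2015-01-20")],
    "example.biz": [("192.0.2.10", "2018-09-01")],
    "example.top": [("192.0.2.10", "2018-08-15"), ("hostmaster@example.org", "2018-08-15")],
    "192.0.2.10": [("unrelated-a.example", "2018-09-20"), ("example.biz", "2018-09-01")],
}

def lookup_sample(indicator):
    """Hypothetical lookup function backed by the constructed SAMPLE data."""
    return SAMPLE.get(indicator, [])

def kind(indicator):
    """Classify an indicator as email, ip (IPv4 only) or domain."""
    if "@" in indicator:
        return "email"
    parts = indicator.split(".")
    if len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts):
        return "ip"
    return "domain"

def build_graph(seed, lookup, max_depth=3, newest=3):
    """Breadth-first pivot from seed. Returns (edges, full_results)."""
    edges, full_results = [], {}
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue  # stop expanding; the node itself stays in the graph
        related = sorted(lookup(node), key=lambda r: r[1], reverse=True)
        full_results[node] = related  # everything is kept for later review
        for target, last_seen in related[:newest]:  # the graph shows the newest only
            # A domain reached through a shared IP may be unrelated to the target.
            strength = "weak" if kind(node) == "ip" and kind(target) == "domain" else "direct"
            edges.append((node, target, strength, last_seen))
            if target not in seen:  # avoid re-expanding on cycles
                seen.add(target)
                queue.append((target, depth + 1))
    return edges, full_results

if __name__ == "__main__":
    for src, dst, strength, last_seen in build_graph("admin@example.net", lookup_sample)[0]:
        print(f"{src} -> {dst} [{kind(dst)}, {strength}, last seen {last_seen}]")
```
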

Pedophile network

The idea for this kind of tool started when I came across this disgusting paste:

Someone was sharing CP and left his email for ‘support’. I wondered how much useful information could be gathered to track his identity.

Network started from “.net” email

I started from the “.net” email address, which is located at the center of the graph. With the help of the reverse Whois module, it found associated “.top”, “.com” and “.biz” domains. They are blurred for obvious reasons. Then these domains are checked for emails and IPs to give you insight into which IP the domain resolved to and what is hosted there right now. Additional information is displayed on the console. The last edges show you the newest domains hosted on that IP, and they don’t have to be connected to your target.

Snippet of console output

The email and username are very unique, so I can connect the Twitter account to the email with medium confidence. We see that this user posted links to the Google URL shortener (already disabled) with bot-like behavior. The last post was in 2012 but, as we can see, he still operates.

Twitter account connected to email

With the help of this tool and other semi-automatic techniques, I was able to build a network of this kind of websites, including emails, records from Whois (telephone numbers, addresses and others), IPs and domains (some of them are still running and sharing disturbing content).

Betabot case

Remember the C2 server from my previous article? It was goog[.]com and onedriveservice[.]com. Let’s find out what it looks like on the graph.

Graph for goog[.]com

Here we started from the goog[.]com domain. The script found an associated IP and one email address, which in turn is associated with other domains. At the end we can spot that a “yahoo.com” address is connected to a “.com” email, which is then related to our initial domain goog[.]com.

The graph for onedriveservice[.]com looks like this. We can see it was hosted on 185.106.120[.]202, and this IP is linked to other malicious domains like fakeavhelp[.]website or other domains with weird-looking TLDs.

Scams everywhere

Spamming campaigns, fake tech support sites and various other scams have to be hosted somewhere and under some names and emails. I read an article about the fximperium[.]net case, which was originally posted on one of the Polish security sites. Half of the work can be automated here; the graph below presents results for the domain fximperium[.]net.

Graph for fximperium[.]net

It is connected to email address gabriel[at]fximperium.com and we found another domain associated with this particular email.

If you need more information like an address, surname or other associated domains, you can always reach for Kibana. You just need to choose a module (on the left) and then provide your query.

Reverse whois module in Kibana

Of course, if you don’t have Elasticsearch in place, you can read the JSON files, which are created for every checked resource. Example check for the Whois history module for fximperium[.]biz.

JSON output

https://github.com/woj-ciech/Danger-zone

Conclusion

Based on the above cases, you saw how easy and fast mapping infrastructure and tracking individuals can be. You can also discover new leads, like historical data from Whois, and connect them to new email addresses. This tool can be part of bigger cases as well as separate small attempts to identify new potential leads or uncover malicious actors on the Internet.
