Submit domain or IP to Shodan and VirusTotal, pull malicious information, find CS beacons based on JARM signature.
- nmap script to check for CS beacons. Place in $NMAPDIR
- https://github.com/whickey-r7/grab_beacon_config/blob/main/grab_beacon_config.nse
- Windows:
C:\Program Files (x86)\Nmap\scripts - Linux:
/usr/share/nmap/scripts - MacOS:
/usr/local/share/nmap/scripts
- Windows:
- https://github.com/whickey-r7/grab_beacon_config/blob/main/grab_beacon_config.nse
API Keys are handled through environment variables.
-
VT_API,URLSCAN_API,SHODAN_API -
For permanent storage, store in
envpath- Windows: Add to system variables or use a PowerShell cmdlet
$env:<API_KEY> = '<value>'- ex.
$env:SHODAN_API = 'apikeyvalues' - check with
$ dir env:
- ex.
- MacOS / Linux: Modify
.bashrc$ export API_KEY=VALUE$ source ~/.bashrc
- Windows: Add to system variables or use a PowerShell cmdlet
-
For temporary storage, a prompt will appear if the command requires an API key. This method does not persist.
A help command will show available commands. Just run ./gollector help .
- MacOS / Linux:
./gollector [command] <ip> - Windows:
gollector.exe [command] <input>