
:eagle: Use fingerprinting to actively hunt for Command and Control servers on Shodan. Process threat feeds from Abuse.ch services to create a local database of C2 servers.

Primary language: Python. License: GNU General Public License v3.0 (GPL-3.0).


Utilize fingerprinting techniques to actively hunt for Command and Control (C2) servers on Shodan.
In addition, incorporate threat feeds from Feodo Tracker, ThreatFox, and URLhaus to generate a personalized, local database of C2 servers.


Table of Contents

  • Pre-requisites
  • Installing Required Packages
  • API Key
  • Usage
  • Resources
  • Development

📔 Pre-requisites

  • the current version requires a Linux-based operating system
  • install Python version >= 3.6
  • clone this project with the following command
$ git clone https://github.com/martinkubecka/C2Hunter.git
  • in the config directory create a config.yml file based on the config/example.yml structure

📦 Installing Required Packages

$ pip install -r requirements.txt

🗝️ API Key

  • add your Shodan API key to the newly created config/config.yml file

Note: Shodan's Freelancer Plan may not be sufficient, depending on how frequently this application is run.


🦅 Usage

usage: c2hunter.py [-h] [-q] [-c FILE] [-o DIRECTORY] [-s] [-p] [-ds] [-df] [-du] [-dt] [-db]

Utilize fingerprinting techniques to actively hunt for Command and Control (C2) servers on Shodan. 
In addition, incorporate threat feeds from Feodo Tracker, ThreatFox, and URLhaus to generate a personalized, local database of C2 servers.

options:
  -h, --help                        show this help message and exit
  -q, --quiet                       do not print a banner
  -c FILE, --config FILE            config file (default: "config/config.yml")
  -o DIRECTORY, --output DIRECTORY  output directory (default: "reports/")
  -s, --search-country-code         search IoCs based on the configured country code
  -p, --print-active                print filtered active endpoints to the console

disable options:
  -ds, --disable-shodan             disable querying Shodan
  -df, --disable-feodotracker       disable querying Feodo Tracker
  -du, --disable-urlhaus            disable querying URLhaus
  -dt, --disable-threatfox          disable querying ThreatFox
  -db, --disable-backup             disable file reports backup
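The feed-processing step the project description refers to (turning an Abuse.ch feed into a local C2 database that log entries can be matched against), as an added illustration that is not C2Hunter's own code. It assumes the column layout of Feodo Tracker's IP blocklist CSV and uses a constructed sample feed rather than live data.

```python
import csv
import ipaddress
import sqlite3

# Constructed sample in the column layout of Feodo Tracker's ipblocklist CSV
# (assumed layout: first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware).
SAMPLE_FEED = """\
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample, not live data)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2024-01-05 10:00:00,192.0.2.10,443,online,2024-01-06,Dridex
2024-01-05 11:00:00,198.51.100.7,8080,offline,2024-01-05,QakBot
2024-01-05 10:00:00,192.0.2.10,443,online,2024-01-06,Dridex
2024-01-06 09:30:00,not-an-ip,443,online,2024-01-06,Emotet
"""


def parse_feed(text):
    """Yield (ip, port, status, malware) rows; skip comment lines and bad IPs."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    for row in csv.DictReader(lines):
        try:
            ip = str(ipaddress.ip_address(row["dst_ip"].strip()))
            port = int(row["dst_port"])
        except ValueError:
            continue  # malformed indicator: drop it rather than store garbage
        yield ip, port, row["c2_status"].strip().lower(), row["malware"].strip()


def build_db(text, path=":memory:"):
    """Load feed rows into a local SQLite table; duplicates collapse on (ip, port)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS c2 (ip TEXT, port INTEGER, status TEXT,"
               " malware TEXT, PRIMARY KEY (ip, port))")
    db.executemany("INSERT OR REPLACE INTO c2 VALUES (?, ?, ?, ?)", parse_feed(text))
    db.commit()
    return db


def active_c2(db):
    """Return the (ip, port) pairs the feed currently marks as online."""
    rows = db.execute("SELECT ip, port FROM c2 WHERE status = 'online' ORDER BY ip")
    return [tuple(r) for r in rows]


def check_connection(db, dst_ip, dst_port):
    """Match a destination seen in firewall/proxy logs; None if not a known C2."""
    row = db.execute("SELECT malware, status FROM c2 WHERE ip = ? AND port = ?",
                     (dst_ip, dst_port)).fetchone()
    return None if row is None else {"malware": row[0], "status": row[1]}
```

Passing a file path instead of ":memory:" to build_db keeps the database between runs, which is what makes repeated feed pulls accumulate into a local history.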

📂 Resources


🧰 Development

🏢 Virtual environment

  1. use your package manager to install python-pip if it is not present on your system
$ sudo apt-get install python-pip
  2. install virtualenv
$ pip install virtualenv
  3. verify the installation by checking the virtualenv version
$ virtualenv --version
  4. inside the project directory create a virtual environment called venv
$ virtualenv --python=python3 venv
  5. activate it with the source command
$ source venv/bin/activate
  6. you can deactivate the virtual environment from the parent folder of the venv directory with the deactivate command
$ deactivate
