Github Repo: https://github.com/ChrisTruncer/Just-Metadata
For some time now, I’ve been working on a tool which aggregates data about IP addresses from publicly available sources. Three separate events prompted this project. First, I began noticing a large number of IP addresses attempting to brute force their way into my mail server. Second, a large number of systems/IPs scanned my web server for vulnerable web applications (Tomcat, phpMyAdmin, etc). Finally, ATD sometimes will receive spam email that contains malware. Justin Warner (@sixdub), ATD’s resident reverse engineer, investigated one of the malware sample in a spam message we received and was able to extract the IP addresses of the callback domain.
I wanted to see if there was anything I could learn about the systems/IPs targeting my server and the malware callback domains we were seeing. Specifically, I wanted to collect the following:
- IP Whois Information
- Geographical Information
- Shodan information (Ports, keys, certificates, etc.)
- VirusTotal
- Various Threat Feeds
- etc…
After a couple conversations with Justin, I decided to write a tool to do just that. Justin and I brainstormed functionality that would be useful, and the type of information we would want to gather. However, just simply gathering the information isn’t necessarily enough to provide any sort of value. It’s the analysis of the available data where I can get something useful. Are the systems that are scanning me owned by the same person/company/etc.? Are they located in the same country? To answer these questions, I wrote Just-Metadata, which I am happy to release today.
Let’s walk through some of the features, and how Just-Metadata works.
To start off using Just-Metadata, create a text file containing a list of IP addresses (each on a new line). To get the IPs into the Just-Metadata, you’ll use the load command, and provide the path to the file containing the IP addresses, similar to either of the following:
load ips.txt – If ips.txt is in the same directory as Just-Metadata
load /home/SonofFlynn/iplist.txt – Full path to file is also accepted
You should soon see a message indicating that X number of IPs have been loaded.
Now that the IPs we want to investigate have been loaded into the framework, we can begin the information gathering process. Just-Metadata can connect to and gather information from a variety of different sources. To see the different sources that Just-Metadata grabs from, simply run the command “list gather”, and you should see something similar to the following:
The information left of the “=>” is the module name, and the information to the right gives a description of what it gathers. To actually collect information from each source, you would use the “gather” command. As an example, to grab information from Shodan about the loaded IPs, I would run “gather shodan”. I would then see Just-Metadata querying Shodan (or the selected source) for information. NOTE: Shodan is the only source within Just-Metadata that requires an API key. Be sure to place your API key into the shodan module. To do this, open the shodan module (located at Just-Metadata/module/intelgathering/get_shodan.py and add your API key in line 16, for the self.api_key variable. All other modules work without any requirement other than an internet connection.
I will typically follow this process for all available intelligence gathering sources within Just-Metadata. One item to note is that some sources are rate-limited, so certain intelgathering modules can take time to complete depending upon the number of IPs that need to be investigated. Once all of the different intelgathering sources have completed gathering information, the meat of the tool can be put to use, the analysis modules.
Just-Metadata can be used to perform automated analysis against the gathered data. The goal of these modules should be to analyze patterns across all of the gathered data, and attempt to find, and display, meaningful data for consumption by the user. This is what I consider to be the most valuable part of the tool. Collecting data is important, but extrapolating meaning from it is where the actual good stuff lies. Analysis modules have full access to all data collected by the framework, and should be used to identify patterns in data, or anything that can be used to find useful data in an otherwise large dataset. To start off, you can list all of the different analysis modules by using the “list analysis” command. When running this, you should see something similar to the following:
To use any of the available analysis modules, just use the “analyze” command. For example, if we want to view the top X cities, countries, timezones, ISPs, etc. that are included within the loaded IP addresses, you can use the “Geo” module. To run this module, just type “analyze geoinfo”. You will be prompted for the number of results you want back per category, I usually choose 10, but feel free to adjust as you see fit. Once you provide the total number of results per category, you should see something similar to the following (amongst additional data):
Another module that I find useful is the “keys” module. This module works by parsing the data from Shodan, and looks for shared SSH keys, or HTTPS certificates across all IPs loaded into Just-Metadata. The keys module will then ask the number of keys you want displayed, and will show any SSH keys, HTTPS certificates, etc. that is shared across any of the loaded IP addresses. When running “analyze keys” you might see something similar to the following:
In this limited number of IPs, there weren’t any systems that shared the same SSH keys, however there are three different IPs that have a shared https certificate.
Another analysis option is the “feedhits” module. This will compare all of the IPs loaded into the framework with a variety of different threat intel feeds that are available on the internet. If an IP is in any of the threat intel feeds, it will highlight and call them out. When comparing the loaded IPs to different threat intel feeds, these were some of my results:
If at any point you would like to see all the information gathered about a single IP address, you can do that by using the “ip_info” command along with the IP address. So the command may look like “ip_info 180.253.10.125” and your output might be similar to the following:
Another feature that I wanted in this tool is the ability to save the current state, and then reload it for analysis later. Just-Metadata can do this with the “save” and “import” functions. To save your current state (after you’ve gathered any data you wish to have saved along with the state), simply type “save” at the command prompt. You should see something similar to:
You can now safely exit Just-Metadata without losing any of the data you’ve gathered.
To import any state that’s been saved to disk, just use the import command, along with the path to a Just-Metadata state file. Your command could be something like “import metadata06082015_172032.state” and once run, should look similar to:
I believe that this covers most of the functionality in Just-Metadata. If there’s anything that’s missing that would be helpful to have explained, let me know and I’ll be sure to add to this post. I’m available at @christruncer on Twitter or in #veil on Freenode!
Robtex provide some very useful information (see the shared section) e.g. https://www.robtex.com/en/advisory/ip/8/8/8/8/
It would be awesome to have some of those (although I think that right now they don’t have an API)
Do you have plans for exporting by individual IP and in bulk? I like the ip_info query but it would be most useful to be able export that easily. Also, can I chain gather and analyze commands together? Thanks for a very cool tool.
so, ip_info right now is useful for a single IP. I can definitely add in a command that will dump all the information for all IPs.
It would also be very useful to be able to select a string of actions to take and run it against all IPs from a script and the UI. That could run up against timeouts for the various APIs being called but if a delay can be selected/set between the calls, that could be avoidable.
So something like metasploit resource scripts, where you feed it a script that executes all the commands inside it?
Yes, that would work.
I don’t have an answer file, but I did just add in the ability to run Just-Metadata from the CLI. So you can essentially automate the different gathering and analysis modules via a script if you’re like.
Any thoughts on making this into an Request Tracker tool? It’d be extremely useful in that sense.
Also as a one shot command? I think this is what Chris suggested…
What do you mean by a request tracker tool?
Sorry should have linked!
https://www.bestpractical.com/rtir/
Basically when you lookup an IP it provides you with a list of lookup tools a bit like Just-Metadata, but not so detailed and useful…!
Looks interesting but what is the benefit over existing tools like Automater (http://www.tekdefense.com/automater/) or recon-ng?
That does look somewhat similar to Automater. This is more focused on trying to identify relationships between multiple IP addresses IMO, but there definitely are similarities. Same thing with Recong-NG. Recon-ng is a great tool, but this just does something a little different.
Hello,
This looks like an awesome tool. I am getting the following error in Ubuntu when attempting to execute:
Traceback (most recent call last):
File “./justmetadata.py”, line 12, in
from common import helpers
File “/mnt/hgfs/VolShare/Python/common/__init__.py”, line 4
^
SyntaxError: invalid syntax
Any thoughts?
Thanks!
Kris
Hi, I really don’t know on that. Can you try running this on Kali? Also, did you run the setup script?