Github Repo: https://github.com/ChrisTruncer/Just-Metadata
For some time now, I’ve been working on a tool which aggregates data about IP addresses from publicly available sources. Three separate events prompted this project. First, I began noticing a large number of IP addresses attempting to brute force their way into my mail server. Second, a large number of systems/IPs scanned my web server for vulnerable web applications (Tomcat, phpMyAdmin, etc). Finally, ATD sometimes will receive spam email that contains malware. Justin Warner (@sixdub), ATD’s resident reverse engineer, investigated one of the malware sample in a spam message we received and was able to extract the IP addresses of the callback domain.
I wanted to see if there was anything I could learn about the systems/IPs targeting my server and the malware callback domains we were seeing. Specifically, I wanted to collect the following:
- IP Whois Information
- Geographical Information
- Shodan information (Ports, keys, certificates, etc.)
- Various Threat Feeds
After a couple conversations with Justin, I decided to write a tool to do just that. Justin and I brainstormed functionality that would be useful, and the type of information we would want to gather. However, just simply gathering the information isn’t necessarily enough to provide any sort of value. It’s the analysis of the available data where I can get something useful. Are the systems that are scanning me owned by the same person/company/etc.? Are they located in the same country? To answer these questions, I wrote Just-Metadata, which I am happy to release today.
Let’s walk through some of the features, and how Just-Metadata works.
To start off using Just-Metadata, create a text file containing a list of IP addresses (each on a new line). To get the IPs into the Just-Metadata, you’ll use the load command, and provide the path to the file containing the IP addresses, similar to either of the following: