RedSiege/Just-Metadata RedSiege/Just-Metadata

  • Stars
    star
    623
  • Rank 72,088 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 9 years ago
  • Updated 5 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
RedSiege/Just-Metadata
github

RedSiege

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.

Just-Metadata

Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.

Just-Metadata will allow you to quickly find the Top "X" number of states, cities, timezones, etc. that the loaded IP addresses are located in. It will allow you to search for IP addresses by country. You can search all IPs to find which ones are used in callbacks as identified by VirusTotal. Want to see if any IPs loaded have been documented as taking part of attacks via the Animus Project, Just-Metadata can do it.

Additionally, it is easy to create new analysis modules to let people find other relationships between IPs loaded based on the available data. New intel gathering modules can be easily added in just as easily!

Setup

Ideally, you should be able to run the setup script, and it will install everything you need.

For the Shodan information gathering module, YOU WILL NEED a Shodan API key. This costs like $9 bucks, come on now, it's worth it :).

Usage

As of now, Just metadata is designed to read in a single text file containing IPs, each on their own new line. Create this file from any source (C2 callback IPs, web server logs, etc.). Once you have this file, start Just-Metadata by calling it:

./Just-Metadata.py

Commands

help - Once in the framework, to see a listing of available commands and a description of what they do, type the "help" command.

load <filename> - The load command takes an extra parameter, the file name that you (the user) want Just-Metadata to load IP addresses from. This command will open, and load all IPs within the file to the framework.

Ex: load ipaddresses.txt

save - The save command can be used to save the current working state of Just-Metadata. This is helpful in multiple cases, such as after gathering information about IPs, and wanting to save the state off to disk to be able to work on them at a later point in time. Simply typing "save" will result in Just-Metadata saving the state to disk, and displaying the filename of the saved state.

import <statefile> - The import command can be used to load a previously saved Just-Metadata state into the framework. It will load all IPs that were saved, and all information gathered about the IP addresses. This command will require an extra parameter, the name of the state file that you want Just-Metadata to load.

Ex: import goodfile.state

list <module type> - The list command can be used to list the different types of modules loaded into Just-Metadata. This command will take an extra parameter, either "analysis" or "gather". Just-Metadata will display all mofules of the type that the user requests is listed.

Ex: list analysis

Ex: list gather

gather <gather module name> - The gather command tells Just-Metadata to run the module specified and gather information from that source. This can be used to gather geographical information, Virustotal, whois, and more. It's all based on the module. The data gathered will be stored within the framework in memory and can also be saved to disk with the "save" command.

Ex: gather geoinfo

Ex: gather virustotal

analyze <analysis module name> - The analyze command tells Metadata to run an analysis module against the data loaded into the framework. These modules can be used to find IP addresses that share the same SSH keys or SSL Public Key certificates, or certificate chains. They can also be used to find IP addresses used in the same callbacks by malicious executables.

ip_info <IP Address> - This command is used to dump all information about a specific IP address. This is currently being used after having run analysis modules. For example, after identifying IP addresses that share the same SSH keys, I can dump all information about those IPs. I will see if they have been used by malware, where they are located, etc.

export - The export command will have Just-Metadata dump all information that's been gathered about all IP addresses currently loaded into the framework to CSV.

Thanks

Thanks to Justin Warner (@sixdub) for helping to give me some initial feedback, design ideas, and act as a sounding board during development!

More Repositories

1

EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Python
4,899
star
2

C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
Python
987
star
3

WMImplant

This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
PowerShell
798
star
4

Egress-Assess

Egress-Assess is a tool used to test egress data detection capabilities
PowerShell
610
star
5

GraphStrike

Cobalt Strike HTTPS beaconing over Microsoft Graph API
C
539
star
6

EXCELntDonut

Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
Python
498
star
7

WMIOps

This repo is for WMIOps, a powershell script which uses WMI for various purposes across a network.
PowerShell
381
star
8

EDD

Enumerate Domain Data
C#
312
star
9

PersistAssist

Fully modular persistence framework
C#
249
star
10

CIMplant

C# port of WMImplant which uses either CIM or WMI to query remote systems
C#
196
star
11

AutoFunkt

Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
Python
189
star
12

Jigsaw

Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
Python
173
star
13

AggressorAssessor

Aggressor scripts for phases of a pen test or red team assessment
Python
171
star
14

hot-manchego

Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
C#
140
star
15

jargon

Python
114
star
16

Screenshooter

C# program to take a full size screenshot or a recording of the user's desktop. Takes in 0-3 flags
C#
83
star
17

DigDug

Python
66
star
18

FunctionalC2

A small POC of using Azure Functions to relay communications. Feel free to add additional functionality beyond this POC!
Python
66
star
19

What-The-F

This repo hosts a poc of how to execute F# code within an unmanaged process
C++
64
star
20

SqlClient

POC for .NET mssql client for accessing database data through beacon
C#
59
star
21

MiddleOut

A small .NET compression utility
C#
54
star
22

Hasher

Hasher is designed to be a tool that allows you to quickly hash plaintext strings, or compare hashed values with a plaintext locally. Not meant to crack passwords, but designed for local checks.
Python
48
star
23

GPPDeception

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers
PowerShell
44
star
24

rstools

Python
39
star
25

Chromatophore

Utilities for obfuscating shellcode
C
38
star
26

RandomScripts

Scripts for public use that we've randomly written, or have updated from other people's work.
Shell
36
star
27

ProxmarkWrapper

A wrapper around the Proxmark3 client that will alert the user of specific events
Python
29
star
28

CLM-Base64

This project provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode
PowerShell
22
star
29

SharpCollectionTemplate

PowerShell
13
star
30

Delta-Encoder

Python
12
star
31

CredCheck

.NET wrapper around LogonUserA to test creds
C#
10
star
32

RansomwareTalks

code for ransomware talks
C#
8
star
33

CUDA-Installation-Script

Quick and dirty installation script for CUDA drivers on Ubuntu 18.04 LTS to save a bit of time.
Shell
3
star