WithSecureLabs/snake WithSecureLabs/snake

  • Stars
    star
    205
  • Rank 190,139 (Top 4 %)
  • Language
    Shell
  • License
    BSD 3-Clause "New...
  • Created over 6 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
WithSecureLabs/snake
github

WithSecureLabs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

snake - a malware storage zoo

banner

Introduction

Snake is a malware storage zoo that was built out of the need for a centralised and unified storage solution for malicious samples that could seamlessly integrate into the investigation pipeline.

Snake is designed to provide just enough information to allow analysts to quickly and efficiently pivot to the most suitable tools for the task at hand. That being said there will be times where the information provided by Snake is more than sufficient. It is a Python based application built on top of Tornado and MongoDB. Scales provide Snake with a variety of functionality from static analysis through to interaction with external services.

For more information, please see: Wiki

The Snake Family

There is more to Snake than just the above, below is a summary:

  • snake: The malware storage zoo.
    • core: The main guts of Snake and the RESTful API.
    • pit: The celery based workers that are used to execute static based commands.
  • snake-charmer: The regression based test suite.
  • snake-scales: The official repository of snake scales (plugins).
  • snake-skin: The Web UI.
  • snake-tail: The UNIX based command line UI.

Install

There are a few ways to install Snake, but the install scripts below will install Snake and the Web UI (Snake Skin).

Note: To install these components individually refer to their respective repositories.

Docker

Snake can be run simply with the following commands:

# Get the lastest version of Snake
git clone https://github.com/countercept/snake.git
git submodule init
git submodule update

# Run Snake
sudo docker-compose up

Snake scales can be installed by exec'ing into the Snake container and running snake install:

# Exec into the Snake container
sudo docker exec -it snake_snake_1 /entrypoint.sh /bin/bash

# Install a scale
snake install SCALE_NAME

Production

This is the preferred method and will install Snake and the Web UI (Snake Skin) into the UNIX system.

Dependencies

There are a few dependencies to install Snake and Web UI (Snake Skin).

Required

  • (Snake) LibYAML
  • (Snake) MongoDB 3.4 or greater
  • (Snake) Python 3.5 or greater
  • (Snake) Redis
  • (Snake Skin) NodeJS 8 or greater
  • (Snake Skin) NPM

Optional

  • (Snake) libfuzzy & ssdeep

The above can be installed like so:

Ubuntu 17.10

# Install dependencies
sudo apt-get install libyaml-dev mongodb nodejs npm python3-dev python3-pip redis-server libfuzzy-dev ssdeep

Ubuntu 16.04

# Install cURL
sudo apt-get install curl

# Add repository for MongoDB 3.6
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list

# Add repository for nodejs 8
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -

# Install dependencies
sudo apt-get update
sudo apt-get install libyaml-dev mongodb-org nodejs python3-dev python3-pip redis-server libfuzzy-dev ssdeep

# Update pip and setuptools
sudo -H pip3 install --upgrade pip setuptools
git clone https://github.com/countercept/snake.git
cd snake
sys/install.sh

To start Snake:

# Start Snake Pit and Snake services
systemctl start snake-pit
systemctl start snake

To serve Snake Skin (port: 3000):

# Start Snake Skin
systemctl start snake-skin

Scales (Plugins)

By default Snake only provides three core scales:

  • hashes: a command based scale used to perform a variety of hashing techniques on a sample.
  • strings: a command based module to run strings on a sample.
  • url: an upload based component used to upload samples to Snake from URLs.

Installing Additional Scales

Additional Scales are available at snake-scales

Snake provides a wrapper around pip to ease the installation of scales. A scale can be installed with this utility like so:

snake install virustotal

A scale can be checked at any time to see if it will successfully load in Snake.

snake check virustotal

Note: Whenever a new scale is installed, Snake and Celery must be restarted.

To create a scale, please see Scale Documentation

Usage

Both installations will serve Snake on port 5000 (API) and Snake Skin on port 8000.

To communicate with the WebUI:

Visit http://127.0.0.1:8000

To communicate with the API:

curl http://127.0.0.1:5000

Screenshots

Details View

An overview of a sample that has been uploaded to Snake, with additional data enrichment from Cuckoo and VirusTotal.

details

Notes View

Stores an user written notes about the sample.

notes

Analysis View

This view is used to execute and view commands on a sample.

analysis

Interfaces View

This view is used to communicate with external services in relation to a sample.

interfaces

Configuration

For an overview of Snake's settings, please see Snake

For an overview of Snake Skin's settings, please see Snake Skin

More Repositories

1

drozer

The Leading Security Assessment Framework for Android.
Python
3,743
star
2

chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
Rust
2,713
star
3

C3

Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
C++
1,478
star
4

needle

The iOS Security Testing Framework
Python
1,322
star
5

doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
Python
1,008
star
6

awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
Python
898
star
7

python-exe-unpacker

A helper script for unpacking and decompiling EXEs compiled from python code.
Python
751
star
8

leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.
Jupyter Notebook
446
star
9

physmem2profit

Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C#
364
star
10

android-keystore-audit

JavaScript
355
star
11

Jandroid

Python
300
star
12

CallStackSpoofer

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
C++
294
star
13

bitlocker-spi-toolkit

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.
Python
271
star
14

captcha22

CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks.
Python
243
star
15

doublepulsar-c2-traffic-decryptor

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Python
224
star
16

Jamf-Attack-Toolkit

Suite of tools to facilitate attacks against the Jamf macOS management platform.
Python
172
star
17

IAMSpy

Python
169
star
18

LinuxCatScale

Incident Response collection and processing scripts with automated reporting scripts
Shell
165
star
19

IceKube

Python
161
star
20

peas

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.
Python
152
star
21

damn-vulnerable-llm-agent

Python
145
star
22

ppid-spoofing

Scripts for performing and detecting parent PID spoofing
PowerShell
127
star
23

detectree

Data visualization for blue teams
Svelte
122
star
24

GarbageMan

GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.
C++
115
star
25

drozer-agent

The Android Agent for the Mercury Security Assessment Framework.
Java
111
star
26

doublepulsar-usermode-injector

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
C
104
star
27

TickTock

C++
100
star
28

ModuleStomping

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
C++
87
star
29

dotnet-gargoyle

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
C#
50
star
30

cloud-wiki

A public cloud security knowledgebase - https://www.secwiki.cloud/
CSS
47
star
31

AMSIDetection

AMSI detection PoC
C#
29
star
32

tau-engine

A document tagging library
Rust
29
star
33

radare2-scripts

A collection of useful radare2 scripts!
Python
25
star
34

CVE-2021-25374_Samsung-Account-Access

This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members installed on their Samsung Device, and if the victim's device is from the US or Korea region.
Python
23
star
35

ESFang

ESF modular ingestion tool for development and research.
Objective-C
18
star
36

macOSTriageCollectionScript

A triage data collection script for macOS
Shell
17
star
37

lazarus-sigma-rules

17
star
38

RemotePSpy

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
Python
17
star
39

FLAIR

F-Secure Lightweight Acqusition for Incident Response (FLAIR)
Batchfile
16
star
40

mongo-rs

A higher-level wrapper on top of the official bson & mongodb crates.
Rust
15
star
41

volatility-plugins

Python
11
star
42

FixerUpper

A Burp extension to enable modification of FIX messages when relayed from MitM_Relay
Python
11
star
43

snake-core

snake-core - the real snake
Python
11
star
44

jdiesel

jdiesel fuels the drozer
Java
10
star
45

llm-vulnerable-recruitment-app

An example vulnerable app that integrates an LLM
Python
7
star
46

memory-carving-scripts

Scripts for extracting useful information from infected memory dumps
PowerShell
7
star
47

shadowhammer

Tools related to 'shadowhammer' attack, https://securelist.com/operation-shadowhammer/89992
Python
7
star
48

keywe-tooling

Tools that can be used to interact with the KeyWe Smart Lock device.
Python
6
star
49

datamate

Python
6
star
50

deject

Memory dump and Sample analysis tool
Python
6
star
51

usb-ninja-detection-poc

USB Ninja Detection PoC
C++
5
star
52

iocs

YARA
5
star
53

snake-scales

snake-scales - the default repository of snake scales
Python
4
star
54

dreamer

Easier cloud infrastructure with Terraform and Ansible
Python
4
star
55

snake-skin

snake-skin - the web ui for snake
Svelte
2
star
56

boops-boops-android-agent

Java
1
star
57

snake-tail

snake-tail - the command line ui for snake
Python
1
star
58

slide-decks

1
star