Hamburglar -- collect useful information from urls, directories, and files

The Hamburglar

Setup

There are 2 versions of hamburglar, full and lite. The main branch is the full version, and hamburglar lite is on a separate branch.

Hamburglar

Full fledged scraping tool for artifact retrieval from multiple sources. There are some dependencies, so install them first:

pip3 install -r requirements.txt

Hamburglar also has the option of checking against file signatures during a hexdump. It will get skipped if not set up. To get it working, you will need to first create the database and a user:

CREATE DATABASE fileSign;
CREATE USER 'hamman'@'localhost' IDENTIFIED BY 'deadbeef';
GRANT ALL PRIVILEGES ON fileSign.signatures TO 'hamman'@'localhost';

Then, run magic_sig_scraper. This can be run on a cronjob to regularly update it, or just run it once:

python3 magic_sig_scraper.py

Hamburglar Lite

Multithreaded and recursive directory scraping script. Stores useful information with the filepath and finding. Hamburglar lite will never require external packages, and will always remain as a single script. Setup is as simple as requesting the file and using it:

wget https://raw.githubusercontent.com/needmorecowbell/Hamburglar/hamburglar-lite/hamburglar-lite.py

This is designed to be quickly downloaded and executed on a machine.

Operation

usage: hamburglar.py [-h] [-g] [-x] [-v] [-w] [-i] [-o FILE] [-y YARA] path

positional arguments:
  path                  path to directory, url, or file, depending on flag
                        used

optional arguments:
  -h, --help            show this help message and exit
  -g, --git             sets hamburglar into git mode
  -x, --hexdump         give hexdump of file
  -v, --verbose         increase output verbosity
  -w, --web             sets Hamburgler to web request mode, enter url as path
  -i, --ioc             uses iocextract to parse contents
  -o FILE, --out FILE   write results to FILE
  -y YARA, --yara YARA  use yara ruleset for checking

Directory Traversal

  • python3 hamburglar.py ~/Directory/
    • This will recursively scan for files in the given directory, then analyze each file for a variety of findings using regex filters

Single File Analysis

  • python3 hamburglar.py ~/Directory/file.txt
    • This will analyze the given file for a variety of findings using regex filters

YARA Rule Based Analysis

  • python3 hamburglar.py -y rules/ ~/Directory
    • This will compile the yara rule files in the rules directory and then check them against every item in Directory.

Git Scraping Mode

  • python3 hamburglar.py -g https://www.github.com/needmorecowbell/Hamburglar
    • Adding -y <rulepath> will allow the repo to be scraped using yara rules

Web Request Mode

  • python3 hamburglar.py -w https://google.com
    • Adding -w to hamburglar.py tells the script to handle the path as a URL.
    • Currently this does not spider the page, it just analyzes the requested html content

IOC Extraction

  • python3 hamburglar.py -w -i https://pastebin.com/SYisR95m
    • Adding -i will use iocextract to extract any IOCs from the requested URL

Hex Dump Mode

  • python3 hamburglar.py -x ~/file-to-dump
    • This just does a hex dump and nothing more right now -- could be piped into a file
    • This will eventually be used for binary analysis

Tips

  • Adding -v will set the script into verbose mode, and -h will show details of available arguments
  • Adding -o FILENAME will set the results filename. This is especially useful in scripting situations where you might want multiple results tables (e.g. GitHub repo spidering)

Settings

  • whitelistOn: turns on or off whitelist checking
  • maxWorkers: number of worker threads to run concurrently when reading file stack
  • whitelist: list of files or directories to exclusively scan for (if whitelistOn=True)
  • blacklist: list of files, extensions, or directories to block in scan
  • regexList: dictionary of regex filters with filter type as the key

The Hamburglar can find

  • ipv4 addresses (public and local)
  • emails
  • private keys
  • urls
  • IOCs (using iocextract)
  • cryptocurrency addresses
  • anything you can imagine using regex filters and yara rules

Example output:

{
    "/home/adam/Dev/test/email.txt": {
        "emails": "{'[email protected]'}"
    },
    "/home/adam/Dev/test/email2.txt": {
        "emails": "{'[email protected]'}"
    },
    "/home/adam/Dev/test/ips.txt": {
        "ipv4": "{'10.0.11.2', '192.168.1.1'}"
    },
    "/home/adam/Dev/test/test2/email.txt": {
        "emails": "{'[email protected]', '[email protected]'}"
    },
    "/home/adam/Dev/test/test2/ips.txt": {
        "ipv4": "{'10.0.11.2', '192.168.1.1'}"
    },
    "/home/adam/Dev/test/test2/links.txt": {
        "site": "{'http://login.web.com'}"
    }
}
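
A minimal sketch of how a regexList dictionary and a blacklist, as described under Settings, produce a per-file report shaped like the one above. This is an added example, not Hamburglar's own code: the patterns, blacklist entries and sample files are constructed assumptions, and findings are returned as sorted lists rather than stringified sets.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed, simplified filters (assumption); the project's regexList differs.
REGEX_LIST = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "emails": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "site": re.compile(r'https?://[^\s"<>]+'),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
BLACKLIST = {".git", ".png", ".jpg"}  # directory names or extensions to skip

def is_blacklisted(path: Path) -> bool:
    """True if any path component or the file extension is blacklisted."""
    return path.suffix.lower() in BLACKLIST or any(p in BLACKLIST for p in path.parts)

def scan_text(text: str) -> dict:
    """Apply every filter; keep only the filter types that matched."""
    hits = {name: sorted(set(rx.findall(text))) for name, rx in REGEX_LIST.items()}
    return {name: found for name, found in hits.items() if found}

def scan_tree(root: Path) -> dict:
    """Recursively scan files under root; report is keyed by file path."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or is_blacklisted(path.relative_to(root)):
            continue
        findings = scan_text(path.read_text(errors="ignore"))
        if findings:
            report[str(path)] = findings
    return report

def demo() -> dict:
    """Scan a constructed sample tree; keys are made relative for readability."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ips.txt").write_text("gw 192.168.1.1 and 10.0.11.2, not 999.1.1.1\n")
        (root / "notes.txt").write_text("mail admin@example.com via http://login.web.com\n")
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text("url = http://skipped.example\n")
        return {str(Path(k).relative_to(root)): v for k, v in scan_tree(root).items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=4))
```

The out-of-range address 999.1.1.1 is rejected by the octet bounds, and the file under .git never appears in the report because the blacklist check runs before the file is read.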

Contributions
