sysgoblin/PSURLScanio sysgoblin/PSURLScanio

API Wrapper
  • This repository has been archived on 17/Dec/2021
  • Stars
    star
    33
  • Rank 758,692 (Top 16 %)
  • Language
    PowerShell
  • Created almost 5 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
sysgoblin/PSURLScanio
github

sysgoblin

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🔎 Use urlscan.io with PowerShell!

This repo is no longer actively maintained, however PR's are welcome!

Build Status Powershell Gallery

🔍 PSURLScanio

A Powershell module for using the urlscan.io API.

PSURLScanio/PSUrlScanio is a Powershell module/wrapper for the urlscan.io API. The module allows you to quickly query/submit data to the service and incorporate it in to your automated threat hunting/intel processes using PoSh.

For example, let's hunt for some potential HSBC phishing pages that have embedded the companies logo! 🕵️‍ demo1

From here we could loop through each result to grab more data, or even retrieve live screenshots!

📦 Install

Head over to urlscan.io and get yourself an API key (https://urlscan.io/user/apikey/new/), install the module and then run Connect-UrlScanio to set your key.

Install-Module -Name PSUrlScanio -Repository PSGallery
Connect-UrlScanio -ApiKey "2126abb6-3686-47ef-bae5-9daf6c9e0888"

📜 Examples

Search for the last scan for the domain github.com.

Search-Urlscanio -Domain github.com -Limit 1 -Specific

TaskDate   : 28/08/2019 19:01:45
Submission : api
id         : 3313e096-3f4a-496f-9e9c-b0924e4d6824
URL        : https://github.com/
ApiResult  : https://urlscan.io/api/v1/result/3313e096-3f4a-496f-9e9c-b0924e4d6824
ResultPage : https://urlscan.io/result/3313e096-3f4a-496f-9e9c-b0924e4d6824

(Omitting -Specific will return any scans where github.com is called in any http request while loading the page)

Do the same but return the entire response rather than basic details.

Search-Urlscanio -Domain github.com -Limit 1 -Specific -Raw Object

task           : @{visibility=public; method=api; ...}
stats          : @{uniqIPs=3; consoleMsgs=0; dataLength=746649; ...}
page           : @{country=US; server=GitHub.com; city=; ...}
uniq_countries : 2
_id            : 3313e096-3f4a-496f-9e9c-b0924e4d6824
result         : https://urlscan.io/api/v1/result/3313e096-3f4a-496f-9e9c-b0924e4d6824

Get results from a specific scan id.

Get-UrlScanioScan -uuid 03ba7a78-e779-4743-ae37-2b683ee9ec74

data     : @{requests=System.Object[]; cookies=System.Object[]; ...}
stats    : @{resourceStats=System.Object[]; protocolStats=System.Object[]; ...}
meta     : @{processors=}
task     : @{uuid=03ba7a78-e779-4743-ae37-2b683ee9ec74; ...}
page     : @{url=https://www.google.com/?gws_rd=ssl; domain=www.google.com; ...}
lists    : @{ips=System.Object[]; countries=System.Object[]; ...}
verdicts : @{overall=; urlscan=; engines=; community=}

Get results from a scan but only return hash information

Get-UrlScanioScan -id 03ba7a78-e779-4743-ae37-2b683ee9ec74 -DataType Hashes

type      size    hash                                                              url
----      ----    ----                                                              ---
Document  237303  3bd8b5dc1430a1cf1bb26c08d7553f9ec2ee2d09b466dcb38e5674e7c368bf9b  https://www.google.com/?...
Image       7960  5776cd87617eacec3bc00ebcf530d1924026033eda852f706c1a675a98915826  https://www.google.com/images/...
Image       9768  a0e3b4584e7c0eb991bd5668a7495674dadccd5d1261dcba749d03700c5bceaa  https://ssl.gstatic.com/gb/...
Image        864  68d641e6402d4fbf0ddd37c95af75afdfad913dd9a7e7c6d3d9589b81512a12e  https://www.gstatic.com/images/...
Image          0  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  https://consent.google.com/...

Kick off a scan on the chosen domain/URL and return the scan results.

Start-UrlScanioScan -Url google.com -ShowResults

data     : @{requests=System.Object[]; cookies=System.Object[]; ...}
stats    : @{resourceStats=System.Object[]; protocolStats=System.Object[]; tlsStats=System.Object[]; ...}
meta     : @{processors=}
task     : @{uuid=781d9c96-7638-4393-b504-3cbc1ef5adfc; time=28/08/2019 19:58:22; ...}
page     : @{url=http://www.google.com/sorry/index?continue=http://google.com/&q=EhAqAQT4AZJUFAAAAAAAAAACGN65m-sFIhkA8aeDS4ML-09ouMDyyvDlbF81DD9ZWHvMMgFy; ...}
lists    : @{ips=System.Object[]; countries=System.Object[]; asns=System.Object[]; domains=System.Object[]; servers=System.Object[]; urls=System.Object[]; linkDomains=System.Object[]; certificates=System.Object[]; hashes=System.Object[]}
verdicts : @{overall=; urlscan=; engines=; community=}

(Example results have been truncated)

❓ FAQ

  • Can I contribute?
    • Yes please! Feel free to clone/test/add features and submit a PR or enhancement suggestion. Help yourself to the project board if you feel like it!
  • Why can I only get 10000 results? There are way more for this domain!
    • 10k results is the max limit for the API, and I haven't figured out a magical way around it (yet...).
  • Something's broke.
    • Please submit an issue for it and I'll take a look!

Support

Feel free to reach out to me via twitter @sysgoblin.

If you fancy supporting me and what I'm working on you can always buy me a sfw beer (aka coffee) by the sponsor button on this repo. ☕👌

More Repositories

1

log4shell-honeypot

Log4j honeypot to capture payloads within HTTP headers, query parameters and POST requests.
Go
14
star
2

PSPDQ

PowerShell module for PDQ Deploy/Inventory administration.
PowerShell
9
star
3

PSUmbrella

Powershell module for administering Cisco Umbrella.
PowerShell
7
star
4

generateAPT.py

For when you need someone to point the finger at.
Python
5
star
5

google-search-scraper

Google Search scraper built in Python 3.
Python
4
star
6

PSWEF

Powershell module for Windows Event Forwarding management.
PowerShell
1
star