How to scan a website or IP address for viruses, malware and phishing with Automater in Kali Linux

Article overview

  • What is Automater
  • Test examples
  • Create your own analysis script
Many people ask themselves whether there is a safe way to check a suspicious URL. The answer is simple: yes. There are many tools on the Internet that you can use to check whether a URL is safe for a browser. As a developer (or intrusion analyst), you don't need to waste time submitting the URL to every available web tool one by one; instead, you can use the Automater tool, which is available from the command line in Kali Linux.
What is Automater

Automater is a URL/domain, IP address and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP or hash) or a file full of targets, Automater returns the relevant results from the following sources: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.Alienvault.com, ThreatExpert, VxVault and VirusTotal. With this tool you can verify whether a domain is flagged as malicious and whether a file is flagged as malware.
Visit the official Github repository of the project here for more information.
Test examples

The usage of automater is very simple and straightforward, so you can learn how it works through a few examples:
Scan a website

The structure of the automater command-line tool is very simple:
automater [-h] [-o OUTPUT] [-w WEB] [-c CSV] [-d DELAY] [-s SOURCE][--p] target

  • -h or --help: show the help message and exit.
  • -o or --output: write the results to a file.
  • -w or --web: write the results to an HTML file.
  • -c or --csv: write the results to a CSV file.
  • -d or --delay: change the delay between requests to the given number of seconds.
  • -s or --source: run the target only against a specific source engine to pull the associated domains. The available options are defined in the name attribute of the siteelement in the XML configuration file.
To start a scan of a URL (in this example diablo3keygen.net), you only need to execute the following command:
automater diablo3keygen.net

Scan multiple websites

To scan multiple websites at once with Automater, save all the addresses to scan in a new text file (.txt). Each line of the file represents one address to scan (list.txt):

facebook.com
ourcodeworld.com
diablo3keygen.net

Then start the scan with the following command:
automater list.txt

Via hash

We will test Automater with the hash identifier of a virus. The file is a piece of malware named "CRDF.Trojan.Virus.Win32.Zbot3182957456"; the test can be executed with the following commands:

# With the MD5 hash
automater 44A6A7D4A039F7CC2DB6E85601F6D8C1

# Or with the sha256 hash
automater 9b8cdbd216044d13413efee6c20c5da080da30a9aacabeeeb5cea66e96104645

Executing either of the previous commands in the terminal should produce the following output:
Results found for: 44A6A7D4A039F7CC2DB6E85601F6D8C1
____________________
[+] MD5 found on VT: 1
[+] Scan date submitted: 2016-03-01 07:38:00
[+] Detected Engines: 42
[+] Total Engines: 56
[+] Vendor | Classification: ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('nProtect', 'Trojan/W32.Blocker.1429504')
[+] Vendor | Classification: ('CAT-QuickHeal', 'TrojanPWS.Zbot.Gen')
[+] Vendor | Classification: ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
[+] Vendor | Classification: ('Malwarebytes', 'Trojan.Dropper.UPT')
[+] Vendor | Classification: ('Zillya', 'Trojan.Zbot.Win32.145968')
[+] Vendor | Classification: ('AegisLab', 'Troj.W32.Generic!c')
[+] Vendor | Classification: ('BitDefender', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('K7GW', 'Trojan ( 004904bd1 )')
[+] Vendor | Classification: ('K7AntiVirus', 'Trojan ( 004904bd1 )')
[+] Vendor | Classification: ('Agnitum', 'Trojan.Blocker!tq8JK8ba1bk')
[+] Vendor | Classification: ('Symantec', 'Trojan.Gen.2')
[+] Vendor | Classification: ('Avast', 'Win32:CeeInject-Y [Trj]')
[+] Vendor | Classification: ('Kaspersky', 'HEUR:Trojan.Win32.Generic')
[+] Vendor | Classification: ('NANO-Antivirus', 'Trojan.Win32.Zbot.cqnsrz')
[+] Vendor | Classification: ('Ad-Aware', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('Sophos', 'Troj/HkMain-DF')
[+] Vendor | Classification: ('Comodo', 'TrojWare.Win32.UMal.~A')
[+] Vendor | Classification: ('F-Secure', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('DrWeb', 'Trojan.DownLoader9.22851')
[+] Vendor | Classification: ('VIPRE', 'Trojan.Win32.Fareit.if (v)')
[+] Vendor | Classification: ('TrendMicro', 'TROJ_GEN.R047C0CBT16')
[+] Vendor | Classification: ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
[+] Vendor | Classification: ('Jiangmin', 'Backdoor/Pushdo.ady')
[+] Vendor | Classification: ('Avira', 'TR/Rogue.1428744')
[+] Vendor | Classification: ('Microsoft', 'VirTool:Win32/CeeInject.gen!KK')
[+] Vendor | Classification: ('Arcabit', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('AhnLab-V3', 'Spyware/Win32.Zbot')
[+] Vendor | Classification: ('GData', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('ALYac', 'Trojan.Downloader.JQGE')
[+] Vendor | Classification: ('AVware', 'Trojan.Win32.Fareit.if (v)')
[+] Vendor | Classification: ('VBA32', 'Trojan.Zbot.2813')
[+] Vendor | Classification: ('Tencent', 'Win32.Trojan.Generic.Pdco')
[+] Vendor | Classification: ('Ikarus', 'Virus.Win32.CeeInject')
[+] Vendor | Classification: ('Fortinet', 'W32/Generic.AC.2250672')
[+] Vendor | Classification: ('Baidu-International', 'Trojan.Win32.Injector.ASFC')
[+] Vendor | Classification: ('Qihoo-360', 'Win32/Trojan.886')
[+] Hash found at ThreatExpert: No results found
[+] Malicious Indicators from ThreatExpert: No results found
[+] Date found at VXVault: No results found
[+] URL found at VXVault: No results found
[+] Malc0de Date: No results found
[+] Malc0de IP: No results found
[+] Malc0de Country: No results found
[+] Malc0de ASN: No results found
[+] Malc0de ASN Name: No results found
[+] Malc0de MD5: No results found
No results found in the THMD5

Scan with a specific tool

You don't have to run the analysis against all the online tools; you can run only the ones you need. For example, to scan a hash only on VirusTotal or ThreatExpert, use the -s parameter to specify the source:

# Run with Virus Total
automater -s virustotal [URL to scan]

# Or with Threat Expert
automater -s threatexpert [URL to scan]

Create your own analysis script

You can automate this process and use it in your own tools. We have written a script that can be executed with Node.js; you only need to replace the urlOrHashToScan variable and run it:
var exec = require('child_process').exec;
var fs = require('fs');

var outputFile = "/root/hacking/report.csv";
var urlOrHashToScan = "44A6A7D4A039F7CC2DB6E85601F6D8C1";

// Run Automater and ask it to write a CSV report to outputFile
exec(`automater ${urlOrHashToScan} --csv ${outputFile}`, (error, stdout, stderr) => {
    if (error) {
        console.error(`exec error: ${error}`);
        return;
    }

    if (fs.existsSync(outputFile)) {
        var CSV_DATA = fs.readFileSync(outputFile, "utf8");
        var ParsedCSV = parseCSV(CSV_DATA);

        // Print every item in the array (one row per line, columns separated by " | ")
        ParsedCSV.forEach((item) => {
            console.log(item.join(" | "));
        });
    } else {
        console.log(`stderr: ${stderr}`);
    }
});

/**
 * Wrapped csv line parser
 * @param s string delimited csv string
 * @param sep separator override
 * @attribution : http://www.greywyvern.com/?post=258 (comments closed on blog :( )
 */
function parseCSV(s, sep) {
    // http://stackoverflow.com/questions/1155678/javascript-string-newline-character
    var universalNewline = /\r\n|\r|\n/g;
    var a = s.split(universalNewline);

    for (var i in a) {
        // Walk the fields backwards so that quoted fields containing the separator can be re-joined
        for (var f = a[i].split(sep = sep || ", "), x = f.length - 1, tl; x >= 0; x--) {
            if (f[x].replace(/"\s+$/, '"').charAt(f[x].length - 1) == '"') {
                if ((tl = f[x].replace(/^\s+"/, '"')).length > 1 && tl.charAt(0) == '"') {
                    // Complete quoted field: strip the quotes and unescape doubled quotes
                    f[x] = f[x].replace(/^\s*"|"\s*$/g, '').replace(/""/g, '"');
                } else if (x) {
                    // Closing quote without opening quote: merge with the previous field
                    f.splice(x - 1, 2, [f[x - 1], f[x]].join(sep));
                } else f = f.shift().split(sep).concat(f);
            } else f[x] = f[x].replace(/""/g, '"');
        }
        a[i] = f;
    }

    return a;
}

The output of the script with the given hash will look like this:
Target | Type | Source | Result
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Found | 1
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Date | 2016-03-01 07:38:00
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Detected | 42
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Engines | 56
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('MicroWorld-eScan', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('nProtect', 'Trojan/W32.Blocker.1429504')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('CAT-QuickHeal', 'TrojanPWS.Zbot.Gen')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('McAfee', 'PWSZbot-FKQ!44A6A7D4A039')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Malwarebytes', 'Trojan.Dropper.UPT')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Zillya', 'Trojan.Zbot.Win32.145968')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AegisLab', 'Troj.W32.Generic!c')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('BitDefender', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('K7GW', 'Trojan ( 004904bd1 )')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('K7AntiVirus', 'Trojan ( 004904bd1 )')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Agnitum', 'Trojan.Blocker!tq8JK8ba1bk')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Symantec', 'Trojan.Gen.2')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Avast', 'Win32:CeeInject-Y [Trj]')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Kaspersky', 'HEUR:Trojan.Win32.Generic')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('NANO-Antivirus', 'Trojan.Win32.Zbot.cqnsrz')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Ad-Aware', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Sophos', 'Troj/HkMain-DF')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Comodo', 'TrojWare.Win32.UMal.~A')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('F-Secure', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('DrWeb', 'Trojan.DownLoader9.22851')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('VIPRE', 'Trojan.Win32.Fareit.if (v)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('TrendMicro', 'TROJ_GEN.R047C0CBT16')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Emsisoft', 'Trojan.Downloader.JQGE (B)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Jiangmin', 'Backdoor/Pushdo.ady')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Avira', 'TR/Rogue.1428744')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Microsoft', 'VirTool:Win32/CeeInject.gen!KK')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Arcabit', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AhnLab-V3', 'Spyware/Win32.Zbot')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('GData', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('ALYac', 'Trojan.Downloader.JQGE')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('AVware', 'Trojan.Win32.Fareit.if (v)')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('VBA32', 'Trojan.Zbot.2813')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Tencent', 'Win32.Trojan.Generic.Pdco')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Ikarus', 'Virus.Win32.CeeInject')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Fortinet', 'W32/Generic.AC.2250672')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Baidu-International', 'Trojan.Win32.Injector.ASFC')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | VT Vendor_Class | ('Qihoo-360', 'Win32/Trojan.886')
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | TE Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | TE Indicators | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | Vx Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | Vx URL | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC Date | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC IP | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC Country | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC ASN | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC ASN Name | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | MC MD5 | No results found
44A6A7D4A039F7CC2DB6E85601F6D8C1 | md5 | THMD5 | No results found
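Printing the rows is only the first step; in a pipeline you usually want a verdict per target. The following added example (not code from the article or from the Automater project) parses a report in the Target, Type, Source, Result layout shown above and turns the VirusTotal rows into a detection ratio plus the list of vendors that flagged the target. It assumes Automater's CSV output is comma separated with quoted fields where a value contains a comma; the sample report, PLACEHOLDER_CLEAN_HASH and the 50% threshold are constructed for the demo.

```javascript
// Minimal CSV field splitter: quoted fields may hold commas (the vendor tuples)
// and doubled quotes; blanks around separators are dropped.
function parseCsvLine(line) {
  const re = /\s*(?:"((?:[^"]|"")*)"|([^,]*?))\s*(?:,|$)/g;
  const fields = [];
  let m;
  while ((m = re.exec(line)) !== null) {
    fields.push(m[1] !== undefined ? m[1].replace(/""/g, '"') : m[2]);
    if (m.index + m[0].length >= line.length) break; // whole line consumed
  }
  return fields;
}

function parseCsv(text) {
  return text.split(/\r\n|\r|\n/).map(parseCsvLine).filter(r => r.length > 1);
}

// Per target: VirusTotal detected/engines ratio and the vendors that flagged it.
function triage(csvText, threshold = 0.5) {
  const [header, ...rows] = parseCsv(csvText);
  const col = name => header.indexOf(name);
  const out = {};
  for (const r of rows) {
    const t = r[col('Target')], src = r[col('Source')], res = r[col('Result')];
    const e = out[t] || (out[t] = { detected: 0, engines: 0, vendors: [] });
    if (src === 'VT Detected') e.detected = Number(res);
    else if (src === 'VT Engines') e.engines = Number(res);
    else if (src === 'VT Vendor_Class') e.vendors.push(res.match(/'([^']*)'/)[1]);
  }
  for (const e of Object.values(out)) {
    e.ratio = e.engines ? e.detected / e.engines : 0;
    e.malicious = e.ratio >= threshold;
  }
  return out;
}

// Constructed report in the layout of the article's output: the article's Zbot
// hash plus a placeholder hash with no detections (PLACEHOLDER_CLEAN_HASH is not real).
const SAMPLE_REPORT = [
  'Target,Type,Source,Result',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Detected,42',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Engines,56',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Vendor_Class,"(\'Symantec\', \'Trojan.Gen.2\')"',
  '44A6A7D4A039F7CC2DB6E85601F6D8C1,md5,VT Vendor_Class,"(\'Kaspersky\', \'HEUR:Trojan.Win32.Generic\')"',
  'PLACEHOLDER_CLEAN_HASH,md5,VT Detected,0',
  'PLACEHOLDER_CLEAN_HASH,md5,VT Engines,56',
].join('\n');

console.log(triage(SAMPLE_REPORT));
```

To use it on a real run, replace SAMPLE_REPORT with the contents of the file written by automater --csv.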

As you can see, Automater is a very useful tool for investigating suspicious URLs that you suspect may be serving malware. It will save you a lot of research time, since you no longer need to visit each of those websites to scan the URL manually.

Happy analysis!
