ninoseki / Mihari

Licence: mit
A helper to run OSINT queries & manage results continuously

mihari

Mihari is a helper to run queries & manage results continuously. Mihari can be used for C2, landing page and phishing hunting.

How it works

  • Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs and hashes).
  • Mihari checks whether a DB (SQLite3 or PostgreSQL) contains the artifacts or not.
    • If it doesn't contain the artifacts:
      • Mihari creates an alert on TheHive.
      • Mihari sends a notification to Slack.
      • Mihari creates an event on MISP.

Screenshots

  • TheHive alert example
  • Slack notification example
  • MISP event example

Requirements

  • Ruby (2.7 or 3.0)
  • SQLite3 or PostgreSQL

# For Debian / Ubuntu
apt-get install sqlite3 libsqlite3-dev libpq-dev

Installation

gem install mihari

Or you can use this tool with Docker.

docker pull ninoseki/mihari

Basic usage

Mihari supports the following services by default.

$ mihari
Commands:
  mihari alerts                               # Show the alerts on TheHive
  mihari binaryedge [QUERY]                   # BinaryEdge host search by a query
  mihari censys [QUERY]                       # Censys IPv4 search by a query
  mihari circl [DOMAIN|SHA1]                  # CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint
  mihari crtsh [QUERY]                        # crt.sh search by a query
  mihari dnpedia [QUERY]                      # DNPedia domain search by a query
  mihari dnstwister [DOMAIN]                  # dnstwister lookup by a domain
  mihari free_text [TEXT]                     # Cross search with search engines by a free text
  mihari help [COMMAND]                       # Describe available commands or one specific command
  mihari http_hash                            # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
  mihari import_from_json                     # Give a JSON input via STDIN
  mihari onyphe [QUERY]                       # Onyphe datascan search by a query
  mihari otx [IP|DOMAIN]                      # OTX lookup by an IP or domain
  mihari passive_dns [IP|DOMAIN]              # Cross search with passive DNS services by an ip or domain
  mihari passive_ssl [SHA1]                   # Cross search with passive SSL services by an SHA1 certificate fingerprint
  mihari passivetotal [IP|DOMAIN|EMAIL|SHA1]  # PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint
  mihari pulsedive [IP|DOMAIN]                # Pulsedive lookup by an ip or domain
  mihari reverse_whois [EMAIL]                # Cross search with reverse whois services by an email
  mihari securitytrails [IP|DOMAIN|EMAIL]     # SecurityTrails lookup by an ip, domain or email
  mihari securitytrails_domain_feed [REGEXP]  # SecurityTrails new domain feed search by a regexp
  mihari shodan [QUERY]                       # Shodan host search by a query
  mihari spyse [QUERY]                        # Spyse search by a query
  mihari ssh_fingerprint [FINGERPRINT]        # Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)
  mihari status                               # Show the current configuration status
  mihari urlscan [QUERY]                      # urlscan search by a given query
  mihari virustotal [IP|DOMAIN]               # VirusTotal resolutions lookup by an ip or domain
  mihari zoomeye [QUERY]                      # ZoomEye search by a query

Options:
  [--config=CONFIG]  # path to config file

Cross searches

Mihari has cross search features. A cross search is a search across a number of services.

You can get aggregated results by using the following commands.

Command          Description
passive_dns      Passive DNS lookup with CIRCL passive DNS, OTX, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal
passive_ssl      Passive SSL lookup with CIRCL passive SSL and PassiveTotal
reverse_whois    Reverse WHOIS lookup with PassiveTotal and SecurityTrails
http_hash        HTTP response hash lookup with BinaryEdge (SHA256), Censys (SHA256), Onyphe (MD5) and Shodan (MurmurHash3)
free_text        Free text lookup with BinaryEdge and Censys
ssh_fingerprint  SSH fingerprint lookup with BinaryEdge and Shodan

http_hash command

The usage of http_hash command is a little bit tricky.

$ mihari help http_hash
Usage:
  mihari http_hash

Options:
  [--title=TITLE]              # title
  [--description=DESCRIPTION]  # description
  [--tags=one two three]       # tags
  [--md5=MD5]                  # MD5 hash
  [--sha256=SHA256]            # SHA256 hash
  [--mmh3=N]                   # MurmurHash3 hash

Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)

There are two ways to use this command.

The first is to pass the --md5, --sha256 and --mmh3 parameters explicitly.

mihari http_hash --md5=881191f7736b5b8cfad5959ca99d2a51 --sha256=b064187ebdc51721708ad98cd89dacc346017cb0fb0457d530032d387f1ff20e --mmh3=-1467534799

The other is to pass the --html parameter. In this case the hashes of the given HTML file are calculated automatically.

wget http://example.com -O /tmp/index.html
mihari http_hash --html /tmp/index.html

Example usages

# Censys lookup for PANDA C2
mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"

# VirusTotal passive DNS lookup of a FAKESPY host
mihari virustotal "jppost-hi.top" --title "FAKESPY passive DNS"

# You can pass a "defanged" indicator as an input
mihari virustotal "jppost-hi[.]top" --title "FAKESPY passive DNS"

Import from JSON

echo '{ "title": "test", "description": "test", "artifacts": ["1.1.1.1", "github.com", "2.2.2.2"] }' | mihari import_from_json

The input is a JSON object that must have the title, description and artifacts keys; the tags key is optional.

{
  "title": "test",
  "description": "test",
  "artifacts": ["1.1.1.1", "github.com"],
  "tags": ["test"]
}
Key          Description                                                                   Required or optional
title        A title of an alert                                                           Required
description  A description of an alert                                                     Required
artifacts    An array of artifacts (supported data types: ip, domain, url, email, hash)    Required
tags         An array of tags                                                              Optional
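Feeding import_from_json from another tool usually means building this document programmatically. The Ruby helper below is an added example, not Mihari's own code: it enforces the required keys, keeps only values that look like one of the supported artifact types, collapses duplicates, and refangs indicators written as 1.1.1[.]1 or hxxp:// (the type classification and the refanging rules are this example's assumptions).

```ruby
require "json"
require "ipaddr"

# Builds the document that `mihari import_from_json` reads from STDIN.
# The classification and refanging rules are this example's assumptions, not Mihari's code.
module ImportPayload
  DOMAIN = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i
  EMAIL  = /\A[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}\z/i
  URL    = %r{\Ahttps?://\S+\z}i
  HASH   = /\A(?:\h{32}|\h{40}|\h{64})\z/

  # Undo common defanging ("1.1.1[.]1", "hxxp://") so the stored artifact is the real indicator.
  def self.refang(value)
    value.strip.gsub(/\[\.\]|\(\.\)/, ".").sub(/\Ahxxp(s?)/i) { "http#{$1.downcase}" }
  end

  def self.ip?(value)
    IPAddr.new(value)
    true
  rescue IPAddr::Error
    false
  end

  # Returns one of the artifact types Mihari lists as supported, or nil for anything else.
  def self.classify(value)
    return :ip if ip?(value)
    return :url if value.match?(URL)
    return :email if value.match?(EMAIL)
    return :hash if value.match?(HASH)
    return :domain if value.match?(DOMAIN)
    nil
  end

  # Returns the payload as a Hash; unsupported values are dropped and duplicates collapsed.
  def self.build(title:, description:, artifacts:, tags: [])
    raise ArgumentError, "title and description are required" if title.to_s.empty? || description.to_s.empty?
    accepted = artifacts.map { |a| refang(a.to_s) }.select { |a| classify(a) }.uniq
    raise ArgumentError, "no supported artifacts" if accepted.empty?
    payload = { "title" => title, "description" => description, "artifacts" => accepted }
    payload["tags"] = tags unless tags.empty?
    payload
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: mixed, partly defanged indicators plus one junk entry.
  raw = ["1.1.1[.]1", "hxxp://jppost-hi[.]top/login", "github.com", "not an indicator", "1.1.1.1"]
  puts JSON.generate(ImportPayload.build(title: "test", description: "test", artifacts: raw, tags: ["test"]))
end
```

Run the script and pipe its output into `mihari import_from_json`; the junk entry is dropped and the two spellings of 1.1.1.1 become one artifact.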

Configuration

Configuration can be done via environment variables or a YAML file.

Key                       Description                                                                                       Default
DATABASE                  A path to the SQLite database or a DB URL (e.g. postgres://postgres:[email protected]:5432/somedb)  mihari.db
BINARYEDGE_API_KEY        BinaryEdge API key
CENSYS_ID                 Censys API ID
CENSYS_SECRET             Censys secret
CIRCL_PASSIVE_PASSWORD    CIRCL passive DNS/SSL password
CIRCL_PASSIVE_USERNAME    CIRCL passive DNS/SSL username
MISP_API_ENDPOINT         MISP URL
MISP_API_KEY              MISP API key
ONYPHE_API_KEY            Onyphe API key
OTX_API_KEY               OTX API key
PASSIVETOTAL_API_KEY      PassiveTotal API key
PASSIVETOTAL_USERNAME     PassiveTotal username
PULSEDIVE_API_KEY         Pulsedive API key
SECURITYTRAILS_API_KEY    SecurityTrails API key
SHODAN_API_KEY            Shodan API key
SLACK_CHANNEL             Slack channel name                                                                                #general
SLACK_WEBHOOK_URL         Slack Webhook URL
SPYSE_API_KEY             Spyse API key
THEHIVE_API_ENDPOINT      TheHive URL
THEHIVE_API_KEY           TheHive API key
URLSCAN_API_KEY           urlscan.io API key
VIRUSTOTAL_API_KEY        VirusTotal API key
ZOOMEYE_PASSWORD          ZoomEye password
ZOOMEYE_USERNAMME         ZoomEye username

Instead of using environment variables, you can use a YAML file for configuration.

mihari virustotal 1.1.1.1 --config /path/to/yaml.yml

The YAML file should be a YAML hash like below:

database: /tmp/mihari.db
thehive_api_endpoint: https://localhost
thehive_api_key: foo
virustotal_api_key: foo

You can check the configuration status via the status command.

mihari status

How to create a custom script

Create a class which extends Mihari::Analyzers::Base and implements the following methods.

Name          Description                                                                   @return  Required or optional
#title        A title of an alert                                                           String   Required
#description  A description of an alert                                                     String   Required
#artifacts    An array of artifacts (supported data types: ip, domain, url, email, hash)    Array    Required
#tags         An array of tags                                                              Array    Optional

require "mihari"

module Mihari
  module Analyzers
    class Example < Base
      def title
        "example"
      end

      def description
        "example"
      end

      def artifacts
        ["9.9.9.9", "example.com"]
      end

      def tags
        ["example"]
      end
    end
  end
end

example = Mihari::Analyzers::Example.new
example.run

See /examples for more.

Using it with Docker

$ docker run --rm ninoseki/mihari
# Note that you should pass configurations via environment variables.
# docker run options such as -e and --env-file must come before the image name.
$ docker run --rm -e THEHIVE_API_ENDPOINT="http://THEHIVE_URL" -e THEHIVE_API_KEY="API KEY" ninoseki/mihari mihari
# or
$ docker run --rm --env-file ~/.mihari.env ninoseki/mihari mihari

License

The gem is available as open source under the terms of the MIT License.