Te-k/analyst-scripts
analyst-scripts

Random scripts I needed at least once for investigations or tests. Mostly Python 3 compatible, but not guaranteed. Old and new, useless and useful. If you like these, you may also like Harpoon or pe.

Feel free to open issues if you have any questions.

Main Folder

  • clamav_to_yara.py : convert ClamAV signatures to YARA rules (from the Malware Analyst's Cookbook)
  • cloudcidrs.py : check if an IP is part of a cloud provider range (for now, only Google Cloud and Amazon AWS; inspired by cloudcidrs)
  • disassemble.py : disassemble a binary file using Capstone (mostly for shellcode)
  • csv_extract.py : extract a column from a CSV file
  • hostnametoips.py : resolve a list of hostnames from a text file and return the list of unique IPs
  • infect.sh : classic script to create an encrypted zip of a file with the password infected (the conventional password used to share malware samples)
  • mqtt-get.py : basic script to do get requests to an MQTT service
  • parsejpeg.py : analyze the JPEG headers of a file
  • parsepng.py : analyze a PNG file looking for weird things
  • scrdec18.c : old code, still useful to decode .jse files (Microsoft JScript Encoded), by MrBrownStone (website archive, source code)

Subfolder

  • android : Android stuff (surprising!)
  • bitly : bit.ly tools
    • bitly.py : basic tool to request the bit.ly API
  • censys : scripts using the censys.io API
    • censyscerts.py : Search for certificates
    • censyscompare.py : Compare several Censys hosts
    • censysip.py : Search in censys IP database
    • censysipentries.py : Display information on an IPv4
    • censyslib.py : shared helper providing the function that reads the API key from ~/.censys
  • certs : scripts to deal with certificates and CT databases
    • get_crtsh_subdomains.py : list subdomains of a domain based on crt.sh data
    • listcerts.py : list certificates for a domain from crt.sh using pycrtsh
  • email : scripts to handle emails
  • forensic : forensic related scripts
    • filetimeline.py : get a list of files in a folder with their change time, modification time and birth time using stat (which does not report the creation time even when the file system stores it)
    • mactime.py : convert that file list into a CSV timeline
  • format : convert files between different formats
    • csv2md.py : convert a CSV file to a Markdown table
    • extract_ttld.py : extract the TLDs from a list of domains
    • punycode.py : convert a punycode domain to its encoded form
  • ghidra_scripts : scripts for ghidra
  • goo.gl : playing with the now deprecated goo.gl API
    • api.py : API and CLI tool to query Google URL shortener goo.gl (soon deprecated by Google)
  • harpoon-extra : some scripts expanding Harpoon features
  • web : Web stuff (mostly outdated)
  • macos : Mac OS X related scripts
  • misp : some scripts that help working with MISP servers
  • network : network related scripts
  • ooni : OONI API scripts
  • osint : open source intelligence scripts
  • pe : PE scripts (most of them moved to PE)
  • pt : scripts using the PassiveTotal API
  • resources : interesting infosec resources
  • shodan : shodan.io scripts
  • threats : threat intelligence scripts
  • twilio : scripts related to Twilio
  • twitter : Twitter stuff
  • visualization : nice graphs everywhere