C2 Tracker
Free-to-use IOC feed for various tools and malware. It started out tracking only C2 tools but has grown to cover infostealers and botnets as well. It uses Shodan searches to collect the IPs. The most recent collection is always stored in data/; the IPs are broken down by tool (one "<tool> IPs.txt" file each) and there is an all.txt containing the deduplicated union of every tool's IPs.
The feed should update daily. I am actively working on making the backend more reliable.
Honorable Mentions
Many of the Shodan queries have been sourced from other CTI researchers (see References below). Huge shoutout to them!
Thanks to BertJanCyber for creating the KQL query for ingesting this feed
And finally, thanks to Y_nexro for creating C2Live in order to visualize the data
What do I track?
The names below are the product names used in tracker.py, and therefore the file names under data/.
- C2's
  - Cobalt Strike C2
  - Metasploit Framework C2
  - Covenant C2
  - Mythic C2
  - Brute Ratel C4
  - Posh C2
  - Sliver C2
  - Deimos C2
  - PANDA C2
  - NimPlant C2
  - Havoc C2
  - Caldera C2
  - Empire C2
  - Ares RAT C2
- Malware
  - AcidRain Stealer
  - Misha Stealer (AKA Grand Misha)
  - Patriot Stealer
  - RAXNET Bitcoin Stealer
  - Titan Stealer
  - Collector Stealer
  - Mystic Stealer
  - Gotham Stealer
  - Meduza Stealer
  - Quasar RAT
  - ShadowPad
  - AsyncRAT
  - DcRat
  - BitRAT
  - DarkComet Trojan
  - XtremeRAT Trojan
  - NanoCore RAT Trojan
  - Gh0st RAT Trojan
  - DarkTrack RAT Trojan
  - njRAT Trojan
  - Remcos Pro RAT Trojan
  - Poison Ivy Trojan
  - Orcus RAT Trojan
  - ZeroAccess Trojan
  - HOOKBOT Trojan
- Tools
  - GoPhish
  - XMRig Monero Cryptominer
- Botnets
  - 7777 Botnet
Running Locally
If you want to host a private version, put your Shodan API key in an environment variable called SHODAN_API_KEY. tracker.py calls load_dotenv() before reading it, so a .env file in the repository directory works as well; if you set it in the shell instead, it must be exported, because a bare assignment in ~/.bashrc is not inherited by the python3 process. Keep the key out of version control either way.

```bash
# Option 1: .env file next to tracker.py (picked up by load_dotenv(); do not commit it)
echo "SHODAN_API_KEY=API_KEY" > .env

# Option 2: exported environment variable for this shell and its children
export SHODAN_API_KEY=API_KEY

python3 -m pip install -r requirements.txt
python3 tracker.py
```
PS: you can customise bash however you like through its dotfiles. There are two files to do it in: .bash_profile, which bash reads for login shells, and .bashrc, which it reads for interactive non-login shells. Both live in your home directory and apply only to your own user; the system-wide equivalents are /etc/profile and /etc/bash.bashrc.
Here is an example .bashrc file:

```bash
# Example .bashrc file
alias ll='ls -alF'
alias h='history'
export PATH=$PATH:/usr/local/bin
export EDITOR=vim
```

You can create aliases. They are essentially shorthand: instead of typing out a long command, create an alias that shortens it.
Contributing
I encourage opening an issue/PR if you know of any additional Shodan searches for identifying adversary infrastructure. I will not set hard guidelines around what can be submitted; just know that fidelity is paramount (a high true-positive to false-positive ratio is the focus).
References
- Hunting C2 with Shodan by Michael Koczwara: https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f
- Hunting Cobalt Strike C2 with Shodan by Michael Koczwara: https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA
- BushidoToken's OSINT-SearchOperators: https://github.com/BushidoUK/OSINT-SearchOperators/blob/main/ShodanAdversaryInfa.md
- https://twitter.com/MichalKoczwara/status/1641119242618650653
- https://twitter.com/MichalKoczwara/status/1641676761283850241
- https://twitter.com/_montysecurity/status/1643164749599834112
- https://twitter.com/ViriBack/status/1713714868564394336
- https://twitter.com/g0njxa/status/1717563999984717991
- https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd
- https://twitter.com/Glacius_/status/1731699013873799209
Repository: https://github.com/montysecurity/C2-Tracker/tree/main
Main program (tracker.py). Results are saved in the data directory and can be used as threat intelligence for network connections.
```python
import os

from dotenv import load_dotenv
from shodan import Shodan, exception


def shodan():
    api_key = os.environ["SHODAN_API_KEY"].strip()
    api = Shodan(api_key)

    # Query sources:
    # https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f
    # https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
    # https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA
    # https://github.com/BushidoUK/OSINT-SearchOperators/blob/main/ShodanAdversaryInfa.md
    # https://twitter.com/MichalKoczwara/status/1641119242618650653
    # https://twitter.com/MichalKoczwara/status/1641676761283850241
    queries = {
        "Cobalt Strike C2": [
            "ssl.cert.serial:146473198",
            "hash:-2007783223 port:50050",
            "ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2",
            "product:'Cobalt Strike Beacon'",
            "ssl:foren.zik",
        ],
        "Metasploit Framework C2": [
            "ssl:MetasploitSelfSignedCA",
            "http.favicon.hash:-127886975",
            "product:Metasploit",
        ],
        "Covenant C2": [
            "ssl:Covenant http.component:Blazor",
            "http.favicon.hash:-737603591",
            "product:Covenant",
        ],
        "Mythic C2": [
            "ssl:Mythic port:7443",
            "http.favicon.hash:-859291042",
            "product:Mythic",
        ],
        "Brute Ratel C4": [
            "http.html_hash:-1957161625",
            "product:'Brute Ratel C4'",
        ],
        "Posh C2": [
            "ssl:P18055077",
            "product:PoshC2",
        ],
        "Sliver C2": [
            "ssl:multiplayer ssl:operators",
            '"HTTP/1.1 404 Not Found" "Cache-Control: no-store, no-cache, must-revalidate" "Content-Length: 0" -"Server:" -"Pragma:"',
            # https://twitter.com/Glacius_/status/1731699013873799209
            'product:"Sliver C2"',
        ],
        "Deimos C2": [
            "http.html_hash:-14029177",
            "product:'Deimos C2'",
        ],
        "PANDA C2": [
            "http.html:PANDA http.html:layui",
            "product:'Panda C2'",
        ],
        "NimPlant C2": [
            "http.html_hash:-1258014549",
        ],
        "Havoc C2": [
            "X-Havoc: true",
            "product:Havoc",
        ],
        # https://twitter.com/ViriBack/status/1713714868564394336
        "Caldera C2": [
            "http.favicon.hash:-636718605",
            "http.html_hash:-1702274888",
            'http.title:"Login | CALDERA"',
        ],
        "GoPhish": [
            "http.title:'Gophish - Login'",
        ],
        "AcidRain Stealer": [
            'http.html:"AcidRain Stealer"',
        ],
        "Misha Stealer": [
            "http.title:misha http.component:UIKit",
        ],
        "Patriot Stealer": [
            "http.favicon.hash:274603478",
            "http.html:patriotstealer",
        ],
        "RAXNET Bitcoin Stealer": [
            "http.favicon.hash:-1236243965",
        ],
        "Titan Stealer": [
            "http.html:'Titan Stealer'",
        ],
        "Collector Stealer": [
            'http.html:"Collector Stealer"',
            "http.html:getmineteam",
        ],
        "Mystic Stealer": [
            "http.title:'Mystic Stealer'",
            "http.favicon.hash:-442056565",
        ],
        "Gotham Stealer": [
            "http.title:'Gotham Stealer'",
            "http.favicon.hash:-1651875345",
        ],
        # https://twitter.com/g0njxa/status/1717563999984717991?t=rcVyVA2zwgJtHN5jz4wy7A&s=19
        "Meduza Stealer": [
            "http.html_hash:1368396833",
            "http.title:'Meduza Stealer'",
        ],
        "XMRig Monero Cryptominer": [
            "http.html:XMRig",
            "http.favicon.hash:-782317534",
            "http.favicon.hash:1088998712",
        ],
        # https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd
        "7777 Botnet": [
            "hash:1357418825",
        ],
        "Quasar RAT": ["product:'Quasar RAT'"],
        "ShadowPad": ["product:ShadowPad"],
        "AsyncRAT": ["product:AsyncRAT"],
        "DcRat": ["product:DcRat"],
        "BitRAT": ["product:BitRAT"],
        "Empire C2": ["product:'Empire C2'"],
        "DarkComet Trojan": ["product:'DarkComet Trojan'"],
        "XtremeRAT Trojan": ["product:'XtremeRAT Trojan'"],
        "NanoCore RAT Trojan": ["product:'NanoCore RAT Trojan'"],
        "Gh0st RAT Trojan": ["product:'Gh0st RAT Trojan'"],
        "DarkTrack RAT Trojan": ["product:'DarkTrack RAT Trojan'"],
        "njRAT Trojan": ["product:'njRAT Trojan'"],
        "Remcos Pro RAT Trojan": ["product:'Remcos Pro RAT Trojan'"],
        "Poison Ivy Trojan": ["product:'Poison Ivy Trojan'"],
        "Orcus RAT Trojan": ["product:'Orcus RAT Trojan'"],
        "Ares RAT C2": ["product:'Ares RAT C2'"],
        "ZeroAccess Trojan": ["product:'ZeroAccess Trojan'"],
        "Hookbot": ["http.title:'Hookbot Panel'"],
    }

    # Start from an empty data/ directory so IPs from the previous run do not
    # linger in the feed (the directory is created if it is missing).
    # https://www.techiedelight.com/delete-all-files-directory-python/
    dir_to_clean = "data"
    os.makedirs(dir_to_clean, exist_ok=True)
    for file in os.scandir(dir_to_clean):
        os.remove(file.path)

    ip_set_from_all_products = set()
    count_of_all_ips = 0
    count_of_products = 0
    for product in queries:
        count_of_products += 1
        count_of_product_ips = 0
        ip_set_from_product = set()
        for query in queries[product]:
            print(f"Product: {product}, Query: {query}")
            results = api.search_cursor(query)
            # Catch Shodan query errors and move on to the next query
            # TODO: make it restart main() while keeping track of what was already documented
            try:
                for result in results:
                    ip = str(result["ip_str"])
                    ip_set_from_product.add(ip)
                    ip_set_from_all_products.add(ip)
            except exception.APIError:
                continue
        # Sets deduplicate IPs that several of the product's queries return
        with open(f"data/{product} IPs.txt", "a") as product_ips_file:
            for ip in ip_set_from_product:
                product_ips_file.write(f"{ip}\n")
                count_of_product_ips += 1
        print(f"- Created data/{product} IPs.txt")
        if count_of_product_ips == 1:
            print(f"- Documented {count_of_product_ips} IP address\n\n")
        elif count_of_product_ips > 1:
            print(f"- Documented {count_of_product_ips} unique IP addresses\n\n")

    with open("data/all.txt", "a") as all_ips_file:
        for ip in ip_set_from_all_products:
            all_ips_file.write(f"{ip}\n")
            count_of_all_ips += 1
    print("\n- Created data/all.txt")
    print(f"- Searched for {count_of_products} different tools/malware")
    if count_of_all_ips == 1:
        print(f"- Documented {count_of_all_ips} IP address")
    elif count_of_all_ips > 1:
        print(f"- Documented {count_of_all_ips} unique IP addresses")


def main():
    load_dotenv()
    shodan()


if __name__ == "__main__":
    main()
```
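As an added example that is not part of the C2-Tracker repository, the following Python script shows the consumer side of the feed: it loads every "<tool> IPs.txt" file that tracker.py writes into an IP-to-tools index (skipping all.txt, which is only the union of the per-tool files, and dropping any malformed line) and checks the responder address of Zeek conn.log records against it. The feed files and the conn.log excerpt are constructed inline for the demo and use RFC 5737 documentation addresses, not real IOCs; only the data/ file layout is taken from tracker.py.

```python
import ipaddress
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample feed in the layout tracker.py writes: one "<product> IPs.txt"
# per tool plus all.txt. RFC 5737 documentation addresses only, not real IOCs.
# "not-an-ip" is deliberately malformed to exercise the loader's validation.
SAMPLE_FEED = {
    "Cobalt Strike C2 IPs.txt": ["203.0.113.10", "198.51.100.7"],
    "Sliver C2 IPs.txt": ["203.0.113.10", "192.0.2.44"],
    "AsyncRAT IPs.txt": ["192.0.2.99", "not-an-ip"],
}

# Constructed Zeek conn.log excerpt (tab separated; fields named in the header line).
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1700000000.100000\tCabc1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\n"
    "1700000001.200000\tCabc2\t10.0.0.6\t51235\t198.51.100.200\t80\ttcp\n"
    "1700000002.300000\tCabc3\t10.0.0.7\t51236\t192.0.2.99\t8080\ttcp\n"
    "1700000003.400000\tCabc4\t10.0.0.5\t51237\t198.51.100.7\t50050\ttcp\n"
)


def write_sample_feed(data_dir: Path) -> Path:
    """Materialise SAMPLE_FEED on disk the way tracker.py does, including all.txt."""
    data_dir.mkdir(parents=True, exist_ok=True)
    everything = set()
    for name, ips in SAMPLE_FEED.items():
        (data_dir / name).write_text("\n".join(ips) + "\n")
        everything.update(ips)
    (data_dir / "all.txt").write_text("\n".join(sorted(everything)) + "\n")
    return data_dir


def load_feed(data_dir: Path) -> dict[str, set[str]]:
    """Map each IOC to the set of tools whose Shodan queries returned it.

    all.txt is skipped because it is the union of the per-tool files, and a
    line that is not a valid IP address is dropped rather than indexed.
    """
    index: dict[str, set[str]] = defaultdict(set)
    for path in sorted(data_dir.glob("* IPs.txt")):
        tool = path.name[: -len(" IPs.txt")]
        for line in path.read_text().splitlines():
            line = line.strip()
            if not line:
                continue
            try:
                ip = str(ipaddress.ip_address(line))  # normalises and validates
            except ValueError:
                continue
            index[ip].add(tool)
    return dict(index)


def match_conn_log(log_text: str, index: dict[str, set[str]]) -> list[dict]:
    """Return one hit per conn.log record whose responder IP is in the feed."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # Zeek header/comment lines
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, uid, orig_h, _orig_p, resp_h, resp_p, _proto = fields[:7]
        tools = index.get(resp_h)
        if tools:
            hits.append({"ts": ts, "uid": uid, "src": orig_h, "dst": resp_h,
                         "dport": int(resp_p), "tools": sorted(tools)})
    return hits


def demo() -> dict:
    """Write the sample feed to a temp dir, index it and scan the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        index = load_feed(write_sample_feed(Path(tmp) / "data"))
    hits = match_conn_log(SAMPLE_CONN_LOG, index)
    return {"index": index, "hits": hits}


if __name__ == "__main__":
    for hit in demo()["hits"]:
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}  "
              f"{', '.join(hit['tools'])}")
```

Indexing the per-tool files instead of all.txt keeps the attribution: an IP that several tools' queries returned (203.0.113.10 above is listed under both Cobalt Strike and Sliver) is reported with every label, which is exactly the overlap all.txt hides. A hit still only means the host matched a Shodan fingerprint at scan time, which is why the Contributing section asks for high-fidelity queries; treat it as a lead for triage rather than a verdict.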
Source: jinglingshu's blog » C2-Tracker: Live Feed of C2 servers, tools, and botnets