Framework for analysis of suspicious website

! UNDER DEVELOPMENT !

• Launch a VM and open a website with multiple browsers.
• For each browser, do a screenshot of the loaded webpage.
• Take a PCAP of the full browsing session
• Pass all requests through a proxy (currently mitmdump)
• Automate the full process

1. Install mitmproxy: $ sudo apt-get install mitmproxy
2. Check that tcpdump is installed

1. Install operating system of choice (dev/test on Windows 10)
2. Install Python 2.7
3. pip install selenium
4. pip install Bottle
5. Install Firefox
6. Install Selenium drivers for Internet Explorer and Firefox
7. Set a password for user (required to run remotely script)
8. Enable auto-logon of user
9. Copy payload-rest.py to C:\Scripts and run the script
10. While the script is still RUNNING, take a snapshot namedwebshot

Define the configuration in configuration.py. A skeleton of configuration is offered in default-configuration.py.

When configuration is defined, execution is done with:

sudo python ./webshot.py -u "http://www.autopsit.org"

In ./cases, you fill have the following structure:

• A sub-directory with the FQDN
• A sub directory per run of the script
• A capture of all the traffic passing through proxy: proxy_traffic.txt
• A logfile of the proxy output (MITMPROXY format): proxy.log
• A full tcpdump capture: capture.pcap
• A zip file with screenshots of the website for each browser selected in payload-rest.py

Note for Proxy users, to use PIP, set proxy with the following command

	set HTTP_PROXY=http://[username]:[password]@[proxy address]:[port]

• When HTTP_PROXY is defined, it interfere with normal script behaviour. Variables should be unset for the execution:

	unset HTTP_PROXY
	unset HTTPS_PROXY
	unset http_proxy
	unset https_proxy