Mihari : A Helper To Run OSINT Queries & Manage Results Continuously

Mihari is a helper to run queries & manage results continuously. Mihari can be used for C2, landing page and phishing hunting.

How Does It Work?

  • Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs and hashes) from the results.
  • Mihari checks whether a DB (SQLite3 or PostgreSQL) contains the artifacts or not.
    • If it doesn’t contain the artifacts:
      • Mihari creates an alert on TheHive. (Optional)
      • Mihari sends a notification to Slack. (Optional)
      • Mihari creates an event on MISP. (Optional)

Screenshots

  • TheHive alert example
  • Slack notification example
  • MISP event example

Requirements

  • Ruby 2.6+
  • SQLite3
  • libpq

# For Debian / Ubuntu
apt-get install sqlite3 libsqlite3-dev libpq-dev

Installation

gem install mihari

Or you can use this tool with Docker.

docker pull ninoseki/mihari

Basic Usage

Mihari supports the following services by default.

$ mihari
Commands:
mihari alerts # Show the alerts on TheHive
mihari binaryedge [QUERY] # BinaryEdge host search by a query
mihari censys [QUERY] # Censys IPv4 search by a query
mihari circl [DOMAIN|SHA1] # CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint
mihari crtsh [QUERY] # crt.sh search by a query
mihari dnpedia [QUERY] # DNPedia domain search by a query
mihari dnstwister [DOMAIN] # dnstwister lookup by a domain
mihari free_text [TEXT] # Cross search with search engines by a free text
mihari help [COMMAND] # Describe available commands or one specific command
mihari http_hash # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
mihari import_from_json # Give a JSON input via STDIN
mihari onyphe [QUERY] # Onyphe datascan search by a query
mihari otx [IP|DOMAIN] # OTX lookup by an IP or domain
mihari passive_dns [IP|DOMAIN] # Cross search with passive DNS services by an IP or domain
mihari passive_ssl [SHA1] # Cross search with passive SSL services by a SHA1 certificate fingerprint
mihari passivetotal [IP|DOMAIN|EMAIL|SHA1] # PassiveTotal lookup by an IP, domain, email or SHA1 certificate fingerprint
mihari pulsedive [IP|DOMAIN] # Pulsedive lookup by an IP or domain
mihari reverse_whois [EMAIL] # Cross search with reverse whois services by an email
mihari securitytrails [IP|DOMAIN|EMAIL] # SecurityTrails lookup by an IP, domain or email
mihari securitytrails_domain_feed [REGEXP] # SecurityTrails new domain feed search by a regexp
mihari shodan [QUERY] # Shodan host search by a query
mihari spyse [QUERY] # Spyse search by a query
mihari ssh_fingerprint [FINGERPRINT] # Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)
mihari status # Show the current configuration status
mihari urlscan [QUERY] # urlscan search by a given query
mihari virustotal [IP|DOMAIN] # VirusTotal resolutions lookup by an IP or domain
mihari zoomeye [QUERY] # ZoomEye search by a query
Options:
[--config=CONFIG] # path to config file

Cross Searches

Mihari has cross search features. A cross search is a search across a number of services.

You can get aggregated results by using the following commands.

Command | Description
passive_dns | Passive DNS lookup with CIRCL passive DNS, OTX, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal
passive_ssl | Passive SSL lookup with CIRCL passive SSL and PassiveTotal
reverse_whois | Reverse Whois lookup with PassiveTotal and SecurityTrails
http_hash | HTTP response hash lookup with BinaryEdge (SHA256), Censys (SHA256), Onyphe (MD5) and Shodan (MurmurHash3)
free_text | Free text lookup with BinaryEdge and Censys
ssh_fingerprint | SSH fingerprint lookup with BinaryEdge and Shodan

http_hash Command

The usage of the http_hash command is a little tricky.

$ mihari help http_hash

Usage:
mihari http_hash

Options:
[--title=TITLE] # title
[--description=DESCRIPTION] # description
[--tags=one two three] # tags
[--md5=MD5] # MD5 hash
[--sha256=SHA256] # SHA256 hash
[--mmh3=N] # MurmurHash3 hash

Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)

There are two ways to use this command.

The first is to pass the --md5, --sha256 and --mmh3 parameters explicitly.

mihari http_hash --md5=881191f7736b5b8cfad5959ca99d2a51 --sha256=b064187ebdc51721708ad98cd89dacc346017cb0fb0457d530032d387f1ff20e --mmh3=-1467534799

The other is to pass the --html parameter; in that case the hashes of the given HTML file are calculated automatically.

wget http://example.com -O /tmp/index.html
mihari http_hash --html /tmp/index.html

Example Usages

# Censys lookup for PANDA C2
mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"

# VirusTotal passive DNS lookup of a FAKESPY host
mihari virustotal "jppost-hi.top" --title "FAKESPY passive DNS"

# You can pass a "defanged" indicator as an input
mihari virustotal "jppost-hi[.]top" --title "FAKESPY passive DNS"

Import From JSON

echo '{ "title": "test", "description": "test", "artifacts": ["1.1.1.1", "github.com", "2.2.2.2"] }' | mihari import_from_json

The input JSON must have the title, description and artifacts keys; the tags key is optional.

{
"title": "test",
"description": "test",
"artifacts": ["1.1.1.1", "github.com"],
"tags": ["test"]
}

Key | Description | Required or optional
title | A title of an alert | Required
description | A description of an alert | Required
artifacts | An array of artifacts (supported data types: ip, domain, url, email, hash) | Required
tags | An array of tags | Optional
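The import format above, together with the defanged input shown in the VirusTotal example, as an added Ruby example that is not part of Mihari: it refangs raw indicators, keeps only the artifact types the key table lists, and emits the JSON that mihari import_from_json reads. The refang and artifact_type helpers and the SAMPLE list are constructed for this page; pipe the script's output into mihari import_from_json to use it.

```ruby
# Added example, not part of Mihari: build an import_from_json payload from raw
# indicators, refanging defanged values and dropping unsupported ones.
require "json"
require "ipaddr"

HASH_RE   = /\A(\h{32}|\h{40}|\h{64})\z/            # MD5, SHA1 or SHA256 hex digest
EMAIL_RE  = /\A[^@\s]+@[^@\s]+\.[a-z]{2,}\z/i
DOMAIN_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\z/i

# Undo common defanging: "jppost-hi[.]top", "example(.)com", "hxxp://".
def refang(indicator)
  indicator.strip
           .gsub(/\[\.\]|\(\.\)|\{\.\}/, ".")
           .sub(/\Ahxxps?:\/\//i) { |scheme| scheme.downcase.sub("hxxp", "http") }
end

def ip?(value)
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Returns the Mihari artifact type as a symbol, or nil when unsupported.
def artifact_type(value)
  return :hash   if value.match?(HASH_RE)
  return :email  if value.match?(EMAIL_RE)
  return :url    if value.match?(%r{\Ahttps?://}i)
  return :ip     if ip?(value)
  return :domain if value.match?(DOMAIN_RE)
  nil
end

# Build the alert hash: title, description and artifacts are required,
# tags are optional, matching the key table above.
def build_alert(title, description, raw_indicators, tags: [])
  artifacts = raw_indicators.map { |raw| refang(raw) }.select { |v| artifact_type(v) }.uniq
  if title.to_s.empty? || description.to_s.empty? || artifacts.empty?
    raise ArgumentError, "title, description and at least one artifact are required"
  end
  alert = { "title" => title, "description" => description, "artifacts" => artifacts }
  alert["tags"] = tags unless tags.empty?
  alert
end

# Constructed sample input: a defanged domain, a duplicate IP, a defanged URL, an MD5 and junk.
SAMPLE = ["jppost-hi[.]top", "1.1.1.1", "hxxp://example(.)com/login",
          "881191f7736b5b8cfad5959ca99d2a51", "not an indicator", "1.1.1.1"]

puts JSON.generate(build_alert("test", "test", SAMPLE, tags: ["test"])) if $PROGRAM_NAME == __FILE__
```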

Configuration

Configuration can be done via environment variables or a YAML file.

Key | Description | Default
DATABASE | A path to the SQLite database or a DB URL (e.g. postgres://postgres:pass@db.host:5432/somedb) | mihari.db
BINARYEDGE_API_KEY | BinaryEdge API key
CENSYS_ID | Censys API ID
CENSYS_SECRET | Censys secret
CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password
CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username
MISP_API_ENDPOINT | MISP URL
MISP_API_KEY | MISP API key
ONYPHE_API_KEY | Onyphe API key
OTX_API_KEY | OTX API key
PASSIVETOTAL_API_KEY | PassiveTotal API key
PASSIVETOTAL_USERNAME | PassiveTotal username
PULSEDIVE_API_KEY | Pulsedive API key
SECURITYTRAILS_API_KEY | SecurityTrails API key
SHODAN_API_KEY | Shodan API key
SLACK_CHANNEL | Slack channel name | #general
SLACK_WEBHOOK_URL | Slack Webhook URL
SPYSE_API_KEY | Spyse API key
THEHIVE_API_ENDPOINT | TheHive URL
THEHIVE_API_KEY | TheHive API key
URLSCAN_API_KEY | urlscan.io API key
VIRUSTOTAL_API_KEY | VirusTotal API key
ZOOMEYE_PASSWORD | ZoomEye password
ZOOMEYE_USERNAME | ZoomEye username

Instead of using environment variables, you can use a YAML file for configuration.

mihari virustotal 1.1.1.1 --config /path/to/yaml.yml

The YAML file should be a YAML hash like the one below:

database: /tmp/mihari.db
thehive_api_endpoint: https://localhost
thehive_api_key: foo
virustotal_api_key: foo

You can check the configuration status via the status command.

mihari status

How To Create A Custom Script?

Create a class which extends Mihari::Analyzers::Base and implements the following methods.

Name | Description | @return | Required or optional
#title | A title of an alert | String | Required
#description | A description of an alert | String | Required
#artifacts | An array of artifacts (supported data types: ip, domain, url, email, hash) | Array | Required
#tags | An array of tags | Array | Optional

Using it with Docker

$ docker run --rm ninoseki/mihari
# Note that you should pass configurations via environment variables.
# docker run options such as -e and --env-file must come before the image name;
# anything placed after the image is passed to the container as its command.
$ docker run --rm -e THEHIVE_API_ENDPOINT="http://THEHIVE_URL" -e THEHIVE_API_KEY="API KEY" ninoseki/mihari
# or
$ docker run --rm --env-file ~/.mihari.env ninoseki/mihari

R K
