Kali Linux Tutorials

Miteru is an experimental phishing kit detection tool. Following are the features that can be used for the tool;

• Phishing kit detection & collection.
• Slack notification.
• Threading.

How it works?

• It collects phishy URLs from the following feeds:
  • CertStream-Suspicious feed via urlscan.io
  • OpenPhish feed via urlscan.io
  • PhishTank feed via urlscan.io
  • Ayashige feed
• It checks each phishy URL whether it enables directory listing and contains a phishing kit (compressed file) or not.
  • Note: compressed file = *.zip, *.rar, *.7z, *.tar and *.gz.

Also Read : Mquery : YARA Malware Query Accelerator

Installation

$ gem install miteru

Usage

$ miteru
Commands:
miteru execute # Execute the crawler
miteru help [COMMAND] # Describe available
commands or one specific command

$ miteru help execute
Usage:
miteru execute

Options:
[–auto-download], [–no-auto-download] # Enable or disable auto-download of phishing kits
[–directory-traveling], [–no-directory-traveling] # Enable or disable directory traveling
[–download-to=DOWNLOAD_TO] # Directory to download file(s)
# Default: /tmp
[–post-to-slack], [–no-post-to-slack] # Post a message to Slack if it detects a phishing kit
[–size=N] # Number of urlscan.io’s results. (Max: 10,000)
# Default: 100
[–threads=N] # Number of threads to use
# Default: 10
[–verbose], [–no-verbose]
# Default: true

Execute the crawler
$ miteru execute
…
https://dummy1.com: it doesn’t contain a phishing kit.
https://dummy2.com: it doesn’t contain a phishing kit.
https://dummy3.com: it doesn’t contain a phishing kit.
https://dummy4.com: it might contain a phishing kit (dummy.zip).

Using Docker (alternative if you don’t install Ruby)

$ git clone https://github.com/ninoseki/miteru.git
$ cd miteru/docker
$ docker build -t miteru .
$ docker run miteru
ex. auto-download detected phishing kit(s) into host machines’s /tmp directory
$ docker run -v /tmp:/tmp miteru execute –auto-download

Aasciinema Cast

Note

For using --post-to-slack feature, you should set the following environment variables:

• SLACK_WEBHOOK_URL: Your Slack Webhook URL.
• SLACK_CHANNEL: Slack channel to post a message (default: “#general”).