When trying to search the IOC (Indicator of Compromise) for IP addresses, domains, hash values, etc. with OSINT services (Shodan, Censys, VirusTotal, etc.), do you find it a little troublesome?
For example, in the following cases.
- Troublesome to copy and paste the IOC
- Troublesome to solve the defang
https://www.google[.]comIn order to prevent problems even if you click the URL by mistake, the technique of enclosing the dots in brackets to make them harmless is called defang. On the contrary, the technique of solving the defang is called refang.
I made a tool as an extension of Chrome to eliminate such a little troublesome smell. The name is Mitaka.
What can i do
Mitaka is a Chrome extension that parses the string selected on the browser (or the destination URL if a link is selected) and works according to the type of IOC contained in that string. Generates a context menu.
For example, if 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0fyou right-click with the SHA256 hash value ( ) selected and open the context menu, the services that support the hash value search (VirusTotal, Hybrid Analysis, etc.) will be displayed. Clicking this will take you to the search results page for that service.
Mitaka implements the refanging feature mentioned above https://www.google[.]com, which is automatically https://www.google.com converted and handled when you select.
This allows you to try digging the IOC by resolving the annoying odor I mentioned earlier.
Supported services
The current version supports 5 types of IOC (+ free-form Text) and 14 types of OSINT services: IP, Domain, URL, Email, and Hash.
| name | url | supported types |
|---|---|---|
| Censys | https://censys.io | text |
| DomainBigData | https://domainbigdata.com | domain |
| FindSubDomains | https://findsubdomains.com | domain |
| Hybrid Analysis | https://www.hybrid-analysis.com | hash (sha256 only) |
| ONYPHE | https://www.onyphe.io | ip |
| PublicWWW | https://publicwww.com | text |
| Pulsedive | https://pulsedive.com | ip / domaion / url / hash |
| RiskIQ | http://community.riskiq.com | ip / domain / email |
| SecurityTrails | https://securitytrails.com | ip / domain |
| Shodan | https://www.shodan.io | text |
| Urlscan | https://urlscan.io | ip / domain / url |
| ViewDNS | https://viewdns.info | ip, domain, email |
| VirusTotal | https://www.virustotal.com | ip / domain / url / hash |
| X-Force Exchange | https://exchange.xforce.ibmcloud.com | ip / domain / hash |
These can be enabled / disabled as desired from the extension options.
It also implements the ability to scan IP, Domain, and URLs only for urlscan.io and VirusTotal.
| name | url | supported types |
|---|---|---|
| Urlscan | https://urlscan.io | ip / domain / url |
| VirusTotal | https://www.virustotal.com | url |
Installation method
Mitaka can be downloaded from the Chrome Web Store.
Finally
By using Mitaka, you can analyze the OSINT information crisply. I praise myself, but personally, it’s a tool I use almost every day. Please try it if you like.
Also, in implementing Mitaka, I created an npm package to extract the IOC from the text. The name is ioc-extractor.