EKFiddle v.0.8.2 – A Framework Based On The Fiddler Web Debugger To Study Exploit Kits, Malvertising And Malicious Traffic In General


A framework based on the Fiddler web debugger to study exploit kits, malvertising and malicious traffic in general.

Installation

Download and install the latest version of Fiddler
https://www.telerik.com/fiddler
Special instructions for Linux and Mac here:
https://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
https://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1

Enable C# scripting (Windows only)
Launch Fiddler, and go to Tools -> Options
In the Scripting tab, change the default (JScript.NET) to C#.

Change default text editor (optional)
In the same Tools -> Options menu, click on the Tools tab.

  • Windows: notepad.exe or notepad++.exe
  • Linux: gedit
  • Mac: /Applications/TextEdit.app or /Applications/TextWrangler.app

Close Fiddler

Download or clone CustomRules.cs into the appropriate folder based on your operating system:

  • Windows (7/10): C:\Users\[username]\Documents\Fiddler2\Scripts
  • Ubuntu: /home/[username]/Fiddler2/Scripts/
  • Mac: /Users/[username]/Fiddler2/Scripts/

Finish up the installation
Start Fiddler to complete the installation of EKFiddle. That's it, you're all set!

Features

Toolbar buttons
The added toolbar buttons give you quick shortcuts to some of the main features:

QuickSave
Dumps the current web sessions into a SAZ file named QuickSave-"MM-dd-yyyy-HH-mm-ss".saz in the EKFiddle\Captures folder.

UI mode
Toggle between the default column view and additional columns with extra information (includes time stamp, server IP and type, method, etc.).

VPN
VPN GUI built directly into Fiddler. It uses the OpenVPN client on Windows and Linux with .ovpn files (signing up with a commercial VPN provider may be required). It opens a new terminal/xterm each time it connects to a new server via the selected .ovpn config file, killing the previous one to ensure only one TAP adapter is in use at any given time.

  • Windows

Download and install OpenVPN in the default directory.
Place your .ovpn files inside OpenVPN's config folder.

  • Linux (tested on Ubuntu 16.04)

sudo apt-get install openvpn
Place your .ovpn files in /etc/openvpn.

Proxy
Allows you to connect to an upstream proxy (HTTP/S or SOCKS).

Import SAZ/PCAP
A shortcut to load SAZ (Fiddler's native format) or PCAP (e.g. from Wireshark) captures.

View/Edit Regexes
View and create your custom regular expressions. Note: a master list is provided with auto-updates via GitHub. Additionally, the custom list lets you create your own rules.
There are four types of indicators to match on:

  • URI (full or partial URI match)
  • IP (single IP address or IP range)
  • SourceCode (Response Body)
  • Headers (any value within a Response's Headers)

Syntax:
Important! Fields are TAB delimited (Type, Name, Regex, Comment).
URI	My_URI_rule	[a-z0-9]{2}	Match URI
IP	My_IP_address_rule	5.154.191.67	Match static IP address
IP	My_IP_address_rule	5.154.191.(6[0-9]|70)	Match an IP range
SourceCode	My_sourcecode_rule	vml=1	Look for specific string
Headers	My_headers_rule	nginx	Look for specific string

Run Regexes
Run the master and custom regular expressions against the current web sessions.

Clear Markings
Clear any comments and color highlighting in the currently loaded sessions.

ContextAction menu
The ContextAction menu (accessed by right-clicking on any session(s)) lets you perform additional commands on the selected sessions. This can be very useful for quick lookups, computing hashes or extracting IOCs.

Hostname or IP address (Google Search, RiskIQ, URLQuery, RiskIQ)
Query the hostname for the currently selected session.

URI

Build Regex
Create a regular expression from the currently selected URI. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.

Open in… Internet Explorer, Chrome, Firefox, Edge
This opens up the URI in the browser you selected.

Response Body

Remove encoding
Decodes the currently selected sessions (from their basic encoding).

Build Regex
Create a regular expression from the currently selected session's source code. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.

Calculate MD5/SHA256 hash
Gets the current session's body and computes its hash.

Hybrid Analysis / VirusTotal lookup
Hashes the current session's body, then looks up that hash.

Extract to Disk
Downloads the body of the currently selected session(s) to disk, into the 'Artifacts' folder.

Extract IOCs
Copies basic information from the selected sessions into memory so that it can be shared as IOCs.

Extract Coinhive site keys

Connect-the-dots
Allows you to identify the sequence of events between sessions. Right-click on the session you want to retrace your steps to and simply 'connect the dots'. This labels the sequence of events from 01 to n in the comments column. You can sort by that column to get a condensed view of the sequence.

Crawler (experimental)
Load a list of URLs from a text file and let the browser automatically visit them: Tools -> Crawler (experimental) -> Start crawler. May require some tweaks to your browser's settings, especially with regard to crash recovery.

Uninstalling EKFiddle
Delete CustomRules.cs
