Automater

Welcome to another tutorial! This one is on Automater, and is part of the OSINT section.

Automater is a URL, IP, MD5 Hash analyzer tool for Intrusion Analysts. Automater will take the target you give it, connect to a set of pre-defined websites, and return things like “this domain is known to serve malware”, or “the hash you entered has been detected as malicious”. It uses sites like Robtex, VirusTotal, and several others to get this information, automating the process for you, so you don’t have to visit these sites individually, saving you a ton of time.

As an intrusion analyst, you will come across these things where a user may get an email asking them to click on a link, and you can use Automater to research that URL to see if anything malicious has been reported on it.

Let’s take a look at some of the options available.

Options
In Kali, go to “Applications –> Information Gathering –> OSINT Analysis –> AUTOMATER”. This will give you the standard listing of all the options, and a description for each.

atm-help1
atm-help2

Let’s briefly go over them…

-o: output results to text file
-f: output results to CEF file
-w: output results to HTML file
-c: output results to CSV file
-d: change delay in seconds; default is 2 seconds
-s: only run target against specific sources as defined in the sites XML file
-p: post information to sites that allow posting; default is not to send post requests
–proxy: specify a proxy to use
-a: specify user-agent to send with requests; default is Automater/version

Domain Analysis
The first scan we’ll run will be for analyzing a domain. The command is simple here:

automater facebook.com

atm-domain1

We see that automater checked several sites looking for information on Facebook. It checked to see if the domain was included in any URL blacklists, and if any sites listed it as a malicious site. As an analyst at your company, you could run your domain through these checks to see if anything negative comes back.

Let’s look at a site that is known to be malicous. There are several sites that maintain lists of malicious URLs. We’ll grab a URL from malwaredomainlist.com.

atm-domain2

You can see this domain was included in blacklists at a few different places like Fortinet. It also shows geo-location coordinates, and the country of origin.

IP Analysis
Now let’s give it an IP address, and see what kind of information it returns. I’m going to use the IP of the domain we just looked at.

atm-ip1

and the results…

atm-ip2
atm-ip3

Notice there were several results returned from Malc0de, including some MD5 hashes, and the dates the site was reported for validation.

MD5 Hash Analysis
Now let’s give automater a hash to analyze. We’ll use one of the results from the previous scan.

atm-hash1
atm-hash2
atm-hash3

Suppose we have a hash, and we just want to check it against VirusTotal. You can do that using the “-s” switch, then specifying the source you want to use.

atm-specifysrc1
atm-specifysrc2

The source names you use here are specified in the “sites.xml” file that comes as part of the Automater package. These files are located under “/usr/share/automater/“. If you navigate to this directory, you’ll see the “sites.xml” file. Open this file, then scroll down until you start seeing the tag, which defines how these site names should be called.

atm-specifysrc3

Generating an MD5 Hash
One extra note here – if you have a suspect file, and you want to generate an MD5 hash, you can use the built in utility in Linux called MD5SUM. This is a command line tool that comes in most Linux distros by default, and is very simple to use. Here is a sample use for it:

1. Navigate to the folder containing your suspect file
2. Run MD5Sum – “md5sum nameoffile ”
3. The hash will be displayed, and you can then check it using Automater

atm-md5test1

Conclusion
You can see that automater is an awesome tool that you can use to investigate suspicious URLs, or a piece of software you think could be malware. It saves loads of time in research by you not having to visit all these sites individually.

Thanks for looking!