MITERU-Phishkit Collection

MITERU is an automated phishing kit collection tool written and designed by Manabu Niseki. It pulls a list of suspicious domains from various sources and then crawls those domains, looking in open directories for the file types commonly associated with phishing kits. For a more in-depth look at which sources are pulled from, and for details on the Docker install, please take a look at the official GitHub page.

In this post I will go over the installation of MITERU on a clean Linux install, and the configuration of cron and Slack alerts.

Installation

sudo apt update 
sudo apt upgrade
sudo apt install ruby-dev
sudo gem install miteru

Once installation is complete we will set up Slack alerts via a webhook (this is optional). First we need to create a channel in Slack for our alerts to go to.

Configuration

From here we need to create a custom integration for the webhook. From the main menu select administration>>manage-apps>>custom integration. In the search bar at the top of the page, search for Incoming Webhooks and select Add to Slack.

Now all we have to do is select the channel we want the messages posted to, and select Add Incoming Webhook Integration.

The next section gives you the webhook URL you need, as well as options to customise the bot name and icon on your notifications.

In order to use Slack alerting we need to set a couple of environment variables back on the Linux machine: the Slack webhook address and the channel we want to post to.

export SLACK_WEBHOOK_URL=YOUR HOOK ADDRESS HERE
export SLACK_CHANNEL=YOUR SELECTED CHANNEL

Once that is done we are ready to start testing. MITERU's options are explained below.

$ miteru help execute
Usage:
  miteru execute

Options:
  [--auto-download], [--no-auto-download]              # Enable or disable auto-download of phishing kits
  [--ayashige], [--no-ayashige]                        # Enable or disable ayashige(ninoseki/ayashige) feed
  [--directory-traveling], [--no-directory-traveling]  # Enable or disable directory traveling
  [--download-to=DOWNLOAD_TO]                          # Directory to download file(s)
                                                       # Default: /tmp
  [--post-to-slack], [--no-post-to-slack]              # Post a message to Slack if it detects a phishing kit
  [--size=N]                                           # Number of urlscan.io's results. (Max: 10,000)
                                                       # Default: 100
  [--threads=N]                                        # Number of threads to use
  [--verbose], [--no-verbose]
                                                       # Default: true

The recommended execution setting, however, is to run every 24 hours at 06:30 UTC with the following config.

miteru execute --threads=12 --size=10000 --ayashige --auto-download --directory-traveling --download-to=/YOUR STORAGE LOCATION

If all goes well we should have the following output from the terminal.

Now that we have confirmed everything is working, the last thing to do is add a scheduled cron job: run crontab -e and add the following lines to the crontab.

SLACK_WEBHOOK_URL=YOUR HOOK ADDRESS HERE
SLACK_CHANNEL=YOUR SELECTED CHANNEL
PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/sbin:/usr/local/bin
30 6 * * * miteru execute --auto-download --ayashige --directory-traveling --download-to=/home/ubuntu --post-to-slack --size=10000 --threads=12
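As an added example (not part of miteru or the original post), here is a wrapper script the cron line could call instead of the bare command, so the webhook URL lives in a mode-600 file rather than in the crontab itself and a mistyped URL is caught before anything is posted. The script name, the env file path and the log path are assumptions.

```shell
#!/bin/sh
# Hypothetical cron wrapper for miteru (added example, not the project's own code).
# PATH is expected to come from the crontab line shown above. Paths here are assumptions.
MITERU_ENV_FILE="${MITERU_ENV_FILE:-$HOME/.config/miteru/slack.env}"
MITERU_DOWNLOAD_DIR="${MITERU_DOWNLOAD_DIR:-/home/ubuntu}"
MITERU_LOG="${MITERU_LOG:-$HOME/miteru.log}"

# Returns 0 only for a Slack incoming-webhook URL, so a typo never sends kit URLs elsewhere.
valid_webhook_url() {
  case "$1" in
    https://hooks.slack.com/services/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The flags from the post's cron line, parameterised on the download directory (no spaces in path).
miteru_flags() {
  printf '%s' "--auto-download --ayashige --directory-traveling --download-to=$1 --post-to-slack --size=10000 --threads=12"
}

# Sources SLACK_WEBHOOK_URL / SLACK_CHANNEL from an env file that must be mode 600 or 400.
load_slack_env() {
  env_file="$1"
  [ -f "$env_file" ] || { echo "missing env file: $env_file" >&2; return 1; }
  perms=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
  case "$perms" in
    600|400) ;;
    *) echo "refusing to run: $env_file is mode $perms, expected 600" >&2; return 1 ;;
  esac
  . "$env_file"
  export SLACK_WEBHOOK_URL SLACK_CHANNEL
  valid_webhook_url "$SLACK_WEBHOOK_URL" || { echo "SLACK_WEBHOOK_URL is not a Slack webhook" >&2; return 1; }
}

# Full run: load secrets, make sure the kit directory exists, record the run with a UTC timestamp.
run_miteru() {
  load_slack_env "$MITERU_ENV_FILE" || return 1
  mkdir -p "$MITERU_DOWNLOAD_DIR" || return 1
  echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') starting miteru" >> "$MITERU_LOG"
  # Word splitting of the flag string is intentional here.
  miteru execute $(miteru_flags "$MITERU_DOWNLOAD_DIR") >> "$MITERU_LOG" 2>&1
}

# Only runs when invoked as "miteru-cron.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then run_miteru; fi
```

With this in place the crontab line becomes `30 6 * * * /home/ubuntu/miteru-cron.sh run` (path assumed) and the two SLACK_* lines can be dropped from the crontab.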
