ip2map - A tool to mark your IPs on a map.
Posted 07-23-2014 at 12:02 AM
Hi Guys,
This is my first blog. So, I must begin with:
Code:
echo "H3llo H4ck3r5!"
Well, I had been searching for a tool last year that took IPs and plotted them on a map, but I couldn't find any open-source one. Honeymap was the closest thing I was able to find. It takes live feeds over websockets/hpfeeds and requires one to embed the GPS coordinates in the data being fed. I did a bit of JS editing in this project and it was simple to create a small IP-to-map tool. This worked, but I was not happy, and I lost my code the next day, as my HDD crashed in a power failure. LOL.
Recently, fb1h2s pinged me to check out whether I still had that script for one of his recent research projects, but unfortunately the script was gone.
Fortunately, my present research involved working on ElasticSearch, and that's when I encountered Kibana. For those who are less/not aware of ElasticSearch & Kibana: ElasticSearch is a sweet indexing engine where you can store/index JSON data of any schema and have it looked up easily and very, very quickly. It's useful for making your own personal search engine.
Kibana is an add-on tool by the ElasticSearch guys, and it's supercool. It gives you an awesome interface with plenty of plugins to customize your search interface for ElasticSearch and to give stats on the indexed data as per your requirements.
One of the awesome plugins in Kibana is "bettermap", and it really lives up to its name. You need to index your data with a column that holds longitude and latitude as a JSON list, i.e. [long, lat], e.g. [12.3, 34.2] (note that longitude comes first, the reverse of the usual lat/long order), and configure the plugin to point at that geo coordinate field.
So this gave me the idea of making a script that reads CSV files holding bulk data, with one of the columns containing IP addresses, and uses Kibana and ElasticSearch to plot the IPs on a map. The best part is that you can search for a specific keyword and the map gets regenerated as per your search query.
The script is available for download from my GIT repo: ip2map. I have tested it on Debian & Mint. If you have your repos correctly set, it will set up most of the dependencies and install this tool in the /opt/ip2map folder.
Setup Instructions
To set up on Debian versions (the commands run as root, so read install.sh before executing it):
Code:
# wget https://raw.githubusercontent.com/5pld3y/ip2map/master/install.sh
# chmod a+x install.sh
# ./install.sh
For other versions, you need to fulfill the following dependencies:
Code:
build-essential xterm python-setuptools python-dev gzip openjdk-7-jre curl libcurl4-openssl-dev
Once set up, the tool will launch ElasticSearch in an Xterm; it is needed to put and fetch info. When you are done with your work you can close it. Please be careful with ElasticSearch vulnerabilities: ElasticSearch has no authentication out of the box, so keep it bound to localhost (network.host: 127.0.0.1 in elasticsearch.yml) or firewall TCP port 9200, and make sure to patch it if you plan to keep the ElasticSearch service running. ElasticSearch is located within /opt/ip2map/elasticsearch.
Usage:
Code:
# ip2map your-data-file.csv
A sample CSV file is attached for testing (Attachment 714).
The tool will ask you for a set of inputs that you need to specify:
1) Index type name: This is like a database name; if you add a CSV to an existing index, the data gets appended. A duplicate row is updated rather than added again, since the row ID is the MD5 of the row.
2) Page Title: The HTML page title.
3) Map Title: The caption for the bettermap plugin panel where your map is plotted.
4) Tooltip column name: The column from your CSV file whose value you want flashed on mouse hover over the map markers. If you have only one column, i.e. IP, specify the value as IP.
A few important things:
- The CSV file requires the first row to be the column titles. They are case-sensitive.
- The column with the IPs must be named IP.
- The CSV file must have at least one column, i.e. IP.
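To make the CSV rules and the "Index type name" behaviour concrete, here is an added Python example (not the ip2map script itself, and not taken from the project's repo) that does what a tool like this has to do with each CSV: check for the case-sensitive "IP" header, compute the MD5 of the row as the document ID so that a duplicate row updates the same document, attach a [long, lat] field for bettermap, and emit the lines an ElasticSearch bulk request consists of. The geolocation table and the CSV text are constructed for the example (a real run would consult a GeoIP database); the names csv_to_bulk, row_id, geo_point_mapping and the field name coords are the example's own, and the bulk action uses the _type field of the 1.x-era ElasticSearch API that this tool targets.

```python
import csv
import hashlib
import io
import json
from ipaddress import ip_address

# Constructed lookup table standing in for a GeoIP database. Values are
# (longitude, latitude) and are illustrative, not real geolocation results.
SAMPLE_GEO = {
    "198.51.100.7": (-122.33, 47.61),
    "203.0.113.9": (139.69, 35.69),
}

# Constructed CSV in the layout the post requires: the first row is the
# header, and the IP column is named exactly "IP" (case-sensitive).
SAMPLE_CSV = """IP,TYPE,NOTE
198.51.100.7,exploit kit,landing page
203.0.113.9,backdoor,c2
198.51.100.7,exploit kit,landing page
192.0.2.1,scanner,unknown location
"""


def row_id(row):
    """Document ID = MD5 of the row (here: fields re-joined with commas, an
    assumption about how the row is serialised). Identical rows therefore map
    to the same ID, so re-indexing them updates instead of adding a marker."""
    return hashlib.md5(",".join(row).encode("utf-8")).hexdigest()


def geo_point_mapping(type_name, field="coords"):
    """ElasticSearch 1.x-style mapping declaring the coordinate field as a
    geo_point, which is the type Kibana 3's bettermap panel expects."""
    return {"mappings": {type_name: {"properties": {field: {"type": "geo_point"}}}}}


def csv_to_bulk(csv_text, index, type_name, lookup, field="coords"):
    """Convert CSV text into ElasticSearch bulk-API lines.

    Returns (lines, skipped). `lines` alternates an action line and a
    document line (the bulk NDJSON format); `skipped` lists (ip, reason) for
    rows whose IP did not parse or could not be geolocated. Raises ValueError
    when the header lacks an "IP" column, matching the tool's requirement.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    if "IP" not in header:  # deliberately case-sensitive, as the post says
        raise ValueError('CSV header must contain a column named "IP"')
    ip_col = header.index("IP")

    lines, skipped = [], []
    for row in reader:
        if not row:
            continue
        ip = row[ip_col].strip()
        try:
            ip_address(ip)  # reject junk before it reaches the index
        except ValueError:
            skipped.append((ip, "not an IP address"))
            continue
        coords = lookup(ip)
        if coords is None:
            skipped.append((ip, "no geolocation"))
            continue
        doc = dict(zip(header, row))
        # bettermap wants [longitude, latitude], not the usual lat/long order.
        doc[field] = [coords[0], coords[1]]
        action = {"index": {"_index": index, "_type": type_name, "_id": row_id(row)}}
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return lines, skipped


if __name__ == "__main__":
    bulk_lines, skipped_rows = csv_to_bulk(SAMPLE_CSV, "ip2map", "demo", SAMPLE_GEO.get)
    print(json.dumps(geo_point_mapping("demo")))
    print("\n".join(bulk_lines))
    for skipped_ip, reason in skipped_rows:
        print("skipped %s: %s" % (skipped_ip, reason))
```

Create the index with the mapping first, then POST the bulk lines (with a trailing newline) to /_bulk on the localhost-bound ElasticSearch; the duplicate 198.51.100.7 row yields the same _id as its first occurrence, so the map shows one marker for it, and the row whose IP is not in the lookup table is reported rather than silently indexed without coordinates.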
Screenshots of the tool in action below:
ElasticSearch popping up in Xterm:
ip2map terminal Usage:
Basic MAP Output without search Filter:
Map with filtered query looking for exploit kits - TYPE:exploit*
Map with filtered query looking for Backdoors - TYPE:*backdoor*
My ip2map script is just a PoC to support my research work. You can modify Kibana's dashboard by reading more of its docs. If you find any bugs or fixes, please report them at the project's GIT repo:
Code:
https://github.com/5pld3y/ip2map
Well, this is my first blog, so please spare me for typos, grammar and boring paras.
Have a nice day.
https://twitter.com/5pld3y