During incident response you often need to check a batch of addresses quickly for anything abnormal. Comparing them against feeds such as the Artillery banlist and OTX is far from a bulletproof method, but these feeds can quickly flag known C2 or otherwise malicious IPs and hostnames. The purpose of GoatRider is to make it simple to run a hostname or IP address list through multiple sources at once and see whether anything stands out.
What you need (one or the other):
A file that contains 1 or many IP addresses
A file that contains 1 or many hostnames
What GoatRider will do:
Import the IP addresses file and convert them to hostnames
Import the hostnames file and convert them to IP addresses
Then GoatRider will go out to Artillery Banlist feeds, TOR exit nodes, and OTX and do a comparison to the IP addresses to see if there are any hits.
It will then automatically download the Alexa top 1 million sites and compare your hostnames against that list. If a hostname does not appear in the 1M, it will let you know. Keep in mind that this is a weak signal in both directions: plenty of legitimate hosts (internal names, CDN and cloud endpoints, regional sites) are not in the top 1M, and a domain appearing in it does not prove it is benign, so treat Alexa misses as a triage list rather than as findings.
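To make the comparison step concrete, here is a small stand-alone Python script written for this page (it is not GoatRider's own code). It takes one-value-per-line input, decides whether each line is an IP or a hostname, and checks it against constructed sample feeds embedded in the script: an Artillery-style banlist, a TOR exit node list, a set of OTX IP indicators, and an Alexa-style rank,domain CSV. The DNS resolution step is left out so the example runs offline. The labels ARTILLERY_BANLIST_HIT_IP and ALEXA_NOT_FOUND_HIT_HOST are the ones shown in the output above; the TOR and OTX label names, the feed contents, and the last-two-labels domain reduction are assumptions made for this example.

```python
import csv
import io
import ipaddress

# Constructed sample feeds standing in for the lists GoatRider downloads.
# Addresses are from RFC 5737 documentation ranges; none of this is real feed data.
ARTILLERY_BANLIST = """# Artillery banlist (constructed sample)
203.0.113.7
198.51.100.23
"""

TOR_EXIT_NODES = """198.51.100.77
192.0.2.200
"""

# OTX indicators would normally come from the API; constructed set of IPs here.
OTX_IPS = {"192.0.2.55"}

# Alexa-style CSV, one "rank,domain" row per line (constructed sample).
ALEXA_TOP = """1,google.com
2,youtube.com
3,facebook.com
4,example.com
"""

# Constructed input in the one-value-per-line format described in the post.
SAMPLE_INPUT = """203.0.113.7
198.51.100.77
10.0.0.5
www.google.com
woawoagoatsgoatseverywhere.com
"""


def parse_ip_feed(text):
    """Return the set of valid IP addresses in a plain-text feed; comments and junk are skipped."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # malformed feed line: ignore rather than abort the whole run
    return ips


def parse_alexa(text):
    """Return the set of domains from an Alexa-style rank,domain CSV."""
    return {row[1].strip().lower()
            for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def registered_domain(host):
    """Reduce a hostname to its registered domain so www.example.com matches example.com.

    Assumption: the last two labels are the registered domain. That is wrong for
    multi-part suffixes such as co.uk; use a public suffix list (e.g. tldextract) in real use.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_indicators(lines, banlist, tor, otx, alexa):
    """Compare each input line against the feeds and return (label, value) hits.

    ARTILLERY_BANLIST_HIT_IP and ALEXA_NOT_FOUND_HIT_HOST match the post's output;
    TOR_EXIT_NODE_HIT_IP and OTX_HIT_IP are assumed label names for this example.
    """
    hits = []
    for raw in lines:
        value = raw.strip()
        if not value or value.startswith("#"):
            continue
        if is_ip(value):
            if value in banlist:
                hits.append(("ARTILLERY_BANLIST_HIT_IP", value))
            if value in tor:
                hits.append(("TOR_EXIT_NODE_HIT_IP", value))
            if value in otx:
                hits.append(("OTX_HIT_IP", value))
        elif registered_domain(value) not in alexa:
            hits.append(("ALEXA_NOT_FOUND_HIT_HOST", value))
    return hits


def run(input_text):
    """Run the comparison over one-value-per-line text using the sample feeds above."""
    return check_indicators(
        input_text.splitlines(),
        parse_ip_feed(ARTILLERY_BANLIST),
        parse_ip_feed(TOR_EXIT_NODES),
        OTX_IPS,
        parse_alexa(ALEXA_TOP),
    )


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INPUT
    for label, value in run(data):
        print(f"{label}: {value}")
```

Run it with a file argument to check your own list, or with no argument to see the constructed sample produce one banlist hit, one TOR hit, and one Alexa miss. The feed parser deliberately tolerates comment lines and garbage, since real feeds change format without warning, and the Alexa comparison works on the registered domain rather than the full hostname, otherwise every subdomain of a top-1M site would be reported as a miss.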
Here’s goatrider in action.
Scenario: You have a list of egress IP addresses (outbound IP addresses) from your network. The file contains 50,000 IP addresses in the following format:
ip1
ip2
ip3
ip4
etc.
You run goatrider:
root@stronghold:/home/relik/Desktop/git/goatrider# python goatrider.py moo.txt
[*] This part might take a bit… Converting hostnames to IPs or IPs to hostnames. Be patient…
[*] Checking Alexa, Artillery, TOR, and OTX…
ARTILLERY_BANLIST_HIT_IP: 1.93.51.221
The same goes for Alexa hits. Let's say you pull the query logs from your DNS servers and run them through:
root@stronghold:/home/relik/Desktop/git/goatrider# python goatrider.py moo.txt
[*] This part might take a bit… Converting hostnames to IPs or IPs to hostnames. Be patient…
[*] Checking Alexa, Artillery, TOR, and OTX…
ALEXA_NOT_FOUND_HIT_HOST: woawoagoatsgoatseverywhere.com
Again, this isn't the end-all-be-all for identifying threats, but it is a quick way of going through a list to try and find malicious activity in your network.
You can get goatrider here:
Enjoy!