Miteru is an experimental phishing kit detection tool.
How it works
- It collects phishy URLs from the following feeds:
- CertStream-Suspicious feed via urlscan.io
- OpenPhish feed via urlscan.io
- PhishTank feed via urlscan.io
- URLhaus feed via urlscan.io
- urlscan.io phish feed (available for Pro users)
- Ayashige feed
- Phishing Database feed
- PhishStats feed
- It checks each phishy URL whether it enables directory listing and contains a phishing kit (compressed file) or not.
- Note: compressed file =
- Note: compressed file =
- Phishing kit detection & collection.
- Slack notification.
gem install miteru
$ miteru Commands: miteru execute # Execute the crawler miteru help [COMMAND] # Describe available commands or one specific command
$ miteru help execute Usage: miteru execute Options: [--auto-download], [--no-auto-download] # Enable or disable auto-download of phishing kits [--ayashige], [--no-ayashige] # Enable or disable ayashige(ninoseki/ayashige) feed [--directory-traveling], [--no-directory-traveling] # Enable or disable directory traveling [--download-to=DOWNLOAD_TO] # Directory to download file(s) # Default: /tmp [--post-to-slack], [--no-post-to-slack] # Post a message to Slack if it detects a phishing kit [--size=N] # Number of urlscan.io's results. (Max: 10,000) # Default: 100 [--threads=N] # Number of threads to use [--verbose], [--no-verbose] # Default: true Execute the crawler
$ miteru execute ... https://dummy1.com: it doesn't contain a phishing kit. https://dummy2.com: it doesn't contain a phishing kit. https://dummy3.com: it doesn't contain a phishing kit. https://dummy4.com: it might contain a phishing kit (dummy.zip).
Using Docker (alternative if you don’t install Ruby)
$ docker pull ninoseki/miteru # ex. auto-download detected phishing kit(s) into host machines's /tmp directory $ docker run --rm -v /tmp:/tmp ninoseki/miteru execute --auto-download
--post-to-slack feature, you should set the following environment variables:
SLACK_WEBHOOK_URL: Your Slack Webhook URL.
SLACK_CHANNEL: Slack channel to post a message (default: “#general”).
If you are a urlscan.io Pro user, set your API key as an environment variable
It enables you to subscribe the urlscan.io phish feed.
- t4d/StalkPhish: The Phishing kits stalker, harvesting phishing kits for investigations.
- duo-labs/phish-collect: Python script to hunt phishing kits.
- leunammejii/analyst_arsenal: A tool belt for analysts to continue fighting the good fight.
miteru (this link opens in a new window) by ninoseki (this link opens in a new window)
An experimental phishing kit detection tool