montysecurity / c2-tracker Goto Github PK

If you'd like to not have to worry about running this script on your own machine every day, likely have to manage port forwards, and expose yourself to greater security risk, you could run this task as a GitHub workflow! You can securely stash your Shodan API key and run the script using my own hardened VM: https://github.com/T145/black-mirror/pkgs/container/black-mirror

Hi,

I noticed a lot of potential false positive regarding the CobalStrike C2.

The jarm fingerprinting: ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1+port:443  gives as an output thousand of IPs related to a big security vendor.

You can se that almost all the IPs starting with 34. or 35. are related to them.

I suggest to improve the code excluding that jarm fingerprinting if matches also the following query: ssl.cert.subject.cn:

Thanks in advance.

Hi, maybe AcidRain string in query is wrong?
(no IP is found for that product)

Thanks in advance,
L

Hello!

I have add Shodan key to my environment variables, ~/.bashrc, ~/.profile, and to ~/.zshrc and still getting error":
python3 tracker.py
Traceback (most recent call last):
File "/opt/C2/C2-Tracker/tracker.py", line 223, in
main()
File "/opt/C2/C2-Tracker/tracker.py", line 220, in main
shodan()
File "/opt/C2/C2-Tracker/tracker.py", line 6, in shodan
api_key = os.environ["SHODAN_API_KEY"].strip()
~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "", line 679, in getitem
KeyError: 'SHODAN_API_KEY'

i cant do anything with them hack into putty into tcp into etc i dont think i can add them to my botnet