ServerSecurityProject

ServerSecurityProject (SSP)

An open-source passive Internet scanner that detects phishing or crdential harvesting pages.

SSP is an open-source modular internet scanner that passively detects servers hosting malicous pages for credential harvesting. SSP utilizes Censys’ data-feeds to detect suspicious pages which are then scanned by SSP’s internal engine that uses fuzzy-logic and assigned weights to accurately determine phishing pages. The platform has been programmed in bash and HTML to ensure low overhead and interoperability across the Linux, FreeBSD, MacOS, and other open-source OSes. SSP has two modules:

• Module 1: Downloads suspicious websites using Censys data-feeds. This module is editable so that the user may initiate downloads of other credential harvesting websites, corporate login, or run customized scans across the Censys’ supplied data-feeds;
  
• Module 2: Downloads HTML, javascripts, and connected resources of suspicious pages as obtained in module 1 for offline analysis; and
  
• Module 3: Detects phishing pages using defined fuzzy logic and weights. This section is embedded within module 2 and is editable ensuring that the user may change the logic and weights to detect custom credential harvesting phishing site(s).
  
  

SSP generates the output a main report file and a Comma Seperated Value (CSV) feed file. The report file uses the nomenclature of Report-[service]-[UID] while the CSV file is named as [status]-Feed-[service]-[UID].

• Report_Gmail_DD_MM_YYYY_HH_MM_SS.html: contains an easy to view report that details the phishing server’s meta-data, code, and fuzzy logic results. This page is a detailed analysis document that lists the results generated by SSP. The user is able to view phishing pages (offline), their code, and other details for detailed investigations.
  
• Active_Feed_Gmail_DD_MM_YYYY_HH_MM_SS.txt: A list of malicious sites that were suspicious and online at the time of scanning.
  
• Inactive_Feed_Gmail_DD_MM_YYYY_HH_MM_SS.txt: A list of malicious sites that were suspicious but are offline at the time of scanning.
  

The feed file (CSV) has the following fields:
ctime,country,city,postcode,dnsnames,ipadd,port,abusect,orgname, bgp_prefix, asncode, asnname, dnsnames, self_ca, tls_serial, tls_issuerdn,phishcheck1, phishcheck2, phishcheck3, phishcheck4, phishcheck5, phishcheck6, phishcheck7, phishcheck8, phishcheck9

UID is defined as date and time.

Setup and Running

SSP is developed in bash script it will run across all Mac OS, Linux, FreeBSD and other open-source operating systems.

Step 1: Download the files in the source directory (SRC) and enter Censys API credentials in line 12 of module1.sh.
Step 2: Grant permissions to all files by typing the following in the terminal:

chmod +x module1.sh
chmod +x module2.sh

Step 3: Run the main file:
./module1.sh

SSP creates the following outputs:

• Timestamped folder that will save the results from Censys,
• Unique files that contain the list of IP and port number of servers
• HTML encoded Feed file containing IP, port number, location (City, Country), Server OS, installed software, URL, and detilaed logs.

Access Feed File

Feed files are available in folder, “feed” within the repository that contains files that bear the filename of the day and time they were created. These files can be downloaded, freely used, distributed, or re-packaged with a citation to Dr. Nived Chebrolu, Aadya Srivastava, Censys, SSP, and other partners. For more information or you would like to gain access to raw scanning logs then please contact us at contact [at] serversecurityproject [.] com

Pending Task List

• Global feed distribuion: Creating a network where malware scanners, browsers, and other anti-virus platforms can easily copy and use the feeds.
• Generate examples for use.

Project Supported by:
Censys (www.censys.com)

Project Mentor: Dr. Nived Chebrolu, Oxford University
Project Founder: Aadya Srivastava, Student at NAS Dubai

This site is open source. Improve this page.