PRINT
PRINT
SEND MAIL
SEND MAIL

Project Neto is a Python 3 package conceived to analyse and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in a extension like manifest.json, localization folders or Javascript and HTML source files.

Installation
To install the package, the user can choose pip3.
pip3 install -e . --user
Optionally, it can also be installed with administrator privileges using sudo:
sudo pip3 install -e .
A successfull installation can be checked using:
python3 -c "import neto; print(neto.__version__)"

Quick Start
To perform the analysis of an extension, the analyst can type the following:
neto analysis -u https://yoururl.com/extension-name.xpi
The extension will be automatically downloaded and unzipped by default in the system's temporal folder.
However, the analyst can also launch de analysis towards a locally stored extension:
neto analysis -e ./my-extension-name.xpi
After the static analysis is performed, it will generate a Json file that is stored by default in a newly created folder named output.
If you use Python, you can also import the package as a library in your own Python modules:
>>> from neto.lib.extensions import Extension
>>> my_extension = Extension ("./sample.xpi")
>>> my_extension.filename
'adblock_for_firefox-3.8.0-an+fx.xpi'
>>> my_extension.digest
'849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'
Apart from accesing to the elements found in the extension using properties, the analyst can always have access to it as a dictionary:
>>> my_extension.__dict__
{'_analyser_version': '0.0.1', '_digest': '849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'…
If you are not using Python, you can use the JSON RPC daemon:
$ neto daemon

____ _ _ _ _ _
| _ \ _ __ ___ (_) ___ ___| |_ | \ | | ___| |_ ___
| |_) | '__/ _ \| |/ _ \/ __| __| | \| |/ _ \ __/ _ \
| __/| | | (_) | | __/ (__| |_ | |\ | __/ || (_) |
|_| |_| \___// |\___|\___|\__| |_| \_|\___|\__\___/
|__/

Developed by @ElevenPaths
Version: 0.5.0b


* Running on http://localhost:14041/ (Press CTRL+C to quit)
You can then run commands using your preferred JSON RPC library to write a client (we have written a short demo in the bin folder) or even curl:
 curl --data-binary '{"id":0, "method":"remote", "params":["https://example.com/myextension.xpi"], "jsonrpc": "2.0"}'  -H 'content-type:text/json;' http://localhost:14041

Features
The following is a non-exhaustive list of the features included in this package are the following:
  • Manifest analysis.
  • Internal file hashing.
  • Entities extraction using regular expressions: IPv4, email, cryptocurrency addresses, URL, etc.
  • Comments extraction from HTML, CSS and JS files.
  • Cryptojacking detection engine based on known mining domains and expressions.
  • Suspicious Javascript code detection such as eval().
  • Certificate analysis if provided.
  • Batch analysis of previously downloaded extensions.


©2021 By Cyber Sec Labs

   

CONTACT US

We're not around right now. But you can send us an email and we'll get back to you, asap.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account