Just-Metadata - Tool That Gathers Too Analyzes Metadata Nearly Ip Addresses

Just-Metadata is a tool that tin give notice last used to get together intelligence information passively close a large lay out of IP addresses, as well as movement to extrapolate relationships that mightiness non otherwise last seen. Just-Metadata has "gather" modules which are used to get together metadata close IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the information loaded Just-Metadata as well as perform diverse operations that tin give notice position potential relationships betwixt the loaded systems.

Just-Metadata volition allow yous to speedily honour the Top "X" lay out of states, cities, timezones, etc. that the loaded IP addresses are located in. It volition allow yous to search for IP addresses yesteryear country. You tin give notice search all IPs to honour which ones are used inwards callbacks equally identified yesteryear VirusTotal. Want to run into if whatever IPs loaded guide keep been documented equally taking business office of attacks via the Animus Project, Just-Metadata tin give notice practise it.

Additionally, it is slow to practise novel analysis modules to allow people honour other relationships betwixt IPs loaded based on the available data. New intel gathering modules tin give notice last easily added inwards simply equally easily!

Setup
Ideally, yous should last able to run the setup script, as well as it volition install everything yous need.
For the Shodan information gathering module, YOU WILL NEED a Shodan API key. This costs similar $9 bucks, come upward on now, it's worth it :).

Usage
As of now, Just metadata is designed to read inwards a unmarried text file containing IPs, each on their ain novel line. Create this file from whatever source (C2 callback IPs, spider web server logs, etc.). Once yous guide keep this file, kickoff Just-Metadata yesteryear calling it:
./Just-Metadata.py

Commands
help - Once inwards the framework, to run into a listing of available commands as well as a description of what they do, type the "help" command.
load - The charge ascendency takes an extra parameter, the file cite that yous (the user) desire Just-Metadata to charge IP addresses from. This ascendency volition open, as well as charge all IPs inside the file to the framework.
Ex: charge ipaddresses.txt
save - The relieve ascendency tin give notice last used to relieve the electrical flow working province of Just-Metadata. This is helpful inwards multiple cases, such equally after gathering information close IPs, as well as wanting to relieve the province off to disk to last able to operate on them at a later on bespeak inwards time. Simply typing "save" volition upshot inwards Just-Metadata saving the province to disk, as well as displaying the filename of the saved state.
import - The import ascendency tin give notice last used to charge a previously saved Just-Metadata province into the framework. It volition charge all IPs that were saved, as well as all information gathered close the IP addresses. This ascendency volition require an extra parameter, the cite of the province file that yous desire Just-Metadata to load.
Ex: import goodfile.state
list - The listing ascendency tin give notice last used to listing the unlike types of modules loaded into Just-Metadata. This ascendency volition guide keep an extra parameter, either "analysis" or "gather". Just-Metadata volition display all mofules of the type that the user requests is listed.
Ex: listing analysis
Ex: listing gather
gather - The get together ascendency tells Just-Metadata to run the module specified as well as get together information from that source. This tin give notice last used to get together geographical information, Virustotal, whois, as well as more. It's all based on the module. The information gathered volition last stored inside the framework inwards retention as well as tin give notice also last saved to disk amongst the "save" command.
Ex: get together geoinfo
Ex: get together virustotal
analyze - The analyze ascendency tells Metadata to run an analysis module against the information loaded into the framework. These modules tin give notice last used to honour IP addresses that portion the same SSH keys or SSL Public Key certificates, or certificate chains. They tin give notice also last used to honour IP addresses used inwards the same callbacks yesteryear malicious executables.
ip_info - This ascendency is used to dump all information close a specific IP address. This is currently beingness used after having run analysis modules. For example, after identifying IP addresses that portion the same SSH keys, I tin give notice dump all information close those IPs. I volition run into if they guide keep been used yesteryear malware, where they are located, etc.
export - The export ascendency volition guide keep Just-Metadata dump all information that's been gathered close all IP addresses currently loaded into the framework to CSV.

Thanks
Thanks to Justin Warner (@sixdub) for helping to give me to a greater extent than or less initial feedback, blueprint ideas, as well as human activity equally a sounding board during development!

Download Just-Metadata