Neto v0.6.2 releases: A tool to analyse browser extensions

Project Neto is a Python 3 package conceived to analyze and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in an extension like manifest.json, localization folders or Javascript and HTML source files.

Features

The following is a non-exhaustive list of the features included in this package are the following:

• Manifest analysis.
• Internal file hashing.
• Entities extraction using regular expressions: IPv4, email, cryptocurrency addresses, URL, etc.
• Comments extraction from HTML, CSS and JS files.
• Cryptojacking detection engine based on known mining domains and expressions.
• Suspicious Javascript code detection such as eval().
• Certificate analysis if provided.
• Batch analysis of previously downloaded extensions.

Changelog v0.6.2

Several issues addressed:

• Add more suspicious categories to detect pattern recognition code, external connections and possible payments.
• Add suspicious strings to standard output
• Beautify outputs when the program is unable to process an extension because of incorrect extensions
• Fix an error in the storage of the data extracted from entities

Installation

git clone https://github.com/ElevenPaths/neto.git

cd neto

pip3 install -e . --user

Quick Start

To perform the analysis of an extension, the analyst can type the following:

neto analysis -u https://yoururl.com/extension-name.xpi

The extension will be automatically downloaded and unzipped by default in the system’s temporal folder.

However, the analyst can also launch de analysis towards a locally stored extension:

neto analysis -e ./my-extension-name.xpi

After the static analysis is performed, it will generate a Json file that is stored by default in a newly created folder named output.

If you use Python, you can also import the package as a library in your own Python modules:

>>> from neto.lib.extensions import Extension

>>> my_extension = Extension ("./sample.xpi")

>>> my_extension.filename

'adblock_for_firefox-3.8.0-an+fx.xpi'

>>> my_extension.digest

'849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'

Apart from access to the elements found in the extension using properties, the analyst can always have access to it as a dictionary:

>>> my_extension.__dict__

{'_analyser_version': '0.0.1', '_digest': '849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'…

If you are not using Python, you can use the JSON RPC daemon:

$ neto daemon



         ____            _           _      _   _      _

        |  _ \ _ __ ___ (_) ___  ___| |_   | \ | | ___| |_ ___

        | |_) | '__/ _ \| |/ _ \/ __| __|  |  \| |/ _ \ __/ _ \ 

        |  __/| | | (_) | |  __/ (__| |_   | |\  |  __/ || (_) |

        |_|   |_|  \___// |\___|\___|\__|  |_| \_|\___|\__\___/

                      |__/



                                    Developed by @ElevenPaths

                                    Version: 0.5.0b





 * Running on http://localhost:14041/ (Press CTRL+C to quit)

You can then run commands using your preferred JSON RPC library to write a client

 curl --data-binary '{"id":0, "method":"remote", "params":["https://example.com/myextension.xpi"], "jsonrpc": "2.0"}'  -H 'content-type:text/json;' http://localhost:14041

Demo

Copyright (C) Félix Brezo felix.brezo@11paths.com

Source: https://github.com/ElevenPaths/