Skip to content

Elyzer is an email header analyzer, written in python, capable of detecting potential spoofing attempts.

License

Notifications You must be signed in to change notification settings

B0lg0r0v/Elyzer

Repository files navigation

Elyzer

Table of Contents

Description

Elyzer is an e-mail header analyzer capable of detecting potential spoofing attempts. It will give you general information about the e-mail, the route it took, important security headers and the phishing / spoofing results.

⚠️ This project is under active development, and changes will be made frequently. As it's still in the early stages, bugs may be present..

General Informations

  • Before using this tool, make sure the e-mail header is formated correctly. This tool will parse the header according to RFC 822.
  • This tool can ONLY utilize the spoofing / phishing function if the header contains the sender's SMTP Server IPv4 address. IPv6 addresses are currently not supported.
  • Microsoft e-mail services are using IPv6 addresses, which on top of that are proxys. Finding the source address is very difficult if not simply impossible.
  • PLEASE DO NOT RELY ONLY ON THIS TOOL. Elyzer cannot garantuee you 100% accuracy.

Installation

For Unix users:

git clone https://github.com/B0lg0r0v/Elyzer.git
cd Elyzer
python -m pip install -r requirements.txt

To use the -pa argument, you need one API key from Driftnet:

Create an environment variable called DRIFTNET_API and insert your key as a value.

# On Unix systems
export DRIFTNET_API=<YOUR KEY>

# On Windows
set DRIFTNET_API=<YOUR KEY>

Usage

Using Elyzer is quite intuitive. Give with the -f argument the header file.

Unix:

python3 elyzer.py -f <FILE>

Full Elyzer options:

options:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Give the E-Mail Header as a file.
  -pa, --passive        Enables the passive mode. DNS resolution is performed passively through Driftnet
                        for better OPSEC. You need to add "DRIFTNET_API" as an environment variable to 
                        use this feature.
  -nd, --no-dns         Enables the no-dns mode. No DNS resolution is performed for best OPSEC. This heavily affects
                        the results !
  -q, --quiet           Quiet mode. Disables banner.
  -j, --json            EXPERIMENTAL FEATURE. Output the results in JSON format.
  -v, --version         show program's version number and exit
  -a ATTACHEMENT, --attachement ATTACHEMENT
                        Check if the file is malicious.

Elyzer performs various DNS lookups to compare values for the spoofing function. This could raise OPSEC concerns, especially when dealing with a targeted attack.

If you have OPSEC concerns, you can now use the -pa argument to perform DNS lookups passively. This way, you’re no longer directly interacting with potential malicious domains, but indirectly, making it harder for an adversary to track. However, this CAN impact the results.

python3 elyzer.py -f <FILE> -pa

If you want the best OPSEC, you can use the -nd argument, which enables 'No DNS / Paranoid' mode. This will disable all DNS lookups, allowing you to use Elyzer entirely offline. However, be aware that this will significantly impact the results !

python3 elyzer.py -f <FILE> -nd

Additionally you can give a file with the -a argument to Elyzer. It will then generate you a VirusTotal Link where you can see if the file is potentially malicious or not.

python3 elyzer.py -f <MAIL_HEADER_FILE> -a <SUSPICIOUS_FILE>

Features

Here's a quick overview of Elyzer's features:

  • Print general e-mail informations
  • Print relay routing with timestamps
  • Print security headers and check if set correctly
  • Print interesting headers such as "Envelope-From"
  • Print MS-Exchange Headers
  • Spoofing / Phishing analyzer with optional passive DNS lookup

Spoofing / Phishing detection feature:

To-Do

  • Add JSON output functionality.
  • Add a functionality to be able to passively query DNS information to reduce OPSEC concerns.
  • Switching entirely to the Driftnet API
  • Optimize my garbage code :D

Community Projects

Check out this awesome project by @adriy-be: a WebUI for Elyzer!
Github repo: https://github.com/adriy-be/ElyzerWebUi

Notes

Credits for the getReceivedFields & the getFields functions goes to "spcnvdr" spcnvdrr@protonmail.com, Copyright 2020.
Also, thanks to @triggerfx for the custom Logo !

Disclaimer

This tool is primarly created for me as a project to enhance my coding skills and start creating some red team / blue team tools. It is not considered to be the most efficient tool out there.