dictator-001/phishscope

GitHub: dictator-001/phishscope

An advanced phishing detection tool for SOC workflows that combines threat intelligence with heuristic analysis to risk-score suspicious URLs and emails.

Stars: 0 | Forks: 0

# PhishScope – Advanced Phishing Detection Toolkit

PhishScope is a production-ready, synchronous cybersecurity forensic tool designed for security analysts and SOC teams. It evaluates suspicious URLs and emails by integrating multiple threat intelligence sources, performing WHOIS-based domain age analysis, executing IP geolocation, and tracing redirect chains.

PhishScope provides two interfaces:

1. **Interactive CLI**: Fast, terminal-based analysis with human-readable reporting.
2. **Web UI**: A cyber-forensic themed graphical interface served by a local Flask instance for visual analysis.

---

## 🚀 Features

- **External Threat Intelligence**: Integration with VirusTotal and URLVoid to fetch malicious detections.
- **Domain Age Analysis**: Live WHOIS lookups to identify newly registered domains (NRDs).
- **Phishing Keyword Detection**: Scans URLs and optional email contents for obfuscation patterns and common phishing vocabulary.
- **IP Geolocation**: Pinpoints server hosting locations and flags traffic originating from high-risk regions or suspect ISPs.
- **Redirect Chain Analysis**: Traces full HTTP/HTTPS redirect chains to expose the final landing page and suspicious intermediaries. Note that this contacts the target infrastructure from the analyst's machine, so run it from an isolated or egress-controlled host when the URL may be attacker-monitored.
- **Heuristic Risk Scoring**: Calculates a 0–100 risk score and classification (Low Risk, Medium Risk, High Risk) accompanied by a confidence interval.
- **Synchronous Execution**: PhishScope relies on standard synchronous libraries (`requests`, `flask`, `whois`) rather than an async event loop, which keeps the analysis path simple and predictable.

---

## 🛠️ Installation

1. **Clone the repository:**

   ```bash
   git clone
   cd phishscope
   ```

2. **Create a Python virtual environment** (requires Python 3.12+):

   ```bash
   python -m venv venv
   # On Windows:
   .\venv\Scripts\activate
   # On Linux/macOS:
   source venv/bin/activate
   ```

3. **Install dependencies:**

   ```bash
   pip install -r requirements.txt
   ```

4. **Environment variables:** A `.env` file is strongly recommended for the external intelligence modules. Copy the example file and enter your keys:

   ```bash
   cp .env.example .env
   ```

   *Required variables inside `.env` include `VT_API_KEY` (VirusTotal) and `URLVOID_API_KEY` (URLVoid). Keep `.env` out of version control; the keys grant access to your API quota.*

---

## 📖 Detailed Usage

PhishScope operates primarily via its command-line entrypoint `cli/cli_interface.py`. Ensure your virtual environment is active before running.

### 1. Standard CLI Mode

Run a quick terminal scan on a suspicious URL. The output is rendered as a human-readable terminal table detailing the threat intelligence findings.

```bash
python -m cli.cli_interface "https://suspicious-example.com"
```

**Testing with Email Content:** If you have the phishing email that delivered the link, you can provide its content to improve the keyword and obfuscation heuristics:

```bash
python -m cli.cli_interface "https://suspicious-example.com" --email "Dear User, please verify your account immediately."
```

### 2. Cyber-Forensic Web UI Mode

PhishScope includes a graphical interface driven by a local Flask server. It provides animated visual feedback, including an SVG risk dial and data grids.

To launch the Web UI, use the `--web` flag:

```bash
python -m cli.cli_interface --web
```

- **Output:** The terminal displays `Starting PhishScope Web UI on http://127.0.0.1:5000`.
- **Action:** Open your browser and navigate to `http://localhost:5000`.
- From the UI you can type URLs and paste email contents without re-running terminal commands. The UI calls the backend's `/api/scan` REST endpoint. The server binds to loopback only; do not expose the Flask development server on a network interface.

---

## 🏗️ Architecture and Modules

The toolkit is divided into analysis modules so that SOC operators can extend its capabilities:

- `modules/url_reputation.py`: Interfaces with external APIs (VirusTotal, URLVoid).
- `modules/domain_analysis.py`: Performs `python-whois` registration checks.
- `modules/ip_geolocation.py`: Relies on `socket` lookups and `ip-api.com` or local `GeoIP2` databases.
- `modules/keyword_detector.py`: Uses regular expressions to identify obfuscation mechanisms (e.g. Cyrillic alphabet swapping, zero-for-o replacements).
- `modules/redirect_analyzer.py`: Uses `requests.Session` with `allow_redirects=False` to traverse and log each HTTP hop explicitly rather than letting the library follow the chain silently.
- `modules/risk_engine.py`: Takes the outputs of all modules to quantify the threat.

---

## 💡 Troubleshooting

- **`requests` or `api.schemas` ModuleNotFoundError:** Ensure you are running the scripts from the repository root (e.g. `python -m cli.cli_interface`) and that the dependencies from `requirements.txt` are installed in your activated virtual environment.
- **Missing Intelligence Data:** If Reputation returns 0 detections for a URL you know to be malicious, verify that your `.env` contains valid API keys for VirusTotal and URLVoid. A missing key produces no detections, which is not the same as a clean verdict.
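The hop-by-hop redirect walk that `redirect_analyzer.py` is described as performing, written here as an added example using only the standard library (this is not PhishScope's code, which uses `requests`). Each hop is requested with redirects disabled, relative `Location` headers are resolved against the current URL, and the walk stops on a non-3xx response, a hop cap, or a repeated URL (loop). The redirect topology served by the embedded test server is constructed for the example so it runs offline; route names, the hop cap and the verdict strings are assumptions.

```python
"""Hop-by-hop HTTP redirect tracing (added example, not PhishScope's own code).

Each hop is requested with redirects disabled so every intermediate URL and
status code is recorded. The walk ends at the first non-3xx response, at a
hop cap, or when a URL repeats (redirect loop). The test server below is a
constructed stand-in for a real redirector so the example runs offline.
"""
import http.client
import http.server
import ssl
import threading
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # cap so a long chain or a loop cannot hang the scan
USER_AGENT = "Mozilla/5.0 (compatible; redirect-tracer)"


def fetch_no_redirect(url, timeout=5.0):
    """Issue one GET without following redirects; return (status, Location header or None)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    elif parts.scheme == "http":
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    else:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        # GET rather than HEAD: redirectors and WAFs often answer HEAD differently.
        conn.request("GET", path, headers={"User-Agent": USER_AGENT})
        resp = conn.getresponse()
        resp.read()  # drain the body so the socket closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, max_hops=MAX_HOPS):
    """Walk the chain. Returns (hops, verdict): hops is an ordered list of
    (url, status, location) tuples; verdict is 'final', 'loop' or 'too_many_hops'."""
    hops, seen = [], set()
    current = url
    for _ in range(max_hops):
        if current in seen:
            return hops, "loop"
        seen.add(current)
        status, location = fetch_no_redirect(current)
        hops.append((current, status, location))
        if not (300 <= status < 400) or not location:
            return hops, "final"
        current = urljoin(current, location)  # Location may be relative to the current URL
    return hops, "too_many_hops"


# --- Constructed redirect topology so the tracer can be exercised offline ---
ROUTES = {
    "/start": (302, "/mid"),                         # relative Location
    "/mid": (301, "http://127.0.0.1:{port}/final"),  # absolute Location
    "/final": (200, None),
    "/loop-a": (302, "/loop-b"),
    "/loop-b": (302, "/loop-a"),                     # two-node loop
}


class _RedirectHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, location = ROUTES.get(self.path, (404, None))
        self.send_response(status)
        if location:
            self.send_header("Location", location.format(port=self.server.server_port))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_test_server():
    """Start the constructed redirector on a free loopback port; caller must shutdown()."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_test_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    for path in ("/start", "/loop-a"):
        hops, verdict = trace_redirects(base + path)
        print(f"{path}: verdict={verdict}")
        for hop_url, status, location in hops:
            print(f"  {status} {hop_url} -> {location}")
    srv.shutdown()
```

Against a real suspicious URL the same function records every intermediary, which is the evidence an analyst wants; the hop cap and loop check are what keep a hostile redirector from stalling the scan.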
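The obfuscation and keyword heuristics that the Phishing Keyword Detection feature and `keyword_detector.py` describe (Cyrillic homoglyph swaps, zero-for-o substitutions, urgency vocabulary in the URL and email body), as an added example that is not PhishScope's code. It goes slightly beyond the page by also decoding punycode hostnames, flagging IP-literal hosts, userinfo tricks and deep subdomain nesting. The brand list, keyword list, confusable map and finding names are constructed assumptions.

```python
"""URL and email phishing heuristics (added example, not PhishScope's own code).

Folds homoglyphs and digit substitutions to ASCII before brand matching, inspects
the Unicode scripts used in the hostname, and pulls urgency vocabulary from the
URL path/query and the email body. Lists below are constructed for the example.
"""
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

BRANDS = ("paypal", "microsoft", "apple", "google", "amazon", "netflix")
URGENCY_WORDS = ("verify", "confirm", "suspend", "suspended", "urgent", "immediately",
                 "locked", "update", "password", "login", "account", "unusual")
KEYWORD_RE = re.compile(r"\b(" + "|".join(URGENCY_WORDS) + r")\b", re.IGNORECASE)

# Characters folded to the Latin letter they imitate: Cyrillic look-alikes first,
# then the digit/symbol substitutions ("0" for "o", "1" for "l") seen in lure domains.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j", "\u0501": "d",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
}


def decode_punycode(host):
    """Turn xn-- labels back into Unicode so homoglyphs can be inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: inspect as given


def scripts_in(text):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def skeleton(text):
    """Fold confusables so 'p\u0430ypal' and 'micr0soft' compare equal to their brands."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(url, email_text=""):
    """Return {'host': decoded host, 'findings': [...], 'keywords': [...]}."""
    parts = urlsplit(url)
    raw_host = (parts.hostname or "").lower()
    host = decode_punycode(raw_host)
    findings = []

    if any(label.startswith("xn--") for label in raw_host.split(".")):
        findings.append("punycode_host")
    scripts = scripts_in(host)
    if len(scripts) > 1:
        findings.append("mixed_script_host:" + "+".join(sorted(scripts)))
    if is_ip_literal(raw_host):
        findings.append("ip_literal_host")
    elif raw_host.count(".") >= 3:
        findings.append("deep_subdomain_nesting")
    if parts.username is not None:
        findings.append("userinfo_in_url")  # https://paypal.com@evil.example/ trick

    host_skel = skeleton(host)
    labels = host_skel.split(".")
    for brand in BRANDS:
        if brand in host_skel:
            if brand not in host:
                findings.append(f"lookalike_brand:{brand}")  # visible only after folding
            # Crude registrable-domain check (ignores ccSLDs such as .co.uk): the brand
            # should be the second-to-last label, not a subdomain or a suffix decoy.
            if len(labels) < 2 or labels[-2] != brand:
                findings.append(f"brand_outside_registrable_label:{brand}")

    scan_text = " ".join((parts.path or "", parts.query or "", email_text))
    keywords = sorted({m.lower() for m in KEYWORD_RE.findall(scan_text)})
    return {"host": host, "findings": findings, "keywords": keywords}
```

The folding step is what makes the check robust: a regex for literal "paypal" misses both the Cyrillic and the zero variant, while matching on the skeleton catches both and still lets the genuine `www.paypal.com` through.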
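One way to build the risk scoring that the Heuristic Risk Scoring feature and `risk_engine.py` describe, as an added example that is not PhishScope's code. The page states only that module outputs are combined into a 0–100 score, a Low/Medium/High classification and a confidence value; the field names, weights, thresholds and the rule that a module which returned no data lowers confidence instead of counting as clean are all assumptions made here. That last rule addresses the troubleshooting note above: a missing API key must not read as zero detections.

```python
"""Weighted heuristic risk scoring (added example, not PhishScope's risk_engine.py).

Each module's output is mapped to 0.0-1.0; the final score is the weighted mean
over modules that actually produced data, and confidence is the share of total
weight those modules carry. Field names, weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ModuleResults:
    """Outputs of the analysis modules. None means the module could not answer
    (no API key, WHOIS timeout, ...) and must not be counted as 'clean'."""
    vt_malicious: Optional[int] = None      # engines flagging the URL
    vt_total: Optional[int] = None          # engines that returned a verdict
    domain_age_days: Optional[int] = None   # from the WHOIS creation date
    high_risk_geo: Optional[bool] = None    # hosting region / ISP on a watch list
    redirect_hops: Optional[int] = None     # hops before the final landing page
    redirect_loop: bool = False
    obfuscation_findings: list = field(default_factory=list)  # e.g. ["mixed_script_host"]
    keyword_hits: list = field(default_factory=list)          # e.g. ["verify", "account"]


# Relative weight of each signal; reputation dominates when it is available.
WEIGHTS = {"reputation": 40, "domain_age": 20, "geolocation": 10, "redirects": 10, "keywords": 20}
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 70, 30


def _age_score(days):
    # Newly registered domains are the strongest WHOIS signal; decay with age.
    for limit, score in ((7, 1.0), (30, 0.8), (180, 0.4), (365, 0.2)):
        if days < limit:
            return score
    return 0.0


def component_scores(r):
    """Map each module output to 0.0-1.0, or None when the module produced no data."""
    scores = {}
    if r.vt_malicious is None or not r.vt_total:
        scores["reputation"] = None
    elif r.vt_malicious == 0:
        scores["reputation"] = 0.0
    else:
        # Any detection is already meaningful; saturate at about 1/5 of engines.
        scores["reputation"] = min(1.0, 0.4 + 3 * r.vt_malicious / r.vt_total)
    scores["domain_age"] = None if r.domain_age_days is None else _age_score(r.domain_age_days)
    scores["geolocation"] = None if r.high_risk_geo is None else (1.0 if r.high_risk_geo else 0.0)
    if r.redirect_loop:
        scores["redirects"] = 1.0
    elif r.redirect_hops is None:
        scores["redirects"] = None
    else:
        scores["redirects"] = min(1.0, 0.3 * r.redirect_hops)
    # The keyword module always runs, so it is never None.
    scores["keywords"] = min(1.0, 0.35 * len(r.obfuscation_findings) + 0.15 * len(r.keyword_hits))
    return scores


def classify(score):
    if score >= HIGH_THRESHOLD:
        return "High Risk"
    if score >= MEDIUM_THRESHOLD:
        return "Medium Risk"
    return "Low Risk"


def assess(r):
    """Return (score 0-100, classification, confidence 0.0-1.0)."""
    available = {k: v for k, v in component_scores(r).items() if v is not None}
    total_weight = sum(WEIGHTS.values())
    avail_weight = sum(WEIGHTS[k] for k in available)
    if avail_weight == 0:
        return 0, "Low Risk", 0.0
    weighted = sum(WEIGHTS[k] * v for k, v in available.items())
    score = round(100 * weighted / avail_weight)
    return score, classify(score), round(avail_weight / total_weight, 2)


if __name__ == "__main__":
    # Constructed inputs: a fully observed lure, and a scan run without API keys.
    lure = ModuleResults(vt_malicious=12, vt_total=70, domain_age_days=3, high_risk_geo=True,
                         redirect_hops=2, obfuscation_findings=["mixed_script_host"],
                         keyword_hits=["verify", "account"])
    print(assess(lure))
    print(assess(ModuleResults(high_risk_geo=False, redirect_hops=0)))
```

Reporting confidence separately from the score is the design choice worth keeping: an analyst reading "0, Low Risk, confidence 0.4" knows the reputation and WHOIS modules never answered, whereas a bare 0 looks like a clean result.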
Tags: Ask search, DAST, Flask, Go language tools, IP geolocation, Python, Sigma rules, SOC tools, TLP, URL scanning, VirusTotal, web UI, WHOIS lookup, protocol probing, heuristic analysis, domain analysis, threat intelligence, security operations, developer tools, malware analysis, scanning framework, no backdoor, spoofing detection, vulnerability discovery, cybersecurity, reverse-engineering tools, configuration auditing, redirect tracing, phishing detection, privacy protection