Friday, 30 December 2016

Telegram BBBot - Telegram Bug Bounty Bot

Telegram Bug Bounty Bot

  • This bot is adapted specifically for deployment to Heroku
  • General purpose of this bot: "Be helpful for the infosec community!"
  • The bot is used for fetching information
  • Heroku was used as a template for the project
  • The bot uses a free account on and

  • Purposes of the bot:
    • "Deliver information as fast as possible!"
    • "Be helpful for the infosec community"

  • The web server uses Gin
  • Bot functionality uses telegram-bot-api.v4

Bot configuration
  • TELEGRAM_BBBOT_TOKEN - Telegram Api token received from @BotFather
  • TELEGRAM_BBBOT_URL - Webhook url to bot public web address
  • PORT - Standard heroku ENV variable for port number
  • TELEGRAM_BBBOT_FIREBASE_TOKEN - Firebase database token
  • TELEGRAM_BBBOT_FIREBASE_URL - Url to firebase project
  • TELEGRAM_BBBOT_HO_SEARCH_URL - HackerOne search url (crawler)
  • TELEGRAM_BBBOT_CHANNEL - Public channel identifier, for example @some_channel_name
  • TELEGRAM_BBBOT_HOST - Public bot host URL, pinged periodically so that the free Heroku dyno does not go to sleep after 30 min of inactivity
  • TELEGRAM_BBBOT_H1_HACK_SEARCH_URL - HackerOne hacktivity url (crawler)
  • TELEGRAM_BBBOT_BUGCROWD_NEW_PROG_URL - BugCrowd url for crawling new programs (crawler)

Bot workflow
  • The bot starts
  • Data is fetched from Firebase (synchronising)
  • Programs are crawled from (in parallel)
  • Hacktivity is crawled from (in parallel)
  • Programs are crawled from (in parallel)
  • New items are determined from all crawled information (in parallel)
  • New items are published to the Telegram channel named in the ENV variable
  • Note: if the bot instance at is restarted, all data is restored from Firebase storage.

Thursday, 29 December 2016

Parrot Security 3.3 - Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind

Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.

It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy with anonymity and crypto tools.



Parrot Security includes a full arsenal of security oriented tools to perform penetration tests, security audits and more. With a Parrot usb drive in your pocket you will always be sure to have all you need with you.


Parrot includes by default Tor, I2P, anonsurf, gpg, tccf, zulucrypt, veracrypt, truecrypt, luks and many other technologies designed to defend your privacy and your identity.


If you need a comfortable environment with updated frameworks and useful libraries already installed, Parrot will amaze you as it includes a full development-oriented environment with some powerful editors and IDEs pre-installed and many other tools installable from our repository.


System Specs
  • Debian GNU/Linux 9 (stretch)
  • Custom hardened Linux 4.8 kernel
  • Rolling release updates
  • Powerful worldwide mirror servers
  • High hardware compatibility
  • Community-driven development
  • Free (libre) and open source project

System Requirements
  • CPU: at least 1 GHz dual-core CPU
  • ARCH: 32-bit, 64-bit and ARMhf
  • RAM: minimum 256 MB, 2048 MB suggested
  • GPU: no graphic acceleration required
  • STORAGE lite/core: 4 GB / 8 GB
  • STORAGE Full: 16 GB
  • BOOT: legacy BIOS or UEFI


Cloud Pentesting

Parrot Cloud is a special edition of our OS designed specifically for servers. It consists of a lightweight Parrot system without graphical interfaces, wireless and forensic tools, or any other tools that would be useless in a remote-controlled virtual environment.


The idea of Parrot Cloud is to have a VPS or a dedicated server with a special operating system full of useful security tools, neither offloading all the dirty work to your local machine nor entrusting the security of your confidential data to a third-party provider. It can also be used to store private files (preferably encrypted), scan targets in the background and do other things that you don't need to do from your own machines, allowing you to go anywhere with just a Parrot live USB and carry out thorough penetration tests without having confidential data physically with you.


Parrot includes many cryptographic tools which are extremely useful when it comes to protecting your confidential data and defending your privacy.

Parrot includes several cryptographic front-ends for both symmetric and asymmetric encryption; in fact it natively supports volume encryption with LUKS, TrueCrypt and VeraCrypt, including hidden TrueCrypt/VeraCrypt volumes and cascaded (nested) cipher algorithms.

The whole system can be installed inside an encrypted partition to protect your computer in case of theft.

Another Swiss army knife for your privacy is GPG, the GNU Privacy Guard, an extremely powerful PGP implementation. It lets you create a private/public key pair to apply digital signatures to your messages and to allow other people to send you encrypted messages that only your private key can decrypt. It can also handle multiple identities and subkeys, and its power resides in the web of trust: PGP users sign each other's keys so that others can tell whether a digital identity is valid or not.

Even our software repository is digitally signed with GPG, and the system automatically verifies whether an update was altered or compromised: it refuses to upgrade or install new software if our digital signature is missing or invalid.


Your privacy is the most valuable thing you have in your digital life, and the whole Parrot Team is exaggeratedly paranoid when it comes to users' privacy: our system doesn't contain tracking systems, and it is hardened in depth to protect users from prying eyes.

Parrot has developed and implemented several tricks and tools to achieve this goal, and AnonSurf is one of the most important examples: it is a tool designed to start Tor and route all of the system's internet traffic through the Tor network. We have also modified the system to use DNS servers different from those offered by your internet provider.

Parrot also includes Tor Browser, TorChat and other anonymity services, such as I2P, a powerful alternative to Tor.


The main goal of an environment designed by hackers for hackers is the possibility to change it, adapt it, transform it and use it as a development platform to create new things. This is why Parrot comes out of the box with several tools for developers such as compilers, disassemblers, IDEs, comfortable editors and powerful frameworks.

Parrot includes Qt Creator as its main IDE for C, C++ and the Qt framework. Another very useful tool is Geany, a lightweight and simple IDE which supports a huge number of programming languages, while we also include Atom, the open source editor developed by GitHub. Many compilers and interpreters with their most important libraries are pre-installed and ready to use.

And of course many other editors, development tools and libraries are available through our software repository, where we keep all the development tools updated to their most cutting-edge but reliable version.


From 3.2 to 3.3 (25/12/2016)
  • include Linux 4.8 kernel
  • fix touchpad/multitouch support
  • fix mismatching kernel installer
  • update AnonSurf
  • fix minor MATE bugs
  • include GCC 6.2
  • update metasploit-framework to 4.13
  • switch to PHP 7
  • upgrade most of the tools to their latest version

Wednesday, 28 December 2016

Fluxion 0.23 - WPA/WPA2 Security Hacked Without Brute Force

Fluxion is a remake of linset by vk496 with (hopefully) fewer bugs and more functionality. It's compatible with the latest release of Kali (rolling). The latest builds (stable and beta) can be found here. If you're new, or just don't understand much about the project, have a look at the wiki. The attack is mostly manual, but experimental versions will automatically handle most functionality from the stable releases.

"Clients are not automatically connected to the fake access point"
This is a social engineering attack and it's pointless to drag clients in automatically. The script relies on the fact that a user should be present in order to enter the wireless credentials.

"There's no Internet connectivity in the fake access point"
There shouldn't be one. All of the traffic is being sinkholed to the built in captive portal via a fake DNS responder in order to capture the credentials.

"Fake sites don't work"
There might be a problem with lighttpd. The experimental version is tested on lighttpd 1.4.39-1; anything newer may break functionality. If you have problems, please use the stable version. For more information check this fix out.

"Experimental menu is not responsive"
In the experimental version it will automatically check the handshake. I will fix the menu shortly. If you need a GUI, use the stable version (which doesn't automatically check handshakes).

"I need to sign in (on Android)"
This is how the script works. The fake captive portal is set up by the script itself to collect the credentials. Don't freak out, it's all okay.

"The MAC address of the fake access point differs from the original"
The MAC address of the fake access point differs by one octet from the original, to prevent Fluxion from deauthenticating clients from its own access point during the session.

"The redirection doesn't work for HTTPS websites"
HTTPS is not currently supported.

If you want to submit a feature, do so by labeling your issue as an "enhancement" or submit a PR. I don't have enough time to make daily changes to fluxion, sorry.

Included dependency versions
  1. Aircrack : 1:1.2-0~rc4-0parrot0
  2. Lighttpd : 1.4.39-1
  3. Hostapd : 1:2.3-2.3
To compare with the versions on your own system, run dpkg -l | grep "name"

Fluxion gets weekly updates with new features, improvements and bugfixes. Be sure to check out the changelog here .

How it works
  • Scan the networks.
  • Capture a handshake (the attack can't be used without a valid handshake; it is needed to verify the password).
  • Use the web interface *
  • Launch a FakeAP instance to imitate the original access point.
  • Spawn an MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
  • A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script.
  • A captive portal is launched in order to serve a page which prompts the user to enter their WPA password.
  • Each submitted password is verified against the handshake captured earlier.
  • The attack terminates automatically as soon as a correct password is submitted.
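The last steps rest on one capability: checking a passphrase typed into the captive portal against the captured 4-way handshake, offline, without ever talking to the real access point. The script below is an added example and not Fluxion's code; it re-derives the WPA2-PSK key hierarchy (PMK from PBKDF2, PTK from the 802.11i PRF, KCK = first 16 bytes of the PTK) and compares the MIC of EAPOL message 2. Because no real capture is included here, the handshake it checks against is constructed inside the script from a known passphrase; the SSID, MAC addresses and nonces are made up.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the 16-byte MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", sorted MACs || sorted nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, i = b"", 0
    while len(out) < 64:
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, descriptor_version: int = 2) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses HMAC-SHA1-128."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    digest = hashlib.md5 if descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def check_passphrase(hs: dict, candidate: str) -> bool:
    """True if the candidate reproduces the MIC carried in the captured message 2."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]  # KCK = PTK[0:16]
    captured_mic = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), captured_mic)


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 of 4 (station -> AP) with an empty key-data field, laid out per 802.11i."""
    body = (b"\x02"                                  # descriptor type: RSN (WPA2)
            + b"\x01\x0a"                            # key info: pairwise | MIC | descriptor version 2
            + b"\x00\x10"                            # key length 16
            + b"\x00" * 8                            # replay counter
            + snonce                                 # 32-byte SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
            + mic
            + b"\x00\x00")                           # key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X: version 1, type EAPOL-Key


def constructed_handshake(true_passphrase: str = "correct horse battery", ssid: bytes = b"FluxionLab") -> dict:
    """CONSTRUCTED stand-in for a real capture: the MIC is computed here from the known passphrase."""
    hs = {"ssid": ssid, "ap_mac": bytes.fromhex("001122334455"), "sta_mac": bytes.fromhex("66778899aabb"),
          "anonce": bytes(range(32)), "snonce": bytes(range(32, 64))}
    kck = ptk_from_pmk(pmk_from_passphrase(true_passphrase, ssid), hs["ap_mac"], hs["sta_mac"],
                       hs["anonce"], hs["snonce"])[:16]
    unsigned = build_eapol_msg2(hs["snonce"])
    hs["eapol"] = unsigned[:MIC_OFFSET] + eapol_mic(kck, unsigned) + unsigned[MIC_OFFSET + 16:]
    return hs


if __name__ == "__main__":
    hs = constructed_handshake()
    for guess in ("password123", "correct horse battery"):
        print(f"{guess!r}: {'valid' if check_passphrase(hs, guess) else 'rejected'}")
```

The same check is what makes the portal loop terminate: a wrong submission simply fails the MIC comparison and the page can be re-served, while the first matching submission is the network key. Note that a real capture must contain the AP and station MACs, both nonces and at least one MIC-bearing EAPOL frame; without the SNonce (message 2) or ANonce (message 1 or 3) the PTK cannot be derived and no passphrase can be verified.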

Requirements
A Linux-based operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling. Kali 2 & 2016 support the latest aircrack-ng versions. An external wifi card is recommended.

Credits
  1. Deltax - Fluxion main developer
  2. Strasharo - contributor
  3. l3op - contributor
  4. dlinkproto - contributor
  5. vk496 - developer of linset
  6. ApatheticEuphoria - @WPS-SLAUGHTER, Bruteforce Script, help with Fluxion
  7. Derv82 - @Wifite/2
  8. Princeofguilty - @webpages
  9. Photos for wiki @
  10. Ons Ali @wallpaper

Useful links
  1. Wifislax
  2. Kali Linux
  3. linset
  4. ares
  5. Closeme

Fluxion is intended to be used for legal security purposes only, and you should only use it to protect networks/hosts you own or have permission to test. Any other use is not the responsibility of the developer(s). Be sure that you understand and are complying with the Fluxion licenses and laws in your area. In other words, don't be stupid, don't be an asshole, and use this tool responsibly and legally.

Tuesday, 27 December 2016

Lobotomy - Android Reverse Engineering

Lobotomy is a command line based Android reverse engineering tool. What is in the repo is currently in development; you should assume nothing works as expected until the official 2.0 release is finished.

Version: Development
Author: Benjamin Watson (rotlogix)

Features
  • Components - Enumerate AndroidManifest.xml components
  • Permission - Enumerate declared and used AndroidManifest.xml permissions
  • Strings - List and search for strings within the target application
  • AttackSurface - Enumerate the target application's attack surface by parsing the AndroidManifest.xml
  • Surgical - Find specific Android API usage throughout the application
  • Interact - Drop into an IPython session to analyze the target application in a more granular fashion
  • UI - A terminal based interface for navigating an application's class tree
  • Decompile - Decompile the target application with Apktool
  • Debuggable - Convert the target application into being debuggable when installed on a device
  • Dextra - Wrapper around dextra for dumping odex and oat files
  • Socket - Find local and listening sockets on a target Android device
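To make concrete what the AttackSurface feature enumerates from the manifest, here is an added example that is not Lobotomy's code. It parses a constructed AndroidManifest.xml and lists the components another app on the same device can reach: those explicitly marked android:exported="true", plus those with an intent-filter and no explicit exported attribute (the classic default; content providers instead default to exported only when minSdkVersion is below 17). It then separates out the exported components that demand no permission, which is where an IPC review starts. The package name, component names and permission string are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# CONSTRUCTED manifest for illustration only; it does not describe any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <uses-sdk android:minSdkVersion="19" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true" />
    <activity android:name=".InternalActivity" />
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.SYNC" /></intent-filter>
    </service>
    <service android:name=".PrivService" android:exported="true"
             android:permission="com.example.PRIV" />
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.data" />
  </application>
</manifest>
"""


def declared_min_sdk(root) -> int:
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))


def is_exported(component, min_sdk: int) -> bool:
    """Resolve the effective android:exported value, including the implicit defaults."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return min_sdk < 17               # providers were exported by default before API 17
    return component.find("intent-filter") is not None  # an intent-filter implies exported


def attack_surface(manifest_xml: str) -> list:
    """Return the reachable components: type, name, guarding permission (or None) and filtered actions."""
    root = ET.fromstring(manifest_xml)
    min_sdk = declared_min_sdk(root)
    application = root.find("application")
    surface = []
    for component in (application if application is not None else []):
        if component.tag not in COMPONENT_TAGS or not is_exported(component, min_sdk):
            continue
        surface.append({
            "type": component.tag,
            "name": component.get(ANDROID_NS + "name"),
            "permission": component.get(ANDROID_NS + "permission"),
            "actions": [a.get(ANDROID_NS + "name") for a in component.iter("action")],
        })
    return surface


def unprotected(surface: list) -> list:
    """Names of exported components that any app can invoke without holding a permission."""
    return [c["name"] for c in surface if c["permission"] is None]


if __name__ == "__main__":
    for c in attack_surface(SAMPLE_MANIFEST):
        guard = c["permission"] or "NO PERMISSION"
        print(f"{c['type']:<9} {c['name']:<20} {guard:<20} {', '.join(c['actions'])}")
```

The InternalActivity and the explicitly non-exported BootReceiver drop out, and so does DataProvider because this manifest declares minSdkVersion 19; lower that to 16 and the provider joins the list. The unprotected subset (MainActivity, DeepLinkActivity, SyncService) is what the Surgical and Interact features would then be pointed at.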



Build requirements for python-adb
  brew install openssl
  brew install swig
  env LDFLAGS="-L$(brew --prefix openssl)/lib" \
      CFLAGS="-I$(brew --prefix openssl)/include" \
      SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" \
Create a Python virtual environment for Lobotomy
  virtualenv -p /usr/bin/python2.7 lobotomy
  cd lobotomy/
  source bin/activate
Install the pip requirements
  pip install -r requirements
Install Androguard
  cd core/include/androguard
  python install




See the docs for more information.

Monday, 26 December 2016

sslscan - tests SSL/TLS enabled services to discover supported cipher suites

This is a fork of ioerror's version of sslscan (the original readme of which is included below). Changes are as follows:
  • Highlight SSLv2 and SSLv3 ciphers in output.
  • Highlight CBC ciphers on SSLv3 (POODLE).
  • Highlight 3DES and RC4 ciphers in output.
  • Highlight PFS+GCM ciphers as good in output.
  • Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56 bit) ciphers in output.
  • Highlight anonymous (ADH and AECDH) ciphers in output (purple).
  • Hide certificate information by default (display with --get-certificate).
  • Hide rejected ciphers by default (display with --failed).
  • Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
  • Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
  • Supports IPv6 hostnames (can be forced with --ipv6).
  • Check for TLS compression (CRIME; disable with --no-compression).
  • Disable cipher suite checking with --no-ciphersuites.
  • Disable coloured output with --no-colour.
  • Removed undocumented -p output option.
  • Added check for OpenSSL Heartbleed (CVE-2014-0160; disable with --no-heartbleed).
  • Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys.
  • Support scanning RDP servers with --rdp (credit skettler).
  • Added option to specify socket timeout.
  • Added option for static compilation (credit dmke).
  • Added --sleep option to pause between requests.
  • Disable output for anything other than the specified checks with --no-preferred.
  • Determine the list of CAs acceptable for client certificates with --show-client-cas.
  • Experimental build support on OSX (credit MikeSchroll).
  • Flag some self-signed SSL certificates.
  • Experimental Windows support (credit jtesta).
  • Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 (disable with --no-cipher-details).
  • Flag weak DHE keys with OpenSSL >= 1.0.2 (--cipher-details).
  • Flag expired certificates.
  • Flag TLSv1.0 ciphers in output as weak.
  • Experimental OSX support (static building only).
  • Support for scanning PostgreSQL servers (credit nuxi).
  • Check for TLS Fallback SCSV support.
  • Added StartTLS support for LDAP (--starttls-ldap).
  • Added SNI support (--sni-name) (credit Ken).
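The cipher-highlighting rules in the list above can be turned into a triage script for reviewing scan output in bulk. The following is an added example, not sslscan's own code: it parses lines written in the style of sslscan's plain-text cipher report (the sample lines are constructed, not from a real scan) and tags each accepted cipher with the reasons sslscan would colour it. The tag names are mine; so is the CBC heuristic (OpenSSL names omit "CBC" for AES and Camellia, so anything that is not AEAD, RC4 or NULL is treated as a CBC block cipher) and the decision to count 40-bit export ciphers as weak, where the list above only says <40.

```python
import re

# Constructed lines in the shape of sslscan's cipher output (not a real scan result).
SAMPLE_OUTPUT = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.2  256 bits  ADH-AES256-SHA
Accepted  TLSv1.2  0 bits    NULL-SHA256
Accepted  TLSv1.0  128 bits  RC4-SHA
Accepted  SSLv3    128 bits  AES128-SHA
Accepted  SSLv3    40 bits   EXP-RC4-MD5
"""

LINE_RE = re.compile(r"^(?:Accepted|Preferred)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+) bits\s+(\S+)")


def is_cbc(name: str) -> bool:
    """Heuristic on OpenSSL names: not AEAD, not a stream cipher, not NULL => CBC block cipher."""
    return not any(tok in name for tok in ("GCM", "CCM", "CHACHA20", "RC4", "NULL"))


def grade(protocol: str, bits: int, name: str) -> set:
    """Apply the highlight rules to one accepted cipher; an empty set means nothing to flag."""
    tags = set()
    if protocol in ("SSLv2", "SSLv3"):
        tags.add("legacy-protocol")
    if protocol == "SSLv3" and bits > 0 and is_cbc(name):
        tags.add("poodle-cbc")
    if "DES-CBC3" in name or "3DES" in name:
        tags.add("3des")
    if "RC4" in name:
        tags.add("rc4")
    if name.startswith(("ADH-", "AECDH-")):
        tags.add("anonymous")          # no server authentication at all
    if bits == 0 or "NULL" in name:
        tags.add("null-cipher")
    elif bits <= 40:                   # export-grade; counted as weak here (my choice)
        tags.add("weak-key")
    elif bits <= 56:
        tags.add("medium-key")
    if protocol == "TLSv1.0":
        tags.add("tlsv1.0")
    if not tags and name.startswith(("ECDHE-", "DHE-", "EDH-")) and "GCM" in name:
        tags.add("good")               # forward secrecy plus AEAD
    return tags


def grade_report(text: str) -> list:
    """Return (protocol, cipher name, tags) for every parsable Accepted/Preferred line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, bits, name = m.group(1), int(m.group(2)), m.group(3)
        findings.append((proto, name, grade(proto, bits, name)))
    return findings


def problems(findings: list) -> list:
    """Distinct problem tags across the whole report, for a one-line summary."""
    return sorted({t for _, _, tags in findings for t in tags if t != "good"})


if __name__ == "__main__":
    report = grade_report(SAMPLE_OUTPUT)
    for proto, name, tags in report:
        print(f"{proto:<8} {name:<32} {', '.join(sorted(tags)) or '-'}")
    print("problems:", ", ".join(problems(report)))
```

AES128-SHA on TLSv1.2 comes out untagged because the rules above only single out CBC when it sits on SSLv3; the same suite on SSLv3 picks up both the legacy-protocol and the POODLE tag, which is exactly the distinction the colour highlighting is meant to draw.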

Building on Windows
Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.
Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.
Pre-built cross-compiled Windows binaries are available on the GitHub Releases page.

Building on OS X
There is experimental support for statically building on OS X, however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on OS X. Once you have, just run:
make static

OpenSSL issues

Statically linking a custom OpenSSL build
It is possible to ignore the OpenSSL system installation and ship your own version. Although this results in a more resource-heavy sslscan binary (file size, memory consumption, etc.), it allows enabling both SSLv2 and SSLv3 ciphers. Compared to repackaging the Debian build, this custom OpenSSL build won't affect other tools on the same system, as they keep using the version packaged by the distro's maintainers.
To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies:
apt-get install build-essential git zlib1g-dev
apt-get build-dep openssl
then run
make static
which will clone the OpenSSL repository, and configure/compile/test OpenSSL prior to compiling sslscan.
Please note: out of the box, OpenSSL cannot be compiled with clang without further customization (which is not done by the provided Makefile). For more information on this, see Modifying Build Settings in the OpenSSL wiki.
You can verify whether you have a statically linked OpenSSL version: if
./sslscan --version
looks a bit like
OpenSSL 1.1.0-dev xx XXX xxxx
(pay attention to the -static suffix and the 1.1.0-dev OpenSSL version), the binary carries its own OpenSSL.

Building on Kali
Kali now ships with a statically built version of sslscan which supports SSLv2.
The package can be found in the Kali Git Repository .
If for whatever reason you can't install this package, follow the instructions above for statically building against OpenSSL.

Building on Debian
It is recommended that you statically build sslscan using the instructions listed above. If this is not an option and you want to compile your system OpenSSL with support for legacy protocols such as SSLv2 and SSLv3 then follow the instructions below.
Note that many modern distros (including Debian) ship with a version of OpenSSL that disables support for SSLv2 ciphers. If sslscan is compiled on one of these distros, it will not be able to detect SSLv2.
This issue can be resolved by rebuilding OpenSSL from source after removing the patch that disables SSLv2 support.
The script automates this process for Debian systems. It has been tested on Debian Squeeze/Wheezy; it may work on other Debian based distros, but has not been tested. The built version of OpenSSL will be installed using dpkg .
If it is not possible to rebuild OpenSSL, sslscan will still compile (thanks to a patch from digineo/sslscan, based on the Debian patch). However, a warning will be displayed in the output to notify the user that SSLv2 ciphers will not be detected.

Sunday, 25 December 2016

Raptor WAF v0.04 - Web Application Firewall using DFA

Raptor WAF is a simple web application firewall written in C, following the KISS principle. Polling uses the select() function, which is not as efficient as epoll() or kqueue() on *BSD but is portable. The core of the match engine uses a DFA to detect XSS, SQLi and path traversal.

WAF stands for Web Application Firewall. WAFs are widely used nowadays to detect and defend against SQL injection and XSS...
  • You can block XSS, SQL injection attacks and path traversal with Raptor
  • You can use a blacklist of IPs to block some users at config/blacklist ip.txt
  • You can use IPv6 and IPv4 for communications
  • In the future: DoS protection, request limiting, a rule interpreter and malware detection on uploads.
  • In the future: SSL/TLS...
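The design choice in the match engine, a DFA so that every byte of a request costs one state transition no matter how many signatures are loaded, can be shown with an Aho-Corasick automaton (a trie with failure links, which is what such a DFA is compiled from). This is an added example written in Python, not Raptor's C code, and the signature strings are a deliberately small constructed set rather than Raptor's rules. It also shows the normalization step a WAF must do before matching: URL-decode (twice, to catch %25-double-encoding) and lowercase, because the automaton is built on lowercase rules.

```python
from collections import deque
from urllib.parse import unquote_plus

# Constructed, deliberately small signature set (not Raptor's rules): lowercase substrings per attack class.
SIGNATURES = {
    "xss": ("<script", "javascript:", "onerror=", "onload="),
    "sqli": ("union select", "' or '1'='1", " or 1=1", "sleep("),
    "traversal": ("../", "..\\", "/etc/passwd", "c:\\windows\\"),
}


class AhoCorasick:
    """Trie plus failure links: scanning is linear in the input, independent of the number of rules."""

    def __init__(self, patterns: dict):
        self.goto, self.fail, self.out = [{}], [0], [[]]   # state -> transitions / fallback / matched patterns
        for label, pats in patterns.items():
            for pat in pats:
                state = 0
                for ch in pat:
                    if ch not in self.goto[state]:
                        self.goto.append({}); self.fail.append(0); self.out.append([])
                        self.goto[state][ch] = len(self.goto) - 1
                    state = self.goto[state][ch]
                self.out[state].append((label, pat))
        queue = deque(self.goto[0].values())               # depth-1 states fall back to the root
        while queue:                                       # BFS so a state's fallback is finished first
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]  # inherit shorter suffix matches

    def scan(self, text: str) -> list:
        """Return (label, pattern, start offset) for every signature occurrence in text."""
        state, hits = 0, []
        for i, ch in enumerate(text):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for label, pat in self.out[state]:
                hits.append((label, pat, i - len(pat) + 1))
        return hits


ENGINE = AhoCorasick(SIGNATURES)


def normalize(raw: str) -> str:
    """Decode twice to defeat %25-double-encoding, then lowercase to match the lowercase rules."""
    return unquote_plus(unquote_plus(raw)).lower()


def inspect_request(request_target: str) -> list:
    """Attack classes matched in a request target (path plus query string)."""
    return sorted({label for label, _, _ in ENGINE.scan(normalize(request_target))})


if __name__ == "__main__":
    # Constructed request targets, not captured traffic.
    for target in ("/test.php?id=42",
                   "/test.php?id=1%20UNION%20SELECT%20password%20FROM%20users",
                   "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
                   "/download?file=..%252f..%252fetc%252fpasswd"):
        verdict = inspect_request(target)
        print(f"{'BLOCK' if verdict else 'pass ':<5} {target}  {verdict}")
```

Substring signatures of this kind are what give WAFs both their speed and their false positives; the single-decode-versus-double-decode question in normalize() is one of the classic bypass surfaces, which is why the example decodes twice and then matches once.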

To run:

$ git clone
$ cd raptor_waf; make; bin/raptor


Start an HTTP server on port 80, then:
$ bin/raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt
You can test at http://localhost:8883/test.php

See the docs

Saturday, 24 December 2016

Hijacker - Aircrack, Airodump, Aireplay, MDK3 and Reaver GUI Application for Android

Hijacker is a graphical user interface for the wireless auditing tools airodump-ng, aireplay-ng and mdk3. It offers a simple and easy UI to use these tools without typing commands in a console and copy-pasting MAC addresses.
This application requires an Android device with a wireless adapter that supports Monitor Mode. A few Android devices do, but none of them natively, which means that you will need custom firmware. The Nexus 5 and any other device that uses the BCM4339 chipset will work with Nexmon; BCM4358 devices also work with Nexmon, although injection is not yet supported there, so no aireplay or mdk. Devices that use BCM4330 can use bcmon. An alternative is an external adapter that supports monitor mode in Android, attached with an OTG cable.
The required tools are included in the app. To install them, go to Settings and click "Install Tools". This will install everything in the directory you select. If you have already installed them, you don't have to do anything. You can also keep them in any directory you want and set the directories in Settings, though this might cause the wireless tools not to be found by the aircrack-ng suite. The Nexmon driver and management utility are also included.
Root is also necessary, as these tools need root to work. If you don't grant root permissions to it, it hangs... for some reason... don't know why...

  • View a list of access points and stations (clients) around you (even hidden ones)
  • View the activity of a network (by measuring beacons and data packets) and its clients
  • Deauthenticate all the clients of a network
  • Deauthenticate a specific client from the network it's connected to
  • MDK3 Beacon Flooding with custom SSID list
  • MDK3 Authentication DoS for a specific network or to everyone
  • Try to get a WPA handshake or gather IVs to crack a WEP network
  • Statistics about access points (only encryption for now)
  • See the manufacturer of a device (AP or station) from a OUI database (pulled from IEEE)
  • See the signal power of devices and filter the ones that are closer to you
  • Leave the app running in the background, optionally with a notification
  • Copy commands or MAC addresses to clipboard, so you can run them in a terminal if something goes wrong
  • Include the tools
  • Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)
  • .cap files cracking with custom wordlist
  • Save captured packets in .cap file
  • Create custom commands to be run on an access point or a client with one click

Make sure:
  • you are on Android 5+
  • you are rooted. SuperSU is required. If you are on CM, install SuperSU
  • have installed busybox (opened and installed the tools)
  • have a firmware to support Monitor Mode on your wireless interface

Download the latest version here .
When you run Hijacker for the first time, you will be asked whether you want to set up the tools or go to the home screen. If you have installed your firmware and all the tools, you can just go to the home screen. Otherwise, click set up to install the tools. You can change the directories in which they will be installed, but I recommend that you leave them unchanged. The app will check what directories are available and select the best for you. Keep in mind that on some devices, installing files in /system might trigger an Android security feature and your system partition will be restored when you reboot.

After installing the tools and the firmware (only Nexmon) you will land on the home screen and airodump will start. If you don't see any networks, make sure you have enabled your WiFi and it's in monitor mode. If you have a problem, go to settings and click "Test Tools". If they all pass, you probably don't have monitor mode enabled. If something fails, click "Copy test command" and select the tool that fails. A sample command will be copied to your clipboard so you can open a terminal, run it, and see what's wrong.

Keep in mind that Hijacker is just a GUI for these tools. The way it runs the tools is fairly simple, and if all the tests pass and you are in monitor mode, then you should be getting the results you want. But also keep in mind that these are AUDITING tools. This means that they are used to TEST the integrity of your network, so there is a chance (and you should hope for it) that the attacks don't work on a network. It's not the app's fault; it's actually something to be happy about (given that this means that your network is safe). However, if an attack works when you type a command in a terminal, but not with the app, feel free to post here to resolve the issue. This app is still under development, so bugs are to be expected.

First of all, if the app happens to crash at a random time, run it again and close it properly. This is to make sure that there are no tools still running in the background, as this can cause battery drain. If it crashes during startup or exiting, open a terminal, run ps | busybox grep -e air -e mdk and kill the processes you see.
Most of the problems arise from the binaries not being installed (correctly or at all). If that's the case, go to settings, click "install tools", choose directories for the binaries and the lib, and click install. If the directory for your binaries is included in PATH, then you don't have to do anything else. If it's not, then you need to adjust the absolute paths of the binaries, right below the "install tools" option. This might also cause problems (especially with mdk) since these programs require the wireless tools to be installed, and they won't find them if you install them anywhere other than the paths included in your PATH variable. If you don't know what the PATH variable is, then you probably shouldn't be using any of these programs.
Installing the tools via the Nexmon app doesn't work anymore, so if there is a problem, just reinstall them through the app in the same directory you have them already.
If you are certain that there is a problem with the app itself and not the tools installation, open an issue here so I can fix it. Make sure to include precise steps to reproduce the problem and a logcat (with the logcat messages option enabled in settings). If the app happens to crash, a new activity should start which will generate a report in /sdcard and give you the option to email it to me directly. I suggest you do that, and if you are worried about what will be sent you can check it yourself: it's just a txt file and it will be sent as an email attachment to me.

Friday, 23 December 2016

Noriben - Portable, Simple, Malware Analysis Sandbox

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.
Noriben allows you to not only run malware similar to a sandbox, but to also log system-wide events while you manually run malware in ways particular to making it run. For example, it can listen as you run malware that requires varying command line options. Or, watch the system as you step through malware in a debugger.
Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though it would greatly help) as it contains numerous white list items to reduce unwanted noise from system activity.

Cool Features
If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file will be scanned against these signatures, with the results displayed in the output.
If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of detections.
You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep and throw them into a text file, then use --hash to read them.
You can automate the script for sandbox usage. Using -t to set the execution time and --cmd "path\exe" to specify a malware file, you can automatically run malware, copy the results off, and then revert to run a new sample.
The --generalize feature will automatically substitute absolute paths with Windows environment variables for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe will be automatically resolved to %AppData%\malware.exe.
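The point of --generalize is to make an indicator independent of the analysis VM's user name and drive layout, so the same IOC matches on a victim host. This added example (not Noriben's code) implements the substitution over a constructed set of environment values and a few constructed Procmon-style event lines. The detail it gets right is ordering: %Temp% lives under %LocalAppData%, which lives under %UserProfile%, so the longest matching prefix must win, the match must stop at a path separator (C:\Users\malware_user2 is not the profile), and Windows paths must compare case-insensitively.

```python
import re

# CONSTRUCTED environment of a hypothetical analysis VM; a real tool reads these from the host.
ANALYSIS_ENV = {
    "UserProfile": r"C:\Users\malware_user",
    "AppData": r"C:\Users\malware_user\AppData\Roaming",
    "LocalAppData": r"C:\Users\malware_user\AppData\Local",
    "Temp": r"C:\Users\malware_user\AppData\Local\Temp",
    "ProgramFiles": r"C:\Program Files",
    "ProgramData": r"C:\ProgramData",
    "SystemRoot": r"C:\Windows",
}

# Drive-letter paths embedded in a report line; stops at whitespace and common field separators.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,"<>|]+')

# CONSTRUCTED report lines in a Procmon-like "Operation, Path" shape, not real Noriben output.
SAMPLE_EVENTS = [
    r"CreateFile, C:\Users\malware_user\AppData\Roaming\malware.exe",
    r"CreateFile, C:\Users\malware_user\AppData\Local\Temp\stage2.tmp",
    r"RegSetValue, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd = C:\Users\malware_user\AppData\Roaming\malware.exe",
    r"Process Start, c:\windows\system32\cmd.exe /c del D:\share\report.docx",
]


def generalize_path(path: str, env: dict = ANALYSIS_ENV) -> str:
    """Replace the longest matching environment prefix with %VAR%, case-insensitively, on a separator boundary."""
    lowered = path.lower()
    for var, prefix in sorted(env.items(), key=lambda kv: len(kv[1]), reverse=True):
        p = prefix.lower()
        if lowered == p or lowered.startswith(p + "\\"):
            return "%" + var + "%" + path[len(prefix):]   # keep the tail's original casing
    return path


def generalize_line(line: str, env: dict = ANALYSIS_ENV) -> str:
    """Generalize every drive-letter path found inside one report line."""
    return WIN_PATH_RE.sub(lambda m: generalize_path(m.group(0), env), line)


def generalize_report(lines: list, env: dict = ANALYSIS_ENV) -> list:
    return [generalize_line(line, env) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, generalize_report(SAMPLE_EVENTS)):
        print(before, "->", after, sep="\n  ")
```

Paths on drives the environment knows nothing about (D:\share\... above) pass through unchanged, which is the right failure mode: a half-generalized indicator is worse than a literal one.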

--===[ Noriben v1.6 ]===--
--===[ @bbaskin ]===--

usage: [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
       [-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize]
       [--cmd CMD] [-d]

optional arguments:
  -h, --help            show this help message and exit
  -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
  -p PML, --pml PML     Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER
                        Specify alternate Procmon Filter PMC
  --hash HASH           Specify MD5 file whitelist
  -t TIMEOUT, --timeout TIMEOUT
                        Number of seconds to collect activity
  --output OUTPUT       Folder to store output files
  --yara YARA           Folder containing YARA rules
  --generalize          Generalize file paths to their environment variables.
                        Default: True
  --cmd CMD             Command line to execute (in quotes)
  -d                    Enable debug tracebacks