# Corvo
Corvo uses [IntelX](https://intelx.io) leak data and correlates it to identify the most prominent threat actors and families and, of course, the number of leaks per domain.
As the first step, you need to provide your IntelX API credentials so the tool can make requests.
After that, if you want to use a date filter, you need to pass a start date and an end date with the arguments '-a' for after and '-b' for before.
At the moment the search term must be a domain, like "google.com", so the search covers URLs (https://something.google.com) or users that use this domain (john_doe@google.com).
Another way is to create a file, or use the example file, to search several domains:
```
[DOMAINS]
health = test1.com.br,test2.com.br
food =test3.com.cl, test4.com.cl
```
To get the leaks compared against your domain, you need to download the files.
```
$ python main.py -h
usage: main.py [-h] [-i] [-a AFTER] [-b BEFORE] [-p LEAK_PATH] -t TERM -f FILEPATH [-r] [-d]
A credential harvester, powered by the IntelX API.
options:
-h, --help show this help message and exit
-i, --init First step. Save your IntelX credentials
-a AFTER Date started to collecting infostealer leaks. Format: YYYY-MM-DD
-b BEFORE Date finished to collecting infostealer leaks. Format: YYYY-MM-DD
-p LEAK_PATH Pass a path of leaks only of infostealers to be parsed, if you already download it.
-t TERM The term (str) to be searched
-f FILEPATH A config file with domains.
-r Evade flow to reduce queries
-d More info for output, debugger
```
## Use cases
### Search for a domain using dates (needs start and end) and activate the debugger
1. Pass the date range with arguments: -a, -b
2. Activate the debugger with the -d argument. Debugger mode will print on the screen the step-by-step verification process per file.
3. Pass the domain as term -t
4. The search result will be saved in the file corvo.leaks
```
$ python main.py -a 2024-09-01 -b 2024-09-30 -t test.com.br -d
Total citations [test.com.br]: 4
2024-09-16T06:46:25.887072Z::Passwords.txt=6f94d4a5-. . .
{'company': [{'soft': 'Chrome Default (127.0.6533.122)', 'url': 'http://www.test.com.br/', 'username': 'john_doe@test.com.br', 'password': '1234567'}], 'client': []}
GroupName: None
2024-09-16T06:46:25.783095Z::AllPasswords.txt=2b51ac1c-. . .
{'company': [{'soft': 'Chrome Default (127.0.6533.122)', 'url': 'http://www.test.com.br/', 'username': 'john_doe@test.com.br', 'password': '1234567'}], 'client': []}
GroupName: None
Checking the ComboListFresh.txt[Part1of2]::5d50672f-. . . tree
Find out the leaks file in the tree: AllPasswords.txt::26df3-. . .
2024-09-07T12:36:53.138062Z::AllPasswords.txt=26df3-. . .
Unknown pattern for file: 2fa96df3-. . .
{'company': [], 'client': []}
GroupName: None
Checking the Domain.txt[Part1of2]::0b9a0563-. . . tree
Find out the leaks file in the tree: AllPasswords.txt::2fa96df3-. . .
2024-09-07T12:36:52.897799Z::AllPasswords.txt=2fa96df3-. . .
Total group names: {'unknown': 3}
Check the result at corvo.leaks file
```
### Search for a domain using dates (needs start and end) and activate the debugger with reduced queries ('-r') enabled
With '-r' enabled, only files that are 'Passwords' files will be read, and the code flow will not search for them in the tree file.
```
$ python main.py -a 2024-09-01 -b 2024-09-30 -t test.com.br -d -r
Total citations [test.com.br]: 4
2024-09-16T06:46:25.887072Z::Passwords.txt=6f94d4a5-. . .
{'company': [{'soft': 'Chrome Default (127.0.6533.122)', 'url': 'http://www.ituranweb.com.br/', 'username': 'john_doe@test.com.br', 'password': '1234567'}], 'client': []}
GroupName: None
2024-09-16T06:46:25.783095Z::AllPasswords.txt=2b51ac1c-. . .
{'company': [{'soft': 'Chrome Default (127.0.6533.122)', 'url': 'http://www.ituranweb.com.br/', 'username': 'john_doe@test.com.br', 'password': '1234567'}], 'client': []}
GroupName: None
Total group names: {'unknown': 2}
Check the result at corvo.leaks file
```
## Output
All output is written directly to the file corvo.leaks. If you have activated debugger mode with '-d', the output is printed to the terminal step by step.
- The header is the execution time when searching for a term, and the key when searching with a domain file.
```
#########################
## 2024-10-07_22-54-15 ##
#########################
Company Leaks (2) - test.com.br
{"soft": "Chrome Default (127.0.6533.122)", "url": "http://www.test.com.br/", "username": "john_doe@test.com.br", "password": "1234567"}
{"soft": "Chrome Default (127.0.6533.122)", "url": "https://test.com.br/", "username": "john_doe@test.com.br", "password": "123456"}
Client Leaks (0) - test.com.br
Total group names: {'unknown': 2}
```
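One way to consume this file for triage, as an added example that is not part of Corvo's own code: it groups the records by account so a responder can see which users need a credential reset, and it counts distinct leaked passwords without ever returning them. The function name `summarize_leaks` is hypothetical, and the parser assumes the file layout is exactly the one shown above.

```python
import json
import re

# Constructed sample in the corvo.leaks layout shown above (not real data).
SAMPLE = """\
#########################
## 2024-10-07_22-54-15 ##
#########################
Company Leaks (2) - test.com.br
{"soft": "Chrome Default (127.0.6533.122)", "url": "http://www.test.com.br/", "username": "john_doe@test.com.br", "password": "1234567"}
{"soft": "Chrome Default (127.0.6533.122)", "url": "https://test.com.br/", "username": "john_doe@test.com.br", "password": "123456"}
Client Leaks (0) - test.com.br
Total group names: {'unknown': 2}
"""

HEADER = re.compile(r"^## (.+?) ##$")  # execution time, or the key from a domain file
SECTION = re.compile(r"^(Company|Client) Leaks \((\d+)\) - (\S+)$")

def summarize_leaks(text):
    """Group leaked records by account; passwords are counted, never returned."""
    runs, run, sec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            run, sec = {"header": m.group(1), "sections": []}, None
            runs.append(run)
        elif run is not None and (m := SECTION.match(line)):
            sec = {"kind": m.group(1).lower(), "domain": m.group(3),
                   "declared": int(m.group(2)), "seen": 0, "accounts": {}}
            run["sections"].append(sec)
        elif sec is not None and line.startswith("{"):
            rec = json.loads(line)
            acct = sec["accounts"].setdefault(rec["username"].lower(), {"urls": set(), "pw": set()})
            acct["urls"].add(rec["url"])
            acct["pw"].add(rec["password"])
            sec["seen"] += 1
    for run in runs:
        for sec in run["sections"]:
            # A mismatch with the declared count points to a truncated or hand-edited file.
            sec["complete"] = sec.pop("seen") == sec["declared"]
            sec["accounts"] = {u: {"urls": sorted(a["urls"]), "distinct_passwords": len(a["pw"])}
                               for u, a in sec["accounts"].items()}
    return runs

if __name__ == "__main__":
    for run in summarize_leaks(SAMPLE):
        for sec in run["sections"]:
            print(run["header"], sec["kind"], sec["domain"], sorted(sec["accounts"]))
```
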
## Workflow
|![](https://github.com/santiag02/Corvo/blob/main/media/corvo_workflow.png)|
|:---:|
|Corvo - Workflow|