Analyzing browser extensions with Neto Console

Monday, May 21, 2018

Fifteen days ago we published the first version of Neto, our extension analyzer, on GitHub under a free license. Since then we have worked on a series of features that let analysts interact better with each of the tool's uses and that improve its configuration. In this post we look at some of the changes included in this version, highlighting its interactive interface.


The main new changes to version 0.6
In this second release we have included several features that we consider relevant:
  • The Neto console. This is the main feature included in this version. It is a small command interface that we invoke with neto console and from which we can run different analysis commands interactively, as we will see later in this post.
  • The configuration folder. In this prerelease we have also included a series of configuration files that are generated during installation. On GNU/Linux systems the configuration folder is created in /home//.config/ElevenPaths/Neto; it is where we store the main configuration files and some backups, and it also serves as a reference folder where analysis results can be stored. On Windows systems this folder is created in C:/Users//ElevenPaths/Neto.
  • Display of the analysis characteristics in the CLI. The analyst can check from the command line the main characteristics extracted by the analysis, such as the extension's hash, the permissions used, the scripts loaded in each tab or in the background and VirusTotal's assessment of the file, without having to explore the JSON manually. The JSON continues to be generated with the complete data.
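The characteristics listed above (hash, permissions, scripts loaded per tab or in the background) can be read directly from an extension's manifest.json. The following is an added example, not part of Neto or of the original post, that extracts them with the Python standard library; the function names and the in-memory sample archive are constructed for illustration, and it goes slightly beyond the text by flagging broad host access and scripts that are declared but missing from the archive.

```python
import hashlib
import io
import json
import zipfile

# Host patterns that give a script access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def summarise_extension(data: bytes) -> dict:
    """Extract triage fields from a zip-format extension archive (e.g. .xpi)."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        manifest = json.loads(archive.read("manifest.json").decode("utf-8-sig"))
        files = set(archive.namelist())
    permissions = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    background = list(manifest.get("background", {}).get("scripts", []))
    content = [{"matches": cs.get("matches", []), "js": cs.get("js", [])}
               for cs in manifest.get("content_scripts", [])]
    declared = background + [js for cs in content for js in cs["js"]]
    hosts = set(permissions) | {m for cs in content for m in cs["matches"]}
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "name": manifest.get("name"),
        "permissions": sorted(permissions),
        "background_scripts": background,   # run for the whole browser session
        "content_scripts": content,         # injected into tabs matching "matches"
        "broad_host_access": sorted(hosts & BROAD_HOSTS),
        # Scripts the manifest names but the archive lacks deserve a closer look.
        "missing_scripts": sorted(set(declared) - files),
    }


def build_sample_xpi() -> bytes:
    """Constructed sample: a tiny in-memory extension, not a real one."""
    manifest = {
        "name": "Sample (constructed)",
        "permissions": ["tabs", "cookies", "<all_urls>"],
        "background": {"scripts": ["bg.js"]},
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
        archive.writestr("bg.js", "// background script placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(summarise_extension(build_sample_xpi()), indent=2))
```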
The simplest way of installing the tool is with the pip command:

pip3 install neto

Those who have already installed the previous version will have to update it by adding the --upgrade option:

pip3 install neto --upgrade

On GNU/Linux systems the command can be run either as an administrator or with sudo. If we are not administrators and do not have those privileges, we can add --user to install it only for the current user.

The interactive console
As mentioned above, the main change in this version is the addition of the interactive Neto console. With this command interface we wanted to make some of Neto's features easier to reach when exploring extensions. To launch it from the command line we use neto console, which opens an interactive interface.


From there, we can use the help command at any time to see which options are available.



So far we have included 13 commands with distinct uses, listed below in alphabetical order. Where possible, we have implemented autocompletion. In any case, if we have doubts about what a command does, we can use the help command to see the available help and some usage examples:
  • analyse. The main analysis command. It is followed by the keyword «local» or «remote», depending on whether the extension to analyze is stored locally or we provide a remote URL. With the local option, the names of the extensions contained in the working_directory we have defined can be autocompleted.


  • delete. Deletes analyses that have been carried out, removing the analysis files that are no longer useful. We can refer to the analyses with the reserved words ALL or SELECTED, or by extension name. It must be used with caution to avoid problems.
  • deselect. The reverse of the select command. It unmarks an extension as selected if you specify its name literally. You can also use the reserved word «ALL».
  • details. Shows the most relevant information about an extension, which we can choose using autocompletion. It is the same information we would see after running the analysis from the CLI. For the complete JSON we can use full_details.
  • exit. Closes the console.
  • full_details. Shows the corresponding JSON for the selected extension.
  • grep. A literal search over the stored analyses. It returns the names of the extensions whose analysis contains the literal string given after the command name. By default, the search covers only the selected extensions; if none are selected, it covers all of them.
  • help. The command that shows help.
  • list. Lists the analyses that have been carried out. We can also use the reserved words «ALL» and «SELECTED», and the wildcard «*» to indicate extensions that start with a given string (e.g. list ad*).

  • select. Selects some of the extensions we have previously listed (for example, in order to delete them or search within them).
  • set. Modifies specific values of the interface options, such as the working directory.
  • show. Shows information about the tool, such as its generic data (using show info) or the interface options (using show info).
  • update. Updates the list of known extensions. This is useful if, while the interface is open, another process (for example, the CLI launched with neto analyse -e miextension.xpi) keeps adding extensions.
Below is a short demonstration video of the Neto console, to give an idea of how to use it.


In the future…
Although Neto is still clearly a work in progress, our Innovation Laboratory at ElevenPaths wants to continue enhancing the tool. In the next few weeks we will talk about how to develop new analysis plugins that add further characteristics to look for in extensions, and about cases in which the tool helps to analyze an extension's characteristics at a glance. Meanwhile, to help us keep improving, you can always send us any questions about how it works and report any issues in the GitHub project. Any feedback will be well received.

Félix Brezo
Innovation and Laboratory Team at ElevenPaths
