Monkeyspaw: The Greasemonkey Security Professional's WebThinger

by Tod Beardsley, August, 2006

Monkeyspaw is a mildly complex Greasemonkey user script I wrote for Black Hat in order to demonstrate Greasemonkey as an AJAX-ish information gathering framework. It's not really designed for casual users, though -- that's why it has "Security Professional" in the name.

However, I've had some requests to put together some straightforward documentation on getting going with Monkeyspaw with minimal fuss. Thus, this document.

Step One: Install Firefox

Firefox is pretty much a must for Greasemonkey and Monkeyspaw. There are reportedly ports of Greasemonkey for Internet Explorer, such as GreasemonkIE, but I really have no idea how those work. If you get it going, super. Let me know.

Step Two: Install Greasemonkey

Next, you'll need to install Greasemonkey (click on that to get started and come back here when you're done). You will probably get a warning from Firefox in the upper part of your browser asking if you're sure you trust greasemonkey.mozdev.org -- you ought to.

By itself, Greasemonkey doesn't do a whole lot, but it's the engine which powers all the cool stuff that Monkeyspaw does -- and about a zillion other user scripts of varying degrees of usefulness.

Step Three: Install Monkeyspaw

This is the easiest part -- clicking here will display the script in your browser, and a handy install button near the top. Once that's done, Greasemonkey is installed and ready to go.

What to Expect: Functionality Screenshots

So now that you've gone through all that trouble, what should you expect to see? Well, take your typical phishing site, like this one:

The Monkeyspaw Console

By itself, this site would look just like any other phishing site. But now that you have Monkeyspaw installed, you get the Monkeyspaw Console displayed on pretty much every site you visit, allowing you to perform several in-window functions on the site you're viewing.

IP Query

Checking the IP Query box will return some information about the site's IP address:

Monkeyspaw does this (and most other useful functions) by leveraging Greasemonkey's GM_xmlhttpRequest() function to connect to other websites and ask specific questions about the currently-viewed web site. In this case, Monkeyspaw looks up the IP address by going out to a "ping" web service which will resolve the DNS name of the site to an IP address, then looks that IP address up at a free geolocation service.

This, in a nutshell, demonstrates both the power of Greasemonkey (it can violate the otherwise pretty strict rule on mingling data from different domains in a useful way), and my own laziness. After all, I could just go out to these websites myself and type the domain name in to get the same results -- but this method allows me to do it with one click -- or one keystroke, since the IP Lookup checkbox is bound to the "Alt-I" access key ("Shift-Alt-I" in Firefox 2.0).

DNS Lookup

Not to be limited to mere IP address queries, we can interrogate the hostname, too:

Note that these data boxes also provide links to still other sites that may provide more complete information about the particular aspect of the site that we're interested in. For example, the DNS Lookup box's SiteAdvisor link will open a new Firefox tab directly to SiteAdvisor's entry for this particular page. While this isn't typically useful for phishing sites, it comes in handy for sites that you might merely suspect to be evil, such as a fake anti-spyware site which really just delivers more spyware.

Server Info

The Server Info box is unique in that it merely re-queries the site you're currently on, and this time captures the HTTP server headers for easy reading:

This solves my biggest irritation with web site investigation -- there is no built in button on Firefox or IE which allows me to see the HTTP server info easily and quickly. Monkeyspaw also does some handy (for me at least) syntax highlighting, so I can tell immediately, for example, that I'm looking at an Apache site, if there are any interesting X-Headers, etc. It's especially useful for giving a quick hint as to what the phisher used to gain control of the server in the first place, simply by looking at the version numbers for all the Apache modules installed.
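The Server Info lookup described above, sketched as an added example (this is not Monkeyspaw's own code): it parses the raw header string that GM_xmlhttpRequest() returns, tags the Server banner and any X- headers, and splits the banner into product/version pairs. The function names, the constructed sample headers and the choice of a HEAD request are assumptions of this example.

```javascript
// Added example, not Monkeyspaw's code: read the raw header string from
// GM_xmlhttpRequest and pick out what an investigator looks at first.

// Constructed sample, in the shape of response.responseHeaders.
const SAMPLE_HEADERS =
  "Date: Tue, 01 Aug 2006 12:00:00 GMT\r\n" +
  "Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7d PHP/4.3.11\r\n" +
  "X-Powered-By: PHP/4.3.11\r\n" +
  "Content-Type: text/html\r\n";

// Split "Name: value" lines; repeated headers stay as separate entries.
function parseHeaders(raw) {
  return raw.split(/\r?\n/)
    .map((line) => line.match(/^([^:\s]+):\s*(.*)$/))
    .filter(Boolean)
    .map((m) => ({ name: m[1], value: m[2].trim() }));
}

// Pull product/version tokens out of a banner such as the Server header.
function bannerComponents(banner) {
  const out = [];
  const re = /([A-Za-z][\w.+-]*)\/([\w.+-]+)/g;
  let m;
  while ((m = re.exec(banner)) !== null) {
    out.push({ product: m[1], version: m[2] });
  }
  return out;
}

// Tag each header as a highlighter would: server banner, X- header, or plain.
function summarize(raw) {
  const headers = parseHeaders(raw).map((h) => {
    const lower = h.name.toLowerCase();
    const kind = lower === "server" ? "server"
      : lower.startsWith("x-") ? "x-header" : "plain";
    return { ...h, kind };
  });
  const banner = headers.find((h) => h.kind === "server");
  return { headers, components: banner ? bannerComponents(banner.value) : [] };
}

// Inside a user script only: re-request the current page and log the summary.
// HEAD is this example's choice; the page does not say which method is used.
if (typeof GM_xmlhttpRequest === "function" && typeof GM_log === "function") {
  GM_xmlhttpRequest({
    method: "HEAD",
    url: window.location.href,
    onload: (response) => GM_log(JSON.stringify(summarize(response.responseHeaders))),
  });
}
```

Outside a user script manager the final block is skipped, so the parsing functions can be exercised on saved header dumps as well.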

Report

Report is probably the most directly useful button on the console:

This is currently the only interactive data box provided by Monkeyspaw. Basically, it's a one-click/one-keystroke interface to the most excellent Phishing Incident Reporting and Termination (PIRT) Squad at Castle Cops. These guys do great work in not only analysis and reporting of current phishing activity, but are surprisingly effective at their primary mission of phishing site takedown. So, reporting phishing sites via Monkeyspaw ought to effect a takedown that much more quickly.

Text Logging

Another interesting feature of Greasemonkey is its ability to create custom "error" messages in the Javascript console. While this is intended for tracking along development of whatever Greasemonkey script you're working on at the moment, I figured it would make a great spot to stash all the data Monkeyspaw gathers on the sites you visit:

Thus, you can play with Monkeyspaw for a while, then when you want to save off whatever data you found, it's easy to just cut-n-paste it out of the log.

Draggable Boxes and Hidden Content

Inspired by OmniFeedster, a user script by Mark Pilgrim, I also wanted the data boxes to be moveable around the page, on the off chance that one of them was covering up some interesting part of the site in question:

Just grab on to the data box title and drag it around. However, it turns out it can be quite a pain if you accidentally drag one off the screen. It's pretty much gone forever. This is why they all snap back to their default locations on the next page load.

Also, if you use Monkeyspaw routinely for more than five minutes or so, you'll find that the console, while adorable, grows quite irritating. So, by editing the script (right-click on the Greasemonkey face, select Manage User Scripts, select Monkeyspaw Console, hit Edit), you can set the MonkeyspawConsoleOpacity variable to 0 (zero). This incidentally demonstrates well that it's easy (and fun) to edit Monkeyspaw scripts "live" -- the changes are persistent, and will take effect on the next page load.

Making the console invisible will have no effect on the access keys for functionality: "Alt-I" for IP Query, "Alt-D" for Domain Lookup, "Alt-S" for Server Info, and "Alt-R" for Report. (Hit the access key again to make the data boxes disappear, too.)

Note for Firefox 2.0 users: The fine people at Mozilla changed the behavior of access keys in FF 2.0. Now, access keys require a Shift-Alt combination in order to avoid conflicting with other browser keystroke functionality. So, your hand has to contort a little more now, but it's fine for lefties like me.

Thanks for Reading

Comments and ideas for improvement are always welcome, since I'd love to see the Monkeyspaw project blossom into an entire, fully-functional, single-interface suite of investigatory GM scripts. So, feel free to e-mail me at .