Awesome
EKFiddle v.1.2.6
An extension/rules for the Fiddler Classic web debugger to analyze malicious web traffic.
Fiddler Classic
Installation
-
Download and install Fiddler from here: https://www.telerik.com/fiddler
-
Download and run EKFiddleExtension.exe
Alternatively, download EKFiddle.dll and put it into Fiddler's Scripts folder (%AppData%\Local\Programs\Fiddler\Scripts
)
Note: The EKFiddle.dll
version replaces the previous CustomRules.cs
.
Features
Top level menu
The top level menu gives you the ability to access certain features and settings for the EKFiddle extension.
Regexes
The Regexes menu item lets you view, edit, run and update the regexes that are used to identify web sessions and color them / add comments accordingly.
Added support for AND/OR operators:
[regex] *AND* [regex] *AND* [regex]
[regex] *OR* [regex] *OR* [regex]
YARA support
Advanced Filters
The Advanced Filters menu item is for filtering web traffic based on a compiled list of domains, URLs, IP addresses, or hashes that you want to exclude.
You can also filter traffic by tags:
UI mode
Fiddler's default UI only shows a limited number of columns. By choosing the Advanced UI, you can view more information about web sessions, including CMS type, SHA-256, etc.
Real-time monitoring options
- Real-time monitoring
- CMS detection
- Inspect Images (slow)
These real-time options can be enabled to automatically flag traffic as web sessions are being captured. CMS detection attempts to identify what kind of Content Management System a website is running and displays it within a new column (Advanced UI required). Inspect Images will look at the content of supposed images to see if they are the wrong mime-type or hide content (steganography).
Themes
Customize Fiddler's application and SAZ icons with the EKFiddle theme or retro versions of Fiddler.
AutoBrowser
Automate browsing tasks by loading a list of URLs from a text file and let Fiddler record all the traffic.
Upstream proxy
Connect to another proxy (anonymous or private) via Fiddler
Check for Updates...
Check for the latest version of EKFiddle.
About
Displays the About page for the EKFiddle project.
Contextual menu
The contextual menu (right click) allows you to perform additional actions on the selected web session(s).
Hostname
- Copy
- Google Search
- Internet Archive Lookup
- Sucuri SiteCheck Scan
- Urlscan.io Lookup
- VirusTotal Lookup
IP Address
- Copy
- Google Search
- Urlscan.io Lookup
- VirusTotal Lookup
Response Body
- Copy SHA-256
- Copy SHA-1
- Copy MD5
- Save to Disk
- Urlscan.io Lookup
- VirusTotal Lookup
Extract
- Google Analytics ID
- Phone Number
Filter
- Hide Hostname
- Hide IP Address
- Hide URL
- Hide Response Body Hash
Connect-the-dots
This feature enables you to see the flow between a web session and previous ones. This is helpful to retrace traffic.
Full Traffic Summary
Copies to the clipboard a text-base summary of web sessions that can be easily used to share with others.
Tags
Add or edit tags (separate column in Advanced UI mode) for each web session.
Uninstallation
- Delete EKFiddle.dll from Fiddler's Script folder, delete EKFiddle's folder (
Documents\Fiddler2\EKFiddle
)