Smart OSINT Collection of Common IOC (Indicator of compromise) Types

This application is designed to assist security analysts and researchers with the collection and assessment of common IOC types. Accepted IOCs currently include IP addresses, domain names, URLs, and file hashes.

The title of this project is named after Mimir, a figure in Norse mythology renowned for his knowledge and wisdom. This application aims to provide you knowledge into IOCs and then some added "wisdom" by calculating risk scores per IOC, assigning a common malware family name to hash lookups based off of reports from VirusTotal and OPSWAT, and leveraging machine learning tools to determine if an IP, URL, or domain is likely to be malicious.

Base Collection

For network based IOCs, Mimir gathers basic information including:

• Whois
• ASN
• Geolocation
• Reverse DNS
• Passive DNS
• Collection Sources

Some of these sources will require an API key, and occasionally only by getting a paid account and tried to limit reliance on paid services as much as possible.

• PassiveTotal
• VirusTotal
• DomainTools
• OPSWAT
• Google SafeBrowsing
• Shodan
• PulseDive
• CSIRTG
• URLscan
• HpHosts
• Blacklist checks
• Spam blacklist checks
• Risk Scoring

The risk scoring works best when Mimir can gather a decent amount of data points for an IOC; pDNS, well populated url/domain results (communicating samples, associated samples, recent scan data, etc.) and also takes into account the ML malicious-ness prediction result.

Machine Learning Predictions

The machine learning prediction results come from the CSIRT Gadgets projects csirtg-domainsml-py, csirtg-ipsml-py, csirtg-urlsml-py.

Output

Mimir offers results output in various options including local file reports or exporting the results to an external service.

stdout (console output)
normalizes result data, printed with headers and subheaders per module

JSON file
beautified output to local file

Excel
uses multiple sheets per IOC type

MISP
commit new indicators

ThreatConnect
commit new indicators with confidence and threat ratings (optionally assign tags, a description, and a TLP setting)

Download Smart OSINT Collection

FinDomain- Fastest And Cross-platform Subdomain Enumerator.

Comparison
It comparison gives you a idea why you should use findomain instead of another enumerators. The domain used for the test was Microsoft.com in the following BlackArch virtual machine:

Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-3.1)
Kernel: 5.2.6-arch1-1-ARCH
CPU: Intel (Skylake, IBRS) (4) @ 2.904GHz
Memory: 139MiB / 3943MiB

Find-Domain used to calculate the time, is the time command in Linux.

You can see all the details of the tests in it link.

Enumeration Tool	Search Time	Total Subdomains Found	CPU Usage	RAM Usage
Findomain	real 0m38.701s	5622	Very Low	Very Low
assetfinder	real 6m1.117s	4630	Very Low	Very Low
Subl1st3r	real 7m14.996s	996	Low	Low
Amass*	real 29m20.301s	332	Very High	Very High

I can't wait to the amass test for finish, looks like it will never ends and additionally the resources usage is very high.

Note: The benchmark was made the 10/08/2019, since it point other software's can improve things and you will got different results.

Features

• Discover sub-domains without brute-force, it uses Certificate Transparency Logs.
• Discover sub-domains with or without IP address according to user arguments.
• Read target from user argument (-t).
• Read a list of targets from file and discover their sub-domains with or without IP and also write to output files per-domain if specified by the user, recursively.
• Write output to TXT file.
• Write output to CSV file.
• Write output to JSON file.
• Cross platform support: Any platform.
• Optional multiple API support.
• Proxy support.

Note: the proxy support is just to proxify APIs requests, the actual implementation to discover IP address of sub-domains doesn't support proxyfing and it's made using the host network still if you use the -p option.

How it works?

It tool doesn't use the common methods for sub(domains) discover, the tool uses Certificate Transparency logs to find sub-domains and it method make it tool the most faster and reliable. The tool make use of multiple public available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/

APIs that are using at the moment:

• Certspotter: https://api.certspotter.com/
• Crt.sh : https://crt.sh
• Virustotal: https://www.virustotal.com/ui/domains/
• Sublit3r: https://api.sublist3r.com/
• Facebook: https://developers.facebook.com/docs/certificate-transparency

If you know other that should be added, open an issue.

Supported platforms in our binary releases

All supported platforms in the binarys that we give are 64 bits only and we don't have plans to add support for 32 bits binary releases, if you want to have support for 32 bits follow the documentation.

• Linux
• Windows
• MacOS
• ARM
• Arch64 (Raspberry Pi)

Build for 32 bits or another platform

If you want to build the tool for your 32 bits system or another platform, follow it steps:

Note: You need to have rust, make and perl installed in your system first.

Using the Github source code:

• Clone the repository or download the release source code.
• Extract the release source code (only needed if you downloaded the compressed file).
• Go to the folder where the source code is.
• Execute cargo build --release
• Now your binary is in target/release/findomain and you can use it.

Installation Android (Termux)

Install the Termux package, open it and follow it commands:

$ pkg install rust make perl
$ cargo install findomain
$ cd $HOME/.cargo/bin
$ ./findomain

Installation in Linux using source code

If you want to install it, you can do that manually compiling the source or using the precompiled binary.

Manually: You need to have rust, make and perl installed in your system first.

$ git clone https://github.com/Edu4rdSHL/findomain.git
$ cd findomain
$ cargo build --release
$ sudo cp target/release/findomain /usr/bin/
$ findomain

Installation in Linux using compiled artifacts

$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
$ chmod +x findomain-linux
$ ./findomain-linux

If you are using the BlackArch Linux distribution, you just need to use:

$ sudo pacman -S findomain

Installation ARM

$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-arm
$ chmod +x findomain-arm
$ ./findomain-arm

Installation Aarch64 (Raspberry Pi)

$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-aarch64
$ chmod +x findomain-aarch64
$ ./findomain-aarch64

Installation Windows

Download the binary from 
https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-windows.exe

Open a CMD shell and go to the dir where findomain-windows.exe was downloaded.

Exec: findomain-windows in the CMD shell.

Installation MacOS

$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-osx
$ chmod +x findomain-osx.dms
$ ./findomain-osx.dms

Usage

You can use the tool in two ways, only discovering the domain name or discovering the domain + the IP address.

findomain 0.2.0
Eduard Tolosa <tolosaeduard@gmail.com>
A tool that use Certificates Transparency logs to find subdomains.

USAGE:
    findomain [FLAGS] [OPTIONS]

FLAGS:
    -a, --all-apis    Use all the available APIs to perform the search. It take more time but you will have a lot of
                      more results.
    -h, --help        Prints help information
    -i, --get-ip      Return the subdomain list with IP address if resolved.
    -V, --version     Prints version information

OPTIONS:
    -f, --file <file>        Sets the input file to use.
    -o, --output <output>    Write data to output file in the specified format. [possible values: txt, csv, json]
    -p, --proxy <proxy>      Use a proxy to make the requests to the APIs.
    -t, --target <target>    Target host

Examples

Make a simple search of subdomains and print the info in the screen:
findomain -t example.com

Make a simple search of subdomains using all the APIs and print the info in the screen:
findomain -t example.com -a

Make a search of subdomains and export the data to a CSV file:
findomain -t example.com -o csv

Make a search of subdomains using all the APIs and export the data to a CSV file:
findomain -t example.com -a -o csv

Make a search of subdomains and resolve the IP address of subdomains (if possible):
findomain -t example.com -i

Make a search of subdomains with all the APIs and resolve the IP address of subdomains (if possible):
findomain -t example.com -i -a

Make a search of subdomains with all the APIs and resolve the IP address of subdomains (if possible), exporting the data to a CSV file:
findomain -t example.com -i -a -o csv

Make a search of subdomains using a proxy (http://127.0.0.1:8080 in it case, the rest of aguments continue working in the same way, you just need to add the -p flag to the before commands):
findomain -t example.com -p http://127.0.0.1:8080

Download FinDomain

Slurp- Blackbox/Whitebox S3 Bucket Enumerator

To Evaluate the security of S3 buckets

Overview

• Credit to all the vendor packages to develop Slurp possible.
• Slurp is for pen-testers and security professionals to perform audits of s3 buckets.

Features

• Scan via domain(s); you can target a single domain or a list of domains
• Scan via keyword(s); you can target a single keyword or a list of keywords
• Scan via AWS credentials; you can target your own AWS account to see which buckets have been exposed
• Colorized output for visual grep
• Currently generates over 28,000 permutations per domain and keyword (thanks to @jakewarren and @random-robbie)
• Punycode support for internationalized domains
• Strong copyleft license (GPLv3)

Modes

There are two modes that this tool operates at; blackbox and whitebox mode. Whitebox mode (or internal) is significantly faster than blackbox (external) mode.

Blackbox (external)

In this mode, you are using the permutations list to conduct scans. It will return false positives and there is no way to link the buckets to an actual aws account! Do not open issues asking how to do this.

Domain


Keywords

Whitebox (internal)

In this mode, you are using the AWS API with credentials on a specific account that you own to see what is open. This method pulls all S3 buckets and checks Policy/ACL permissions. Note that, I will not provide support on how to use the AWS API.

Your credentials should be in ~/.aws/credentials.

Internal

Usage

• slurp domain <-t|--target> example.com will enumerate the S3 domains for a specific target.
• slurp keyword <-t|--target> linux,golang,python will enumerate S3 buckets based on those 3 key words.
• slurp internal performs an internal scan using the AWS API.

Installation

This project uses vgo; you can clone and go build or download from Releases section.

Please do not open issues on why you cannot build the project; this project builds like any other project would in Go, if you cannot build then I strongly suggest you read the go spec.

Also, the only binaries I'm including are linux/amd64; if you want mac/windows binaries, build it yourself.

Download Slurp

CloudCheck- To Test String If A Cloudflare DNS Bypass is Possible 

Cloudcheck is made to be used in the same folder as CloudFail. Make sure all files in this repo are in the same folder before using.

CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by Cloudflare in the hopes of discovering the location of the server.

Using Tor to mask all requests, the tool as of right now has 3 different attack phases.

• Misconfigured DNS scan using DNSDumpster.com.
• Scan the Crimeflare.com database.
• Bruteforce scan over 2500 subdomains.

Cloudcheck create a empty text file called none.txt in the data folder, that way it doesn't do a subdomain brute when testing.

Cloudcheck will automatically change your hosts file, using entries from CloudFail and test for a specified string to detect if said entry can be used to bypass Cloudflare.

If output comes out to be "True", you can use the IP address to bypass Cloudflare in your hosts file. (Later automating this process)

Download Cloudcheck

Simple command line forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.

usbrip (derived from "USB Ripper", not "USB R.I.P." astonished) is an open source forensics tool with CLI interface that lets you keep track of USB device artifacts (aka USB event history, "Connected" and "Disconnected" events) on Linux machines.

usbrip is a small piece of software written in pure Python 3 (using some external modules though, see Dependencies/PIP) which parses Linux log files (/var/log/syslog* or /var/log/messages* depending on the distro) for constructing USB event history tables. Such tables may contain the following columns: "Connected" (date & time), "User", "VID" (vendor ID), "PID" (product ID), "Product", "Manufacturer", "Serial Number", "Port" and "Disconnected" (date & time).

Besides, it also can:

• export gathered information as a JSON dump (and open such dumps, of course);
• generate a list of authorized (trusted) USB devices as a JSON (call it auth.json);
• search for "violation events" based on the auth.json: show (or generate another JSON with) USB devices that do appear in history and do NOT appear in the auth.json;
• When installed with -s flag create crypted storages (7zip archives) to automatically backup and accumulate USB events with the help of crontab scheduler;
• search additional details about a specific USB device based on its VID and/or PID.

Quick Start

usbrip is available for download and installation at PyPI:

$ pip3 install usbrip

Git Clone

For simplicity, lets agree that all the commands where ~/usbrip$ prefix is appeared are executed in the ~/usbrip directory which is created as a result of git clone:

~$ git clone https://github.com/snovvcrash/usbrip.git usbrip && cd usbrip
~/usbrip$

Dependencies

usbrip works with non-modified structure of system log files only, so, unfortunately, it won't be able to parse USB history if you change the format of syslogs (with syslog-ng or rsyslog, for example). That's why the timestamps of "Connected" and "Disconnected" fields don't have the year, by the way. Keep that in mind.

DEB Packages

• python3.6 (or newer) interpreter
• python3-venv
• p7zip-full (used by storages module)
• ~$ sudo apt install -y python3-venv p7zip-full

PIP Packages

usbrip makes use of the following external modules:

• terminaltables
• termcolor

To resolve Python dependencies manually (it's not necessary actually because pip or setup.py can automate the process, see Installation) create a virtual environment (optional) and run pip from within:

~/usbrip$ python3 -m venv venv && source venv/bin/activate
(venv) ~/usbrip$ pip install -r requirements.txt

Or let the pipenv one-liner do all the dirty work for you:

~/usbrip$ pipenv install && pipenv shell

After that you can run usbrip portably:

(venv) ~/usbrip$ python -m usbrip -h
Or
(venv) ~/usbrip$ python __main__.py -h

Installation

There are two ways to install usbrip into the system: pip or setup.py.

pip or setup.py

First of all, usbrip is pip installable. This means that after git cloning the repo you can simply fire up the pip installation process and after that run usbrip from anywhere in your terminal like so:

~/usbrip$ python3 -m venv venv && source venv/bin/activate
(venv) ~/usbrip$ pip install .

(venv) ~/usbrip$ usbrip -h

Or if you want to resolve Python dependencies locally (without bothering PyPI), use setup.py:

~/usbrip$ python3 -m venv venv && source venv/bin/activate
(venv) ~/usbrip$ python setup.py install

(venv) ~/usbrip$ usbrip -h

alien Note: you'd likely want to run the installation process while the Python virtual environment is active (like it is shown above).

install.sh

Secondly, usbrip can also be installed into the system with the ./installers/install.sh script.

When using the ./installers/install.sh some extra features become available:

• the virtual environment is created automatically;
• the storage module becomes available: you can set a crontab job to backup USB events on a schedule (the example of crontab jobs can be found in usbrip/cron/usbrip.cron).

Warning: if you are using the crontab scheduling, you want to configure the cron job with sudo crontab -e in order to force the storage update submodule run as root as well as protect the passwords of the USB event storages. The storage passwords are kept in /var/opt/usbrip/usbrip.ini.

The ./installers/uninstall.sh script removes all the installation artifacts from your system.

To install usbrip use:

~/usbrip$ chmod +x ./installers/install.sh
~/usbrip$ sudo -H ./installers/install.sh [-l/--local] [-s/--storages]
~/usbrip$ cd

~$ usbrip -h

• When -l switch is enabled, Python dependencies are resolved from local .tar packages (./3rdPartyTools/) instead of PyPI.
• When -s switch is enabled, not only the usbrip project is installed, but also the list of trusted USB devices, history and violations storages are created.

Note: when using -s option during installation, make sure that system logs do contain at least one external USB device entry. It is a necessary condition for usbrip to successfully create the list of trusted devices (and as a result, successfully create the violations storage).

After the installation completes, feel free to remove the usbrip folder.

Paths

When installed, the usbrip uses the following paths:

• /opt/usbrip/ — project's main directory;
• /var/opt/usbrip/usbrip.ini — usbrip configuration file: keeps passwords for 7zip storages;
• /var/opt/usbrip/storage/ — USB event storages: history.7z and violations.7z (created during the installation process);
• /var/opt/usbrip/log/ — usbrip logs (recommended to log usbrip activity when using crontab, see usbrip/cron/usbrip.cron);
• /var/opt/usbrip/trusted/ — list of trusted USB devices (created during the installation process);
• /usr/local/bin/usbrip — symlink to the /opt/usbrip/venv/bin/usbrip script.

cron

Cron jobs can be set as follows:

~/usbrip$ sudo crontab -l > tmpcron && echo "" >> tmpcron
~/usbrip$ cat usbrip/cron/usbrip.cron | tee -a tmpcron
~/usbrip$ sudo crontab tmpcron
~/usbrip$ rm tmpcron

uninstall.sh

To uninstall usbrip use:

~/usbrip$ chmod +x ./installers/uninstall.sh
~/usbrip$ sudo ./installers/uninstall.sh [-a/--all]

When -a switch is enabled, not only the usbrip project directory is deleted, but also all the storages and usbrip logs are deleted too.

And don't forget to remove the cron job.

Usage

Synopsis

# ---------- BANNER ----------

$ usbrip banner
Get usbrip banner.

# ---------- EVENTS ----------

$ usbrip events history [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Get USB event history.

$ usbrip events open <DUMP.JSON> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Open USB event dump.

$ usbrip events gen_auth <OUT_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Generate a list of trusted (authorized) USB devices.

$ usbrip events violations <IN_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Get USB violation events based on the list of trusted devices.

# ---------- STORAGE ----------

$ usbrip storage list <STORAGE_TYPE> [-q] [--debug]
List contents of the selected storage (7zip archive). STORAGE_TYPE is "history" or "violations".

$ usbrip storage open <STORAGE_TYPE> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-q] [--debug]
Open selected storage (7zip archive). Behaves similary to the EVENTS OPEN submodule.

$ usbrip storage update <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
Update storage — add USB events to the existing storage (7zip archive). COMPRESSION_LEVEL is a number in [0..9].

$ usbrip storage create <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
Create storage — create 7zip archive and add USB events to it according to the selected options.

$ usbrip storage passwd <STORAGE_TYPE> [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
Change password of the existing storage.

# ---------- IDs ----------

$ usbrip ids search [--vid <VID>] [--pid <PID>] [--offline] [-q] [--debug]
Get extra details about a specific USB device by its <VID> and/or <PID> from the USB ID database.

$ usbrip ids download [-q] [--debug]
Update (download) the USB ID database.

Help

To get a list of module names use:

$ usbrip -h

To get a list of submodule names for a specific module use:

$ usbrip <module> -h

To get a list of all switches for a specific submodule use:

$ usbrip <module> <submodule> -h

Examples

Show the event history of all USB devices, supressing banner output, info messages and user interaction (-q, --quiet), represented as a list (-l, --list) with latest 100 entries (-n NUMBER, --number NUMBER):

$ usbrip events history -ql -n 100

Show the event history of the external USB devices (-e, --external, which were actually disconnected) represented as a table (-t, --table) containing "Connected", "VID", "PID", "Disconnected" and "Serial Number" columns (-c COLUMN [COLUMN], --column COLUMN [COLUMN]) filtered by date (-d DATE [DATE ...], --date DATE [DATE ...]) with logs taken from the outer files (-f FILE [FILE ...], --file FILE [FILE ...]):

$ usbrip events history -et -c conn vid pid disconn serial -d "Dec  9" "Dec 10" -f /var/log/syslog.1 /var/log/syslog.2.gz

Build the event history of all USB devices and redirect the output to a file for further analysis. When the output stream is NOT terminal stdout (| or > for example) there would be no ANSI escape characters (color) in the output so feel free to use it that way. Also notice that usbrip uses some UNICODE symbols so it would be nice to convert the resulting file to UTF-8 encoding (with encov for example) as well as change newline characters to Windows style for portability (with awk for example):

usbrip history events -t | awk '{ sub("$", "\r"); print }' > usbrip.out && enconv -x UTF8 usbrip.out

Remark: you can always get rid of the escape characters by yourself even if you have already got the output to stdout. To do that just copy the output data to usbrip.out and add one more awk instruction:

awk '{ sub("$", "\r"); gsub("\\x1B\\[[0-?]*[ -/]*[@-~]", ""); print }' usbrip.out && enconv -x UTF8 usbrip.out

Generate a list of trusted USB devices as a JSON-file (trusted/auth.json) with "VID" and "PID" attributes containing the first three devices connected on September 26:

$ usbrip events gen_auth trusted/auth.json -a vid pid -n 3 -d "Sep 26"

Search the event history of the external USB devices for violations based on the list of trusted USB devices (trusted/auth.json) by "PID" attribute, restrict resulting events to those which have "Bob" as a user, "EvilUSBManufacturer" as a manufacturer, "1234567890" as a serial number and represent the output as a table with "Connected", "VID" and "PID" columns:

$ usbrip events violations trusted/auth.json -a pid -et --user Bob --manufact EvilUSBManufacturer --serial 1234567890 -c conn vid pid

Search for details about a specific USB device by its VID (--vid VID) and PID (--pid PID):

$ usbrip ids search --vid 0781 --pid 5580

Download the latest version of usb_ids/usb.ids database (the source is here):

$ usbrip ids download

Download USBrip