As a security investigator, you've encountered a common frustration: Chrome extensions making suspicious DNS requests, but they're nearly impossible to trace back to their source. Why? Because all DNS requests appear to come from the chrome process, making it extremely difficult to determine which extension is responsible for what network activity.
Traditional network monitoring tools show:
Process: chrome.exe
DNS Query: suspicious-domain.com
But which extension made that request? The trail goes cold... until now.
ExtensionHound is purpose-built to solve this forensic challenge by:
- Analyzing Chrome's internal network state
- Correlating DNS requests with specific extensions
- Revealing the hidden connections between extensions and their network activities
ExtensionHound is a powerful forensic tool that breaks through the chrome process attribution barrier, allowing you to:
- 🔍 Scans Chrome profiles for extension DNS request history
- 📊 Provides detailed analysis of network connections
- 🌐 Optional VirusTotal integration for domain reputation checking
- 🔐 Optional Secure Annex integration for extension details (users, rating,Yara pattern matching)
- 📁 Multiple output formats (Console, CSV, JSON)
- 🖥️ Cross-platform support (Windows, macOS, Linux)
- Clone the repository:
git clone https://github.com/arsolutioner/ExtensionHound.git
cd ExtensionHound- Create and activate a virtual environment (recommended):
python -m venv venv
source venv/bin/activate # On Windows, use: venv\Scripts\activate- Install required packages:
pip install -r requirements.txt- Set up API integrations (optional):
- Create a
.envfile in the project root - Add your API keys:
# VirusTotal API Key for domain reputation checks VT_API_KEY=your_virustotal_api_key_here # Secure Annex API Key for extension details SECUREANNEX_API_KEY=your_secureannex_api_key_here # Rate limit for API calls (per minute) RATE_LIMIT_PER_MINUTE=4
- Create a
Common flags:
--chrome-dir PATH: Specify custom Chrome directory--vt: Enable VirusTotal domain checking--secure-annex: Enable Secure Annex extension details--output FORMAT: Choose output format (csv/json)--output-file PATH: Specify output file path
Here are some practical examples of how to use ExtensionHound:
python ExtensionHound.py --output csv --output-file audit_results.csvpython ExtensionHound.py --vt --secure-annex --output json --output-file "audits/$(date +%Y-%m-%d)_security_report.json"# Analyze a specific Chrome profile
python ExtensionHound.py --chrome-dir "/path/to/Chrome User Data/Profile 1"
# Deep dive into the Default profile with all features enabled
python ExtensionHound.py --chrome-dir "/path/to/Chrome User Data/Default" --vt --secure-annex- Checks domain reputation against VirusTotal's database
- Shows detection ratios with severity indicators:
- ✅ Clean (0 detections)
⚠️ Low Risk (1-2 detections)- 🚨 Medium Risk (3-9 detections)
- ⛔ High Risk (10+ detections)
- Retrieves detailed information about Chrome extensions:
- Extension name and developer
- Number of active users
- Extension rating
- Helps identify potentially malicious or suspicious extensions
- YARA Rules Integration
- Uses YARA rules for advanced extension signature detection
- Identifies potentially malicious extensions based on code patterns
- Helps detect known malicious behaviors and techniques
- 💼 LinkedIn: Amram Englander
- 📧 Secure Email: [email protected]
- 🛡️ For urgent security assistance or consultation, feel free to reach out via ProtonMail or LinkedIn
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.