Listen to this Post

Introduction:
In red team operations, domain categorization often becomes a bottleneck—manually verifying how your domains are classified across dozens of security vendors and submitting recategorization requests is tedious, error‑prone, and time‑consuming. Classifier is a newly open‑sourced tool that automates this entire workflow, leveraging stealth browser automation, CAPTCHA solving, and vendor‑specific authentication flows to check and recategorize domains across 12 major security vendors with a single command.
Learning Objectives:
- Understand the critical role domain categorization plays in red team infrastructure management.
- Learn to install, configure, and operate Classifier for automated categorization checks and recategorization submissions.
- Gain insights into the underlying browser automation techniques and how to extend the tool for custom vendor support.
1. Installation and Environment Setup
Classifier is a Python‑based tool that relies on `undetected-chromedriver` for stealth browser automation and external APIs for CAPTCHA solving. The first step is to clone the repository and install dependencies.
Step‑by‑step guide (Linux/macOS):
Clone the repository git clone https://github.com/KaynRO/classifier.git cd classifier Create and activate a virtual environment (recommended) python3 -m venv venv source venv/bin/activate Install required packages pip install -r requirements.txt
Windows equivalent:
git clone https://github.com/KaynRO/classifier.git cd classifier python -m venv venv venv\Scripts\activate pip install -r requirements.txt
After installation, you need to set up your 2Captcha API key (for automated CAPTCHA solving) and any vendor‑specific credentials. Export them as environment variables:
export 2CAPTCHA_API_KEY="your_2captcha_api_key_here" export PALOALTO_USERNAME="your_paloalto_username" export PALOALTO_PASSWORD="your_paloalto_password" Repeat for other vendors as needed
What this does:
The environment variables are read by Classifier during runtime, allowing it to authenticate with vendor portals and solve CAPTCHAs without exposing credentials in command‑line history.
2. Configuring Vendor Authentication Flows
Classifier supports a wide range of authentication mechanisms—from simple login forms to complex SAML SSO (Cisco) and Azure AD B2C. Configuration is handled through a YAML file (config.yaml) or directly via environment variables.
Step‑by‑step guide:
- Open the provided `config.example.yaml` and rename it to
config.yaml. - For each vendor you plan to use, fill in the required credentials. Example snippet for Palo Alto:
paloalto: username: ${PALOALTO_USERNAME} password: ${PALOALTO_PASSWORD} optional: use headless mode headless: false - For vendors like Cisco Talos that use SAML, you may need to provide additional parameters such as the organization ID:
talos: saml_org: "your_org_id" username: ${TALOS_USERNAME} password: ${TALOS_PASSWORD} - Save the file and ensure the environment variables are set.
What this does:
Classifier loads these credentials and uses them to automate login sequences. The tool mimics human interactions (typing delays, mouse movements) to reduce the risk of bot detection.
3. Performing Domain Categorization Checks
Once configured, you can immediately check the current categorization of any domain across all supported vendors with a single command.
Step‑by‑step guide:
python classifier.py --check example.com
This command will:
- Launch an undetected Chrome browser instance for each vendor (or reuse sessions).
- Navigate to the vendor’s lookup portal.
- Submit the domain and scrape the returned category.
- Save the results in a structured JSON file (default:
results/example.com.json).
Sample output:
{
"domain": "example.com",
"timestamp": "2025-02-18T10:30:00Z",
"vendors": {
"paloalto": "business",
"trendmicro": "uncategorized",
"talos": "low risk",
"virustotal": "clean"
}
}
What this does:
It aggregates categorization data from multiple sources, giving you a comprehensive view of how your infrastructure is perceived by different security vendors—essential for planning phishing campaigns or C2 infrastructure.
4. Submitting Recategorization Requests
If a domain is incorrectly categorized (e.g., marked as “malicious” when it’s benign), Classifier can automatically submit recategorization requests to vendors that support this feature.
Step‑by‑step guide:
python classifier.py --recategorize example.com --vendor paloalto --category business
– The `–vendor` flag specifies which vendor to target; you can also use `–all` to submit to all supported vendors.
– `–category` defines the desired category (e.g., “business”, “information technology”).
– The tool will handle CAPTCHAs automatically using 2Captcha (both image‑based and reCAPTCHA v2/v3/Enterprise, as well as Cloudflare Turnstile).
– For vendors that require additional justification, you can provide a comment via --comment "Legitimate business site".
What this does:
It automates the entire submission process, including filling forms, solving CAPTCHAs, and clicking submit buttons. This can reduce a 15‑minute manual task to a few seconds.
5. Understanding the Stealth Browser Automation
Classifier uses undetected-chromedriver—a patched version of Selenium that evades common bot detection mechanisms. It also implements human‑like interaction patterns.
Key techniques:
- Randomized delays between keystrokes and clicks.
- Natural mouse movements (using `ActionChains` with Bézier curves).
- Browser fingerprint spoofing (viewport size, user agent, etc.).
- Handling of pop‑ups and unexpected dialogs.
To run in headless mode (for servers), set `headless: true` in the config. However, some portals detect headless browsers; Classifier can optionally use a real display via Xvfb on Linux.
Example debugging:
If a vendor fails, you can enable verbose logging:
python classifier.py --check example.com --verbose
This will output detailed steps and save screenshots of the browser window at failure points (found in logs/screenshots/).
6. Adding Custom Vendors
Classifier’s modular design makes it easy to add new vendors. Each vendor is implemented as a Python class in the `vendors/` directory, inheriting from a base `Vendor` class.
Step‑by‑step guide to add a new vendor:
1. Create a new file, e.g., `vendors/mynewvendor.py`.
- Define a class that inherits from `Vendor` and implements the required methods:
from .base import Vendor</li> </ol> class MyNewVendor(Vendor): name = "mynewvendor" check_url = "https://vendor.com/lookup" recategorize_url = "https://vendor.com/submit" def check(self, domain): Implement the logic to navigate, fill form, and extract category pass def recategorize(self, domain, category, comment=""): Implement the recategorization submission pass
3. Add authentication handling if needed (use `self.login()` for reusable sessions).
4. Register the vendor in `vendors/__init__.py` by adding it to the `__all__` list.What this does:
It allows the community to expand coverage, ensuring the tool stays up‑to‑date with new vendors or changes in existing portals.
7. Advanced Usage and Operational Security (OpSec) Tips
When using Classifier in live red team engagements, consider these best practices:
- Use residential proxies to avoid IP‑based rate limiting or blocks. Configure them in
config.yaml:proxy: "http://user:pass@proxy_ip:port"
- Rotate user agents and browser fingerprints by modifying the `undetected-chromedriver` options.
- Run from a disposable VM or container to prevent credential leakage.
- Schedule regular checks using cron or Task Scheduler to monitor categorization changes over time.
Example cron job (daily at 2 AM):
0 2 cd /path/to/classifier && python classifier.py --check mydomain.com --output /reports/$(date +\%Y-\%m-\%d).json
What Undercode Say:
- Key Takeaway 1: Automating domain categorization checks and recategorization saves red teams dozens of hours per engagement, allowing them to focus on core operational tasks instead of manual portal gymnastics.
- Key Takeaway 2: The use of stealth browser automation (undetected-chromedriver) and integrated CAPTCHA solving (2Captcha) makes Classifier resilient against anti‑bot measures, ensuring high success rates even on heavily protected vendor portals.
- Analysis: By open‑sourcing Classifier, the author has lowered the barrier for red teams to maintain clean infrastructure. The modular architecture invites community contributions, which will likely lead to support for even more vendors and faster adaptation to portal changes. However, teams must be cautious: aggressive automation could trigger vendor alerts or lead to IP blacklisting if not paired with proper OpSec measures like proxies and session rotation.
Prediction:
As web filtering vendors increasingly adopt AI‑driven categorization and real‑time threat intelligence, tools like Classifier will need to evolve. Future versions may incorporate machine learning to predict categorization changes or use headless browser farms with distributed IPs to avoid rate limits. This could spark an arms race where vendors deploy more sophisticated bot detection (e.g., behavioral analysis), while red teams respond with even more human‑like automation and CAPTCHA‑solving services. Ultimately, the cat‑and‑mouse game will push both sides toward more advanced, automated infrastructure management techniques.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Andrei Grigoras – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:
- Use residential proxies to avoid IP‑based rate limiting or blocks. Configure them in


