Wtfis: Passive hostname, domain and IP lookup tool for non-robots
a year ago
- #command-line
- #cybersecurity
- #OSINT
- wtfis is a command-line tool for passive hostname, domain, and IP lookup, designed for human readability.
- It uses various OSINT services like Virustotal, IP2Whois, IPWhois, Shodan, Greynoise, URLhaus, and AbuseIPDB.
- The tool minimizes API calls to avoid hitting free-tier quotas and rate limits.
- Virustotal is the primary source, providing hostname details, reputation scores, popularity ranks, categories, and more.
- IP2Whois is recommended over Virustotal for whois data due to better quality and consistency.
- IPWhois provides geolocation and ASN lookup for IP addresses.
- Shodan can be used to find open ports and services on an IP, enabled with the -s flag.
- Greynoise identifies if an IP is scanning the internet or belongs to a common business application, enabled with the -g flag.
- URLhaus checks if a hostname or IP is used for malware distribution, enabled with the -u flag.
- AbuseIPDB provides abuse confidence scores and report counts for IPs, enabled with the -a flag.
- The tool accepts defanged input (e.g., api[.]google[.]com) and renders clickable hyperlinks in terminals that support them.
- Installation options include pip, conda, and brew; API keys are supplied through environment variables.
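Accepting defanged input means an analyst can paste an indicator straight from a report without first turning it back into a live, clickable hostname or URL. The following is an added illustration of that refang-and-classify step, written for this summary and not code from the wtfis project; it generalizes beyond the `api[.]google[.]com` case on the page to other common defang notations (`hxxp://`, `(.)`, `[:]`, `[at]`), and the sample indicators, the hostname regex and the function names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample indicators in common defanged notations (not from the page).
SAMPLES = [
    "api[.]google[.]com",
    "hxxps://evil[.]example[.]com/payload",
    "192[.]0[.]2[.]10",
    "example(.)com",
    "hxxp://198.51.100.7[:]8080/x",
]

# Defang notations seen in threat reports, mapped back to their live form.
_REPLACEMENTS = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[/\]"), "/"),
    (re.compile(r"\[at\]", re.IGNORECASE), "@"),
    (re.compile(r"^hxxp(s?)://", re.IGNORECASE), r"http\1://"),
]

# Simplified hostname check (assumption: labels of letters, digits and hyphens,
# at least one dot, alphabetic-led TLD). Good enough to route a lookup.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.IGNORECASE,
)


def refang(value):
    """Return the live form of a defanged hostname, IP or URL."""
    out = value.strip()
    for pattern, repl in _REPLACEMENTS:
        out = pattern.sub(repl, out)
    return out


def classify(value):
    """Refang an indicator and decide what kind of lookup it needs.

    Returns (kind, target) where kind is "ip", "hostname", "url" or "unknown"
    and target is the value a passive lookup would be keyed on (for a URL,
    its host component).
    """
    text = refang(value)
    try:
        ipaddress.ip_address(text)  # accepts IPv4 and IPv6
        return ("ip", text)
    except ValueError:
        pass
    if text.lower().startswith(("http://", "https://")):
        host = urlsplit(text).hostname or ""
        return ("url", host) if host else ("unknown", text)
    if _HOSTNAME_RE.match(text):
        return ("hostname", text.lower())
    return ("unknown", text)


if __name__ == "__main__":
    for sample in SAMPLES:
        kind, target = classify(sample)
        print(f"{sample:40} -> {kind:9} {target}")
```

Classifying up front is what lets a tool pick the right data sources (whois and reputation for a hostname, geolocation and ASN for an IP) and spend only the API calls that apply, which matters under the free-tier quotas the page mentions.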
- Default arguments can be set via the WTFIS_DEFAULTS environment variable.
- The tool can also be run from a Docker image, with instructions for building and running provided.