Harpoon
OSINT / Threat Intel CLI tool.
Install
Requirements
As a pre-requesite for Harpoon, you need to install lxml requirements, on Debian/Ubuntu : sudo apt-get install libxml2-dev libxslt-dev python3-dev
.
You need to have geoipupdate installed and correctly configured to use geolocation correctly (make sure you to have GeoLite2-Country GeoLite2-City GeoLite2-ASN
as EditionIDs
).
Installing harpoon
You can simply install the package from pypi with pip install harpoon
If the above install instructions didn't work, you can build the tool from source by executing the following commands in the terminal (this assumes you are using virtualenvs):
git clone https://github.com/Te-k/harpoon.git
cd harpoon
pip3 install .
You may want to install harpoontools to have additional commands using harpoon features.
Configuration
To configure harpoon, run harpoon config
and fill in the needed API keys.
Then run harpoon update
to download needed files. Check what plugins are configured with harpoon config -c
.
See the wiki for more information.
Updating Harpoon
If you installed harpoon from pypi, just do pip install -U harpoon
.
If you installed harpoon from the git repository, go to the repository and use the following commands:
git pull origin master
pip install .
Usage
After configuration the following plugins are available within the harpoon
command:
asn Gather information on an ASN
binaryedge Request BinaryEdge API
cache Requests webpage cache from different sources
censys Request information from Censys database (https://censys.io/)
certspotter Get certificates from https://sslmate.com/certspotter
circl Request the CIRCL passive DNS database
config Configure Harpoon
crtsh Search in https://crt.sh/ (Certificate Transparency database)
cybercure Search cybercure.ai intelligence database for specific indicators.
dns Map DNS information for a domain or an IP
dnsdb Requests Farsight DNSDB
email Gather information on an email address
fullcontact Requests Full Contact API (https://www.fullcontact.com/)
github Request Github information through the API
greynoise Request information from GreyNoise API (pick Community or Enterprise via api_type config)
hashlookup Request CIRCL Hash Lookup db
help Give help on an Harpoon command
hibp Request Have I Been Pwned API (https://haveibeenpwned.com/)
hunter Request hunter.io information through the API
hybrid Requests Hybrid Analysis platform
intel Gather information on a domain
ip Gather information on an IP address
ipinfo Request ipinfo.io information
koodous Request Koodous API
malshare Requests MalShare database
misp Get information from a MISP server through the API
numverify Query phone number information from NumVerify
opencage Forward/Reverse Geocoding using OpenCage
otx Requests information from AlienVault OTX
permacc Request Perma.cc information through the API
pgp Search for information in PGP key servers
pt Requests Passive Total database
pulsedive Request PulseDive API
quad9 Check if a domain is blocked by Quad9
robtex Search in Robtex API (https://www.robtex.com/api/)
safebrowsing Check if the given domain is in Google safe Browsing list
save Save a webpage in cache platforms
securitytrails Requests SecurityTrails database
shodan Requests Shodan API
spyonweb Search in SpyOnWeb through the API
subdomains Research subdomains of a domain
telegram Request information from Telegram through the API
threatcrowd Request the ThreatCrowd API
threatgrid Request Threat Grid API
threatminer Requests TreatMiner database https://www.threatminer.org/
tor Check if an IP is a Tor exit node listed in the public list
totalhash Request Total Hash API
twitter Requests Twitter API
umbrella Check if a domain is in Umbrella Top 1 million domains
update Update Harpoon data
urlhaus Request urlhaus.abuse.ch API
urlscan Search and submit urls to urlscan.io
vt Request Virus Total API
xforce Query IBM Xforce Exchange API
zetalytics Search in Zetalytics database
You can get information on each command with harpoon help COMMAND
Access Keys
- AlienVault OTX
- BinaryEdge
- Censys
- CertSpotter : paid plans provide search in expired certificates (little interests imho, just use crtsh or censys). You don't need an account for current certificates
- CIRCL Passive DNS
- Farsight Dnsdb
- FullContact
- GreyNoise : supports both Community and Enterprise API. Use api_type config setting to specify which API type to use. Both still require an API key to work.
- Have I Been Pwned
- Hunter
- Hybrid Analysis
- IBM Xforce Exchange
- ipinfo.io
- Koodous
- MalShare
- NumVerify
- OpenCage
- PassiveTotal
- Permacc
- PulseDive
- Security Trails
- Shodan
- SpyOnWeb
- Telegram : Create an application
- Total Hash
- UrlHaus
- UrlScan
- Virus Total : for public, create an account and get the API key in the Settings page
- Zetalytics
Contributions
Thanks to people who helped improving Harpoon : @jakubd @marrouchi @grispan56 @christalib
Credits for the logo goes to @euphoricfall and the PulseDive team
License
This code is released under GPLv3 license.