• Stars
    star
    841
  • Rank 54,194 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created over 2 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Passive hostname, domain and IP lookup tool for non-robots

wtfis

Tests PyPI

Passive hostname, domain and IP lookup tool for non-robots

WTF is it?

wtfis is a commandline tool that gathers information about a domain, FQDN or IP address using various OSINT services. Unlike other tools of its kind, it's built specifically for human consumption, providing results that are pretty (YMMV) and easy to read and understand.

This tool assumes that you are using free tier / community level accounts, and so makes as few API calls as possible to minimize hitting quotas and rate limits.

The project name is a play on "whois".

Data Sources

Service Used in lookup Required Free Tier
Virustotal All Yes Yes
Passivetotal All No Yes
IP2Whois Domain/FQDN No Yes
IPWhois IP address No Yes (no signup)
Shodan IP address No No
Greynoise IP address No Yes

Virustotal

The primary source of information. Retrieves:

  • Hostname (FQDN), domain or IP
    • Latest analysis stats with vendor detail
    • Reputation score (based on VT community votes)
    • Popularity ranks (Alexa, Cisco Umbrella, etc.) (FQDN and domain only)
    • Categories (assigned by different vendors)
  • Resolutions (FQDN and domain only)
    • Last n IP addresses (default: 3, max: 10)
    • Latest analysis stats of each IP above
  • Whois
    • Fallback only: if Passivetotal creds are not available
    • Various whois data about the domain itself

Passivetotal (RiskIQ)

Optionally used if creds are provided. Retrieves:

  • Whois
    • Various whois data about the domain itself

Passivetotal is recommended over Virustotal for whois data for a couple of reasons:

  • VT whois data format is less consistent
  • PT whois data tends to be of better quality than VT. Also, VT's registrant data is apparently anonymized.
  • You can save one VT API call by offloading to PT

IP2Whois

Optionally used if creds are provided and Passivetotal creds are not supplied. (i.e. second in line for Whois information)

  • Whois
    • Various whois data about the domain itself

As above, IP2Whois is recommended over Virustotal if a Passivetotal account cannot be obtained.

IPWhois

Default enrichment for IP addresses. Retrieves:

  • ASN, Org, ISP and Geolocation

IPWhois should not be confused with IP2Whois, which provides domain Whois data.

Shodan

Alternative IP address enrichment source. GETs data from the /shodan/host/{ip} endpoint (see doc). For each IP, retrieves:

  • ASN, Org, ISP and Geolocation
  • List of open ports and services
  • Operating system (if available)
  • Tags (assigned by Shodan)

Greynoise

Supplementary IP address enrichment source. Using its community API, wtfis will show whether an IP is in one of Greynoise's datasets:

  • Noise: IP has been seen regularly scanning the Internet
  • RIOT: IP belongs to a common business application (e.g. Microsoft O365, Google Workspace, Slack)

More information about the datasets here.

In addition, the API also returns Greynoise's classification of an IP (if available). Possible values are benign, malicious, and unknown.

Install

$ pip install wtfis

To install via conda (from conda-forge), see wtfis-feedstock.

To install via brew:

brew install wtfis

Setup

wtfis uses these environment variables:

  • VT_API_KEY (required) - Virustotal API key
  • PT_API_KEY (optional) - Passivetotal API key
  • PT_API_USER (optional) - Passivetotal API user
  • IP2WHOIS_API_KEY (optional) - IP2WHOIS API key
  • SHODAN_API_KEY (optional) - Shodan API key
  • GREYNOISE_API_KEY (optional) - Greynoise API key
  • WTFIS_DEFAULTS (optional) - Default arguments

Set these using your own method.

Alternatively, create a file in your home directory ~/.env.wtfis with the above declarations. See .env.wtfis.example for a template. NOTE: Don't forget to chmod 400 the file!

Usage

usage: wtfis [-h] [-m N] [-s] [-g] [-n] [-1] [-V] entity

positional arguments:
  entity                Hostname, domain or IP

optional arguments:
  -h, --help            show this help message and exit
  -m N, --max-resolutions N
                        Maximum number of resolutions to show (default: 3)
  -s, --use-shodan      Use Shodan to enrich IPs
  -g, --use-greynoise   Enable Greynoise for IPs
  -n, --no-color        Show output without colors
  -1, --one-column      Display results in one column
  -V, --version         Print version number

Basically:

$ wtfis FQDN_OR_DOMAIN_OR_IP

and you will get results organized by panel, similar to the image above.

Defanged input is accepted (e.g. api[.]google[.]com).

If supported by the terminal, the Analysis field and (if using PT) headings in the whois panel are clickable hyperlinks that point to the appropriate pages on the VT or PT website.

Shodan enrichment

Shodan can be used to enrich the IP addresses (instead of IPWhois). Invoke with the -s or --use-shodan flag.

If supported by the terminal, the Services field is a clickable hyperlink that takes you to the Shodan web interface.

Greynoise enrichment

To enable Greynoise, invoke with the -g or --use-greynoise flag. Because the API quota is quite low (50 requests per week as of March 2023), this lookup is off by default.

The GreyNoise field name is also a hyperlink (if terminal-supported) that points to the IP entry in the Greynoise web interface, where more context is shown.

Display options

For FQDN and domain lookups, you can increase or decrease the maximum number of displayed IP resolutions with -m NUMBER or --max-resolutions=NUMBER. The upper limit is 10. If you don't need resolutions at all, set the number to 0.

To show all panels in one column, use the -1 or --one-column flag.

Panels can be displayed with no color with -n or --no-color.

Defaults

Default arguments can be defined by setting the WTFIS_DEFAULTS environment variable. For example, to use shodan and display results in one column by default:

WTFIS_DEFAULTS=-s -1

If an argument is in WTFIS_DEFAULTS, then specifying the same argument during command invocation negates that argument. So in the example above, if you then run:

$ wtfis example.com -s

then Shodan will NOT be used.

Note that maximum resolutions (-m N, --max-resolutions N) cannot be defined in defaults at the moment.

Docker

wtfis can be run from a Docker image. First, build the image (using the included Dockerfile) by running:

$ make docker-image

The image will have the latest tagged version (not necessarily from the latest commit) wtfis. This ensures that you are getting a stable release.

Two ways you can run the image:

Ensure .env.wtfis is in your home directory and set with the necessary envvars. Then simply run:

$ make docker-run

This is an alias to

$ docker run --env-file=${HOME}/.env.wtfis -it wtfis

Note that each definition must NOT have any spaces before and after the equal sign (FOO=bar, not FOO = bar).

Altenatively, you can set the environment variables yourself, then run, e.g.:

$ docker run -e VT_API_KEY -e SHODAN_API_KEY -it wtfis

More Repositories

1

monomepi-stepsequencer

monome + raspberry pi + arduino + python
Python
21
star
2

terraform-aws-security-detection

Terraform deployment of a security detection and response system in AWS
HCL
2
star
3

errbot-ipam

Python
2
star
4

rubberducky-piano-payload

Play virtual instruments with your USB Rubber Ducky
Python
2
star
5

monomepi128

Trying to port monomepi to 128
Python
1
star
6

monomepi

raspberry pi + monome fun
Python
1
star
7

cookiecutter-golang

General purpose cookiecutter for Go projects
Makefile
1
star
8

puppet_joon-role

Fun with Puppet! My own role module.
Shell
1
star
9

easyrsatool

Helper tool for easy-rsa
Shell
1
star
10

errbot-funstuff

Random short fun things for errbot
Python
1
star
11

puppet_hiera-template

Shell
1
star
12

procfs-test

Quick test script for prometheus/procfs
Go
1
star
13

advent-of-code

Python
1
star
14

python-phpipam

Python
1
star
15

puppet_joon-profile

Fun with Puppet! Makings of a profile module.
HTML
1
star
16

go-root-bash

Spawn a bash shell as root
Go
1
star
17

ninjam-slack-bot

Chatbot for Ninjam server events
Python
1
star
18

osquery-kubelet

Proof-of-concept osquery extension that locally queries the kubelet API
Go
1
star
19

python-heroku

Limited heroku interface in python
Python
1
star
20

salt-codebase

My own salt code
SaltStack
1
star
21

streamingbot

Twitch live stream notifier for Slack
Python
1
star
22

python-redmine

Python
1
star
23

go-kubelet-poc

Proof-of-concept kubelet client
Go
1
star
24

go-uname

My own uname implementation in Go
Go
1
star
25

inotifystats

Go
1
star
26

csvtoiptc

Python
1
star
27

terraform-aws-static-site

Terraform module for a single static site using AWS S3 and Cloudfront
HCL
1
star
28

terraform-aws-static-site-deploy-role

Deploys an IAM role that has just enough access to manage a Cloudfront + S3 static site
HCL
1
star