# wtfis
[](https://github.com/pirxthepilot/wtfis/actions/workflows/tests.yml)
[](https://pypi.org/project/wtfis/)
Passive hostname, domain and IP lookup tool for non-robots
## WTF is it?
**wtfis** is a commandline tool that gathers information about a domain, FQDN or IP address using various OSINT services. Unlike other tools of its kind, it's built specifically for human consumption, providing results that are pretty (YMMV) and easy to read and understand.
This tool assumes that you are using free tier / community level accounts, and so makes as few API calls as possible to minimize hitting quotas and rate limits.
The project name is a play on "whois".
## Data Sources
| Service | Used in lookup | Required | Free Tier |
| --- | --- | --- | --- |
| [Virustotal](https://virustotal.com) | All | Yes | [Yes](https://www.virustotal.com/gui/join-us) |
| [Passivetotal](https://community.riskiq.com) | All | No | [Yes](https://community.riskiq.com/registration/)
| [IP2Whois](https://www.ip2whois.com) | Domain/FQDN | No | [Yes](https://www.ip2location.io/pricing#ip2whois)
| [IPWhois](https://ipwhois.io) | IP address | No | Yes (no signup) |
| [Shodan](https://shodan.io) | IP address | No | [No](https://account.shodan.io/billing) |
| [Greynoise](https://greynoise.io) | IP address | No | [Yes](https://www.greynoise.io/plans/community)
| [URLhaus](https://urlhaus.abuse.ch/) | All | No | Yes (no signup)
| [AbuseIPDB](https://www.abuseipdb.com/)| IP address | No | [Yes](https://www.abuseipdb.com/register?plan=free)
### Virustotal
The primary source of information. Retrieves:
* [Hostname (FQDN), domain or IP](https://developers.virustotal.com/reference/domains-1)
* Latest analysis stats with vendor detail
* Reputation score (based on VT community votes)
* Popularity ranks (Alexa, Cisco Umbrella, etc.) (FQDN and domain only)
* Categories (assigned by different vendors)
* [Resolutions](https://developers.virustotal.com/reference/domain-resolutions) (FQDN and domain only)
* Last n IP addresses (default: 3, max: 10)
* Latest analysis stats of each IP above
* [Whois](https://developers.virustotal.com/reference/whois)
* Fallback only: if Passivetotal creds are not available
* Various whois data about the domain itself
### Passivetotal (RiskIQ)
Optionally used if creds are provided. Retrieves:
* [Whois](https://api.riskiq.net/api/whois_pt/)
* Various whois data about the domain itself
Passivetotal is recommended over Virustotal for whois data for a couple of reasons:
* VT whois data format is less consistent
* PT whois data tends to be of better quality than VT. Also, VT's registrant data is apparently [anonymized](https://developers.virustotal.com/reference/whois).
* You can save one VT API call by offloading to PT
### IP2Whois
Optionally used if creds are provided and Passivetotal creds are not supplied. (i.e. second in line for Whois information)
* [Whois](https://www.ip2location.io/ip2whois-documentation)
* Various whois data about the domain itself
As above, IP2Whois is recommended over Virustotal if a Passivetotal account cannot be obtained.
### IPWhois
Default Geolocation and ASN lookup source for IP addresses. Retrieves:
* ASN, Org, ISP and Geolocation
IPWhois should not be confused with IP2Whois, which provides domain Whois data.
### Shodan
GETs data from the `/shodan/host/{ip}` endpoint (see [doc](https://developer.shodan.io/api)). For each IP, retrieves:
* List of open ports and services
* Operating system (if available)
* Tags (assigned by Shodan)
### Greynoise
Using Greynoise's [community API](https://docs.greynoise.io/docs/using-the-greynoise-community-api), wtfis will show whether an IP is in one of Greynoise's datasets:
* **Noise**: IP has been seen regularly scanning the Internet
* **RIOT**: IP belongs to a common business application (e.g. Microsoft O365, Google Workspace, Slack)
More information about the datasets [here](https://docs.greynoise.io/docs/understanding-greynoise-data-sets).
In addition, the API also returns Greynoise's [classification](https://docs.greynoise.io/docs/understanding-greynoise-classifications) of an IP (if available). Possible values are **benign**, **malicious**, and **unknown**.
### URLhaus
[URLhaus](https://urlhaus.abuse.ch/) is a crowd-sourced database of reported malicious URLs. This enrichment provides insight on whether the queried hostname or IP is being or was used for malware distribution via HTTP or HTTPS. Data that is provided include:
* Count of currently online and total malware URLs
* Whether the hostname or IP is currently in the [DNSBL](https://www.dnsbl.info/) and [SURBL](https://www.surbl.org/) public blocklists
* All tags that have been assigned to the URL throughout its history in the URLhaus database
### AbuseIPDB
[AbuseIPDB](https://www.abuseipdb.com/) is a crowd-sourced database of reported malicious IP addresses. Through its API wtfis shows:
* Abuse confidence score (0-100)
* Number of reports
## Install
```
$ pip install wtfis
```
To install via `conda` (from conda-forge), see [wtfis-feedstock](https://github.com/conda-forge/wtfis-feedstock).
To install via [`brew`](https://brew.sh):
```
brew install wtfis
```
## Setup
wtfis uses these environment variables:
* `VT_API_KEY` (required) - Virustotal API key
* `PT_API_KEY` (optional) - Passivetotal API key
* `PT_API_USER` (optional) - Passivetotal API user
* `IP2WHOIS_API_KEY` (optional) - IP2WHOIS API key
* `SHODAN_API_KEY` (optional) - Shodan API key
* `GREYNOISE_API_KEY` (optional) - Greynoise API key
* `ABUSEIPDB_API_KEY` (optional) - AbuseIPDB API key
* `WTFIS_DEFAULTS` (optional) - Default arguments
Set these using your own method.
Alternatively, create a file in your home directory `~/.env.wtfis` with the above declarations. See [.env.wtfis.example](./.env.wtfis.example) for a template. **NOTE: Don't forget to `chmod 400` the file!**
## Usage
```
usage: wtfis [-h] [-m N] [-s] [-g] [-a] [-u] [-n] [-1] [-V] entity
positional arguments:
entity Hostname, domain or IP
optional arguments:
-h, --help show this help message and exit
-m N, --max-resolutions N
Maximum number of resolutions to show (default: 3)
-s, --use-shodan Use Shodan to enrich IPs
-g, --use-greynoise Enable Greynoise for IPs
-a, --use-abuseipdb Enable AbuseIPDB for IPs
-u, --use-urlhaus Enable URLhaus for IPs and domains
-n, --no-color Show output without colors
-1, --one-column Display results in one column
-V, --version Print version number
```
Basically:
```
$ wtfis FQDN_OR_DOMAIN_OR_IP
```
and you will get results organized by panel, similar to the image above.
Defanged input is accepted (e.g. `api[.]google[.]com`).
If supported by the terminal, the `Analysis` field and (if using PT) headings in the whois panel are clickable hyperlinks that point to the appropriate pages on the VT or PT website.
### Shodan
Shodan can be used to show an IP's open ports or services, and OS in some results. Invoke with the `-s` or `--use-shodan` flag.
If supported by the terminal, the `Services` field is a clickable hyperlink that takes you to the Shodan web interface.
### Greynoise
To enable Greynoise, invoke with the `-g` or `--use-greynoise` flag. Because the API quota is quite low (50 requests per week as of March 2023), this lookup is off by default.
The `GreyNoise` field name is also a hyperlink (if terminal-supported) that points to the IP entry in the Greynoise web interface, where more context is shown.
### URLhaus
Use the `-u` or `--use-urlhaus` flag to enable URLhaus enrichment for hostnames, domains and IPs.
The `Malware URLs` field name is a hyperlink (if terminal-supported) that takes you to the specific URLhaus database page for your query.
### AbuseIPDB
Use the `-a` or `--use-abuseipdb` flag to enable AbuseIPDB enrichment for hostnames, domains and IPs.
The `AbuseIPDB` field name is a hyperlink (if terminal-supported) that takes you to the specific AbuseIPDB database page for your query.
### Display options
For FQDN and domain lookups, you can increase or decrease the maximum number of displayed IP resolutions with `-m NUMBER` or `--max-resolutions=NUMBER`. The upper limit is 10. If you don't need resolutions at all, set the number to `0`.
To show all panels in one column, use the `-1` or `--one-column` flag.
Panels can be displayed with no color with `-n` or `--no-color`.
### Defaults
Default arguments can be defined by setting the `WTFIS_DEFAULTS` environment variable. For example, to use shodan and display results in one column by default:
```
WTFIS_DEFAULTS=-s -1
```
If an argument is in `WTFIS_DEFAULTS`, then specifying the same argument during command invocation **negates** that argument. So in the example above, if you then run:
```
$ wtfis example.com -s
```
then Shodan will NOT be used.
Note that maximum resolutions (`-m N, --max-resolutions N`) cannot be defined in defaults at the moment.
## Docker
wtfis can be run from a Docker image. First, build the image (using the included [Dockerfile](./Dockerfile)) by running:
```
$ make docker-image
```
The image will have the latest _tagged_ version (not necessarily from the latest commit) wtfis. This ensures that you are getting a stable release.
Two ways you can run the image:
Ensure `.env.wtfis` is in your home directory and set with the necessary envvars. Then simply run:
```
$ make docker-run
```
This is an alias to
```
$ docker run --env-file=${HOME}/.env.wtfis -it wtfis
```
Note that each definition must NOT have any spaces before and after the equal sign (`FOO=bar`, not `FOO = bar`).
Altenatively, you can set the environment variables yourself, then run, e.g.:
```
$ docker run -e VT_API_KEY -e SHODAN_API_KEY -it wtfis
```
Raw data
{
"_id": null,
"home_page": null,
"name": "wtfis",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": null,
"keywords": "ipinfo, osint, passive lookup, passivetotal, security, shodan, virustotal, whois",
"author": null,
"author_email": "pirxthepilot <pirxthepilot@users.noreply.github.com>",
"download_url": "https://files.pythonhosted.org/packages/ff/a8/a8cd5b79094cb68c9e76291829773a3146646bc8b532b936702c5c013259/wtfis-0.10.1.tar.gz",
"platform": null,
"description": "# wtfis\n\n[](https://github.com/pirxthepilot/wtfis/actions/workflows/tests.yml)\n[](https://pypi.org/project/wtfis/)\n\nPassive hostname, domain and IP lookup tool for non-robots\n\n\n\n\n\n\n## WTF is it?\n\n**wtfis** is a commandline tool that gathers information about a domain, FQDN or IP address using various OSINT services. Unlike other tools of its kind, it's built specifically for human consumption, providing results that are pretty (YMMV) and easy to read and understand.\n\nThis tool assumes that you are using free tier / community level accounts, and so makes as few API calls as possible to minimize hitting quotas and rate limits.\n\nThe project name is a play on \"whois\".\n\n\n## Data Sources\n\n| Service | Used in lookup | Required | Free Tier |\n| --- | --- | --- | --- |\n| [Virustotal](https://virustotal.com) | All | Yes | [Yes](https://www.virustotal.com/gui/join-us) |\n| [Passivetotal](https://community.riskiq.com) | All | No | [Yes](https://community.riskiq.com/registration/)\n| [IP2Whois](https://www.ip2whois.com) | Domain/FQDN | No | [Yes](https://www.ip2location.io/pricing#ip2whois)\n| [IPWhois](https://ipwhois.io) | IP address | No | Yes (no signup) |\n| [Shodan](https://shodan.io) | IP address | No | [No](https://account.shodan.io/billing) |\n| [Greynoise](https://greynoise.io) | IP address | No | [Yes](https://www.greynoise.io/plans/community)\n| [URLhaus](https://urlhaus.abuse.ch/) | All | No | Yes (no signup)\n| [AbuseIPDB](https://www.abuseipdb.com/)| IP address | No | [Yes](https://www.abuseipdb.com/register?plan=free)\n\n### Virustotal\n\nThe primary source of information. Retrieves:\n\n* [Hostname (FQDN), domain or IP](https://developers.virustotal.com/reference/domains-1)\n * Latest analysis stats with vendor detail\n * Reputation score (based on VT community votes)\n * Popularity ranks (Alexa, Cisco Umbrella, etc.) (FQDN and domain only)\n * Categories (assigned by different vendors)\n* [Resolutions](https://developers.virustotal.com/reference/domain-resolutions) (FQDN and domain only)\n * Last n IP addresses (default: 3, max: 10)\n * Latest analysis stats of each IP above\n* [Whois](https://developers.virustotal.com/reference/whois)\n * Fallback only: if Passivetotal creds are not available\n * Various whois data about the domain itself\n\n### Passivetotal (RiskIQ)\n\nOptionally used if creds are provided. Retrieves:\n\n* [Whois](https://api.riskiq.net/api/whois_pt/)\n * Various whois data about the domain itself\n\nPassivetotal is recommended over Virustotal for whois data for a couple of reasons:\n\n* VT whois data format is less consistent\n* PT whois data tends to be of better quality than VT. Also, VT's registrant data is apparently [anonymized](https://developers.virustotal.com/reference/whois).\n* You can save one VT API call by offloading to PT\n\n### IP2Whois\n\nOptionally used if creds are provided and Passivetotal creds are not supplied. (i.e. second in line for Whois information)\n\n* [Whois](https://www.ip2location.io/ip2whois-documentation)\n * Various whois data about the domain itself\n\nAs above, IP2Whois is recommended over Virustotal if a Passivetotal account cannot be obtained.\n\n### IPWhois\n\nDefault Geolocation and ASN lookup source for IP addresses. Retrieves:\n\n* ASN, Org, ISP and Geolocation\n\nIPWhois should not be confused with IP2Whois, which provides domain Whois data.\n\n### Shodan\n\nGETs data from the `/shodan/host/{ip}` endpoint (see [doc](https://developer.shodan.io/api)). For each IP, retrieves:\n\n* List of open ports and services\n* Operating system (if available)\n* Tags (assigned by Shodan)\n\n### Greynoise\n\nUsing Greynoise's [community API](https://docs.greynoise.io/docs/using-the-greynoise-community-api), wtfis will show whether an IP is in one of Greynoise's datasets:\n\n* **Noise**: IP has been seen regularly scanning the Internet\n* **RIOT**: IP belongs to a common business application (e.g. Microsoft O365, Google Workspace, Slack)\n\nMore information about the datasets [here](https://docs.greynoise.io/docs/understanding-greynoise-data-sets).\n\nIn addition, the API also returns Greynoise's [classification](https://docs.greynoise.io/docs/understanding-greynoise-classifications) of an IP (if available). Possible values are **benign**, **malicious**, and **unknown**.\n\n### URLhaus\n\n[URLhaus](https://urlhaus.abuse.ch/) is a crowd-sourced database of reported malicious URLs. This enrichment provides insight on whether the queried hostname or IP is being or was used for malware distribution via HTTP or HTTPS. Data that is provided include:\n\n* Count of currently online and total malware URLs\n* Whether the hostname or IP is currently in the [DNSBL](https://www.dnsbl.info/) and [SURBL](https://www.surbl.org/) public blocklists\n* All tags that have been assigned to the URL throughout its history in the URLhaus database\n\n### AbuseIPDB\n\n[AbuseIPDB](https://www.abuseipdb.com/) is a crowd-sourced database of reported malicious IP addresses. Through its API wtfis shows:\n\n* Abuse confidence score (0-100)\n* Number of reports\n\n\n## Install\n\n```\n$ pip install wtfis\n```\n\nTo install via `conda` (from conda-forge), see [wtfis-feedstock](https://github.com/conda-forge/wtfis-feedstock).\n\nTo install via [`brew`](https://brew.sh):\n\n```\nbrew install wtfis\n```\n\n## Setup\n\nwtfis uses these environment variables:\n\n* `VT_API_KEY` (required) - Virustotal API key\n* `PT_API_KEY` (optional) - Passivetotal API key\n* `PT_API_USER` (optional) - Passivetotal API user\n* `IP2WHOIS_API_KEY` (optional) - IP2WHOIS API key\n* `SHODAN_API_KEY` (optional) - Shodan API key\n* `GREYNOISE_API_KEY` (optional) - Greynoise API key\n* `ABUSEIPDB_API_KEY` (optional) - AbuseIPDB API key\n* `WTFIS_DEFAULTS` (optional) - Default arguments\n\nSet these using your own method.\n\nAlternatively, create a file in your home directory `~/.env.wtfis` with the above declarations. See [.env.wtfis.example](./.env.wtfis.example) for a template. **NOTE: Don't forget to `chmod 400` the file!**\n\n\n## Usage\n\n```\nusage: wtfis [-h] [-m N] [-s] [-g] [-a] [-u] [-n] [-1] [-V] entity\n\npositional arguments:\n entity Hostname, domain or IP\n\noptional arguments:\n -h, --help show this help message and exit\n -m N, --max-resolutions N\n Maximum number of resolutions to show (default: 3)\n -s, --use-shodan Use Shodan to enrich IPs\n -g, --use-greynoise Enable Greynoise for IPs\n -a, --use-abuseipdb Enable AbuseIPDB for IPs\n -u, --use-urlhaus Enable URLhaus for IPs and domains\n -n, --no-color Show output without colors\n -1, --one-column Display results in one column\n -V, --version Print version number\n```\n\nBasically:\n\n```\n$ wtfis FQDN_OR_DOMAIN_OR_IP\n```\n\nand you will get results organized by panel, similar to the image above.\n\nDefanged input is accepted (e.g. `api[.]google[.]com`).\n\nIf supported by the terminal, the `Analysis` field and (if using PT) headings in the whois panel are clickable hyperlinks that point to the appropriate pages on the VT or PT website.\n\n### Shodan\n\nShodan can be used to show an IP's open ports or services, and OS in some results. Invoke with the `-s` or `--use-shodan` flag.\n\n\n\nIf supported by the terminal, the `Services` field is a clickable hyperlink that takes you to the Shodan web interface.\n\n### Greynoise\n\nTo enable Greynoise, invoke with the `-g` or `--use-greynoise` flag. Because the API quota is quite low (50 requests per week as of March 2023), this lookup is off by default.\n\n\n\nThe `GreyNoise` field name is also a hyperlink (if terminal-supported) that points to the IP entry in the Greynoise web interface, where more context is shown.\n\n### URLhaus\n\nUse the `-u` or `--use-urlhaus` flag to enable URLhaus enrichment for hostnames, domains and IPs.\n\n\n\nThe `Malware URLs` field name is a hyperlink (if terminal-supported) that takes you to the specific URLhaus database page for your query.\n\n### AbuseIPDB\n\nUse the `-a` or `--use-abuseipdb` flag to enable AbuseIPDB enrichment for hostnames, domains and IPs.\n\n\n\nThe `AbuseIPDB` field name is a hyperlink (if terminal-supported) that takes you to the specific AbuseIPDB database page for your query.\n\n### Display options\n\nFor FQDN and domain lookups, you can increase or decrease the maximum number of displayed IP resolutions with `-m NUMBER` or `--max-resolutions=NUMBER`. The upper limit is 10. If you don't need resolutions at all, set the number to `0`.\n\nTo show all panels in one column, use the `-1` or `--one-column` flag.\n\n\n\nPanels can be displayed with no color with `-n` or `--no-color`. \n\n\n\n### Defaults\n\nDefault arguments can be defined by setting the `WTFIS_DEFAULTS` environment variable. For example, to use shodan and display results in one column by default:\n\n```\nWTFIS_DEFAULTS=-s -1\n```\n\nIf an argument is in `WTFIS_DEFAULTS`, then specifying the same argument during command invocation **negates** that argument. So in the example above, if you then run:\n\n```\n$ wtfis example.com -s\n```\n\nthen Shodan will NOT be used.\n\nNote that maximum resolutions (`-m N, --max-resolutions N`) cannot be defined in defaults at the moment.\n\n\n## Docker\n\nwtfis can be run from a Docker image. First, build the image (using the included [Dockerfile](./Dockerfile)) by running:\n\n```\n$ make docker-image\n```\n\nThe image will have the latest _tagged_ version (not necessarily from the latest commit) wtfis. This ensures that you are getting a stable release.\n\nTwo ways you can run the image:\n\nEnsure `.env.wtfis` is in your home directory and set with the necessary envvars. Then simply run:\n\n```\n$ make docker-run\n```\n\nThis is an alias to\n\n```\n$ docker run --env-file=${HOME}/.env.wtfis -it wtfis\n```\n\nNote that each definition must NOT have any spaces before and after the equal sign (`FOO=bar`, not `FOO = bar`).\n\nAltenatively, you can set the environment variables yourself, then run, e.g.:\n\n```\n$ docker run -e VT_API_KEY -e SHODAN_API_KEY -it wtfis\n```\n",
"bugtrack_url": null,
"license": null,
"summary": "Passive hostname, domain and IP lookup tool for non-robots",
"version": "0.10.1",
"project_urls": {
"Homepage": "https://github.com/pirxthepilot/wtfis"
},
"split_keywords": [
"ipinfo",
" osint",
" passive lookup",
" passivetotal",
" security",
" shodan",
" virustotal",
" whois"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "54d656eca49a94e466cc8e3db27ca7d72e5f5df1bb1f38225326bc5a3ce7b721",
"md5": "59d5a1f1e909c6719df44ab7dc2312b5",
"sha256": "cead4f78d8fefd8dea9a107418c3dadf0adaf3100adf00c49cc3e23b1e09b8a6"
},
"downloads": -1,
"filename": "wtfis-0.10.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "59d5a1f1e909c6719df44ab7dc2312b5",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 36285,
"upload_time": "2024-10-19T03:15:11",
"upload_time_iso_8601": "2024-10-19T03:15:11.838280Z",
"url": "https://files.pythonhosted.org/packages/54/d6/56eca49a94e466cc8e3db27ca7d72e5f5df1bb1f38225326bc5a3ce7b721/wtfis-0.10.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "ffa8a8cd5b79094cb68c9e76291829773a3146646bc8b532b936702c5c013259",
"md5": "b877089921303e902bbcd2d13dd9ab05",
"sha256": "c3c0d3ef1fef20222bc3cb96f2b69a00e9714e468277fd87cf20c051de253331"
},
"downloads": -1,
"filename": "wtfis-0.10.1.tar.gz",
"has_sig": false,
"md5_digest": "b877089921303e902bbcd2d13dd9ab05",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 590473,
"upload_time": "2024-10-19T03:15:13",
"upload_time_iso_8601": "2024-10-19T03:15:13.585353Z",
"url": "https://files.pythonhosted.org/packages/ff/a8/a8cd5b79094cb68c9e76291829773a3146646bc8b532b936702c5c013259/wtfis-0.10.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-10-19 03:15:13",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "pirxthepilot",
"github_project": "wtfis",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "wtfis"
}
JSON
