smicallef / spiderfoot

**SpiderFoot** is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate. SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line. It's written in **Python 3** and **MIT-licensed**. FEATURES • Web based UI or CLI • Over 200 modules (see below) • Python 3.7+ • YAML-configurable correlation engine with 37 pre-defined rules • CSV/JSON/GEXF export • API key export/import • SQLite back-end for custom querying • Highly configurable • Fully documented • Visualisations • TOR integration for dark web searching • Dockerfile for Docker-based deployments • Can call other tools like DNSTwist, Whatweb, Nmap and CMSeeK • Actively developed since 2012! WANT MORE? Need more from SpiderFoot? Check out SpiderFoot HX for: • 100% Cloud-based and managed for you • Attack Surface Monitoring with change notifications by email, REST and Slack • Multiple targets per scan • Multi-user collaboration • Authenticated and 2FA • Investigations • Customer support • Third party tools pre-installed & configured • Drive it with a fully RESTful API • TOR integration built-in • Screenshotting • Bring your own Python SpiderFoot modules • Feed scan data to Splunk, ElasticSearch and REST endpoints See the full set of differences between SpiderFoot HX and the open source version here. USES SpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet. You can target the following entities in a SpiderFoot scan: • IP address • Domain/sub-domain name • Hostname • Network subnet (CIDR) • ASN • E-mail address • Phone number • Username • Person's name • Bitcoin address SpiderFoot's 200+ modules feed each other in a publisher/subscriber model to ensure maximum data extraction to do things like: • Host/sub-domain/TLD enumeration/extraction • Email address, phone number and human name extraction • Bitcoin and Ethereum address extraction • Check for susceptibility to sub-domain hijacking • DNS zone transfers • Threat intelligence and Blacklist queries • API integration with SHODAN, HaveIBeenPwned, GreyNoise, AlienVault, SecurityTrails, etc. • Social media account enumeration • S3/Azure/Digitalocean bucket enumeration/scraping • IP geo-location • Web scraping, web content analysis • Image, document and binary file meta data analysis • Dark web searches • Port scanning and banner grabbing • Data breach searches • So much more... INSTALLING & RUNNING To install and run SpiderFoot, you need at least Python 3.7 and a number of Python libraries which you can install with . We recommend you install a packaged release since master will often have bleeding edge features and modules that aren't fully tested. Stable build (packaged release): Development build (cloning git master branch): Check out the documentation and our asciinema videos for more tutorials. COMMUNITY Whether you're a contributor, user or just curious about SpiderFoot and OSINT in general, we'd love to have you join our community! SpiderFoot now has a Discord server for seeking help from the community, requesting features or just general OSINT chit-chat. WRITING CORRELATION RULES We have a comprehensive write-up and reference of the correlation rule-set introduced in SpiderFoot 4.0 here. Also take a look at the template.yaml file for a walk through. The existing 37 rules are also quite readable and good as starting points for additional rules. MODULES / INTEGRATIONS SpiderFoot has over 200 modules, most of which *don't require API keys*, and many of those that do require API keys *have a free tier*. | Name | Description | Type | |:---------| :-----------|:-------| AbstractAPI|Look up domain, phone and IP address information from AbstractAPI.|Tiered API abuse.ch|Check if a host/domain, IP address or netblock is malicious according to Abuse.ch.|Free API AbuseIPDB|Check if an IP address is malicious according to AbuseIPDB.com blacklist.|Tiered API Abusix Mail Intelligence|Check if a netblock or IP address is in the Abusix Mail Intelligence blacklist.|Tiered API Account Finder|Look for possible associated accounts on over 500 social and other websites such as Instagram, Reddit, etc.|Internal AdBlock Check|Check if linked pages would be blocked by AdBlock Plus.|Tiered API AdGuard DNS|Check if a host would be blocked by AdGuard DNS.|Free API Ahmia|Search Tor 'Ahmia' search engine for mentions of the target.|Free API AlienVault IP Reputation|Check if an IP or netblock is malicious according to the AlienVault IP Reputation database.|Free API AlienVault OTX|Obtain information from AlienVault Open Threat Exchange (OTX)|Tiered API Amazon S3 Bucket Finder|Search for potential Amazon S3 buckets associated with the target and attempt to list their contents.|Free API Apple iTunes|Search Apple iTunes for mobile apps.|Free API Archive.org|Identifies historic versions of interesting files/pages from the Wayback Machine.|Free API ARIN|Queries ARIN registry for contact information.|Free API Azure Blob Finder|Search for potential Azure blobs associated with the target and attempt to list their contents.|Free API Base64 Decoder|Identify Base64-encoded strings in URLs, often revealing interesting hidden information.|Internal BGPView|Obtain network information from BGPView API.|Free API Binary String Extractor|Attempt to identify strings in binary content.|Internal BinaryEdge|Obtain information from BinaryEdge.io Internet scanning systems, including breaches, vulnerabilities, torrents and passive DNS.|Tiered API Bing (Shared IPs)|Search Bing for hosts sharing the same IP.|Tiered API Bing|Obtain information from bing to identify sub-domains and links.|Tiered API Bitcoin Finder|Identify bitcoin…