wtfis - OSINT Tool for Domain, IP, and FQDN Intelligence Gathering

wtfis - OSINT Tool for Domain, IP, and FQDN Intelligence Gathering

wtfis is a command-line tool designed to gather detailed information about domains, fully qualified domain names (FQDNs), or IP addresses using various Open Source Intelligence (OSINT) services.

Unlike other tools in its category, wtfis focuses on delivering human-readable, well-organized results that are easy to interpret. It is optimized for users with free-tier or community-level accounts, minimizing API calls to avoid exceeding quotas or rate limits.

The name wtfis is a clever play on the term "whois," reflecting its purpose as an advanced lookup tool.

Features and Data Sources

wtfis integrates with multiple OSINT services to provide comprehensive insights. Below is an overview of the data sources it uses and the type of information it retrieves:

Primary Data Sources

1.VirusTotal (VT) (Required)

Retrieves:

  • Hostname, domain, or IP details
  • Latest analysis stats with vendor-specific details
  • Reputation score based on VT community votes
  • Popularity ranks (e.g., Alexa, Cisco Umbrella) for domains/FQDNs
  • Vendor-assigned categories
  • Resolutions (past IP addresses associated with the domain/FQDN)
  • Whois data (fallback option if other services are unavailable)

2.PassiveTotal (PT) (Optional)

  • Provides high-quality Whois data for domains.
  • Recommended over VirusTotal for Whois due to better consistency and detail.

3.IP2Whois (Optional)

  • Retrieves Whois data for domains when PassiveTotal credentials are unavailable.

4.IPWhois (Default for IP Geolocation)

  • Retrieves:ASN, organization, ISP, and geolocation details.

5.Shodan (Optional)

Retrieves:

  • Open ports and services
  • Operating system details
  • Tags assigned by Shodan

6.GreyNoise (Optional)

Identifies whether an IP

  • Is part of regular internet scans (Noise)
  • Belongs to common business applications (RIOT)
  • Classifies IPs as benign, malicious, or unknown.

7.URLhaus (Optional)

  • Checks if a hostname or IP is associated with malware distribution.
  • Provides:
  • Count of malware URLs
  • DNSBL/SURBL blocklist status
  • Historical tags assigned to URLs

8.AbuseIPDB (Optional)

  • Reports malicious activity associated with an IP.
  • Provides:
  • Abuse confidence score (0-100)
  • Number of reports

Installation

You can install wtfis using one of the following methods:

Using pip

pip install wtfis

Using Homebrew

brew install wtfis

Using Conda

Refer to the wtfis-feedstock repository for installation via Conda.

Using Docker

1.Build the Docker image:

make docker-image

2.Run the container:

make docker-run

Alternatively, you can set environment variables manually and run:

docker run -e VT_API_KEY=<your_api_key> ... wtfis

Setup

To use wtfis, you need to configure API keys for the supported services. These can be set as environment variables or stored in a configuration file (~/.env.wtfis).

Required Environment Variables

  • VT_API_KEY: VirusTotal API key (mandatory)

  • Optional keys for additional features:

    • PT_API_KEY and PT_API_USER (PassiveTotal)

    • IP2WHOIS_API_KEY (IP2Whois)

    • SHODAN_API_KEY (Shodan)

    • GREYNOISE_API_KEY (GreyNoise)

    • ABUSEIPDB_API_KEY (AbuseIPDB)

Example .env.wtfis file:

VT_API_KEY=your_virustotal_api_key

PT_API_KEY=your_passivetotal_api_key

SHODAN_API_KEY=your_shodan_api_key

Ensure the file is secure by setting appropriate permissions:

chmod 400 ~/.env.wtfis

Usage

The basic syntax for running wtfis is as follows:

wtfis [options] <entity>

Here, <entity> can be a hostname, domain, or IP address.

Common Options

  • -m N, --max-resolutions N: Set the maximum number of resolutions to display (default: 3; max: 10).

  • -s, --use-shodan: Enable Shodan lookups.

  • -g, --use-greynoise: Enable GreyNoise lookups.

  • -a, --use-abuseipdb: Enable AbuseIPDB lookups.

  • -u, --use-urlhaus: Enable URLhaus lookups.

  • -n, --no-color: Disable colored output.

  • -1, --one-column: Display results in a single column.

  • -V, --version: Display the current version of wtfis.

Examples

1.Basic lookup for a domain:

wtfis example.com

2.Lookup with Shodan and GreyNoise enrichments:

wtfis example.com --use-shodan --use-greynoise

3.Increase resolution limit:

wtfis example.com --max-resolutions=5

Advanced Features

Clickable Hyperlinks

If your terminal supports hyperlinks, certain fields in the output will link directly to relevant pages on VirusTotal, PassiveTotal, Shodan, etc.

Custom Defaults

You can define default arguments using the environment variable WTFIS_DEFAULTS. For example:

export WTFIS_DEFAULTS="-s --one-column"

This will enable Shodan lookups and display results in one column by default.

Conclusion

wtfis is a powerful OSINT tool tailored for human-readable outputs while leveraging free-tier API access efficiently. Its modular design allows users to customize lookups based on their needs and available API keys. .

Whether you're investigating domains, FQDNs, or IP addresses, wtfis provides a streamlined way to gather actionable intelligence from multiple sources in one place. You can learn more and Download wtfis in GitHub.

Upgrade Your Cybersecurity Skills EHA: Learn 150+ Practical Cyber Security Courses Online With Life Time Access - Enroll Here

 

Back to blog