Harpoon

OSINT / Threat Intel CLI tool.

Install

Requirements

As a pre-requesite for Harpoon, you need to install lxml requirements, on Debian/Ubuntu : sudo apt-get install libxml2-dev libxslt-dev python3-dev.

You need to have geoipupdate installed and correctly configured to use geolocation correctly (make sure you to have GeoLite2-Country GeoLite2-City GeoLite2-ASN as EditionIDs).

If you want to use the screenshot plugin, you need phantomjs and npm installed:

npm install -g phantomjs

Installing harpoon

You can simply install the package from pypi with pip install harpoon

If the above install instructions didn't work, you can build the tool from source by executing the following commands in the terminal (this assumes you are using virtualenvs):

git clone https://github.com/Te-k/harpoon.git
cd harpoon
pip3 install .

You may want to install harpoontools to have additional commands using harpoon features.

Configuration

To configure harpoon, run harpoon config and fill in the needed API keys.

Then run harpoon update to download needed files. Check what plugins are configured with harpoon config -c.

See the wiki for more information.

Updating Harpoon

If you installed harpoon from pypi, just do pip install -U harpoon.

If you installed harpoon from the git repository, go to the repository and use the following commands:

git pull origin master
pip install .

Usage

After configuration the following plugins are available within the harpoon command:

    asn                 Gather information on an ASN
    binaryedge          Request BinaryEdge API
    cache               Requests webpage cache from different sources
    censys              Request information from Censys database (https://censys.io/)
    certspotter         Get certificates from https://sslmate.com/certspotter
    circl               Request the CIRCL passive DNS database
    config              Configure Harpoon
    crtsh               Search in https://crt.sh/ (Certificate Transparency database)
    cybercure           Search cybercure.ai intelligence database for specific indicators.
    dns                 Map DNS information for a domain or an IP
    dnsdb               Requests Farsight DNSDB
    email               Gather information on an email address
    fullcontact         Requests Full Contact API (https://www.fullcontact.com/)
    github              Request Github information through the API
    googl               Requests Google url shortener API
    greynoise           Request Grey Noise API
    help                Give help on an Harpoon command
    hibp                Request Have I Been Pwned API (https://haveibeenpwned.com/)
    hunter              Request hunter.io information through the API
    hybrid              Requests Hybrid Analysis platform
    intel               Gather information on a domain
    ip                  Gather information on an IP address
    ipinfo              Request ipinfo.io information
    koodous             Request Koodous API
    malshare            Requests MalShare database
    misp                Get information from a MISP server through the API
    numverify           Query phone number information from NumVerify
    opencage            Forward/Reverse Geocoding using OpenCage
    otx                 Requests information from AlienVault OTX
    permacc             Request Perma.cc information through the API
    pgp                 Search for information in PGP key servers
    pt                  Requests Passive Total database
    pulsedive           Request PulseDive API
    quad9               Check if a domain is blocked by Quad9
    robtex              Search in Robtex API (https://www.robtex.com/api/)
    safebrowsing        Check if the given domain is in Google safe Browsing list
    save                Save a webpage in cache platforms
    screenshot          Takes a screenshot of a webpage
    securitytrails      Requests SecurityTrails database
    shodan              Requests Shodan API
    spyonweb            Search in SpyOnWeb through the API
    subdomains          Research subdomains of a domain
    telegram            Request information from Telegram through the API
    threatcrowd         Request the ThreatCrowd API
    threatgrid          Request Threat Grid API
    threatminer         Requests TreatMiner database https://www.threatminer.org/
    tor                 Check if an IP is a Tor exit node listed in the public list
    totalhash           Request Total Hash API
    twitter             Requests Twitter API
    umbrella            Check if a domain is in Umbrella Top 1 million domains
    update              Update Harpoon data
    urlhaus             Request urlhaus.abuse.ch API
    urlscan             Search and submit urls to urlscan.io
    vt                  Request Virus Total API
    xforce              Query IBM Xforce Exchange API
    zetalytics          Search in Zetalytics database

You can get information on each command with harpoon help COMMAND

Access Keys

• AlienVault OTX
• BinaryEdge
• Censys
• CertSpotter : paid plans provide search in expired certificates (little interests imho, just use crtsh or censys). You don't need an account for current certificates
• CIRCL Passive DNS
• Farsight Dnsdb
• FullContact
• GreyNoise
• Have I Been Pwned
• Hunter
• Hybrid Analysis
• IBM Xforce Exchange
• ipinfo.io
• Koodous
• MalShare
• NumVerify
• OpenCage
• PassiveTotal
• Permacc
• PulseDive
• Security Trails
• Shodan
• SpyOnWeb
• Telegram : Create an application
• Total Hash
• Twitter
• UrlHaus
• UrlScan
• Virus Total : for public, create an account and get the API key in the Settings page
• Zetalytics

Contributions

Thanks to people who helped improving Harpoon : @jakubd @marrouchi @grispan56 @christalib

License

This code is released under GPLv3 license.