{"id":13844347,"url":"https://github.com/keithjjones/hostintel","last_synced_at":"2026-01-17T18:52:43.915Z","repository":{"id":39421169,"uuid":"66305402","full_name":"keithjjones/hostintel","owner":"keithjjones","description":"A modular Python application to collect intelligence for malicious hosts.","archived":false,"fork":false,"pushed_at":"2021-04-13T18:07:46.000Z","size":34938,"stargazers_count":260,"open_issues_count":1,"forks_count":52,"subscribers_count":30,"default_branch":"master","last_synced_at":"2024-08-05T17:41:40.371Z","etag":null,"topics":["cybersecurity","investigation"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/keithjjones.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"Contributing.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-08-22T20:25:06.000Z","updated_at":"2024-08-02T13:47:25.000Z","dependencies_parsed_at":"2022-07-13T06:50:53.134Z","dependency_job_id":null,"html_url":"https://github.com/keithjjones/hostintel","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithjjones%2Fhostintel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithjjones%2Fhostintel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithjjones%2Fhostintel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keithjjones%2Fhostintel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/keithjjones","download_url":"https://codeload.github.com/keithjjones/hostintel/tar.gz/refs
/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225763347,"owners_count":17520440,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","investigation"],"created_at":"2024-08-04T17:02:40.865Z","updated_at":"2026-01-17T18:52:43.896Z","avatar_url":"https://github.com/keithjjones.png","language":"Python","funding_links":[],"categories":["IR Tools Collection","Open Source Threat Intelligence","IR tools Collection","Python (1887)","Python"],"sub_categories":["Other Tools","Tools"],"readme":"# hostintel\n\nThis tool is used to collect various intelligence sources for hosts.\nHostintel is written in a modular fashion so new intelligence sources can be\neasily added.\n\nHosts are identified by FQDN host name, Domain, or IP address.  This\ntool only supports IPv4 at the moment.  The output is in CSV format\nand sent to STDOUT so the data can be saved or piped into another\nprogram.  Since the output is in CSV format, spreadsheets such as\nExcel or database systems will easily be able to import the data.\n\nI created a short introduction for this tool on YouTube: https://youtu.be/aYK0gILDA6w\n\nThis works with Python v2 and Python v3. If you find it does not work with Python v3,\nplease post an issue.\n\n## Help Screen:\n\n```\n$ python hostintel.py -h\nusage: hostintel.py [-h] [-a] [-d] [-v] [-p] [-s] [-c] [-t] [-o] [-i] [-r]\n                    ConfigurationFile InputFile\n\nModular application to look up host intelligence information. Outputs CSV to\nSTDOUT. 
This application will not output information until it has finished all\nof the input.\n\npositional arguments:\n  ConfigurationFile     Configuration file\n  InputFile             Input file, one host per line (IP, domain, or FQDN\n                        host name)\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -a, --all             Perform All Lookups.\n  -d, --dns             DNS Lookup.\n  -v, --virustotal      VirusTotal Lookup.\n  -p, --passivetotal    PassiveTotal Lookup.\n  -s, --shodan          Shodan Lookup.\n  -c, --censys          Censys Lookup.\n  -t, --threatcrowd     ThreatCrowd Lookup.\n  -o, --otx             OTX by AlienVault Lookup.\n  -i, --isc             Internet Storm Center DShield Lookup.\n  -r, --carriagereturn  Use carriage returns with new lines on csv.\n```\n\n# Install:\n\nFirst, make sure your configuration file is correct for your\ncomputer/installation.  Add your API keys and usernames as appropriate\nin the configuration file.  Python and Pip are required to run this\ntool.  There are modules that must be installed from GitHub, so be\nsure the git command is available from your command line.  Git is easy\nto install for any platform.  Next, install the python requirements\n(run this each time you git pull this repository too):\n\n```\n$ pip install -r requirements.txt\n```\n\nThere have been some problems with the stock version of Python on Mac\nOSX\n(http://stackoverflow.com/questions/31649390/python-requests-ssl-handshake-failure).\nYou may have to install the security portion of the requests library\nwith the following command:\n\n```\n$ pip install requests[security]\n```\n\nLastly, I am a fan of virtualenv for Python.  
To make a customized local installation of\nPython to run this tool, I recommend you read:  http://docs.python-guide.org/en/latest/dev/virtualenvs/\n\n# Running:\n\n```\n$ python hostintel.py myconfigfile.conf myhosts.txt -a \u003e myoutput.csv\n```\nYou should be able to import myoutput.csv into any database or spreadsheet program.\n\n**Note that depending on your network, your API key limits, and the data you are searching for,\nthis script can run for a very long time!  Use each module sparingly!  In return for the long\nwait, you save yourself from having to pull this data manually.**\n\n## Sample Data:\n\nThere is some sample data in the \"sampledata\" directory.  The IPs, domains, and hosts\nwere picked at random and are by no means meant to target any organization or individual.\nRunning this tool on the sample data works in the following way:\n\n### Small Hosts List:\n```\n$ python hostintel.py local/config.conf sampledata/smalllist.txt -a \u003e sampledata/smalllist.csv\n*** Processing 8.8.8.8 ***\n*** Processing 8.8.4.4 ***\n*** Processing 192.168.1.1 ***\n*** Processing 10.0.0.1 ***\n*** Processing google.com ***\n*** Processing 212.227.247.242 ***\n*** Writing Output ***\n```\n\n### Larger Hosts List:\n```\n$ python hostintel.py local/config.conf sampledata/largerlist.txt -a \u003e sampledata/largerlist.csv\n*** Processing 114.34.84.13 ***\n*** Processing 116.102.34.212 ***\n*** Processing 118.75.180.168 ***\n*** Processing 123.195.184.13 ***\n*** Processing 14.110.216.236 ***\n*** Processing 14.173.147.69 ***\n*** Processing 14.181.192.151 ***\n*** Processing 146.120.11.66 ***\n*** Processing 163.172.149.131 ***\n\n...\n\n*** Processing 54.239.26.180 ***\n*** Processing 62.141.39.155 ***\n*** Processing 71.6.135.131 ***\n*** Processing 72.30.2.74 ***\n*** Processing 74.125.34.101 ***\n*** Processing 83.31.179.71 ***\n*** Processing 85.25.217.155 ***\n*** Processing 93.174.93.94 ***\n*** Writing Output ***\n```\n\n# Intelligence Sources:\n\nYou can get 
API keys at the sites below for your configuration file.\n\n  - GeoLite2 (No network I/O required)\n    - http://www.maxmind.com\n  - DNS (Network I/O required)\n    - https://github.com/rthalley/dnspython\n  - VirusTotal (Public API key and network I/O required, throttled when appropriate)\n    - http://www.virustotal.com\n  - PassiveTotal (API key, username, and network I/O required)\n    - http://www.passivetotal.com\n  - Shodan (API key and network I/O required)\n    - http://www.shodan.io\n  - Censys (API key, username, and network I/O required)\n    - http://www.censys.io\n  - ThreatCrowd (Network I/O required, throttled when appropriate)\n    - http://www.threatcrowd.org\n  - OTX by AlienVault (API key and network I/O required)\n    - https://otx.alienvault.com\n  - Internet Storm Center (Network I/O required)\n    - https://isc.sans.edu\n\n# Resources:\n\n   - The GeoIP2 Python library\n     - https://github.com/maxmind/GeoIP2-python\n   - The Python DNS library\n     - https://github.com/rthalley/dnspython\n     - Foundation of DNS lookups inspired by http://www.iodigitalsec.com/performing-dns-queries-python/\n   - The VirusTotal Python library\n     - https://github.com/blacktop/virustotal-api\n   - The Shodan Python library\n     - http://shodan.readthedocs.io/en/latest/\n     - https://github.com/achillean/shodan-python\n   - The Censys Python library\n     - https://github.com/censys/censys-python\n     - https://www.censys.io/api\n   - The PassiveTotal Python library\n     - https://passivetotal.readthedocs.io/en/latest/\n     - https://github.com/passivetotal/python_api\n   - The ThreatCrowd Python library\n     - https://github.com/threatcrowd/ApiV2\n     - https://github.com/jheise/threatcrowd_api\n   - The OTX Python Library\n     - https://github.com/AlienVault-Labs/OTX-Python-SDK\n     - https://otx.alienvault.com/api/\n   - The Internet Storm Center DShield Python Library\n     - https://github.com/rshipp/python-dshield\n     - 
https://isc.sans.edu/api/\n\n# Notes:\n\nCrude notes are available [here](notes/Notes.png).\n\n# License:\n\nThis application is covered by the Creative Commons BY-SA license.\n\n- https://creativecommons.org/licenses/by-sa/4.0/\n- https://creativecommons.org/licenses/by-sa/4.0/legalcode\n\n```\nThis product includes GeoLite2 data created by MaxMind, available from\n\u003ca href=\"http://www.maxmind.com\"\u003ehttp://www.maxmind.com\u003c/a\u003e.\n```\n\n# Contributing:\n\nRead [Contributing.md](Contributing.md)\n\n# To Do:\n\n - Try to incorporate https://github.com/mlsecproject/combine\n - Try to incorporate threat feeds from http://www.secrepo.com/\n - Add Malwr\n - Add column to display if input was IPv4, domain, or hostname\n - Look at https://github.com/Yelp/threat_intel\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeithjjones%2Fhostintel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeithjjones%2Fhostintel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeithjjones%2Fhostintel/lists"}