HakiChecker

Check reputation of IP/url/hash/file in bulk with mutiple OSINT

Install / Use

/learn @GearZer0/HakiChecker
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Tools

There are 2 tools available.

1. HakiChecker tool

Checks reputation of IP addresses, Urls, Hashes or Files from multiple OSINTs.
It supports **screenshot mode** where screenshot of the OSINT results are taken automatically.

2. AutomateEmail tool

The AutomateEmail tool automatically downloads the attachment from an email, extracts the IP addresses
from the attachment, runs them through HakiChecker.py for an IP reputation check and then emails the results.
Scroll below for the setup instructions.

1. HakiChecker

Checks reputation of IP addresses, Urls, Hashes or Files from multiple OSINTs. It supports screenshot mode where screenshot of the OSINT results are taken automatically.

OSINT used

IP Address Reputation Check
  • IBM, VirusTotal, AbuseIPDB, FraudGuard, Auth0, CiscoTalos

    CiscoTalos is only checked when Screenshot mode is enabled.

URL Reputation Check
  • Virustotal, IBM, GoogleSafeBrowsing, PhishTank, URLscan.io, CiscoTalos

    Both CiscoTalos and URLscan.io will only be checked when screenshot mode is enabled. URLscan.io also provides a screenshot of the target URL itself, in addition to the screenshot of its own results page.

Multiple file Scan
  • Virustotal

    File can be of any size. Any file larger than 32 MB will take a longer time (around a few minutes) and anything that goes over 200 MB may affect the performance.

Hash Reputation and Equivalent Hash Check
  • Virustotal

    Accepts SHA-1, SHA-256 and MD5 hashes and returns the equivalent hashes together with the reputation.

Safe or block?

A URL/IP displays "Safe" in the Action column of the output when every OSINT returns its default score (no IOC is found) or N/A (the lookup was unsuccessful). Everything else is flagged as "To block".

Below are the Safe scores (each OSINT's default score when no IOC is found):

  IP
    - IBM : 1 out of 10 | Unknown
    - Virustotal : 0 out of x
    - AbuseIPDB : 0 out of 100
    - FraudGuard : 1 out of 5
    - Auth0 : 0
    - CiscoTalos : Neutral | Favorable | Trusted | Unknown           (Only for screenshot mode)

  URL
    - Virustotal : 0 out of x
    - IBM : 1 out of 10 | Unknown
    - GoogleSafeBrowsing : Safe
    - Phish Tank : False | Unknown
    - Urlscan.io : 0 out of 100                                     (Only for screenshot mode)
    - CiscoTalos : Neutral | Favorable | Trusted | Unknown           (Only for screenshot mode)

Anything other than the above (except N/A) will be flagged as "To block".

Results

All the results will be saved in the Results folder (Not applicable for single search mode).

Syntax:  Results/<type of check>_<year>-<month>-<day>_<24hr time>.csv
Example: Results/ip_2020-05-06_0958.csv

When screenshot mode is enabled (-ss), all the images will be saved in Images folder as a .png file. Screenshot will be saved for both normal mode and single check mode.

Syntax:  Images/<type of check>/<ip address/urldomain/hash/filename>_<OSINT>.png
Example: Images/ip/8.8.8.8_IBM.png
         Images/url/something.com_URLScan.png
         Images/hash/xxxxxxxxxxxxxxx_VirusTotal.png
         Images/file/nameoffile_VirusTotal.png   ** example from input C:/Users/xxxx/Downloads/sample.pdf
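The "Safe or block?" rule and the Results/Images naming above, worked through as an added Python example (editor-supplied code, not part of HakiChecker): it transcribes the Safe-score table, applies the N/A rule per source, and builds the output paths. The function names `is_safe`, `row_action`, `results_path` and `image_path` are chosen here; taking the file-name stem for file checks and the host part of a URL for URL checks are assumptions about how the tool derives `nameoffile` and `urldomain` in the path syntax.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Default ("Safe") scores per OSINT, transcribed from the README table above.
# "0 out of x" means: numerator 0, any denominator (VirusTotal's engine count varies).
SAFE_SCORES = {
    "ip": {
        "IBM": {"1 out of 10", "Unknown"},
        "Virustotal": {"0 out of x"},
        "AbuseIPDB": {"0 out of 100"},
        "FraudGuard": {"1 out of 5"},
        "Auth0": {"0"},
        "CiscoTalos": {"Neutral", "Favorable", "Trusted", "Unknown"},
    },
    "url": {
        "Virustotal": {"0 out of x"},
        "IBM": {"1 out of 10", "Unknown"},
        "GoogleSafeBrowsing": {"Safe"},
        "PhishTank": {"False", "Unknown"},
        "Urlscan.io": {"0 out of 100"},
        "CiscoTalos": {"Neutral", "Favorable", "Trusted", "Unknown"},
    },
}

_OUT_OF = re.compile(r"^\s*(\d+)\s+out\s+of\s+(\S+)\s*$", re.IGNORECASE)


def is_safe(kind: str, source: str, value: str) -> bool:
    """True if one OSINT result is at its default score or N/A (README rule)."""
    value = value.strip()
    if value.upper() == "N/A":
        return True  # unsuccessful lookup counts as Safe per the README
    allowed = SAFE_SCORES[kind].get(source)
    if allowed is None:
        raise ValueError(f"unknown OSINT {source!r} for kind {kind!r}")
    m = _OUT_OF.match(value)
    if m:  # "N out of M": numerator must match, denominator may be the wildcard x
        for entry in allowed:
            am = _OUT_OF.match(entry)
            if am and am.group(1) == m.group(1) and am.group(2) in ("x", m.group(2)):
                return True
        return False
    return value.casefold() in {a.casefold() for a in allowed}


def row_action(kind: str, results: Dict[str, str]) -> Dict[str, object]:
    """Apply the rule to one IP/URL row: Safe only if no source flags it.

    Sources that returned N/A are reported separately so an analyst can see
    rows that are 'Safe' only because a lookup failed (rate limit, missing key).
    """
    flagged: List[str] = []
    unavailable: List[str] = []
    for source, value in results.items():
        if value.strip().upper() == "N/A":
            unavailable.append(source)
        elif not is_safe(kind, source, value):
            flagged.append(source)
    return {
        "action": "To block" if flagged else "Safe",
        "flagged_by": flagged,
        "unavailable": unavailable,
    }


def results_path(kind: str, when: Optional[datetime] = None) -> str:
    """Results/<type>_<YYYY-MM-DD>_<HHMM>.csv, matching the README example."""
    when = when or datetime.now()
    return f"Results/{kind}_{when.strftime('%Y-%m-%d_%H%M')}.csv"


def image_path(kind: str, target: str, osint: str) -> str:
    """Images/<type>/<target>_<OSINT>.png for screenshot mode."""
    if kind == "file":
        # Assumption: the screenshot is named after the input file's stem,
        # so C:/Users/xxxx/Downloads/sample.pdf -> sample. Handles / and \ paths.
        target = PureWindowsPath(target).stem
    elif kind == "url":
        # Assumption: "urldomain" is the host part of the URL.
        target = urlparse(target if "://" in target else "//" + target).netloc or target
    return f"Images/{kind}/{target}_{osint}.png"


if __name__ == "__main__":
    # Constructed sample row, not real lookup output.
    sample = {"IBM": "1 out of 10", "Virustotal": "0 out of 70", "AbuseIPDB": "N/A", "Auth0": "0"}
    print(row_action("ip", sample))
    print(results_path("ip", datetime(2020, 5, 6, 9, 58)))
```

Because the README treats N/A as Safe, a quota exhaustion or a missing API key makes a source silently drop out of the verdict; the `unavailable` list in `row_action` is there so those rows can be re-run once the source is reachable again.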

Requirements

1. Basic Installations

  • Python 3 + pip
  • Git (optional)

2. Clone Repo or Download

After installation of Git, type this into Git Bash. Note that this is just one of the many ways to clone a repository.

git clone https://github.com/GearZer0/HakiChecker.git

Then install the requirements via:

pip install beautifulsoup4==4.9.0 pywin32==227 validator-collection==1.4.1 xlrd==1.2.0 requests==2.23.0 selenium==3.141.0

If it does not work later, install all the possible requirements via

pip install -r requirements.txt

3. Setup Screenshot Mode

Screenshot mode and the CiscoTalos check use Selenium, which requires a browser driver.

  1. Check Google Chrome version from chrome settings > about Chrome
  2. Download chrome driver with correct version from here
  3. Unzip the downloaded zip file
  4. Open up config.txt and, on the first line, append the directory which contains the driver after drive = . For example:
    drive = C:/Users/xxxx/Downloads/chromedriver.exe

4. Get API KEYS

IBM:

IBM X-Force provides an API to get the reputation details of IP addresses, URLs and hashes. This script only uses IBM to check IPs and URLs. The public API supports 5,000 API requests per month.

  1. Login to IBM and get API KEY and API PASSWORD
  2. Open up config.txt and under [IBM], append API KEY after ibm_key = and append API PASSWORD after ibm_pass =

Fraudguard.io:

FraudGuard provides API to check IP reputation. Its public API supports 1000 requests per month.

  1. Login to fraudguard.io and get API KEY USERNAME and PASSWORD
  2. Input API KEY USERNAME and PASSWORD into config.txt under [FraudGuard] in this format USERNAME:PASSWORD
  3. (optional) Can create more than 1 set of usernames and passwords and store in config.txt as fg_keys = USERNAME:PASSWORD, USERNAME2:PASSWORD2

Score Definition:

1 = No Risk
2 = Spam or Website Abuse (excessive scraping, resource linking or undesired site automation)
3 = Open Public Proxy
4 = Tor Node
5 = Honeypot, Malware, Botnet or DDoS Attack

AbuseIPDB:

AbuseIPDB provides reputation check on IP Addresses. Its public API supports 1000 API requests per day.

  1. Login to AbuseIPDB and get API KEY
  2. Open up config.txt and under [AbuseIPDB], append API KEY after abip_key =

Auth0:

Auth0 checks reputation of IP Addresses. Public API supports 4000 API requests per day or 40,000 hits per day, where each API consumes 10 hits.

  1. Login to Auth0 and get API KEY
  2. Open up config.txt and under [Auth0], append API KEY after auth0_key =

Score Definition:

 0: Auth0 Signals is neutral about the IP address given. It means the service cannot find the IP address in any given individual service and cannot classify the IP as risky.
-1: Auth0 Signals has detected the IP address in one of the checks. This is the lowest level of risk of an IP address.
-2: Auth0 Signals has detected the IP address in two checks. This is the medium level of risk of an IP address.
-3: Auth0 Signals has detected the IP address in all the checks. This is the highest risk level of an IP address.

Virustotal:

VirusTotal is one of the most comprehensive OSINTs. It can check IPs, URLs, hashes and files. The public API supports 4 requests per minute.

  1. Login to Virustotal and get API KEY
  2. Open up config.txt and under [Virus Total], append API KEY after vt_key =

urlscan.io:

URLscan.io can check URLs and take screenshots. It generally takes a long time, so it is only enabled in screenshot mode.

  1. Login to urlscan.io and get API KEY
  2. Open up config.txt and under [URLscan], append API KEY after urlscan_key =

GoogleSafeBrowsing:

Google Safe Browsing is used to look up URLs; any URL found in its lists is considered unsafe.

  1. To generate API Keys, login to your gmail account and follow this guide
  2. Open up config.txt and under [Google Safe], append API KEY after google_key =

Threat Definition:

THREAT_TYPE_UNSPECIFIED             Unknown
MALWARE                             Malware threat type
SOCIAL_ENGINEERING                  Social engineering threat type
UNWANTED_SOFTWARE                   Unwanted software threat type
POTENTIALLY_HARMFUL_APPLICATION     Potentially harmful application threat type

PhishTank:

PhishTank is used to check for phishing sites.

  1. Login to Phish Tank and register for a new application to get API KEY
  2. Open up config.txt and under [Phish Tank], append API KEY after phish_key =
  3. phish_user should be a name describing the application's use, or it can be left blank. The API supports 2000 requests per 5 minutes.

Score Definition:

Unknown:        The URL does not exist in the database
False:          The URL is determined as not a phish
Questionable:   Phishtank is in the process of determining whether the URL which was reported is a phish
Phish:          Phishtank has detected the URL as a phish

Cisco Talos:

Cisco Talos checks IP and URL reputation. It requires the Chrome driver, which should have been installed earlier when setting up screenshot mode in step 3.

Web Reputation Levels:

Trusted:        Displaying behavior that indicates exceptional safety
Favorable:      Displaying behavior that indicates a level of safety
Neutral:        Displaying neither positive nor negative behavior. However, has been evaluated.
Questionable:   Displaying behavior that may indicate risk, or could be undesirable
Untrusted:      Displaying behavior that is exceptionally bad, malicious, or undesirable
Unknown:        Not previously evaluated, or lacking features to assert a threat level verdict
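Putting the config.txt steps above together, as an added example (editor-supplied, not HakiChecker's own code): a parser for the layout the steps describe, a pre-flight check of which OSINTs are fully configured, and round-robin rotation over the FraudGuard `fg_keys` pairs. The sample config is constructed with placeholder values, and the exact line layout (the `drive =` line first, then one `[section]` per OSINT with the keys named in the steps) is an assumption drawn from the steps; HakiChecker may read the file differently.

```python
from itertools import cycle
from typing import Dict, Iterator, List, Tuple

# Constructed sample of config.txt laid out as the setup steps describe it.
# Every value is a placeholder, not a real credential.
SAMPLE_CONFIG = """\
drive = C:/Users/xxxx/Downloads/chromedriver.exe
[IBM]
ibm_key = IBM-KEY-PLACEHOLDER
ibm_pass = IBM-PASS-PLACEHOLDER
[FraudGuard]
fg_keys = USERNAME:PASSWORD, USERNAME2:PASSWORD2
[AbuseIPDB]
abip_key = ABIP-KEY-PLACEHOLDER
[Auth0]
auth0_key =
[Virus Total]
vt_key = VT-KEY-PLACEHOLDER
[URLscan]
urlscan_key =
[Google Safe]
google_key = GOOGLE-KEY-PLACEHOLDER
[Phish Tank]
phish_key = PHISH-KEY-PLACEHOLDER
phish_user = HakiChecker-SOC
"""

# OSINT name -> (config section, keys that must be non-empty for it to work).
# phish_user is deliberately absent: the README says it may be left blank.
REQUIRED_KEYS = {
    "IBM": ("IBM", ["ibm_key", "ibm_pass"]),
    "FraudGuard": ("FraudGuard", ["fg_keys"]),
    "AbuseIPDB": ("AbuseIPDB", ["abip_key"]),
    "Auth0": ("Auth0", ["auth0_key"]),
    "Virustotal": ("Virus Total", ["vt_key"]),
    "Urlscan.io": ("URLscan", ["urlscan_key"]),
    "GoogleSafeBrowsing": ("Google Safe", ["google_key"]),
    "PhishTank": ("Phish Tank", ["phish_key"]),
}


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the config.txt layout into {section: {key: value}}.

    Keys that appear before the first [section] (the 'drive' line) are stored
    under the empty section name ''. A hand-rolled parser is used because the
    stock configparser rejects a key that precedes any section header.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # tolerate a stray line rather than abort the whole run
        sections[current][key.strip()] = value.strip()
    return sections


def chromedriver_path(cfg: Dict[str, Dict[str, str]]) -> str:
    """The driver path from the first line (screenshot mode / CiscoTalos)."""
    return cfg.get("", {}).get("drive", "")


def configured_sources(cfg: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Which OSINTs have every required key filled in.

    A source with a missing key can only ever return N/A, which the verdict
    rule treats as Safe, so this is worth checking before a bulk run.
    """
    return {
        name: all(cfg.get(section, {}).get(k) for k in keys)
        for name, (section, keys) in REQUIRED_KEYS.items()
    }


def fraudguard_credentials(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Split 'fg_keys = USER:PASS, USER2:PASS2' into (user, password) pairs."""
    raw = cfg.get("FraudGuard", {}).get("fg_keys", "")
    pairs: List[Tuple[str, str]] = []
    for item in raw.split(","):
        user, sep, password = item.strip().partition(":")
        if sep and user.strip() and password.strip():
            pairs.append((user.strip(), password.strip()))
    return pairs


def fraudguard_rotation(cfg: Dict[str, Dict[str, str]]) -> Iterator[Tuple[str, str]]:
    """Round-robin over the configured pairs so a bulk run spreads requests
    across each account's 1000-requests-per-month quota."""
    pairs = fraudguard_credentials(cfg)
    if not pairs:
        raise ValueError("no FraudGuard credentials configured")
    return cycle(pairs)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name, ok in configured_sources(cfg).items():
        print(f"{name:20s} {'configured' if ok else 'MISSING KEY -> will report N/A'}")
```

Run the pre-flight check before a large batch: in the constructed sample, Auth0 and urlscan.io have empty keys, so every row would show N/A for them and the verdict would lean on the remaining sources alone.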

Commands Available

To run the script, there are a few commands available. The input list can be a CSV or a text file.

-ip list.txt	    Choose IP Address as Parameter 
-url list.txt	    Choose url as Parameter 
-hash list.txt	    Choose hash as Parameter 
-file list.txt	    Choose file as Parameter
-sip xx.xx.xx.xx    check single IP address
-surl xxxxxx        check single url
-shash xxxxxxxx     check single hash
-ss                 Enable screenshot mode
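The command table above and the input handling it implies, as an added Python example (editor-supplied code, not HakiChecker's own): an argparse mirror of the flags, a loader that accepts either a .txt (one target per line) or a .csv (every non-empty cell), and per-type validation so that a malformed line does not consume an API request. Hash classification by hex length (MD5, SHA-1, SHA-256, the three types the README says are accepted) is included for the -hash mode. The URL shape check is a minimal assumption chosen here, not the tool's own validation.

```python
import argparse
import csv
import io
import ipaddress
import re
from pathlib import Path
from typing import List, Tuple

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed minimal URL shape: optional scheme, then a host containing a dot.
_URL_SHAPE = re.compile(r"^(\w+://)?[^\s/]+\.[^\s/]+")


def hash_type(value: str) -> str:
    """'md5', 'sha1' or 'sha256' by hex length; '' if it is none of them."""
    v = value.strip()
    return _HASH_LENGTHS.get(len(v), "") if _HEX.match(v) else ""


def parse_targets(text: str, is_csv: bool) -> List[str]:
    """Targets from txt (one per line) or csv (every cell), de-duplicated in order."""
    if is_csv:
        cells = (c for row in csv.reader(io.StringIO(text)) for c in row)
    else:
        cells = iter(text.splitlines())
    seen, out = set(), []
    for cell in cells:
        t = cell.strip()
        if t and t not in seen:
            seen.add(t)
            out.append(t)
    return out


def load_targets(path: str) -> List[str]:
    """Read a list file; the extension decides between csv and txt parsing."""
    p = Path(path)
    return parse_targets(p.read_text(encoding="utf-8"), p.suffix.lower() == ".csv")


def validate(kind: str, targets: List[str]) -> Tuple[List[str], List[str]]:
    """Split targets into (accepted, rejected) for the chosen check type."""
    ok: List[str] = []
    bad: List[str] = []
    for t in targets:
        if kind == "ip":
            try:
                ipaddress.ip_address(t)  # accepts IPv4 and IPv6 literals
                ok.append(t)
            except ValueError:
                bad.append(t)
        elif kind == "hash":
            (ok if hash_type(t) else bad).append(t)
        elif kind == "file":
            (ok if Path(t).is_file() else bad).append(t)
        else:  # url
            (ok if _URL_SHAPE.match(t) else bad).append(t)
    return ok, bad


def build_parser() -> argparse.ArgumentParser:
    """Mirror of the command table: bulk, single-target and the -ss switch."""
    p = argparse.ArgumentParser(prog="HakiChecker.py")
    mode = p.add_mutually_exclusive_group(required=True)
    mode.add_argument("-ip", metavar="list", help="IP addresses from a txt/csv file")
    mode.add_argument("-url", metavar="list", help="URLs from a txt/csv file")
    mode.add_argument("-hash", metavar="list", help="hashes from a txt/csv file")
    mode.add_argument("-file", metavar="list", help="file paths from a txt/csv file")
    mode.add_argument("-sip", metavar="xx.xx.xx.xx", help="check a single IP address")
    mode.add_argument("-surl", metavar="url", help="check a single URL")
    mode.add_argument("-shash", metavar="hash", help="check a single hash")
    p.add_argument("-ss", action="store_true", help="enable screenshot mode")
    return p


def resolve(argv: List[str]) -> Tuple[str, List[str], bool]:
    """Turn argv into (check type, targets, screenshot flag)."""
    a = build_parser().parse_args(argv)
    for kind in ("ip", "url", "hash", "file"):
        if getattr(a, kind):
            return kind, load_targets(getattr(a, kind)), a.ss
        single = getattr(a, "s" + kind, None)  # there is no -sfile
        if single:
            return kind, [single], a.ss
    raise SystemExit("no check type selected")


if __name__ == "__main__":
    kind, targets, screenshot = resolve(["-sip", "8.8.8.8", "-ss"])
    accepted, rejected = validate(kind, targets)
    print(kind, accepted, rejected, "screenshot" if screenshot else "no screenshot")
```

Rejected entries are worth writing to the console before the run: with a VirusTotal quota of 4 requests per minute, a list of a few hundred entries already takes over an hour, and each malformed line wastes one of those slots.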
GitHub Stars: 19
Category: Development
Updated: 2mo ago
Forks: 9

Languages

Python

Security Score

75/100

Audited on Jan 19, 2026

No findings