ThreatPinchLookup
Documentation and Sharing Repository for ThreatPinch Lookup Chrome & Firefox Extension
ThreatPinch Lookup
Introduction
ThreatPinch Lookup creates informational tooltips when hovering over an item of interest on any website. It helps speed up security investigations by automatically providing relevant information upon hovering over any IPv4 address, MD5 hash, SHA2 hash, and CVE title. It's designed to be completely customizable and work with any REST API.

A sample of the type of data that can be displayed when hovering over an IPv4 address.

See it in action on Cisco Talos Blog.

Search and pivot using the graph
Current IOC Support
- IPv4
- MD5
- SHA1
- SHA2
- CVE
- FQDN (EFQDN is for Internet FQDN, IFQDN is for internal domains)
- Bitcoin
- URL
- Add your own in the options with regex!
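
An added example (not ThreatPinch Lookup's own code) of how regex-defined lookup types like those listed above can classify observables found in page text. The patterns, the `IPv4-private` label, the refanging of `[.]` and the sample text are all assumptions constructed for illustration; the private-address check covers the full 172.16.0.0/12 range, the RFC1918 edge case the release notes mention.

```javascript
// Added example: patterns and type names are assumptions, not the extension's definitions.
const IOC_PATTERNS = [
  ["CVE",  /^CVE-\d{4}-\d{4,}$/i],
  ["IPv4", /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/],
  ["SHA2", /^[a-f0-9]{64}$/i], // SHA-256 only in this sketch
  ["SHA1", /^[a-f0-9]{40}$/i],
  ["MD5",  /^[a-f0-9]{32}$/i],
  ["FQDN", /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i],
];

// RFC1918: 10/8, 172.16/12 (second octet 16 through 31), 192.168/16.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Return the first matching type, or null if the token is not an observable.
function classify(token) {
  for (const [type, re] of IOC_PATTERNS) {
    if (!re.test(token)) continue;
    // Private addresses get their own label so they are never sent to an external API.
    return type === "IPv4" && isPrivateIPv4(token) ? "IPv4-private" : type;
  }
  return null;
}

// Tokenize free text, refang "[.]", strip trailing punctuation, de-duplicate.
function extractObservables(text) {
  const found = new Map();
  for (const raw of text.split(/[\s,;()<>"']+/)) {
    const token = raw.replace(/\[\.\]/g, ".").replace(/[.:]+$/, "");
    const type = classify(token);
    if (type && !found.has(token)) found.set(token, type);
  }
  return [...found].map(([value, type]) => ({ value, type }));
}

// Constructed sample text (documentation addresses and an empty-input MD5).
const SAMPLE = "Beacon to 203.0.113.7 and 172.20.1.5 (internal), dropper MD5 " +
  "d41d8cd98f00b204e9800998ecf8427e, exploit for CVE-2017-0144 hosted at " +
  "evil[.]example.com. Also 172.32.0.1.";

console.log(extractObservables(SAMPLE));
```
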
Current Integrations
- ThreatMiner for IPv4, Email, FQDN, MD5, SHA1 and SHA2 lookups.
- Alienvault OTX for IPv4, CVE, MD5, SHA1 and SHA2 lookups.
- IBM XForce Exchange for IPv4, EFQDN lookups.
- VirusTotal for MD5, SHA1, SHA2, URL and FQDN lookups.
- Cymon.io for IPv4 lookups.
- ThreatCrowd for IPv4, FQDN and MD5 lookups.
- CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups.
- PassiveTotal for FQDN Whois lookups.
- MISP for MD5 and SHA2 (if you want more, submit an issue on this GitHub).
- Censys.io for IPv4 lookups.
- Shodan for IPv4 lookups.
- ZoomEye for IPv4 lookups.
- BlockChain.info for Bitcoin lookups.
- Bitcoin Whos Who for Bitcoin lookups.
- BTC for Bitcoin lookups.
- PulseDive for IPv4, FQDN and URL lookups.
- Recorded Future for IPv4, FQDN, MD5, SHA1 and SHA2 lookups.
- Google Safe Browsing for URL lookups.
- Have I Been Pwned for Email lookups.
- Add your own in the developers options page!
Need a new integration?
- Log a GitHub issue or reach out to @ThreatPinch on Twitter.
- Try your luck at creating your own requests with the API Wizard. Check out the YouTube video to see how it's done.
- Check out the community shared integrations.
Support
Check out the Wiki for documentation.
Please log an issue with any questions/comments. We'll respond as soon as possible.
Follow @ThreatPinch on Twitter.
YouTube channel with demos.
Chrome Web Store
You can download the ThreatPinch Lookup extension directly from the Chrome Web Store.
ThreatPinch Lite is also available. It has all the API lookups of ThreatPinch, but without the on-hover injection code. ThreatPinch Lite relies only on the highlight and right-click search, and requires only the permissions needed to make requests to APIs which do not allow CORS requests.
How can I contribute/help ThreatPinch Lookup?
The best way to help or contribute to this project is to share any custom integrations you create with the community! Otherwise, positive reviews and feedback in the Chrome Web Store and Product Hunt would be greatly appreciated!
Where is my data stored?
There is no backend server or database for ThreatPinch Lookup. All data is stored locally in PouchDB databases; it all exists in your browser. Previously, Chrome remote storage was used for some configuration items, but this proved too challenging due to limitations on the storage. Going forward, the Pouch databases will allow for some more interesting functionality.
Optionally, in the developers options you can configure a CouchDB server to sync your API responses with. See the Wiki for more details.
Firefox build?
If you are desperate for the Firefox build of ThreatPinch Lookup, I've made it temporarily available here; just click install, then ignore all the security warnings like a good security pro.
Release Notes
- 3.0.6: 2018-08-21 - Fix to not display graphs on low powered GPU devices.
- 3.0.5: 2018-04-15 - Bug fix related to POST requests.
- 3.0.4: 2018-04-08 - Various bug fixes, performance improvements.
- 3.0.3: 2018-03-26 - Break fix for details on graph.
- 3.0.2: 2018-03-26 - Improved CSV exports, Show All Pivots checkbox in the bulk search (default is to only show observables with 2 or more relations), Show Graph checkbox in bulk search to either remove or refresh graph.
- 3.0.0: 2018-03-25 - New graph, ability to pivot and perform lookup of related graph items. CSV exports for bulk lookups page. New virtual components on bulk search page. All requests and response processing performed through web workers for better performance. Added Recorded Future lookups by @cicakdinding01. Added Google Safe Browsing and Have I Been Pwned lookups. Ability to toggle lookups to work either via on hover or via search page (more intrusive popovers could be left to working only on search page).
- 2.0.24: 2018-02-18 - Added PulseDive lookups.
- 2.0.23: 2018-02-08 - Catch Jexl errors (no impact, just noise in the console).
- 2.0.22: 2018-02-08 - Fix issue where custom width settings would not persist across upgrades, added AV vendor names back to VirusTotal lookups. Expose JSON Path parent objects name with ${PINCH.LOOPPARENTS} and ${PINCH.LOOPPARENTNAME}
- 2.0.18: 2018-01-31 - Pushed 2.0.17 updates to Chrome extension. Added Zoomeye, Bitcoin WhosWho and enhanced Shodan/Censys popup data. Upgraded PouchDB to latest for performance improvements.
- 2.0.17: 2017-11-09 - Remove Firefox store links, Mozilla reviewers deactivated plugin after constant re-reviews. Will make Firefox builds available elsewhere, do not have time to deal with constant re-reviews for silly issues.
- 2.0.17: 2017-09-22 - ThreatPinch Lookup and ThreatPinch Lite are now both in the Mozilla Add-ons page. Breaking changes were made to the expressions (icons, indicators). Icons should be easier to use in the future. Loop conditions were removed; if you need them, use JSON Path arguments to filter content. Reliance on unsafe-eval was removed. These changes will be migrated to the Chrome Extension after some additional testing. Firefox versions should be fully functional at this point; if not, please report any issues.
- 2.0.14: 2017-09-18 - Full ThreatPinch Lookup XPI file for Firefox available in this repo, still some minor bugs related to the drag and drop. Working on cleaning up some items to get it through the Mozilla Add-ons review process.
- 2.0.14: 2017-09-16 - ThreatPinch Lite published for Firefox in Mozilla Add-ons, still pending review.
- 2.0.14: 2017-09-03 - Minor fixes to search page for case sensitive lookups. Fix pivots for case sensitive IoCs.
- 2.0.10: 2017-09-03 - Added preservecase flag for Lookup Types, added blockchain.info Request Lookups for bitcoin address lookups.
- 2.0.9: 2017-05-25 - Fix for dataType mismatch in some response processing.
- 2.0.8: 2017-05-20 - Performance updates for pivot collections, long json responses, faster json parsing.
- 2.0.7: 2017-05-19 - Modified z-index for popover, improved placement code, fixed issue with RFC1918 detection on 172.16/12 subnet ranges.
- 2.0.5: 2017-05-17 - Fixes for popover placement edge cases.
- 2.0.4: 2017-05-17 - Added MAC address request type provided by @gd1eh, additional styling fixes for edge cases.
- 2.0.3: 2017-05-16 - Added "Block TP on this site" button to page action. Easy way to add the current domain to the global exclude list, which prevents the inject.js file from running on that page.
- 2.0.2: 2017-05-15 - Minor updates to migration code to keep user defined settings in lookup types, fix for extension id in custom lookup URL creation.
- 2.0.0: 2017-05-14 - Blocker button addition, enhanced wizard functionality, shareable custom integration links, removed span wrapping of observables, improved iframe support by moving popovers to active window instead of iframe, JSONPath support, style updates, minor bug fixes.
- 1.0.53: 2017-04-10 - Minor updates to popover styles.
- 1.0.51: 2017-04-09 - Added custom API integration wizard, be careful, it's still in early stages and has no validation!
- 1.0.50: 2017-04-05 - Fix for REST API responses which return with content type HTML. Added ThreatCrowd Lookups for IPV4, EFQDN and MD5. Added API group for ThreatCrowd for future API rate limiting, ThreatCrowd does not require an API key.
- 1.0.49: 2017-04-04 - Refactored some functionality to tighten extension permissions. Created ThreatPinch Lite build which is essentially the same plugin without the inject.js file to create the on hover tool tips.
- 1.0.46: 2017-04-03 - Another update to the migration code (sigh). Things will be sm
