Danger zone: Correlate data between domains, IPs and email addresses
Danger zone
Correlate data between domains, IPs and email addresses, present it as a graph, and store everything in Elasticsearch and JSON files.
Cases
- Given an email address, look up the associated domains, then check those domains for other emails and IPs.
- Given a domain, look up its IPs and emails, then look for associated domains.
- Given an IP, extract the domain, then check that domain for other IPs and emails.
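The pivoting described in the three cases above, as an added example (not Danger-zone's own code). It goes slightly beyond the text by using one breadth-first walk with a depth limit for all three seed types; the function names and the sample records are assumptions constructed for illustration, using reserved example domains and documentation IP ranges instead of live module results.

```python
import json
from collections import deque

# Constructed sample records standing in for module results (whois, reverse
# whois, DNS). Not real data: reserved example domains and documentation IPs.
RECORDS = [
    {"domain": "shop.example", "emails": ["admin@corp.example"], "ips": ["192.0.2.10"]},
    {"domain": "mail.example", "emails": ["admin@corp.example", "ops@corp.example"],
     "ips": ["192.0.2.10", "198.51.100.7"]},
    {"domain": "blog.example", "emails": ["ops@corp.example"], "ips": ["203.0.113.5"]},
    {"domain": "other.example", "emails": ["nobody@else.example"], "ips": ["203.0.113.99"]},
]

def build_index(records):
    """Map every (kind, value) node to the set of nodes it is directly linked to."""
    index = {}
    for rec in records:
        dom = ("domain", rec["domain"])
        index.setdefault(dom, set())
        for kind, key in (("email", "emails"), ("ip", "ips")):
            for value in rec[key]:
                node = (kind, value)
                index[dom].add(node)
                index.setdefault(node, set()).add(dom)
    return index

def correlate(seed, index, max_depth=2):
    """Breadth-first pivot from seed; returns hop count per node and the edges followed."""
    depth, edges, queue = {seed: 0}, set(), deque([seed])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_depth:
            continue  # depth limit keeps the graph from growing without bound
        for nxt in sorted(index.get(node, ())):
            edges.add(tuple(sorted((node, nxt))))  # undirected edge, stored once
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth, edges

def to_json(depth, edges):
    """Serialise the graph as JSON, suitable for a file or a document store."""
    return json.dumps({
        "nodes": [{"type": k, "value": v, "hops": d} for (k, v), d in sorted(depth.items())],
        "edges": [{"from": a[1], "to": b[1]} for a, b in sorted(edges)],
    }, indent=2)

if __name__ == "__main__":
    nodes, links = correlate(("email", "admin@corp.example"), build_index(RECORDS))
    print(to_json(nodes, links))
```

An IP shared by many unrelated sites (shared hosting, CDNs) links domains that have nothing else in common, so IP edges are weaker evidence of common ownership than registrant-email edges and a low depth limit keeps such false links from dominating the graph.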
Modules
- Email:
  - Trumail – Email address validation (https://trumail.io/)
  - Whoxy – Reverse Whois service (https://whoxy.com/) Key needed
  - HaveIBeenPwned – Dumps (https://haveibeenpwned.com/)
  - Username check – Check username, based on email address, across social media sites (https://username-availability.herokuapp.com/)
  - Google – Query Google
- IP:
  - Geolocation – Geolocate IP (https://extreme-ip-lookup.com/)
  - Threatcrowd – Information about IP (https://github.com/AlienVault-OTX/ApiV2)
  - VirusTotal – Information about IP (https://www.virustotal.com/) Key needed
- Domain:
  - TLD – Get sponsor of particular Top Level Domain (https://raw.githubusercontent.com/mikewesthad/tld-data/master/data/tlds.json)
  - Threatcrowd – Information about the domain (https://github.com/AlienVault-OTX/ApiV2)
  - Whoxy – Whois service (https://whoxy.com/)
  - Whois history – Historical data about the domain (https://whoxy.com/)
  - Wayback Machine – Archived version of the website (http://archive.org/)
  - VirusTotal – Information about domain (https://www.virustotal.com/)
Install
git clone https://github.com/woj-ciech/Danger-zone.git
cd Danger-zone
pip install -r requirements.txt
pip install Google-search-api
For Elasticsearch setup go here
For Kibana setup go here
Edit the settings.json file and add your API keys and Elasticsearch connection details.
Usage
Graph:
A generated graph which started with fximperium[.]net
Console
The report printed to the console contains more information than the saved files.
The additional information comes from the Google results, username check and HaveIBeenPwned modules.
The most important findings are coloured in the console, which makes them easier to remember and associate.
Kibana
It creates an index named after each module, containing that module's specific information.
JSON
The following structure is created.
Source: https://github.com/woj-ciech/