github.com/smicallef/spiderfoot @v4.0 sqlite

3,923 symbols 20,578 edges 514 files 1,377 documented · 35%
README


SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.

SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line. It's written in Python 3 and GPL-licensed.

FEATURES

  • Web based UI or CLI
  • Over 200 modules (see below)
  • Python 3.7+
  • YAML-configurable correlation engine with 37 pre-defined rules
  • CSV/JSON/GEXF export
  • API key export/import
  • SQLite back-end for custom querying
  • Highly configurable
  • Fully documented
  • Visualisations
  • TOR integration for dark web searching
  • Dockerfile for Docker-based deployments
  • Can call other tools like DNSTwist, Whatweb, Nmap and CMSeeK
  • Actively developed since 2012!

WANT MORE?

Need more from SpiderFoot? Check out SpiderFoot HX for:

  • 100% Cloud-based and managed for you
  • Attack Surface Monitoring with change notifications by email, REST and Slack
  • Multiple targets per scan
  • Multi-user collaboration
  • Authenticated and 2FA
  • Investigations
  • Customer support
  • Third party tools pre-installed & configured
  • Drive it with a fully RESTful API
  • TOR integration built-in
  • Screenshotting
  • Bring your own Python SpiderFoot modules
  • Feed scan data to Splunk, ElasticSearch and REST endpoints

See the full set of differences between SpiderFoot HX and the open source version here.

USES

SpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet.

You can target the following entities in a SpiderFoot scan:

  • IP address
  • Domain/sub-domain name
  • Hostname
  • Network subnet (CIDR)
  • ASN
  • E-mail address
  • Phone number
  • Username
  • Person's name
  • Bitcoin address

SpiderFoot's 200+ modules feed each other in a publisher/subscriber model to ensure maximum data extraction to do things like:

INSTALLING & RUNNING

To install and run SpiderFoot, you need at least Python 3.7 and a number of Python libraries which you can install with pip. We recommend you install a packaged release since master will often have bleeding edge features and modules that aren't fully tested.

Stable build (packaged release):

$ wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz
$ tar zxvf v4.0.tar.gz
$ cd spiderfoot-4.0
$ pip3 install -r requirements.txt
$ python3 ./sf.py -l 127.0.0.1:5001

Development build (cloning git master branch):

$ git clone https://github.com/smicallef/spiderfoot.git
$ cd spiderfoot
$ pip3 install -r requirements.txt
$ python3 ./sf.py -l 127.0.0.1:5001

Check out the documentation and our asciinema videos for more tutorials.

COMMUNITY

Whether you're a contributor, user or just curious about SpiderFoot and OSINT in general, we'd love to have you join our community! SpiderFoot now has a Discord server for seeking help from the community, requesting features or just general OSINT chit-chat.

WRITING CORRELATION RULES

We have a comprehensive write-up and reference of the correlation rule-set introduced in SpiderFoot 4.0 here.

Also take a look at the template.yaml file for a walk through. The existing 37 rules are also quite readable and good as starting points for additional rules.

MODULES / INTEGRATIONS

SpiderFoot has over 200 modules, most of which don't require API keys, and many of those that do require API keys have a free tier.

Name | Description | Type
AbstractAPI | Look up domain, phone and IP address information from AbstractAPI. | Tiered API
abuse.ch | Check if a host/domain, IP address or netblock is malicious according to Abuse.ch. | Free API
AbuseIPDB | Check if an IP address is malicious according to AbuseIPDB.com blacklist. | Tiered API
Abusix Mail Intelligence | Check if a netblock or IP address is in the Abusix Mail Intelligence blacklist. | Tiered API
Account Finder | Look for possible associated accounts on nearly 200 websites like Ebay, Slashdot, reddit, etc. | Internal
AdBlock Check | Check if linked pages would be blocked by AdBlock Plus. | Tiered API
AdGuard DNS | Check if a host would be blocked by AdGuard DNS. | Free API
Ahmia | Search Tor 'Ahmia' search engine for mentions of the target. | Free API
AlienVault IP Reputation | Check if an IP or netblock is malicious according to the AlienVault IP Reputation database. | Free API
AlienVault OTX | Obtain information from AlienVault Open Threat Exchange (OTX) | Tiered API
Amazon S3 Bucket Finder | Search for potential Amazon S3 buckets associated with the target and attempt to list their contents. | Free API
Apple iTunes | Search Apple iTunes for mobile apps. | Free API
Archive.org | Identifies historic versions of interesting files/pages from the Wayback Machine. | Free API
ARIN | Queries ARIN registry for contact information. | Free API
Azure Blob Finder | Search for potential Azure blobs associated with the target and attempt to list their contents. | Free API
Bad Packets | Obtain information about any malicious activities involving IP addresses found | Commercial API
Base64 Decoder | Identify Base64-encoded strings in URLs, often revealing interesting hidden information. | Internal
BGPView | Obtain network information from BGPView API. | Free API
Binary String Extractor | Attempt to identify strings in binary content. | Internal
BinaryEdge | Obtain information from BinaryEdge.io Internet scanning systems, including breaches, vulnerabilities, torrents and passive DNS. | Tiered API
Bing (Shared IPs) | Search Bing for hosts sharing the same IP. | Tiered API
Bing | Obtain information from bing to identify sub-domains and links. | Tiered API
Bitcoin Finder | Identify bitcoin addresses in scraped webpages. | Internal
Bitcoin Who's Who | Check for Bitcoin addresses against the Bitcoin Who's Who database of suspect/malicious addresses. | Tiered API
BitcoinAbuse | Check Bitcoin addresses against the bitcoinabuse.com database of suspect/malicious addresses. | Free API
Blockchain | Queries blockchain.info to find the balance of identified bitcoin wallet addresses. | Free API
blocklist.de | Check if a netblock or IP is malicious according to blocklist.de. | Free API
BotScout | Searches BotScout.com's database of spam-bot IP addresses and e-mail addresses. | Tiered API
botvrij.eu | Check if a domain is malicious according to botvrij.eu. | Free API
BuiltWith | Query BuiltWith.com's Domain API for information about your target's web technology stack, e-mail addresses and more. | Tiered API
C99 | Queries the C99 API which offers various data (geo location, proxy detection, phone lookup, etc). | Commercial API
CallerName | Lookup US phone number location and reputation information. | Free API
Censys | Obtain host information from Censys.io. | Tiered API
Certificate Transparency | Gather hostnames from historical certificates in crt.sh. | Free API
CertSpotter | Gather information about SSL certificates from SSLMate CertSpotter API. | Tiered API
CINS Army List | Check if a netblock or IP address is malicious according to Collective Intelligence Network Security (CINS) Army list. | Free API
CIRCL.LU | Obtain information from CIRCL.LU's Passive DNS and Passive SSL databases. | Free API
CleanBrowsing.org | Check if a host would be blocked by CleanBrowsing.org DNS content filters. | Free API
CleanTalk Spam List | Check if a netblock or IP address is on CleanTalk.org's spam IP list. | Free API
Clearbit | Check for names, addresses, domains and more based on lookups of e-mail addresses on clearbit.com. | Tiered API
CloudFlare DNS | Check if a host would be blocked by CloudFlare DNS. | Free API
CoinBlocker Lists | Check if a domain appears on CoinBlocker lists. | Free API
CommonCrawl | Searches for URLs found through CommonCrawl.org. | Free API
Comodo Secure DNS | Check if a host would be blocked by Comodo Secure DNS. | Tiered API
Company Name Extractor | Identify company names in any obtained data. | Internal
Cookie Extractor | Extract Cookies from HTTP headers. | Internal
Country Name Extractor | Identify country names in any obtained data. | Internal
Credit Card Number Extractor | Identify Credit Card Numbers in any data | Internal
Crobat API | Search Crobat API for subdomains. | Free API
Cross-Referencer | Identify whether other domains are associated ('Affiliates') of the target by looking for links back to the target site(s). | Internal
CRXcavator | Search CRXcavator for Chrome extensions. | Free API
Custom Threat Feed | Check if a host/domain, netblock, ASN or IP is malicious according to your custom feed. | Internal
CyberCrime-Tracker.net | Check if a host/domain or IP address is malicious according to CyberCrime-Tracker.net. | Free API
Darksearch | Search the Darksearch.io Tor search engine for mentions of the target domain. | Free API
Debounce | Check whether an email is disposable | Free API
Dehashed | Gather breach data from Dehashed API. | Commercial API
Digital Ocean Space Finder | Search for potential Digital Ocean Spaces associated with the target and attempt to list their contents. | Free API
DNS Brute-forcer | Attempts to identify hostnames through brute-forcing common names and iterations. | Internal
DNS Common SRV | Attempts to identify hostnames through brute-forcing common DNS SRV records. | Internal
DNS for Family | Check if a host would be blocked by DNS for Family. | Free API
DNS Look-aside | Attempt to reverse-resolve the IP addresses next to your target to see if they are related. | Internal
DNS Raw Records | Retrieves raw DNS records such as MX, TXT and others. | Internal
DNS Resolver | Resolves hosts and IP addresses identified, also extracted from raw content. | Internal
DNS Zone Transfer | Attempts to perform a full DNS zone transfer. | Internal
DNSDB | Query FarSight's DNSDB fo

Core symbols most depended-on inside this repo

debug · called by 1254 · sflib.py
notifyListeners · called by 905 · spiderfoot/plugin.py
error · called by 629 · sflib.py
setup · called by 509 · modules/sfp_isc.py
setTarget · called by 279 · spiderfoot/plugin.py
handleEvent · called by 273 · modules/sfp_isc.py
fetchUrl · called by 260 · sflib.py
tempStorage · called by 244 · spiderfoot/plugin.py

Shape

Method 3,378
Class 501
Function 40
Route 4

Languages

Python 99%
TypeScript 1%

Modules by API surface

test/unit/test_spiderfoot.py · 100 symbols
test/unit/spiderfoot/test_spiderfootdb.py · 86 symbols
sflib.py · 68 symbols
test/unit/test_spiderfootwebui.py · 56 symbols
sfwebui.py · 50 symbols
test/unit/test_spiderfootcli.py · 48 symbols
test/integration/test_sfwebui.py · 45 symbols
sfcli.py · 44 symbols
spiderfoot/db.py · 34 symbols
spiderfoot/plugin.py · 33 symbols
test/unit/spiderfoot/test_spiderfoottarget.py · 32 symbols
test/unit/spiderfoot/test_spiderfootplugin.py · 30 symbols

Dependencies from manifests, versioned

alertifyjs 1.13.1 · 1×
bootstrap 3.4.1 · 1×
d3 3.5.17 · 1×
jquery 3.6.0 · 1×
sigma 1.2.1 · 1×
tablesorter 2.31.3 · 1×
CherryPy 18.6.1 · 1×
ExifRead 2.3.2 · 1×
Mako 1.1.5 · 1×
PyPDF2 1.26.0 · 1×
adblockparser 0.7 · 1×
beautifulsoup4 4.10.0 · 1×

For agents

$ claude mcp add spiderfoot \
  -- python -m otcore.mcp_server <graph>
