As a prerequisite for Harpoon, you need to install the lxml requirements; on Debian/Ubuntu:
sudo apt-get install libxml2-dev libxslt-dev python3-dev
You need to have geoipupdate installed and correctly configured for geolocation to work (make sure you have
GeoLite2-Country, GeoLite2-City and GeoLite2-ASN as
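A quick pre-flight check for the geoipupdate requirement above, added here as an example and not part of Harpoon itself: it parses a geoipupdate-style GeoIP.conf and reports which of the three GeoLite2 editions the README asks for are not listed, and optionally which downloaded .mmdb files are missing from the database directory. It assumes the geoipupdate configuration format (an EditionIDs line with a space-separated list and a DatabaseDirectory line, default /usr/share/GeoIP); the sample configuration is constructed, with placeholder account values.

```python
import re
from pathlib import Path

# The three editions the README says Harpoon's geolocation needs.
REQUIRED_EDITIONS = ("GeoLite2-Country", "GeoLite2-City", "GeoLite2-ASN")


def parse_geoip_conf(text):
    """Parse a geoipupdate-style GeoIP.conf into a dict of directive -> value.

    Blank lines and '#' comments are skipped; the directive is the first word
    on a line and the value is the rest of the line. Assumption: geoipupdate's
    format, where EditionIDs is a space-separated list of edition names.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def configured_editions(conf):
    """Set of edition names listed on the EditionIDs line (empty if absent)."""
    return set(conf.get("EditionIDs", "").split())


def missing_editions(text):
    """Required editions that the given GeoIP.conf text does not list, sorted."""
    have = configured_editions(parse_geoip_conf(text))
    return sorted(e for e in REQUIRED_EDITIONS if e not in have)


def missing_databases(conf, directory=None):
    """Configured editions whose <EditionID>.mmdb file is not on disk, sorted.

    geoipupdate writes one <EditionID>.mmdb per edition into DatabaseDirectory
    (default /usr/share/GeoIP); `directory` overrides that for testing.
    """
    base = Path(directory or conf.get("DatabaseDirectory", "/usr/share/GeoIP"))
    return sorted(
        e for e in configured_editions(conf) if not (base / f"{e}.mmdb").is_file()
    )


# Constructed sample configuration: the ASN database was forgotten.
SAMPLE_CONF = """\
# GeoIP.conf (constructed example; account values are placeholders)
AccountID 000000
LicenseKey REPLACE_ME
EditionIDs GeoLite2-Country GeoLite2-City
DatabaseDirectory /usr/share/GeoIP
"""

if __name__ == "__main__":
    missing = missing_editions(SAMPLE_CONF)
    if missing:
        print("Add to EditionIDs in GeoIP.conf:", " ".join(missing))
    else:
        print("All required GeoLite2 editions are configured.")
    conf = parse_geoip_conf(SAMPLE_CONF)
    not_downloaded = missing_databases(conf)
    if not_downloaded:
        print("Run geoipupdate; these databases are not on disk yet:", " ".join(not_downloaded))
```

Run it against your real file with `missing_editions(Path("/etc/GeoIP.conf").read_text())`; an empty list for both checks means Harpoon's geolocation lookups have the data they need.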
If you want to use the screenshot plugin, you need phantomjs and npm installed:
npm install -g phantomjs
You can simply install the package from pypi with
pip install harpoon
If the above install instructions didn't work, you can build the tool from source by executing the following commands in the terminal (this assumes you are using virtualenvs):
git clone https://github.com/Te-k/harpoon.git
cd harpoon
pip3 install .
You may want to install harpoontools to have additional commands using harpoon features.
To configure harpoon, run
harpoon config
and fill in the needed API keys. Then run
harpoon update
to download the needed files. Check which plugins are configured with
harpoon config -c
See the wiki for more information.
If you installed harpoon from pypi, just run
pip install -U harpoon
If you installed harpoon from the git repository, go to the repository and use the following commands:
git pull origin master
pip install .
After configuration the following plugins are available within the harpoon command:
- asn : Gather information on an ASN
- binaryedge : Request BinaryEdge API
- cache : Requests webpage cache from different sources
- censys : Request information from Censys database (https://censys.io/)
- certspotter : Get certificates from https://sslmate.com/certspotter
- circl : Request the CIRCL passive DNS database
- config : Configure Harpoon
- crtsh : Search in https://crt.sh/ (Certificate Transparency database)
- cybercure : Search cybercure.ai intelligence database for specific indicators
- dns : Map DNS information for a domain or an IP
- dnsdb : Requests Farsight DNSDB
- email : Gather information on an email address
- fullcontact : Requests Full Contact API (https://www.fullcontact.com/)
- github : Request Github information through the API
- googl : Requests Google url shortener API
- greynoise : Request information from GreyNoise API (pick Community or Enterprise via api_type config)
- help : Give help on a Harpoon command
- hibp : Request Have I Been Pwned API (https://haveibeenpwned.com/)
- hunter : Request hunter.io information through the API
- hybrid : Requests Hybrid Analysis platform
- intel : Gather information on a domain
- ip : Gather information on an IP address
- ipinfo : Request ipinfo.io information
- koodous : Request Koodous API
- malshare : Requests MalShare database
- misp : Get information from a MISP server through the API
- numverify : Query phone number information from NumVerify
- opencage : Forward/Reverse Geocoding using OpenCage
- otx : Requests information from AlienVault OTX
- permacc : Request Perma.cc information through the API
- pgp : Search for information in PGP key servers
- pt : Requests Passive Total database
- pulsedive : Request PulseDive API
- quad9 : Check if a domain is blocked by Quad9
- robtex : Search in Robtex API (https://www.robtex.com/api/)
- safebrowsing : Check if the given domain is in Google Safe Browsing list
- save : Save a webpage in cache platforms
- screenshot : Takes a screenshot of a webpage
- securitytrails : Requests SecurityTrails database
- shodan : Requests Shodan API
- spyonweb : Search in SpyOnWeb through the API
- subdomains : Research subdomains of a domain
- telegram : Request information from Telegram through the API
- threatcrowd : Request the ThreatCrowd API
- threatgrid : Request Threat Grid API
- threatminer : Requests ThreatMiner database (https://www.threatminer.org/)
- tor : Check if an IP is a Tor exit node listed in the public list
- totalhash : Request Total Hash API
- twitter : Requests Twitter API
- umbrella : Check if a domain is in Umbrella Top 1 million domains
- update : Update Harpoon data
- urlhaus : Request urlhaus.abuse.ch API
- urlscan : Search and submit urls to urlscan.io
- vt : Request Virus Total API
- xforce : Query IBM Xforce Exchange API
- zetalytics : Search in Zetalytics database
You can get information on each command with
harpoon help COMMAND
- AlienVault OTX
- CertSpotter : paid plans provide search in expired certificates (little interest imho, just use crtsh or censys). You don't need an account for current certificates.
- CIRCL Passive DNS
- Farsight Dnsdb
- GreyNoise : supports both Community and Enterprise API. Use api_type config setting to specify which API type to use. Both still require an API key to work.
- Have I Been Pwned
- Hybrid Analysis
- IBM Xforce Exchange
- Security Trails
- Telegram : Create an application
- Total Hash
- Virus Total : for public, create an account and get the API key in the Settings page
Thanks to the people who helped improve Harpoon: @jakubd @marrouchi @grispan56 @christalib
Credits for the logo goes to @euphoricfall and the PulseDive team
This code is released under GPLv3 license.
Originally posted at: https://github.com/Te-k/harpoon