New Command-Line Tool "wtfis" Impresses Security Analysts with Comprehensive OSINT Capabilities

BigGo Editorial Team

In the ever-evolving world of cybersecurity and network analysis, efficient tools that consolidate information from multiple sources are invaluable. A new command-line utility called wtfis (a clever play on the traditional whois command) has caught the attention of security professionals and analysts for its ability to gather comprehensive information about domains, FQDNs, or IP addresses using various Open Source Intelligence (OSINT) services.

A Tool Built for Human Consumption

What sets wtfis apart from similar utilities is its focus on human readability. The tool presents information in a visually appealing format with color-coded panels that make complex data easy to interpret. This design philosophy resonates with security operations center (SOC) analysts who need to quickly assess potential threats.

I'm actually surprised no one built this before; this is exactly what a SOC analyst would need.

The tool's interface organizes results into clean, readable panels that present information from multiple sources simultaneously, eliminating the need to manually query different services and piece together the results.

Comprehensive Data Sources

wtfis integrates data from several well-established security and threat-intelligence services. VirusTotal is the primary source and the only mandatory one; optionally, the tool can also pull data from IP2Whois, IPWhois, Shodan, Greynoise, URLhaus, and AbuseIPDB. Consolidating these sources gives a single view of the entity under investigation: detection and reputation results, IP resolutions, WHOIS and geolocation data, open ports, and flags for known malicious activity.

For security professionals who regularly need to investigate suspicious domains or IPs, this multi-source approach saves significant time compared to manually checking each service individually.

Data Sources Used by wtfis:

Service      Used in lookup    Required    Free tier
VirusTotal   All               Yes         Yes
IP2Whois     Domain/FQDN       No          Yes
IPWhois      IP address        No          Yes (via signup)
Shodan       IP address        No          No
Greynoise    IP address        No          Yes (via signup)
URLhaus      All               No          Yes
AbuseIPDB    IP address        No          Yes

Key Features:

  • Human-readable output with color-coded panels
  • Minimizes API calls to avoid hitting rate limits
  • Clickable hyperlinks in terminal (when supported)
  • Customizable output with various command flags
  • Docker support for containerized usage

Privacy and API Considerations

Some community members raised privacy concerns, noting that the tool requires API keys for the various services, with a VirusTotal key being mandatory. The requirement is inherent to how the tool works: every lookup sends the queried domain or IP address to each configured provider under your account, so an indicator you investigate is by definition disclosed to those providers. Users in the discussion did point out that obtaining the keys themselves does not necessarily require handing over much personal information.

The tool is also designed with API usage efficiency in mind, issuing as few calls per lookup as possible so that free-tier quotas and rate limits are not exhausted. This makes wtfis practical for day-to-day use without premium subscriptions to the underlying services.

Setup and Customization

Getting started with wtfis involves installing the tool (it is published on PyPI and is also available through package managers such as brew and conda) and configuring the necessary API keys through environment variables or a configuration file. Some users noted that the setup is somewhat tedious because of the number of keys that may be needed, but they accepted it as a necessary evil given what the tool does.

The tool offers several customization options, including setting default arguments through an environment variable, limiting the number of IP resolutions displayed, and toggling individual data sources on or off. This lets users tailor the output to their needs and to the API keys they actually hold.
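As an added example that is not part of the article or of the wtfis project, the shell snippet below wraps the setup described above: it writes the key file with owner-only permissions (the file holds API secrets), refuses to run a lookup if the file is missing, readable by others, or lacks the mandatory VirusTotal key, and only then calls the real tool. The file path (~/.env.wtfis) and the variable names (VT_API_KEY, SHODAN_API_KEY, GREYNOISE_API_KEY, ABUSEIPDB_API_KEY, WTFIS_DEFAULTS) and the -m flag are assumptions taken from the project's README as the editor recalls it; confirm them against wtfis --help for the version you install.

```shell
#!/bin/sh
# Added example, not code from the wtfis project. Assumed names (verify
# against `wtfis --help`): ~/.env.wtfis as the key file, VT_API_KEY,
# SHODAN_API_KEY, GREYNOISE_API_KEY, ABUSEIPDB_API_KEY, WTFIS_DEFAULTS,
# and -m N to cap the number of IP resolutions shown.

WTFIS_ENV="${HOME}/.env.wtfis"

# write_env_file VT_KEY [SHODAN_KEY] [GREYNOISE_KEY] [ABUSEIPDB_KEY]
# Creates the key file with mode 0600; optional keys are written only
# when given, so the tool will not try services you have no key for.
write_env_file() {
    vt=$1; shodan=$2; greynoise=$3; abuseipdb=$4
    if [ -z "$vt" ]; then
        echo "VT_API_KEY is mandatory" >&2
        return 1
    fi
    # Subshell so umask 077 does not leak into the caller's session.
    # Removing any old file first means a previously loose mode is not kept.
    (
        umask 077
        rm -f -- "$WTFIS_ENV"
        {
            echo "VT_API_KEY=$vt"
            [ -n "$shodan" ]    && echo "SHODAN_API_KEY=$shodan"
            [ -n "$greynoise" ] && echo "GREYNOISE_API_KEY=$greynoise"
            [ -n "$abuseipdb" ] && echo "ABUSEIPDB_API_KEY=$abuseipdb"
            # default arguments applied to every run (assumed -m = max resolutions)
            echo 'WTFIS_DEFAULTS="-m 5"'
        } > "$WTFIS_ENV"
    )
}

# check_env_file [FILE]
# Returns 0 only if the file exists, is not group/world readable, and
# contains a non-empty VT_API_KEY. Works with GNU and BSD stat.
check_env_file() {
    f=${1:-$WTFIS_ENV}
    if [ ! -f "$f" ]; then
        echo "$f: missing" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600 (it holds API keys)" >&2; return 1 ;;
    esac
    if ! grep -q '^VT_API_KEY=.\{1,\}' "$f"; then
        echo "$f: VT_API_KEY not set" >&2
        return 1
    fi
    return 0
}

# lookup INDICATOR
# Runs the pre-flight check, then hands the domain/FQDN/IP to wtfis.
# Remember the indicator is sent to every provider you configured.
lookup() {
    check_env_file || return 1
    wtfis "$1"
}

# Usage (from an interactive shell after sourcing this file):
#   write_env_file "$VT_KEY" "" "$GREYNOISE_KEY"
#   lookup example.com
```

The check is deliberately strict about file mode: a key file that other local users can read is the most common way an analyst leaks their VirusTotal quota or account, and a tool that reads the file happily does not warn you about it.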

In a field where speed and breadth of information gathering both matter, wtfis fills a gap by combining multiple OSINT sources behind a single, human-friendly interface. As one community member suggested, if you want a non-profane backronym, What's That Funny Internet Site? would fit the bill.

Reference: wtfis