GOSINT
GOSINT is an open-source intelligence (OSINT) framework for collecting, processing, and analyzing threat intelligence indicators including IPs, domains, file hashes, and URLs.
Installation
# Clone repository
git clone https://github.com/Ullaakut/Gosint
cd Gosint
# Install dependencies
go get ./...
# Build
go build
# Run
./gosint --help
Indicator Lookups
IP Address Intelligence
# Query IP reputation
gosint ip 192.168.1.1
# Geolocation lookup
gosint geoip 1.2.3.4
# ASN information
gosint asn 1.2.3.4
# WHOIS information
gosint whois 1.2.3.4
# Check blocklists
gosint ip 1.2.3.4 --blocklist
# Query shodan
gosint ip 1.2.3.4 --shodan
Domain Intelligence
# Subdomain enumeration
gosint domain target.com
# WHOIS domain info
gosint whois target.com
# DNS records
gosint dns target.com --record A,MX,NS
# Check domain reputation
gosint domain target.com --reputation
# Find subdomains
gosint subdomain target.com
File Hash Analysis
# Lookup file hash
gosint hash d41d8cd98f00b204e9800998ecf8427e
# VirusTotal query
gosint hash <hash> --virustotal
# Check against multiple sources
gosint hash <hash> --all-sources
URL Analysis
# Analyze URL
gosint url http://target.com/path
# Check URL reputation
gosint url http://target.com --reputation
# Scan URL
gosint url http://target.com --virustotal
# Extract domain from URL
gosint url http://target.com --extract-domain
Batch Processing
Process Multiple Indicators
# Process from file
gosint batch --file indicators.txt
# Format: one indicator per line
# Can be mixed types (IPs, domains, hashes)
# Output to file
gosint batch --file indicators.txt --output results.json
# Parallel processing
gosint batch --file indicators.txt --workers 10
Indicator Lists
# Process IP list
while IFS= read -r ip; do
  gosint ip "$ip"
done < ips.txt
# Domain list processing
while IFS= read -r domain; do
  gosint domain "$domain"
done < domains.txt
# Distributed processing
gosint batch --file indicators.txt --distributed
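Indicator files are often pasted from feeds and reports, so they can hold defanged values, stray whitespace, or lines starting with `-` that a command line would read as options. The script below is an added example, not part of GOSINT or of the original cheat sheet, that vets such a file before it is handed to the batch command; the function names `refang`, `classify_indicator` and `vet_indicators` are hypothetical.

```shell
#!/bin/sh
# Added example: vet an indicator file before passing it to `gosint batch --file`.

# Undo common defanging (hxxp://, [.], [:]) so feed-copied values can be parsed.
refang() {
    printf '%s\n' "$1" | sed -e 's/^hxxp/http/' -e 's/\[\.\]/./g' -e 's/\[:\]/:/g'
}

# Print ip|hash|url|domain for a well-formed indicator, otherwise "invalid".
classify_indicator() {
    case $1 in
        ''|-*) echo invalid; return 0 ;;   # empty, or would be parsed as a CLI option
    esac
    if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split into octets
        for octet in "$@"; do
            [ "$octet" -le 255 ] || { echo invalid; return 0; }
        done
        echo ip
    elif printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{32}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$'; then
        echo hash                          # MD5, SHA-1 or SHA-256 length
    elif printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/[^[:space:]]*)?$'; then
        echo url
    elif printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'; then
        echo domain
    else
        echo invalid
    fi
}

# Read FILE; print "type<TAB>value" for usable lines, report the rest on stderr.
vet_indicators() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        value=$(refang "$line")
        kind=$(classify_indicator "$value")
        if [ "$kind" = invalid ]; then
            printf 'rejected: %s\n' "$line" >&2
        else
            printf '%s\t%s\n' "$kind" "$value"
        fi
    done < "$1"
}

# Usage: vet_indicators indicators.txt | cut -f2 > vetted.txt
#        gosint batch --file vetted.txt
```

Rejected lines go to stderr, so they can be captured separately and reviewed rather than silently dropped.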
Threat Intelligence Feeds
Integrate Public Feeds
# Subscribe to threat feeds
gosint feed add https://otx.alienvault.com/api/v1/pulse/subscribed
# Download ABUSE.CH feeds
gosint feed add https://sslbl.abuse.ch/feeds/
# Feodo tracker
gosint feed add https://feodotracker.abuse.ch/feeds/
# Update feeds
gosint feed update
# List subscribed feeds
gosint feed list
Custom Feed Integration
# Add custom feed
gosint feed add --name "custom" --url http://custom-feed.com/feed.json
# Feed formats: JSON, CSV, plaintext
# Gosint will parse common indicator formats
# Automatic feed aggregation
gosint feed sync --all
Correlation and Analysis
Cross-Reference Indicators
# Find related indicators
gosint correlate 1.2.3.4
# Link domains to IPs
gosint link-domain target.com
# Infrastructure mapping
gosint map-infrastructure target.com
# Find other domains on same IP
gosint ip 1.2.3.4 --reverse-dns
Timeline Analysis
# Create timeline from indicators
gosint timeline --file indicators.txt
# Date-based correlation
gosint timeline --start 2024-01-01 --end 2024-12-31
# Export timeline
gosint timeline --output timeline.json --format json
Data Export and Integration
Export Formats
# JSON export
gosint ip 1.2.3.4 --output json
# CSV export
gosint batch --file indicators.txt --format csv
# STIX format (threat sharing)
gosint export --format stix --output indicators.stix
# TAXII format
gosint export --format taxii --output taxii-feed
Integration with Other Tools
# Export to Splunk
gosint export --splunk --hec-token <token> --hec-url https://splunk:8088
# Export to ELK Stack
gosint export --elasticsearch --host localhost:9200 --index threats
# SIEM integration
gosint export --siem splunk --config siem_config.json
Configuration
Configuration File
# gosint.yaml
sources:
  virustotal: true
  abuseipdb: true
  shodan: true
  otx: true
api_keys:
  virustotal: "your-api-key"
  shodan: "your-api-key"
  abuseipdb: "your-api-key"
output:
  format: json
  file: results.json
  append: false
threading:
  workers: 10
  timeout: 30
Examples
Investigate Suspicious IP
# Complete IP investigation
echo "1.2.3.4" | gosint ip --all-sources --output report.json
# Results include:
# - Geographic location
# - ASN information
# - Reputation scores
# - Known malware
# - Blocklist status
Domain Reconnaissance
# Comprehensive domain analysis
gosint domain target.com --verbose
# Information gathered:
# - DNS records
# - Subdomains
# - WHOIS
# - SSL certificates
# - Web technology
Malware Analysis Workflow
# 1. Get file hash from malware sample
# 2. Look up in VirusTotal
gosint hash d41d8cd98f00b204e9800998ecf8427e --virustotal
# 3. Check domains contacted
# 4. Check IPs
# 5. Correlate across feeds
# 6. Generate report
Best Practices
- Verify multiple sources: Cross-reference indicators
- Check timestamps: Ensure current threat intelligence
- Rate limiting: Respect API rate limits
- API keys: Store securely in environment variables
- Regular updates: Keep feeds current
- Documentation: Document findings and sources
Related Tools
- Shodan: Search engine for internet-connected devices
- VirusTotal: File/URL malware scanning
- AlienVault OTX: Open threat exchange
- ABUSE.CH: Malicious URL/IP tracker
- Censys: Internet scan data
Last updated: 2026-03-30