Domain-CTI

A comprehensive Cyber Threat Intelligence (CTI) analysis tool for domain investigation. This tool performs automated analysis of domains using multiple threat intelligence sources and security checks.

Features

  • WHOIS Information: Extract domain registration details
  • DNS Records Analysis: A, MX, TXT, NS records
  • SSL Certificate Inspection: Certificate validity, issuer, expiration
  • Port Scanning: Common web ports (80, 443, 8080, 8443)
  • VirusTotal Integration: Domain reputation and threat analysis
  • Shodan Integration: IP information, open ports, vulnerabilities
  • AbuseIPDB Integration: IP abuse confidence scoring
  • Subdomain Enumeration: Certificate transparency logs via crt.sh
  • Historical Data: Wayback Machine archived snapshots
  • Certificate History: Historical SSL certificates
  • Security Headers Analysis: HSTS, CSP, XSS protection, etc.

Prerequisites

Required Dependencies

The tool requires the following system dependencies:

# For Debian/Ubuntu:
sudo apt-get install whois dnsutils curl jq openssl nmap

# For RedHat/CentOS/Fedora:
sudo yum install whois bind-utils curl jq openssl nmap
# or for newer versions:
sudo dnf install whois bind-utils curl jq openssl nmap

# For macOS (using Homebrew):
brew install whois curl jq openssl nmap

API Keys Configuration

For enhanced analysis, configure the following API keys by editing the script:

  1. VirusTotal API: Get your free API key from VirusTotal
  2. Shodan API: Get your API key from Shodan
  3. AbuseIPDB API: Get your API key from AbuseIPDB

Edit the script and replace the placeholder values:

# Edit domain_cti.sh and replace these lines:
VT_API_KEY="YOUR_VIRUSTOTAL_API_KEY"
SHODAN_API_KEY="YOUR_SHODAN_API_KEY"
ABUSEIPDB_API_KEY="YOUR_ABUSEIPDB_API_KEY"

Note: The tool will work without API keys but with limited functionality for VirusTotal, Shodan, and AbuseIPDB checks.
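One way to keep the keys out of the committed script, as an added example that is not part of the Domain-CTI project: read them from a private file whose ownership and mode are checked first. The file name ~/.domain_cti.env and its KEY=value layout are assumptions of this example, not something the tool itself reads.

```shell
#!/usr/bin/env bash
# Added example, not part of Domain-CTI: load the three API keys from a
# private file instead of hard-coding them in domain_cti.sh, so the keys
# never end up in a committed script. The file name and KEY=value format
# (one per line, '#' comments allowed) are assumptions of this example.

# Load keys from $1 (default: ~/.domain_cti.env) into the environment.
# Refuses a file that is not owned by the caller or is group/world
# readable, and never sources it, so a stray line cannot run commands.
# Returns 1 when the file is absent, 2 when it is refused, 0 on success.
load_api_keys() {
    local file="${1:-$HOME/.domain_cti.env}" mode key value
    if [ ! -f "$file" ]; then
        echo "[!] No key file $file; continuing without API keys" >&2
        return 1
    fi
    [ -O "$file" ] || { echo "[!] $file is not owned by you; refusing" >&2; return 2; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")  # GNU, then BSD/macOS
    case "$mode" in
        *00) ;;   # 600, 400, 700: nobody else can read it
        *) echo "[!] $file is mode $mode; run: chmod 600 $file" >&2; return 2 ;;
    esac
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in ''|'#'*) continue ;; esac
        case "$key" in
            VT_API_KEY|SHODAN_API_KEY|ABUSEIPDB_API_KEY)
                # keys are plain tokens; reject anything shell-significant
                case "$value" in
                    '') echo "[!] Empty value for $key" >&2 ;;
                    *[!A-Za-z0-9_-]*) echo "[!] Rejecting $key: unexpected characters" >&2 ;;
                    *) export "$key=$value" ;;
                esac ;;
            *) echo "[!] Ignoring unknown key $key" >&2 ;;
        esac
    done < "$file"
    return 0
}

# Demo with a constructed key file holding placeholder values (not real keys).
DEMO_KEYS="${TMPDIR:-/tmp}/domain_cti_demo.env"
printf '%s\n' '# demo keys' 'VT_API_KEY=PLACEHOLDER_VT_KEY' \
    'SHODAN_API_KEY=PLACEHOLDER_SHODAN_KEY' > "$DEMO_KEYS"
chmod 600 "$DEMO_KEYS"
load_api_keys "$DEMO_KEYS" && echo "VT key loaded: ${VT_API_KEY:+yes}"
```

Call load_api_keys at the top of the script and keep the VT_API_KEY/SHODAN_API_KEY/ABUSEIPDB_API_KEY placeholders in domain_cti.sh empty.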

Installation

  1. Clone this repository:
git clone https://github.com/Mertvip/Domain-CTI.git
cd Domain-CTI
  2. Make the script executable:
chmod +x domain_cti.sh
  3. Install dependencies (see Prerequisites section above)
  4. Configure API keys (optional but recommended)

Usage

Single Domain Analysis

Analyze a single domain:

./domain_cti.sh -d example.com

Multiple Domain Analysis

Create a text file with domains (one per line):

# Create domains.txt
echo "example.com" > domains.txt
echo "google.com" >> domains.txt
echo "github.com" >> domains.txt

# Run analysis
./domain_cti.sh -l domains.txt

Domain List File Format

# This is a comment line (will be ignored)
example.com
google.com
malicious-domain.com
suspicious-site.org
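A reader of this list format, as an added example that is not part of the Domain-CTI script: it applies the comment and blank-line rules above and only passes on syntactically valid hostnames, so an entry containing shell metacharacters is reported and skipped rather than handed to whois, dig or curl. The sample list is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of Domain-CTI): read a domain list in the format
# above and pass on only syntactically valid hostnames, so that a line
# containing shell metacharacters is reported and skipped instead of being
# handed to whois/dig/curl. Assumes the comment and blank-line rules above.

# Return 0 if $1 looks like a hostname: at most 253 characters, labels of
# 1-63 letters/digits/hyphens that do not start or end with a hyphen,
# and an alphabetic top-level label of at least two characters.
is_valid_domain() {
    local d="$1"
    [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
    printf '%s' "$d" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Print the valid domains from file $1, one per line:
#  - lines whose first non-blank character is '#' are comments
#  - blank lines are ignored
#  - surrounding whitespace (including a Windows CR) is trimmed
#  - a trailing dot (absolute FQDN form) is dropped
#  - anything that fails is_valid_domain is reported on stderr
read_domain_list() {
    local file="$1" line domain
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
        line="${line%"${line##*[![:space:]]}"}"   # trim trailing whitespace
        case "$line" in ''|'#'*) continue ;; esac
        domain="${line%.}"
        if is_valid_domain "$domain"; then
            printf '%s\n' "$domain"
        else
            printf '[!] Skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$file"
}

# Constructed sample list (not a real investigation target list).
SAMPLE_LIST="${TMPDIR:-/tmp}/domain_cti_sample.txt"
printf '%s\n' '# CTI batch' 'example.com' '  GITHUB.COM.  ' '' \
    'evil.example; id' '-bad.org' 'no-tld' > "$SAMPLE_LIST"
read_domain_list "$SAMPLE_LIST"      # prints example.com and GITHUB.COM
```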

Help

Display usage information:

./domain_cti.sh -h

Output

The tool generates detailed reports for each analyzed domain:

  • Console Output: Colored progress information and summary
  • Report Files: Detailed analysis saved to domain_cti_results/DOMAIN_cti_report.txt

Sample Output Structure

=====================================================================
                         DOMAIN CTI REPORT
                     TARGET DOMAIN: example.com
                     Generated on: Mon Sep  8 19:00:00 UTC 2024
=====================================================================

=====================================================================
                         WHOIS INFORMATION
=====================================================================
Domain Name: EXAMPLE.COM
Registrar: Example Registrar Inc.
Creation Date: 1992-01-01
Expiration Date: 2025-01-01
...

=====================================================================
                         DNS RECORDS
=====================================================================
A Records:
93.184.216.34

MX Records:
0 .

TXT Records:
"v=spf1 -all"
...

=====================================================================
                         SSL CERTIFICATE
=====================================================================
Certificate Information:
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan  1 23:59:59 2025 GMT
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
subject=C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, CN = www.example.org
...

[Additional sections for VirusTotal, Shodan, Subdomains, etc.]

Security Considerations

  • API Keys: Keep your API keys secure and never commit them to version control
  • Rate Limits: Be aware of API rate limits for external services
  • Network Access: The tool requires internet access for external API calls
  • Permissions: Run with appropriate permissions for network operations

Troubleshooting

Common Issues

  1. Missing Dependencies:

    [!] Missing dependencies: whois dig curl jq

    Solution: Install the missing dependencies using your package manager.

  2. API Errors:

    Error querying VirusTotal: Invalid API key

    Solution: Verify your API key is correctly configured in the script.

  3. Network Timeouts:

    Could not resolve IP address for domain

    Solution: Check internet connectivity and DNS resolution.

  4. Permission Denied:

    bash: ./domain_cti.sh: Permission denied

    Solution: Make the script executable with chmod +x domain_cti.sh.

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Test thoroughly
  5. Submit a pull request

License

This project is open source. Please ensure you comply with the terms of service of all external APIs used by this tool.

Disclaimer

This tool is for educational and legitimate security research purposes only. Users are responsible for complying with applicable laws and the terms of service of external APIs and services used by this tool.
