darkrecon

Dark-web / OSINT reconnaissance for threat intelligence

v1.2.1

Linux

Quick Start

Install via jcli (recommended)

jcli install darkrecon

Run a lookup

darkrecon domain example.com                       # crt.sh subdomain enum
darkrecon hash 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8   # HIBP k-anonymity
darkrecon config --list                            # show configured API keys (masked)
darkrecon config --set virustotal_key <KEY>        # store a key (chmod 600)

What it does

darkrecon is a multi-source OSINT lookup CLI. Subcommands one-shot a specific kind of input — a domain, an email, a SHA-1 — against the right upstream source. Two sources need no API key (crt.sh and HIBP); the rest require an operator-stored key. Designed for the threat-intel analyst use case where you have one IOC and want every external context in one command.

Subcommand-AND-async dispatch. Async subcommands enter tokio::runtime::Builder::block_on; sync ones (here: config) short-circuit before the runtime is built. Saves startup time and keeps the dependency graph clean.
HIBP k-anonymity is privacy-preserving. The hash subcommand sends only the first 5 hex chars of the SHA-1 to pwnedpasswords, matches the suffix locally, and includes the Add-Padding: true header for timing-attack resistance. The full hash never leaves the binary. Verified with SHA-1 of "password" → 52,256,179 breaches.
crt.sh for subdomain enum. The domain subcommand queries https://crt.sh/?q=%.<domain>&output=json with a 60-second default timeout (crt.sh is notoriously slow). Multi-SAN rows are split and deduped.
Operator key vault. config --set KEY VALUE stores API keys at ${DARKRECON_HOME:-~/.darkrecon}/keys.toml with mode 0600. config --list masks values to first 4 chars: "abcd…". Strings ≤ 4 chars collapse entirely — a 3-char key can't slip through.

Subcommands

Command	Status	What it does
`domain <DOMAIN>`	working	crt.sh subdomain enumeration (no API key needed)
`hash <SHA1>`	working	HIBP pwnedpasswords k-anonymity check (no API key needed)
`email <ADDR>`	stub	HIBP v3 breach API — needs `hibp_breach_key`
`bulk -f <PATH>`	stub	Auto-detect-per-line + interleaved-throttle multi-source lookup
`config --set KEY VALUE`	working	Store an API key in `keys.toml` (chmod 600)
`config --list`	working	Show configured keys, first 4 chars only

Sources catalogue

Source	Status	Notes
crt.sh	working	No key. Slow (occasional 502/503). Used by `domain`
HIBP pwnedpasswords	working	No key. k-anonymity. Used by `hash`
HIBP v3 breach API	stub	Needs `hibp_breach_key`
VirusTotal	stub	Needs `vt_key`. File hash, URL, IP, domain reputation
Shodan	stub	Needs `shodan_key`. Host services + exposed-port intelligence
IntelX	stub	Needs `intelx_key`. Leak-site search
URLScan	stub	Needs `urlscan_key`. Public scan results for a given URL
PhishTank	stub	Needs `phishtank_key`. Community-reported phishing URLs

Privacy: the working sources are designed to leak the minimum about your queries — HIBP's k-anonymity sends only the SHA-1 prefix, crt.sh queries leak the queried domain (unavoidable). Future sources (VirusTotal, Shodan, IntelX) send the full IOC in the clear to the upstream — operator should review each source's privacy policy before automating queries about client IOCs.