Skip to content

ransomfeed/RF-lookup

BranchesTags

Repository files navigation

RF-Lookup πŸ”

Ransomfeed Advanced Domain Monitoring Tool

RF-Lookup is an advanced tool for monitoring domains and onion sites, designed to detect DNS changes and possible seizures by law enforcement before they become public. Originally based on FBI_Watchdog.

Prerequisites

  • Python 3.7 or higher
  • Firefox (for automatic screenshots)
  • Tor (optional, for onion site monitoring)
  • Git (for cloning repositories)

Key Features

  • πŸ” DNS Monitoring: Checks changes in DNS records (A, AAAA, CNAME, MX, NS, SOA, TXT)
  • 🌐 Onion Support: Monitors .onion sites through the Tor network
  • πŸ“Έ Automatic Screenshots: Automatically captures screenshots of suspicious pages
  • πŸ“Š HTML Reports: Generates detailed reports in HTML format
  • πŸ’Ύ Local Logging: Saves all alerts in local JSON files
  • πŸ”„ Auto-Update: Automatic update system from GitHub
  • πŸ“‹ CTI Integration: Automatic extraction of domains from intelligence files deepdarkCTI - this project is a dependency from which to retrieve domain names to monitor.

Installation

  1. Clone the RF-Lookup repository:
git clone https://github.com/ransomfeed/RF-lookup.git
cd RF-lookup
  1. Clone the CTI repository (external dependency):
git clone https://github.com/fastfire/deepdarkCTI.git
  1. Install Python dependencies:
pip install -r requirements.txt

Note: The deepdarkCTI repository is an external dependency necessary for RF-Lookup to function. It contains intelligence files with domains to monitor.

  1. Configure Tor (optional, for onion site monitoring):
# On macOS with Homebrew
brew install tor

# Start Tor
tor

Usage

Basic Start

python rf_lookup.py

System Test

python test_rf_lookup.py

CTI Domain Extraction Test

python test_cti_extraction.py

Onion Seizure Detection Test

python test_onion_seizure.py

Whitelist Functionality Test

python test_whitelist.py

Configuration

Automatic CTI Domain Extraction

RF-Lookup automatically extracts domains marked as "ONLINE" from files in the deepdarkCTI/ folder:

  • markets.md - Dark web markets
  • forum.md - Forums and communities
  • ransomware_gang.md - Ransomware groups

The system automatically analyzes these files at startup and monitors all found domains.

Whitelist Configuration

RF-Lookup supports domain whitelisting to exclude specific domains from monitoring. Create a whitelist.json file:

Quick Start:

cp whitelist.example.json whitelist.json
# Edit whitelist.json with your domains

Manual Configuration:

{
  "whitelist": {
    "description": "Domains to exclude from RF-Lookup monitoring",
    "clearnet_domains": [
      "example.com",
      "test-domain.org"
    ],
    "onion_domains": [
      "example.onion"
    ],
    "enabled": true
  },
  "settings": {
    "skip_whitelisted": true,
    "log_skipped_domains": true
  }
}

Configuration Options:

  • enabled: Enable/disable whitelist functionality
  • skip_whitelisted: Skip monitoring whitelisted domains
  • log_skipped_domains: Log which domains are being skipped

Custom Domains

If you want to add custom domains, modify the extract_online_domains_from_cti() function in the rf_lookup.py file:

File Structure

RF-lookup/
β”œβ”€β”€ rf_lookup.py              # Main script
β”œβ”€β”€ test_rf_lookup.py         # Test script
β”œβ”€β”€ whitelist.example.json    # Example whitelist configuration
β”œβ”€β”€ requirements.txt          # Python dependencies
β”œβ”€β”€ README.md                 # Documentation
β”œβ”€β”€ LICENSE                   # MIT License
β”œβ”€β”€ .gitignore               # Git ignore file
β”œβ”€β”€ deepdarkCTI/             # External CTI repository (cloned separately)
β”‚   β”œβ”€β”€ markets.md
β”‚   β”œβ”€β”€ forum.md
β”‚   └── ransomware_gang.md
└── [Automatically generated files]
    β”œβ”€β”€ rf_lookup_logs/      # Log folder (created automatically)
    β”œβ”€β”€ rf_lookup_results.json # Previous DNS results
    β”œβ”€β”€ onion_lookup_results.json # Previous onion results
    └── screenshots/         # Screenshots of suspicious pages

Monitoring Features

DNS Monitoring

  • Detects changes in DNS records
  • Identifies possible seizures through suspicious NS records
  • Saves change history

Onion Monitoring

  • Checks .onion site status
  • Detects seizure pages
  • Uses Tor proxy automatically

Alert System

  • Local logging in JSON format
  • Interactive HTML reports
  • Automatic screenshots of suspicious pages

System Requirements

  • Python: 3.7 or higher
  • Firefox: For automatic screenshots of suspicious pages
  • Tor: Optional, for onion site monitoring (port 9050)
  • Git: For cloning necessary repositories
  • Operating System: Windows, macOS, Linux

Dependencies

  • dnspython - DNS resolution
  • requests - HTTP requests
  • selenium - Browser automation
  • beautifulsoup4 - HTML parsing
  • rich - Colored output
  • PySocks - SOCKS proxy support

License

This project is released under the MIT License. See the LICENSE file for details.

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/AmazingFeature)
  3. Commit your changes (git commit -m 'Add some AmazingFeature')
  4. Push to the branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

External Dependencies

  • deepdarkCTI: Intelligence repository containing domains to monitor. Must be cloned separately in the project folder.

Disclaimer

This tool is intended exclusively for educational and research purposes. Users are responsible for complying with local laws and applicable regulations.

About

Ransomfeed Advanced Domain Monitoring Tool, to detect law enforcement and seizures

ransomfeed.it

Topics

osint cybersecurity ransomware fbi cybercrime osint-tool

Resources

Readme

License

View license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages