With Lookyloo you can dissect a website while it is in motion.
Lookyloo is a web interface that captures a webpage and then displays a tree of the domains, that call each other.
Per the definition on Urban Dictionary:
People who just come to look.
People who go out of their way to look at people or something often causing crowds and more disruption.
People who enjoy staring at or watching other people’s misfortune. Oftentimes car onlookers to car accidents.
Same as Looky Lou; often spelled as Looky-loo (hyphen) or lookylou. In L.A. usually the lookyloos cause more accidents by not paying full attention to what is ahead of them.
The goal is to keep Lookyloo as focused as possible on the rendering of URLs an ease their investigation but there are quite a few usecases that are either covered by other tools that existed before, or required custom development.
Initially, the code using Playwright to capture URLs was integrated to Lookyloo itself with PlaywrightCapture but capturing an URL is a fairly common task (see Ail Framework) so it made sense to split it into a dedicated and standalone project called lacus. The advantage of using Lacus is that you can run the browsers loading arbitrary URLs on a dedicated machine that could potentially be compromised. PyLacus is the python module ou can use to integrate Lacus with your own tool.
Note that Lookyloo itself doesn’t requires a standalone lacus as it will fallback to LacusCore and run the capture on the same machine. If you want to implement a similar fallback mechanism to be able to either pick PyLacus or Lacuscore in your own project, have a look at the documentations of the respective projects, the API is made in a way it is relatively easy.
Capturing one single URL is nice, but sometimes you want to monitor it. It can either be in order to see if something unexpected changes (defacement), but also to be informed when a phishing website has been taken down, or to be informed when a newly registered domain that was a parking page becomes something else. That’s where the monitoring platform becomes useful. When enabled, you can trigger a monitoring session from Lookyloo, or via the python module, PyLookylooMonitoring.
The monitoring plarform will automatically notify you when something changes between the last two captures. The diff is done on all the URLs up to the final redirect, and by comparing the ressources loaded on that page (with the possibility to exclude some).
In order to get contact info for IPs and domains, it is handy to be able to get the relevant whois entry. uWhois will do that, but also keep a record of that entry, offering a WhoWas service too.
Sometime, URLs point to a file, and Lookyloo itself can’t do anything with that so if you enable the Pandora connector, you can submit that file (or any file encountered during the capture) to a Pandora instance and investigate it from there.
And if your pandora is configured that way, you can also submit a URL from there to Lookyloo.
Lookyloo will extract a lot of indicators out of the URL captures, and these indicators will be correlated across the captures on that lookyloo instance. It is not made (and won’t be) to either search on other Lookyloo instance, or share indicators with other systems (but you could implement it yourself using PyLookyloo if you really want to). The recommended way to do that is to use MISP as a storing/sharing platform for the indicators.