Integration with 3rd party tools

This module will search the hash (sha512) of every content received for a capture, and give contextual information in the investigation popup.

SaneJS uses CDNJS as a datasource. If the hash matches, you will see the library name, version and exact file matching in CDNJS.

The module is enabled by default, as SaneJS is publicly available, but you can change that by setting the enabled to false in config/modules.json, section SaneJS.

allow_auto_trigger is currently not used.

This module will do a whois lookup for the domains (including CNAMEs) and IPs listed in the investigation pop-up.

uWhoisd queries the whois servers using the command line whois command.

The module is not enabled by default. In order to use it, you need to run your own instance of uWhoisd and configure the ipaddress and port accordingly in config/modules.json, and set enabled to true in section UniversalWhois.

allow_auto_trigger will automatically trigger a whois lookup for each domains, CNAMEs, and IPs for all the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

This module allows to submit a downloaded file to a Pandora instance.

The module is not enabled by default but if you have a pandora instance available, you simply need to se the url key to the appropriate value (ex.: https://my.pandora.instance).

This module triggers a request against the Passive DNS endpoint of RiskIQ for the domain of the final URL (after all the redirects).

The module is not enabled by default because you need to create an account, and use an API key.

Important: the query limit for a standard API key is very low, so you will hit it very fast if you do not have a paid plan with them.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

This module generates the hash (SHA1) of all the ressources of a capture and search them on Hashlookup. Hashlookup is a public API to lookup hash values against known database of files (the list of sources is on the website).

The module isn’t enabled by default. If you want to enable it, you need to set enabled to true in config/modules.json, section Hashlookup, and you will use the public instance.

allow_auto_trigger will automatically trigger a lookup for all the ressources immediately after the capture is done. If you turn it to false, the lookup will be triggered when you click on Hashlookup hits in the menu of the capture page.

Note: The link to view the hits will only be visible to authenticated users.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

Phishtank is a service that analizes and validates phishing webistes, they also provide an hourly dump of the currently active phishing URLs they’re aware of. In order to avoid too many queries on the public API, we developped a simple standalone system called Phishtank Lookup that loads the hourly dump and makes it accessible via its API.

The only URLs passed to the module are the ones up to the rendered page. Soon, we will add a lookup for the IP address and URLs of all the entries on the tree.

The module is not enabled by default. In order to use it, you can either use the public instance, or install your own instance of Phishtank Lookup.

To enable it, set enabled to true in section Phishtank. If you install your own instance, you need to set the url key to the appropriate value (e.g. http://127.0.0.1:5300). If you use the public instance, you can leave it to null and it will default back to it.

allow_auto_trigger to true (default if the module is enabled) will automatically trigger a lookup.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

VirusTotal is well known for having a huge database of malicious binaries, but it can also analyze URLs, and will give you information about them.

By default the module will only submit the URL for analysis to Virus Total is you set autosubmit to true in config/modules.json, section VirusTotal.

The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.

The module is not enabled by default because you need to create an account, and use an API key.

Important: the query limit for a standard API key is 4/minute so you will hit it very fast if you do not have a paid plan with them.

allow_auto_trigger will automatically trigger a query (and submit if enabled) for each URLs in the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

urlscan.io is a service to scan and analyze websites. It is quite similar to Lookyloo that way, but is aimed at identifying malicious activities, and has a very different approach to represent a capture.

The similarity and differences make it a great complement to Lookyloo.

By default the module will only submit the initial URL (with referer and user-agent) for analysis to urlscan.io is you set autosubmit to true in config/modules.json, section UrlScan.

The module is not enabled by default because you need to create an account, and use an API key (you need to create an account).

There are a few options to configure the visibility of the captures you’re making on urlscan.io, and you can configure it with the force_visibility key:

Important: The API key is rate limited and you should keep an eye on the quotas, especially since they vary depending on the visibility you’re using.

allow_auto_trigger will automatically submit the URL (if autosubmit is enabled) for each URLs. Be careful with the quotas of the key you’re using with this feature.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

Connecting Lookyloo to MISP - Open Source Threat Intelligence Platform will make it possible to share captures within your sharing community.

To use this module, you need to have access to a MISP instance and set at least an url and an apikey in config/modules.json, section MISP. You may also want to set verify_tls_cert to false if you’re using a self-signed certificate, and modify the timeout if the MISP instance is very slow.

allow_auto_trigger is currently not used.

Important: the MISP publish and lookup features are only available for authenticated users.

Phishing Initiative is a database of known phishing websites.

By default the module will only submit the URL for analysis to Phishing Initiative if you set autosubmit to true in config/modules.json, section PhishingInitiative.

The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.

The module is not enabled by default because you need to create an account, and use an API key.

allow_auto_trigger will automatically trigger a query (and submit if enabled) for each URLs in the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

IntelMQ is an Open-Source OSINT processing tool.

Starting with IntelMQ 3.0, the LookyLoo expert bot enqueues a screenshotting task at the configured LookyLoo instance and saves the (public) LookyLoo link in the event data.