Knowledge is power—and perhaps the best way to acquire that knowledge is by using OSINT, or Open Source Intelligence. OSINT entails gathering information from open sources in order to gauge threats, conduct investigations, or simply become better informed about a target system.
Among the numerous OSINT tools out there, one that is both simple and effective is Wtfis—a command-line interface tool that makes multi-step domain and IP investigations seamless and human-readable.
In this post, we'll demystify what Wtfis is, how it works, and how you can begin using it to enhance your cybersecurity investigations.
Prefer watching instead of reading? Here’s a quick video guide
https://youtu.be/yuOoh6xqkGs?embedable=true
What is Wtfis?
Wtfis is a new command-line OSINT tool that allows you to search for information on IP addresses, hostnames, and domains in an easy-to-read format. Even its name, which is a joke on "What the F* is," amusingly reveals the tool's primary purpose—determining exactly what some internet domain or IP address is, where it originates from, and what it does.
Unlike most tools, which spit raw JSON or junk results, Wtfis tries to give you helpful insights within a clean and readable format. It's meant for humans—rather than computers.
Why Use Wtfis?
- Human-Friendly Output: Parsing is no longer a problem for those messy terminal dumps. Clear sections and easy-to-read output await you.
- API Integrations: It sources data from a variety of providers such as VirusTotal, Whois, IPinfo, among others.
- Great for Recon and Triage: Whether red teaming in recon or blue teaming to respond to alarms, it serves to quickly pick out suspicious signs.
- Open Source: You can use it for free, inspect it freely, and make changes as you see fit.
Installing Wtfis
You can download Wtfis from GitHub straight away. You need Python 3.8+ and pip. Here is a quick start guide:
Clone the Repo
https://github.com/pirxthepilot/wtfis
Or Install Directly
pip install wtfis
You can now execute the tool with:
wtfis openexploit.in # Change the target
Or to make it even more convenient, rename it or add it to your PATH for faster access.
API Keys Setup
To unlock richer results, you can link Wtfis to external data sources. You'll need API keys from services such as:
- VirusTotal
- IPinfo
- WhoisXML API
- AbuseIPDB
Once you have your keys, you can set them up with the .env file or environment variables.
Sample .env configuration:
VT_API_KEY=openexploit_virustotal_key
IPINFO_TOKEN=openexploit_ipinfo_token
WHOISXML_API_KEY=openexploit_whoisxml_key
ABUSEIPDB_API_KEY=openexploit_abuseipdb_key
The more APIs you hook up, the richer your results will be.
How to Use Wtfis
Investigating a Suspicious Domain
Let's say you get a suspicious-looking domain in a phishing email: openexploit.in (it's my domain, but for now just assume)
To investigate, you'd do:
wtfis openexploit.in
Wtfis will spit out a clean report, potentially containing:
- Whois information (registrar, creation date, contact email)
- IP resolution (which IP addresses it resolves to)
- Hosting provider and ASN
- Geolocation information (country, city)
- Threat intelligence (flags from VirusTotal, AbuseIPDB)
- Passive DNS history (previous IPs used)
- Subdomains
Checking a Suspicious IP
You see an unfamiliar IP 56.60.161.97 in your firewall logs. Run:
wtfis 56.60.161.97
You might see:
- ISP name and location
- ASN information
- Domain names hosted
- Threat level score (if it shows up in abuse databases)
- Reverse DNS records
This is extremely helpful during incident response, threat hunting, or vulnerability scans.
JSON Output
# Get JSON output
wtfis openexploit.in --json
Export to Markdown
# export Wtfis output to a Markdown
wtfis openexploit.in > openexploit-osint-report.md
Best Use Cases for Wtfis
- Phishing Analysis: Use it to profile domains in suspicious emails.
- Threat Hunting: Correlate unknown IPs and domains observed in logs or alerts.
- Red Team Reconnaissance: Map target infrastructure through passive DNS and subdomain discovery.
- Malware Analysis: Rapidly scan C2 servers or IOC lists derived from malware samples.
- Security Blogging or Reporting: Convert raw indicators into intelligence-ready presentations for blogs, reports, or dashboards.
User Tips
- Utilize in scripts or automation workflows—Wtfis has JSON output (--json) support for parsed structuring.
- Pipe results into Markdown for readable intelligence briefs.
- Layer with other tools such as amass, dnsx, or nmap for multi-layered insights.
- Use API quotas and rate limits judiciously. Certain services place caps on free tiers.
Limitations to Remember
Wtfis is potent, but it's no magic bullet. There are a couple of limitations:
- API Dependence: Certain features won't function without API keys.
- No Real-Time Traffic Inspection: It's OSINT, not a sniffer.
- Static Analysis Only: It won't run malware or click links.
- Data Freshness: Certain APIs cache data for performance.
Always treat OSINT tools as pieces of a larger puzzle.
Conclusion
Tools like Wtfis offer an edge. It combines the depth of traditional OSINT with the elegance of human-friendly design—making it easier for both beginners and pros to get meaningful answers, fast.
If you haven’t already, give it a spin, and consider integrating it into your daily toolkit. You’ll be surprised at how much you can uncover with a single command.