18 REST endpoints. 14 OSINT sources. 10-tab investigator GUI with a live global threat map. One
./start.sh.
Every OSINT tutorial tells you to open 12 tabs — HIBP, DeHashed, Shodan, ransomlook, crt.sh, Sherlock, theHarvester, urlscan, VirusTotal, and so on — and stitch the answers together in your head. BreachIntel is what happens when a bored intern automates that stitching: type a domain, hit Scan, and the FastAPI backend fans out to 14 sources in parallel, computes an exposure score, dedupes the findings, and paints them on a military-style dashboard with a live global threat map. Everything works keyless by default; Shodan keys just unlock the geo/device layers.
git clone https://github.com/Danush-Aries/breachintel.git
cd breachintel
pip install -r requirements.txt
playwright install chromium # for forum scraping (optional)
./start.sh # → http://localhost:7474CLI still works too:
python3 breachintel.py example.com # rich CLI + ASCII map
python3 breachintel.py example.com --takedown # hosting + abuse-contact dossier
python3 breachintel.py example.com --tui # interactive terminal dashboard
python3 breachintel.py example.com --watch # continuous monitoringserver.py— FastAPI with 18/api/*endpoints; serves the SPA out ofui/.- 10-tab investigator — Operation (10-phase military recon → dossier), Breach Intel, Website Info, OSINT (WHOIS/subdomains/dorks/Sherlock mindmap), Intel Modules (11 sub-modules: Shodan footprint, ASN threat, typosquat, favicon-hash mmh3 pivot, etc), Recon+ (subdomain takeover, cloud buckets, Katana crawl), Ransomware (ransomlook.io mirror), Live Scrape, News (12 feeds), Radar (live global threat map with URLhaus + Feodo, OpenSky aircraft, CelesTrak satellites, 3D globe).
- Shodan key pool (
shodanpool.py) — rotates keys; even 0-credit keys still power/host/{ip}and/host/count(both free), which is enough for the geo layers. - Playwright-driven forum + Tor scraping (
forums.py) — respects a status sidebar (online/offline/seized +.onionreachability) so you don't hammer dead sites. - Local recon tools auto-detected — nmap, subfinder, httpx, nuclei, katana, whatweb, wafw00f, theHarvester, sherlock; each surfaces
installed: falsecleanly instead of failing.
| Operation dashboard | Breach Intel tab | Radar (global threat map) | Ransomware mirror |
|---|---|---|---|
![]() |
![]() |
![]() |
![]() |
| Page | What it does |
|---|---|
| Operation | 10-phase military operation (recon → enumeration → exposure → breach → threat → vuln → HUMINT → dossier) with attack-path & remediation analysis. Default landing — type a domain and Scan runs the whole op. |
| Breach Intel | Exposure score + verdict, grouped findings, severity filters with counts, takedown intelligence (hosting + verified abuse contacts), JSON export. |
| Website Info | Technical recon — IP/ASN profile, nmap ports, web fingerprint, WAF, DNS, HTTP security headers, nuclei vuln scan. |
| OSINT | WHOIS, subdomains (subfinder+crt.sh+HackerTarget), harvested emails, reverse-IP neighbours, inurl: dorks, Sherlock username footprint, theHarvester-style interactive mindmap. |
| Intel Modules | 11 modules: Shodan footprint, passive CVE inventory, email scorecard (A–F), ASN bad-neighborhood, typosquat triage, exposure timeline, credential index, attack-surface index, data-class breakdown, monitoring diff, favicon-hash pivot. |
| Recon+ | Offensive surface — subdomain-takeover detection, cloud bucket discovery (S3/GCS/Azure), full Shodan host intel via the key pool, live endpoint crawl (katana). |
| Ransomware | Live ransomlook.io mirror — recent victim posts, 577 groups, 145 markets. |
| Scrape | Live monitor — flags every new ransomware publication the moment it lands. |
| News | Hacking/breach news (12 feeds) + live forum-status sidebar (online/offline/seized + Tor). |
| Radar | Global live map — threats (URLhaus/Feodo), aircraft (OpenSky), satellites (CelesTrak/satellite.js), public cams, satellite imagery (Esri) and 3D globe. Click any spot for geo recon: nearby cameras (OSM + Shodan counts), reverse-geocode, exposed-device counts. |
Top bar: Report (download standalone HTML report) · History (every past scan, click to reload instantly from cache) · sidebar collapse, light/dark theme.
breachintel.py entry / argparse / mode dispatch
server.py FastAPI backend — /api/* endpoints, serves ui/
ui/ web app (index.html · styles.css · app.js)
sources.py free/no-key fan-out + compute_risk()
osint.py deep recon (RDAP, DNS, subdomains, nmap, httpx, WAF, dorks, sherlock, nuclei)
advanced.py 11 intel modules (Shodan footprint, email grade, ASN threat, typosquat, favicon mmh3 pivot)
recon_plus.py subdomain takeover, cloud buckets, Shodan host intel, katana crawl
takedown.py hosting → IP → ASN → RDAP abuse contact + dossier
sky.py live map: aircraft, satellites, public cams, geocode, OSM cameras, Shodan geo/CCTV
threats.py real-time threat feed (URLhaus + Feodo, geolocated)
ransomwatch.py ransomlook.io live mirror (recent / groups / markets)
forums.py forum + Telegram + Tor (.onion) monitoring (Playwright)
shodanpool.py Shodan API key pool (rotation, free host/count endpoints)
geo.py report.py tui.py watch.py CLI map / report / dashboard / monitor
- No paid keys assumed. Keyless by default; Shodan optional for geo/device.
- Camera ethics — only intentionally-public webcams + crowd-mapped OSM camera locations + Shodan aggregate counts. Private/unsecured camera feeds are never accessed.
- Archive sources (gau, waybackurls, crt.sh JSON) are flaky in some environments; live tools (katana, subfinder, Shodan) are preferred.
- Results cache in
localStorage— History reloads instantly.
pip install -r requirements.txt, then playwright install chromium (optional, for forum scraping). Local recon tools used if present: nmap, subfinder, httpx, nuclei, katana, whatweb, wafw00f, theHarvester, sherlock.
FastAPI · httpx · Playwright · Rich (CLI + TUI) · Leaflet + satellite.js (map/globe) · Shodan API · ransomlook.io mirror · URLhaus / Feodo tracker feeds · OpenSky / CelesTrak.
PRs welcome. New sources go in sources.py (fan-out) and only need to return a {finding_type, severity, evidence, url} dict — the risk scorer, dedupe pass, and UI pick them up automatically.
MIT — see LICENSE. UNCLASSIFIED // FOR AUTHORIZED USE ONLY.
- ponytail-for-python — code intelligence for Python codebases
- Agentic_Systems — reference implementations of agent patterns
- autonomous-coding-agent — full-auto engineering agent
- computer-use-agent — Claude drives your desktop via VNC
- browser-automation-agent — Claude drives Playwright
- blinkchat — realtime chat with vibes




