IP Rep-utation Tool
Getting a quick glance at an IP's reputation

I found that while conducting analysis or incident response, I was entering an IP into a handful of IP reputation sites in different tabs to get an idea of the IP's history. This quickly became repetitive and time-consuming, and I wanted to speed up that process by gathering all the important data in one place. Instead of going back and forth between sites, I wanted to get a snapshot of the reputation from a few different sources on one page.
So lately I have been working on a simple Python tool in my spare time. The tool, which I have called "IP Rep" (how original) ..., checks the reputation of the entered IP address from services like VirusTotal, AbuseIPDB, GeoIP and soon to be Spur and Scamalytics, by pulling the data using each service's API to display all the information I need in a quick view, with links to the site if further analysis into the data that I have not collected is required.
What the tool provides
The tool provides a quick view of the IP’s Geo-location information, displaying the City, Region and Country, along with VirusTotal's Threat Reputation verdict rating, giving you a sum of results from submitted vendor analysis.

Below that is my favourite part: AbuseIPDB's 'Confidence of Abuse %' graph, Reported Times, ISP, IP Usage, Registered ASN for the IP and the last Report Date. The COA graph and the VirusTotal Threat Reputation had to be custom made, which meant figuring out what fields they are calculating these numbers against and then replicating those calculations in the tool.
I still wanted to be able to quickly go to the particular site if further analysis was required, so I made the titles generate direct links to the websites with the IP already entered, meaning you don’t have to copy and paste the IP into each site. Just click the link, and you’re good to go.
I included a function so that if AbuseIPDB returns the IP as a private IP, we get a message stating the IP is not a public IP.

What’s Next?
So far I have found it to be a handy little tool for quick info gathering, although I still want to make some improvements:
- Input sanitisation, to ensure only valid IPs are entered.
- Display to be dynamically resizable.
- VPN/Proxy usage information from Spur.
- Possibly a UI overhaul with ways to add API Keys via the GUI.
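The input check from the list above, the "not a public IP" message and the pre-filled links can all be handled locally before any API key is used. This is an added sketch, not code from IP Rep: the function names are hypothetical, the private-IP check uses Python's `ipaddress` module rather than AbuseIPDB's response, and the two link patterns are assumed to match the services' public web pages.

```python
import ipaddress
from urllib.parse import quote

# Assumed web UI patterns; the post does not show the tool's own link format.
PIVOT_URLS = {
    "VirusTotal": "https://www.virustotal.com/gui/ip-address/{ip}",
    "AbuseIPDB": "https://www.abuseipdb.com/check/{ip}",
}

def normalise_ip(raw):
    """Return a canonical address object, or raise ValueError."""
    # Accept defanged indicators pasted from reports, e.g. 8.8.8[.]8
    text = raw.strip().replace("[.]", ".").replace("[:]", ":")
    addr = ipaddress.ip_address(text)  # rejects CIDR, hostnames, trailing junk
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def classify(addr):
    """Return None for a publicly routable address, else the reason it is not."""
    checks = [
        ("loopback", addr.is_loopback),
        ("link-local", addr.is_link_local),
        ("multicast", addr.is_multicast),
        ("unspecified", addr.is_unspecified),
        ("private", addr.is_private),
        ("reserved", addr.is_reserved),
    ]
    for label, hit in checks:
        if hit:
            return label
    # Catches ranges such as 100.64.0.0/10 that are neither private nor global
    return None if addr.is_global else "not globally routable"

def triage(raw):
    """Validate input and decide whether it may be sent to external services."""
    try:
        addr = normalise_ip(raw)
    except ValueError:
        return {"ok": False, "ip": None, "reason": "not a valid IP address", "links": {}}
    ip = str(addr)
    reason = classify(addr)
    if reason:
        return {"ok": False, "ip": ip, "reason": f"{reason} address, not a public IP", "links": {}}
    # quote() keeps the canonical form but escapes an IPv6 zone id if one slipped in
    links = {name: url.format(ip=quote(ip, safe=":")) for name, url in PIVOT_URLS.items()}
    return {"ok": True, "ip": ip, "reason": None, "links": links}

if __name__ == "__main__":
    # Constructed sample inputs
    for sample in ["8.8.8[.]8", "10.0.0.5", "::ffff:192.168.1.1", "8.8.8.8/24", "example.com"]:
        print(sample, "->", triage(sample))
```

Rejecting non-public addresses before the lookup also keeps internal addressing out of third-party query logs and saves API quota.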
Wrapping Up
So, that’s the gist of the tool. It’s been a helpful addition to my workflow, and I thought I’d share. I will eventually share the tool via GitHub to hopefully help others. It is a simple solution to a repetitive task, and I’m always looking for ways to make things more efficient. If you’ve got any thoughts or ideas for improving it, feel free to reach out. I’m always looking to improve!