Skip to content

presack/StealthOps

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

162 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

StealthOps

Privacy-hardened OSINT and network reconnaissance. DNS, WHOIS, MX records, HTTP headers, and 17 threat-intel enrichment providers — with optional Tor routing for operational security.

Web dashboard


Install

Windows (PowerShell — no admin required):

irm https://github.com/presack/StealthOps/releases/latest/download/install.ps1 | iex

Installs to %LOCALAPPDATA%\Programs\StealthOps\, adds to PATH, and configures the Linux binary in WSL2 automatically. Windows and WSL2 share the same API key store.

Linux (x86_64):

curl -fsSL https://github.com/presack/StealthOps/releases/latest/download/install.sh | bash

Installs to ~/.local/bin/, SHA256-verified.

After installing, open a new terminal and run:

stealthops --console

To configure API keys for enrichment providers:

stealthops --configure-keys

Three interfaces

Console — interactive mode (primary)

The console is the primary workflow. It keeps session state, supports tab-like enrichment shortcuts, and accepts direct target input without any prefix.

Console mode

stealthops --console

Key commands:

# Query
8.8.8.8                       look up a target (any IP, domain, or URL)
                              defanged indicators accepted: 8.8[.]8.8, example[.]com
last / reload / full          recall / re-fetch (bypass cache) / expand last result

# Enrichment
enrich all                    persistent mode: run all providers on every query
all                           run all providers now on the last target
vt / shodan / cs / ab ...     run a single provider (uses last target if omitted)
providers                     provider status, keys, aliases, and session usage

# Bulk triage
bulk 8.8.8.8, example.com    inline list (comma or space separated)
bulk /path/to/file.txt        read from file (one per line)
bulk                          paste mode — type indicators, blank line to submit

# Keys
set-key                       interactive API key setup wizard
set-key virustotal <key>      set a key directly

# Routing
mode stealth                  route through Tor
mode public                   direct route

# Other
help                          grouped command reference
web                           launch web server in background

CLI — single-shot queries

stealthops 8.8.8.8
stealthops example.com --enrich all
stealthops example.com --mode stealth
stealthops 8.8.8.8 --enrich vt,shodan --json
stealthops --web
stealthops --providers
stealthops --update

CLI output


Web dashboard

stealthops --web

Opens at http://127.0.0.1:5000. Select enrichment providers via checkboxes, toggle stealth mode, and download PDF reports — all from the browser. Includes a Settings page (⚙ icon) for managing API keys without touching the command line, and a Bulk page for triage CSV export.


Bulk triage

Submit a list of mixed indicators (IPs, domains, ASNs) and get a single CSV spreadsheet covering all of them — useful for quickly triaging a set of IOCs before deciding which ones warrant deeper investigation.

Console:

bulk 8.8.8.8, 1.1.1.1, example.com   inline list (comma or space separated)
bulk indicators.txt                   read from file (one indicator per line)
bulk                                  paste mode — type indicators, blank line to submit

The CSV is saved to ~/Downloads/stealthops-bulk-YYYYMMDD-HHMMSS.csv. The session's active enrichment selection is used (e.g. enrich all or a specific provider list).

Web UI: navigate to /bulk, paste indicators into the text box, select providers (VT + AbuseIPDB + GreyNoise + OTX pre-checked), and submit. A progress bar tracks completion; click Download CSV when done.

Triage columns (24 total — blank where not applicable to the indicator type):

Group Columns
Core Target, Type, PTR/Hostname, Resolved IPs, ASN, Organization, Country, CIDR, City
Domain Registrar, Created, Expires, Domain Status, Nameservers, MX Hosts
Threat intel VT Malicious, VT Reputation, AbuseIPDB Score, AbuseIPDB Risk, GreyNoise, Shodan, OTX Pulses, IPv4 Prefixes
Notes

Web UI


Enrichment providers

17 providers. Run stealthops --configure-keys to enter keys interactively, or use set-key in console mode.

Provider Alias Targets Key required
VirusTotal vt IP · Domain · URL Yes
ViewDNS vd IP · Domain · URL Yes
MXToolbox mx IP · Domain · URL Yes
DNSDB ddb IP · Domain · URL Yes
urlscan.io us IP · Domain · URL Yes
AlienVault OTX otx IP · Domain Yes
Shodan IP · ASN Yes
Censys cs IP · ASN Yes
GreyNoise gn IP · ASN Yes
Spur IP Yes
AbuseIPDB ab IP Yes
ipinfo.io IP No (free tier)
DNSDumpster dd Domain · URL Yes
SecurityTrails st Domain · URL Yes
BGPView bv ASN No (free)
Spamhaus ASN-DROP ASN No (free)
RIPEstat rs ASN No (free)

Keys are stored in %LOCALAPPDATA%\StealthOps\keys.env (Windows) or ~/.config/stealthops/keys.env (Linux). Environment variables take precedence if set.


Stealth mode (Tor)

In stealth mode, all queries are routed through Tor and DNS is resolved via DNS-over-HTTPS through the Tor SOCKS5 proxy — no direct connections from your host.

stealthops --install-tor          # install managed Tor runtime
stealthops example.com --mode stealth
stealthops --console              # then: mode stealth

Tor discovery order: TOR_PATH env var → managed runtime → bundled → system PATH.


Advanced

Deployment modes

Mode How to activate Auth API keys
Personal default none --configure-keys or env vars
Server SERVER_MODE=1 form login per-user, encrypted in SQLite
Training TRAINING_MODE=1 HTTP Basic Auth env vars, shared

Server mode

Multi-user web deployment with per-user encrypted API key storage. Users log in and manage their own keys via the web Settings page.

python main.py --generate-fernet-key          # generate encryption key (once)
python main.py --create-user alice
SERVER_MODE=1 FERNET_KEY=<key> python main.py --web

Admin key management:

python main.py --set-key virustotal <key> --all-users
python main.py --copy-keys alice bob
python main.py --list-users

Training mode

For shared workshop deployments. Enables HTTP Basic Auth, 24-hour result cache, elevated rate limits, and runs all available providers on every query (provider selection is hidden from participants).

TRAINING_MODE=1 TRAINING_AUTH_USER=stealthops TRAINING_AUTH_PASS=<passphrase> python main.py --web

Cloud / Docker deployment

The deploy/ directory contains scripts for three platforms:

Script Platform Purpose
deploy/create-vm.sh GCP Provision an e2-small VM, open firewall, print IP
deploy/vm-setup.sh Any VM Install Docker + nginx, issue Let's Encrypt cert, start container
deploy/azure.sh Azure Deploy to Azure Container Apps
deploy/gcp.sh GCP Deploy to Cloud Run (serverless, legacy)

VM approach (recommended for training events — works on GCP, Azure, AWS, or any Linux VM):

# GCP — provision VM from Cloud Shell
bash deploy/create-vm.sh <name> stealthops-prod <zone>

# Azure / AWS — provision a Linux VM manually, then SSH in and run:
bash deploy/vm-setup.sh <subdomain.yourdomain.com> <email>

# Redeploy after a code change
git pull && sudo docker compose build --no-cache && sudo docker compose up -d

vm-setup.sh is cloud-agnostic — it only needs a Linux VM with a public IP and ports 80/443 open. create-vm.sh is the GCP-specific provisioning step.

Azure Container Apps:

bash deploy/azure.sh <resource-group> [location] [app-name] [env-name]
# e.g.: bash deploy/azure.sh rg-stealthops eastus stealthops stealthops-env

Build from source

Requires Python 3.12:

py -3.12 -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -r requirements.txt
python main.py --console

Build standalone binaries:

.\scripts\build.ps1              # Windows EXE → dist\windows\stealthops.exe
bash ./scripts/build-linux.sh    # Linux binary → dist/linux/stealthops (run in WSL2)
.\scripts\release.ps1 v1.2.3     # Stamp version, build both, publish GitHub release

License

MIT

About

A personal OSINT web research tool similar to CentralOps, but hosted privately and routed through TOR. Includes web interface and CLI.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors