Checking bulk IP addresses and domains' reputation using VirusTotal and AbuseIPDB APIs. Can generate HTML reports.
To use the script, you need VirusTotal and AbuseIPDB API keys. Provide them via environment variables (recommended) using a .env file:
VT_API_KEYS=key1,key2,key3
ABUSE_API_KEYS=key1,key2
You can list multiple API keys separated by commas; the script rotates among them per item to better handle rate limits.
You can use multithreading to run the code faster!
It is recommended to have licenced API keys and generate an HTML report, CLI output is sometimes buggy with multithreading on
Also you need to have Python 3 and need to install requirements using pip install -r requirements.txt
You can use the script in different ways. I added some values for you to test in 'target-list.txt'
Options included in script:
_____ _____ _ _
| __ \ / ____| | | |
| |__) |___ _ __ | | | |__ ___ ___| | _____ _ __
| _ // _ \ '_ \| | | '_ \ / _ \/ __| |/ / _ \ '__|
| | \ \ __/ |_) | |____| | | | __/ (__| < __/ |
|_| \_\___| .__/ \_____|_| |_|\___|\___|_|\_\___|_|
| |
|_| Version 1.1
usage: RepChecker.py [-h] [-V] [-i [Value]] [-r] [-vt] [-ab] [-vr [Threshold number]] [-ar [Threshold number]] [-p PATH] [-t [Threads]] [-o <file.html>]
Analyze IP addresses and domains using VirusTotal and AbuseIPDB APIs.
options:
-h, --help show this help message and exit
-V, --version Prints current version of the script and exit.
-i [Value], --input [Value]
To check single value.
-r, --report Generate HTML report.
-vt, --virustotal Disable VirusTotal
-ab, --abuse Disable AbuseIPDB
-s [Seconds], --sleep [Seconds]
Seconds to sleep after VT calls (default 2)
-vr [Threshold number], --virustotalreports [Threshold number]
Virustotal malicious reports threshold. Default 1.
-ar [Threshold number], --abusereports [Threshold number]
AbuseIPDB malicious reports threshold. Default 1.
-p PATH, --path PATH Provide path of the txt file contains targets. Default 'target-list.txt'.
-t [Threads], --threads [Threads]
Use multiple threads. It is recommended to use it if you have licenced API keys. Also cli output is buggy when used. I recommend using it with -r.
-o <file.html>, --output <file.html>
Output HTML file (adds .html if missing). Skips interactive prompt when -r is used.
If you don’t input anything, the code runs using `target-list.txt` with VirusTotal and AbuseIPDB. You can input domains but they are only checked on VirusTotal (AbuseIPDB does not support domains).
Use target-list.txt, output on cli:
RepChecker.py
Use target-list.txt, create an HTML report. Also filter the Malicious thresholds:
RepChecker.py -r -vr 5 -ar 50
-r is for creating an HTML report, -vr 5 and -ar 50 filter the 'malicious list' at the end. This way, it lists only values flagged at least 5 times on VirusTotal and reported 50 times on AbuseIPDB.
Use multithreading and create an HTML report
RepChecker.py -t 16 -r
Create HTML report to a given path without prompt
RepChecker.py -r -o myreport.html
Reports are saved to a ./reports directory by default (created if missing). If you pass only a filename to -o, it is placed under ./reports. If you include a directory in -o, it is saved to that path.
Provide path to target list, create an HTML report
RepChecker.py -p /PATH/ -r
Check single value, output only on cli
RepChecker.py -i 8.8.8.8
Disable Virustotal checking, to disable AbuseIP you can use the -ab option
RepChecker.py -vt
The command-line output of RepChecker.py -i 8.8.8.8 -r will be like the following:
Analyzing value: 8.8.8.8
==VirusTotal=====================================
Address: 8.8.8.8
AS Owner: GOOGLE
Last Analysis Stats:
harmless: 68
malicious: 2
suspicious: 0
undetected: 17
timeout: 0
==AbuseIPDB====================================
Address: 8.8.8.8
ISP Name: Google LLC
Abuse Score: 0
Report Counts: 54
Usage Type: Data Center/Web Hosting/Transit
==================================================
Malicious Values are: (at least 1 reported on VirusTotal or 1 on AbuseIPDB)
8.8.8.8
Successfully checked on 1 values out of 1
The HTML file report will be like in the following image below:
There are some features I want to add in future. Maybe I won't add at all.
- Adding Multithreading!
- Change the code's base, add functions to each task, beautify it. This way the code is more coder friendly and easier to extend. It started with reading from a txt file and outputting to a txt file using only the VirusTotal API.
- Add option to enable/disable AbuseIPDB or VirusTotal checks.
- Add option to check hashes and other items that VirusTotal supports.
- Adding a "config" file to store all configs, letting user to change the configs using cli or text editor.
- An option to sleep a time interval between values since some firewalls might block the traffic.
- Detect which API key failed, put it on report. If an API key fails, select the next API key and continue
- Adding GUI
- Adding an option to turn of cli output (Verbose)
RepChecker.py: Thin entrypoint that runs the CLI.repchecker/cli.py: CLI, argument parsing, orchestration.repchecker/config.py: Environment and runtime configuration loader.repchecker/runner.py: Concurrency and overall check execution.repchecker/apis/virustotal.py: VirusTotal API adapter.repchecker/apis/abuseipdb.py: AbuseIPDB API adapter.repchecker/report.py: HTML report builder.repchecker/targets.py: Target list loading.repchecker/utils.py: Shared constants, escaping, banner.
Run the interactive web UI:
python -m repchecker.web_app
Then open http://localhost:8001
Features:
- Manage
.envAPI keys (add/remove, masked display) - Edit
target-list.txtandwhitelisted_ips.txt - Run checks with options (VT/Abuse toggles, thresholds, threads, sleep, single value)
- View historical reports from
./reports
Reports are saved to a ./reports directory by default.
Build and run in the background with Docker Compose:
docker compose up -d --build
Then open http://localhost:8001
Notes:
- The container maps port
8001:8001and runs withrestart: unless-stoppedso it keeps running after you close the terminal. To stop:docker compose down. - The project folder is bind-mounted into
/appinside the container. This persists.env,target-list.txt,whitelisted_ips.txt, and./reportson your host. - On first start, the container auto-creates
.env,target-list.txt,whitelisted_ips.txt, and thereports/directory if missing. - You can also run without Compose:
- Build:
docker build -t repchecker:web . - Run (detached):
docker run -d --name repchecker -p 8001:8001 -v "$PWD:/app" repchecker:web
- Build:
If your environment inspects HTTPS (e.g., Cloudflare Zero Trust/Gateway) or uses a custom root CA, place any .crt or .pem file in the project root. The container will auto-install them into the trust store at startup and configure Python requests to use the system CA bundle.
Steps:
- Put your CA file(s) (PEM format) in the project root (e.g.,
mycorp-root.pem). - Rebuild/restart:
docker compose up -d --build.
Alternative: configure your TLS gateway to not decrypt the following API domains:
www.virustotal.comapi.abuseipdb.com
Build the image:
docker build -t repchecker:latest .
Run the CLI inside Docker (mount current dir to access target-list.txt, whitelisted_ips.txt, and .env):
docker run --rm -it \
-v "$PWD:/app" \
--env-file ./.env \
repchecker:latest python RepChecker.py -ab -s 2 -t 8 -r
Notes:
- Use
-pto pass a different target list path, or-ifor a single value. - You can also pass keys inline with
-e VT_API_KEYS=... -e ABUSE_API_KEYS=....