CyberCheatsheets

SpiderFoot Cheat Sheet

OSINT automation platform correlating IPs, domains, emails, breaches, and social data from 200+ modules.

Category: Reconnaissance & OSINT | Tags: automation, correlation, gui, osint | Updated 2026-06-02

Overview

SpiderFoot automates OSINT collection and correlation via CLI or web UI. Modules query DNS, WHOIS, threat feeds, social networks, and dark web sources—building a graph of relationships for external threat intelligence and pentest recon.

Authorized testing only. Many modules contact external APIs and store sensitive results locally. Use scoped targets, API keys per ToS, and secure the SpiderFoot instance.

Install

sudo apt install -y spiderfoot

or

git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot && pip install -r requirements.txt
python3 ./sf.py -h

Essential commands

Web UI (default http://127.0.0.1:5001)

python3 sf.py -l 127.0.0.1:5001

CLI scan

python3 sf.py -s target.example.com -t DOMAIN_NAME -m sfp_dnsresolve,sfp_subdomain

List modules

python3 sf.py -M

Common workflows

Investigate domain – all modules (slow, noisy)

python3 sf.py -s target.example.com -t DOMAIN_NAME -u investigate

Passive only

python3 sf.py -s target.example.com -t DOMAIN_NAME -u passive

Specific module set

python3 sf.py -s target.example.com -t IP_ADDRESS -m sfp_shodan,sfp_portscan_tcp

Output to CSV

python3 sf.py -s target.example.com -t DOMAIN_NAME -o csv > /tmp/sf_out.csv

API keys (~/.spiderfoot/spiderfoot.cfg or UI)

# Configure keys in UI: Settings → API Keys
# Shodan, VirusTotal, etc.

Flags reference

-s    Target seed (domain, IP, email, etc.)
-t    Target type (DOMAIN_NAME, IP_ADDRESS, EMAILADDR, …)
-m    Comma-separated module list
-u    Use case (all, passive, investigate, …)
-o    Output format (tab, csv, json)
-f    Output file
-q    Quiet
-M    List modules
-l    Listen address for web UI

Tips

  • Start with passive use case on production programs; investigate adds intrusive modules.
  • Web UI helps explore correlations; CLI suits repeatable scans.
  • Heavy scans need RAM and disk—SQLite DB grows quickly.
  • Validate SpiderFoot findings; modules vary in accuracy and freshness.
  • Run on isolated VM; stored OSINT may include employee PII.
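
The CSV export and the PII tip above, combined as an added example (not part of the original cheat sheet or of SpiderFoot itself): a Python filter that pseudonymises personal-data rows before an export leaves the isolated VM. It assumes three columns in the order Source, Type, Data and an adjustable set of PII event types; the sample rows, the sfp_example module name and the key are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: event types to treat as personal data. EMAILADDR is named on
# this page; the others are chosen for illustration and should be adjusted.
PII_TYPES = {"EMAILADDR", "HUMAN_NAME", "PHONE_NUMBER", "USERNAME"}

def pseudonymise(value, key):
    """Keyed hash: equal values still correlate, but guessing needs the key."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return "redacted:" + digest.hexdigest()[:16]

def redact_export(lines, key):
    """Return (rows, redacted-count per type, line numbers of malformed rows)."""
    rows, redacted, skipped = [], Counter(), []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        # Split on the first two commas only; the data field may contain more.
        parts = [p.strip() for p in line.rstrip("\r\n").split(",", 2)]
        if len(parts) != 3:
            skipped.append(n)
            continue
        source, etype, data = parts
        if etype in PII_TYPES:
            data = pseudonymise(data, key)
            redacted[etype] += 1
        rows.append((source, etype, data))
    return rows, redacted, skipped

# Constructed sample export (assumed column order: Source, Type, Data).
SAMPLE = [
    "Source,Type,Data",
    "sfp_dnsresolve,IP_ADDRESS,192.0.2.10",
    "sfp_example,EMAILADDR,alice@example.com",
    "sfp_example,EMAILADDR,Alice@Example.com",
    "sfp_dnsresolve,DNS_TEXT,v=spf1 ip4:192.0.2.0/24, include:example.com",
    "truncated line without delimiters",
]

if __name__ == "__main__":
    rows, redacted, skipped = redact_export(SAMPLE, key=b"constructed-demo-key")
    for row in rows:
        print(",".join(row))
    print("redacted:", dict(redacted), "malformed lines:", skipped)
```

Keep the HMAC key with the raw scan database, not with the shared export; without it the pseudonyms cannot be matched back to addresses by guessing.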
