Terminal-native passive OSINT CLI for local-first public-source investigation workspaces
Project description
REKOS
REKOS is a terminal-native passive OSINT CLI for local-first public-source investigation workspaces. It helps organize targets, evidence, source outputs, entities, relationships, normalized findings, and correlation-quality scores in a SQLite-backed case folder.
REKOS is designed for passive public-source workflows:
- Public-source investigation workspace
- Target and evidence organizer
- Username, profile, domain, URL, and indicator correlation tool
- Local-first OSINT case workspace
- No login automation, bypass, credential collection, or active exploitation
A case is a local workspace for one public-source research thread. Cases are stored under ~/rekos_cases/<case_name> by default. Each case keeps its own SQLite database, source outputs, evidence artifacts, graph records, findings, and exports.
Installation
REKOS requires Python >=3.10. Python 3.12 is recommended.
Windows PowerShell
Install:
py -m pip install --upgrade rekos
Run:
rekos
Uninstall:
py -m pip uninstall -y rekos
macOS / Linux
Install:
pipx install rekos --python python3.12
Run:
rekos
Uninstall:
pipx uninstall rekos
If your default Python is already >=3.10:
pipx install rekos
Latest version from GitHub
Use this only if you need fixes that are already on GitHub but not yet published on PyPI.
Windows PowerShell
py -m pip uninstall -y rekos
py -m pip install --force-reinstall git+https://github.com/VladTepes84/Rekos.git
macOS / Linux
python3 -m pip uninstall -y rekos
python3 -m pip install --force-reinstall git+https://github.com/VladTepes84/Rekos.git
If the rekos command is not found
Windows PowerShell
py -m pip show rekos
py -m rekos version
macOS / Linux
python3 -m pip show rekos
python3 -m rekos version
Run rekos with no arguments to open the quickstart screen.
Users run REKOS commands such as rekos investigate username <case> <username> and rekos investigate domain <case> <domain>. REKOS calls available passive sources through its source adapters and continues cleanly when optional external tools are absent.
Local development install
git clone https://github.com/VladTepes84/Rekos.git
cd Rekos
python -m venv .venv
. .venv/bin/activate
python -m pip install -e ".[dev]"
pytest
rekos
Optional Integrations
sherlockenables thesherlock_usernamesource when thesherlockcommand is installedmaigretenables themaigret_usernamesource when available in the REKOS runtimeexiftoolormediainfofor file metadata collection- Playwright is optional for URL screenshots; HTTP snapshots still work without it
Users always run rekos, not Sherlock or Maigret directly. rekos investigate username <case> <username> automatically uses the username sources available in the current environment.
Why Rekos Exists
Rekos is not trying to replace tools like Sherlock, Maigret, or theHarvester.
The goal is to provide a lightweight passive OSINT workflow with case-oriented investigations instead of isolated lookups and disconnected outputs.
Rekos focuses on:
- local-first investigations
- passive public-source workflows
- normalized findings
- relationship tracking
- evidence organization
- CLI-native workflows
The project intentionally avoids:
- active exploitation
- authenticated automation
- breached datasets
- aggressive crawling
- AI-generated investigation claims
Quick Start
rekos new-case social_test
rekos investigate username social_test username
rekos investigate email social_test alice@example.com
rekos enrich email social_test alice@example.com
rekos check-breach social_test alice@example.com
rekos findings social_test
rekos findings social_test --verbose
rekos score social_test
rekos graph-summary social_test
rekos export-case social_test --output social_test.zip
Normal workflow:
- Create a case with
rekos new-case. - Add or investigate a target with
rekos investigate username,rekos investigate email,rekos investigate domain, orrekos snapshot-url. - Review normalized results with
rekos findings. - Score correlation quality with
rekos score. - Inspect relationships with
rekos graph-summaryorrekos list-entities. - Export the workspace with
rekos export-case.
Most users only need these commands:
rekos
rekos new-case acme-osint
rekos investigate username acme-osint alice.example
rekos investigate email acme-osint alice@example.com
rekos enrich email acme-osint alice@example.com
rekos check-breach acme-osint alice@example.com
rekos investigate domain acme-osint example.com
rekos snapshot-url acme-osint https://example.com/profile/alice
rekos findings acme-osint
rekos findings acme-osint --verbose
rekos score acme-osint
rekos search acme-osint example.com
rekos graph-summary acme-osint
rekos export-case acme-osint --output ./acme-osint.zip
Use rekos findings <case> --verbose for grouped analyst detail. Add --show-uuids only when full finding IDs are needed.
Users run only rekos. Sherlock and Maigret are optional integrations that REKOS orchestrates internally when available.
During rekos investigate username <case> <username>, REKOS generates safe username variants, runs available passive username sources, stores raw source output, normalizes discovered profile URLs into findings, updates the entity graph, records timeline events, and computes correlation-quality scores. Results are correlation indicators, not proof of identity ownership.
During rekos investigate domain <case> <domain>, REKOS runs passive DNS, RDAP with registry/WHOIS fallback, HTTP/HTTPS endpoint checks, TLS certificate metadata collection, and crt.sh certificate transparency lookup when available. It records registration evidence, DNS records, web endpoint metadata, redirects, TLS certificate summaries, SPF/mail-security summaries, provider hints from TXT records, and certificate transparency findings.
During rekos investigate email <case> <email>, REKOS validates and normalizes the address, extracts the domain, checks passive public DNS MX/SPF/DMARC records, records provider hints, and stores a local Gravatar MD5 hash without checking account existence.
Use rekos enrich email <case> <email> for optional passive enrichment such as unverified username candidates derived from the local-part and public Gravatar avatar metadata. Use rekos check-breach <case> <email> only when REKOS_HIBP_API_KEY is configured; it records breach exposure metadata from Have I Been Pwned without collecting passwords or credential material.
Domain, URL, and snapshot workflows reject localhost, private/internal IP ranges, link-local addresses, metadata-service IPs, reserved, multicast, and unspecified IP targets. REKOS is for public-source targets only.
How REKOS Works
- Target input: user-provided usernames, domains, URLs, files, notes, and indicators are stored in a local case.
- Source orchestration: REKOS runs passive adapters such as username sources, DNS, RDAP/WHOIS fallback, web/TLS checks, crt.sh, Wayback, metadata tools, and HTTP snapshots when available.
- Findings normalization: raw source output is converted into normalized findings such as discovered profiles, URLs, domains, metadata records, archive records, and registration records.
- Graph correlation: entities and relationships connect usernames, profiles, domains, URLs, files, and notes.
- Quality scoring: REKOS scores correlation quality from source confidence, exact or normalized matches, duplicate source confirmation, evidence presence, and graph relationships.
- Evidence export: raw outputs, artifacts, reports, SQLite data, and manifests can be exported with
rekos export-case.
Why Rekos Exists
Rekos is not trying to replace tools like Sherlock, Maigret, or theHarvester.
The goal is to provide a lightweight passive OSINT workflow with case-oriented investigations instead of isolated lookups and disconnected outputs.
Rekos focuses on:
- local-first investigations
- passive public-source workflows
- normalized findings
- relationship tracking
- evidence organization
- CLI-native workflows
The project intentionally avoids:
- active exploitation
- authenticated automation
- breached datasets
- aggressive crawling
- AI-generated investigation claims
Passive Sources And APIs
REKOS uses only passive public-source integrations.
Current integrations include:
- Sherlock
- Maigret
- public RDAP services
- public DNS resolution
- crt.sh certificate transparency data
- Wayback Machine CDX API
- passive HTTP/TLS metadata collection
REKOS does not use:
- private breached credential datasets or password material
- private leaks
- authenticated scraping
- account automation
- active exploitation techniques
Optional breach exposure checks use legitimate public APIs such as Have I Been Pwned when the user provides an API key. REKOS records exposure metadata only and does not collect passwords, credential material, or account ownership claims.
Supported Sources
| Source | Target types | Dependencies | Notes |
|---|---|---|---|
sherlock_username |
username |
sherlock binary |
Runs Sherlock with safe subprocess arguments and parses public profile URLs. |
maigret_username |
username |
optional maigret package/tool |
Runs Maigret when installed; REKOS continues without it. |
wmn_username |
username |
none | Checks local public profile URL templates, including LinkedIn, with conservative passive HTTP validation. |
email_passive |
email |
none | Checks passive public MX/SPF/DMARC records and local email metadata only. |
email_enrichment |
email |
none | Derives unverified username candidates and checks public Gravatar avatar metadata. |
hibp_breach |
email |
REKOS_HIBP_API_KEY env var |
Optional Have I Been Pwned breach exposure check; no passwords or credential material. |
http_snapshot |
url |
none | Captures public HTTP response artifacts and optional Playwright screenshot. |
rdap_domain |
domain |
none | Uses public HTTPS RDAP lookup with registry and WHOIS fallback where available. |
dns_domain |
domain |
none | Fetches public DNS A/AAAA/MX/NS/TXT records and extracts SPF/provider hints. |
web_domain |
domain |
none | Performs passive HTTP/HTTPS endpoint and TLS certificate metadata checks. |
crtsh_domain |
domain |
none | Queries the public crt.sh certificate transparency endpoint. |
wayback_url |
url, domain |
none | Queries public Wayback CDX data and records archive URLs. |
Source utilities:
rekos sources list
rekos sources check
rekos sources run acme-osint rdap_domain example.com
Core Commands
rekos add-entity acme-osint --type domain --value example.com
rekos relate-entities acme-osint --from <entity_uuid> --to <entity_uuid> --type related_to --confidence medium
rekos list-targets acme-osint
rekos list-sources acme-osint
rekos show-investigation acme-osint
rekos report acme-osint --format md
Safety And Ethics
REKOS is passive-only OSINT tooling. Use it only for lawful, authorized, and ethical public-source research.
REKOS must not be used for:
- Logging into accounts or automating authenticated sessions
- Bypassing access controls, paywalls, CAPTCHAs, bot protection, or rate limits
- Credential collection, phishing, account abuse, or social engineering
- SMTP probing, password reset checks, breach checks, or account existence claims
- Exploitation, destructive operations, or aggressive crawling
- Claiming identity ownership from correlation results
Scores are correlation-quality indicators only. A high score means stronger local correlation support, not proof of identity, ownership, compromise, or intent.
Local Data Model
REKOS stores:
- Case metadata in SQLite
- Targets, entities, relationships, notes, timeline events
- Raw source outputs under
exports/ - Evidence and snapshot artifacts
- Normalized findings with correlation-quality scores
- Case ZIP exports with manifest data
Development
python -m pip install -e ".[dev]"
pytest
rekos --help
Before submitting a change:
pytest
python -m compileall rekos
git diff --check
Roadmap
- More passive source adapters with explicit safety boundaries
- Stronger report templates and case export validation
- Improved graph summaries and finding explainability
- Better import/export interoperability
- Optional UI views while keeping the CLI and local-first storage as the core
License
MIT License. See LICENSE.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file rekos-1.3.4.tar.gz.
File metadata
- Download URL: rekos-1.3.4.tar.gz
- Upload date:
- Size: 86.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d5ad3abde5e88ac0fdb38309af082cf08dcfc74d390553db5b455f732eb4a241
|
|
| MD5 |
3c1dfa840e381c1af358f03f3a1cf869
|
|
| BLAKE2b-256 |
5581f95cf57b1f8bea2efb35e84a6379d3a15109f52e8cf016d56f0f63dbc1f5
|
File details
Details for the file rekos-1.3.4-py3-none-any.whl.
File metadata
- Download URL: rekos-1.3.4-py3-none-any.whl
- Upload date:
- Size: 72.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bbc39f7ea6cf8ff96ee56d05f129befb38490b22302c0d1e200bbbb015feb6ac
|
|
| MD5 |
e7f9eb6f4b14b083cb4702bf72f7c27b
|
|
| BLAKE2b-256 |
3fd9b850af4133b3de2f9444e36a936dcb916edb10f7a9b194466c1e5aca6386
|