Origin IP Finder is a professional, multi-source reconnaissance and verification tool designed to identify likely origin hosts behind reverse proxies and CDN layers.
It combines passive intelligence, confidence scoring, active response verification, and visual capture into one workflow to produce reliable and actionable results.
Features:
- Multi-source candidate discovery from DNS, CT logs, Shodan, Censys, and RDAP/ASN enrichment
- Weighted confidence scoring with clear reason output
- Optional active verification using response similarity and header fingerprinting
- Automated full-page screenshot capture for discovered candidates
- Parallel processing for discovery, verification, and screenshot steps
- Structured JSON output stored by target for clean project organization
- Automatic Playwright browser install fallback for screenshot mode
How it works:
- Collect candidate IPs from multiple intelligence sources.
- Enrich each candidate with ASN and provider context.
- Score candidates using weighted evidence and confidence thresholds.
- Optionally verify content similarity against the target host.
- Optionally capture full-page screenshots of candidate endpoints.
- Save structured results to the JSON output directory.
Requirements:
- Python 3.9+
- Internet access
- Install dependencies:
pip install dnspython requests playwright
- Install browser engine for screenshots:
python -m playwright install chromium
Configuration:
This repository includes a tracked config.yaml with empty keys so users can clone, edit, and start quickly.
Edit config.yaml and paste your credentials:
shodan_api_key: ""
censys_api_id: ""
censys_api_secret: ""
dnsdb_api_key: ""
passivetotal_api_key: ""
securitytrails_api_key: ""
Notes:
- Leave fields empty to run with free/public sources only.
- Environment variables and .env are also supported for private setups.
Usage:
Basic scan:
python origin_finder.py example.com
Scan with screenshots:
python origin_finder.py example.com --screenshot
Scan with active verification:
python origin_finder.py example.com --verify
Full workflow:
python origin_finder.py example.com --verify --screenshot --screenshot-parallel 5 --verbose
Command-line options:
- domain: Target domain to investigate
- --config, -c: Config file path
- --min-score: Minimum score to print in terminal output
- --output, -o: Custom output JSON file path
- --verbose, -v: Print detailed evidence in terminal
- --ipv6: Include IPv6 candidates
- --screenshot, -s: Capture screenshots for candidates
- --screenshot-dir: Screenshot base directory
- --screenshot-parallel: Screenshot concurrency value
- --verify: Enable active response verification
- --levenshtein-threshold: Similarity threshold for verification
- -h, --help, -help: Show command help
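The `--verify` and `--levenshtein-threshold` options describe a response-similarity check: the candidate's body is compared with the target's body and accepted only above a threshold, with header fingerprinting as a second signal. The block below is an added example of that idea and is not the tool's own code; the function names, the set of headers used for the fingerprint, the default threshold of 0.90 and the sample responses are all assumptions constructed for this illustration. Everything is embedded inline, so it runs offline against the constructed responses.

```python
# Added example (not the tool's own code): a response-similarity check of the
# kind the --verify and --levenshtein-threshold options describe. The function
# names, the header set used for fingerprinting and the sample responses are
# assumptions constructed for this illustration.
from typing import Dict, List, Tuple

# Response headers that tend to stay stable between a site and its real origin
# (assumed choice for the fingerprint; the tool's own selection may differ).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "content-type")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using two rolling rows."""
    if a == b:
        return 0
    if not a:
        return len(b)
    if not b:
        return len(a)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Normalised similarity in [0, 1]; two empty bodies count as identical."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def header_fingerprint(headers: Dict[str, str]) -> Tuple[Tuple[str, str], ...]:
    """Case-insensitive extraction of the fingerprint headers, missing ones as ''."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return tuple((h, lowered.get(h, "")) for h in FINGERPRINT_HEADERS)


def verify_candidate(target_body: str, target_headers: Dict[str, str],
                     cand_body: str, cand_headers: Dict[str, str],
                     threshold: float = 0.90) -> Tuple[bool, float, List[str]]:
    """Return (verified, similarity, reasons). A candidate is verified only if
    its body is at least `threshold` similar AND its header fingerprint matches."""
    sim = similarity(target_body, cand_body)
    fp_match = header_fingerprint(target_headers) == header_fingerprint(cand_headers)
    reasons = [
        f"body similarity {sim:.2f} {'>=' if sim >= threshold else '<'} threshold {threshold:.2f}",
        "header fingerprint " + ("matches" if fp_match else "differs"),
    ]
    return sim >= threshold and fp_match, sim, reasons


# Constructed sample responses (not captured from any real host).
TARGET_BODY = "<html><body>Welcome to Example Corp</body></html>"
TARGET_HEADERS = {"Server": "nginx/1.24.0", "Content-Type": "text/html; charset=utf-8"}
ORIGIN_BODY = TARGET_BODY
ORIGIN_HEADERS = {"server": "nginx/1.24.0", "content-type": "text/html; charset=utf-8"}
EDGE_BODY = "<html><body>403 Forbidden</body></html>"
EDGE_HEADERS = {"Server": "cloud-cdn-edge", "Content-Type": "text/html; charset=utf-8"}

if __name__ == "__main__":
    for name, body, hdrs in (("origin-like", ORIGIN_BODY, ORIGIN_HEADERS),
                             ("edge-like", EDGE_BODY, EDGE_HEADERS)):
        ok, sim, why = verify_candidate(TARGET_BODY, TARGET_HEADERS, body, hdrs)
        print(f"{name}: verified={ok} similarity={sim:.2f} | " + "; ".join(why))
```

The "edge-like" response shows why a body threshold alone is weak evidence: a CDN error page and the real site share the same HTML skeleton, so the header fingerprint is required as well. Header keys are lower-cased before comparison because HTTP header names are case-insensitive and different stacks emit them differently.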
JSON results are saved under:
- json/target_domain_slug/target_domain_slug_YYYYMMDD_HHMMSS.json
Screenshots are saved under:
- screenshots/target_domain_slug/
Each JSON report contains:
- scan_metadata
- summary
- high_confidence_ips
- probable_origin_ips
- low_confidence_ips
- scoring_explanation
- verification_explanation
The scoring pipeline weighs multiple independent signals, including:
- Direct origin-style DNS records
- Recency of DNS evidence
- Certificate SAN correlation
- ASN context and CDN penalty handling
- Threat intel presence (Shodan/Censys)
Default confidence bands:
- High confidence: score >= 85
- Probable origin: score >= 75 and < 85
- Low confidence: score < 75
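To make the weighted scoring and the confidence bands concrete, here is an added example (not the tool's own code) that sums per-signal weights, applies a CDN penalty, clamps to 0..100 and sorts candidates into the three report keys listed above. The signal names follow the list above, but the weights, the penalty value, the `Candidate` dataclass and the sample candidates (RFC 5737 documentation addresses) are assumptions constructed for this illustration; the README does not publish the tool's real weights.

```python
# Added example (not the tool's own code): weighted evidence scoring with the
# README's confidence bands. Signal names follow the README; the weights, the
# CDN penalty and the sample candidates are assumptions constructed here.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed weights; the tool's real weights are not given in the README.
WEIGHTS: Dict[str, int] = {
    "origin_dns_record":   40,   # direct origin-style DNS record
    "recent_dns_evidence": 15,   # DNS evidence seen recently rather than years ago
    "san_match":           20,   # certificate SAN on the candidate matches the target
    "hosting_asn":         15,   # ASN looks like a hosting provider, not a CDN
    "threat_intel_hit":    10,   # indexed by Shodan/Censys
}
CDN_PENALTY = 60                 # assumed: candidate sits in a known CDN ASN

# Bands exactly as listed in the README.
HIGH_THRESHOLD = 85
PROBABLE_THRESHOLD = 75


@dataclass
class Candidate:
    ip: str
    evidence: Dict[str, bool] = field(default_factory=dict)
    in_cdn_asn: bool = False


def score_candidate(c: Candidate) -> Tuple[int, List[str]]:
    """Sum the weights of present signals, apply the CDN penalty, clamp to 0..100,
    and return the score with one human-readable reason per applied term."""
    score, reasons = 0, []
    for signal, weight in WEIGHTS.items():
        if c.evidence.get(signal):
            score += weight
            reasons.append(f"+{weight} {signal}")
    if c.in_cdn_asn:
        score -= CDN_PENALTY
        reasons.append(f"-{CDN_PENALTY} candidate ASN is a CDN")
    return max(0, min(100, score)), reasons


def band(score: int) -> str:
    """Map a score to the JSON report key it belongs under."""
    if score >= HIGH_THRESHOLD:
        return "high_confidence_ips"
    if score >= PROBABLE_THRESHOLD:
        return "probable_origin_ips"
    return "low_confidence_ips"


def classify(candidates: List[Candidate]) -> Dict[str, List[dict]]:
    """Score every candidate and group the results by confidence band."""
    report: Dict[str, List[dict]] = {
        "high_confidence_ips": [], "probable_origin_ips": [], "low_confidence_ips": []}
    for c in candidates:
        s, why = score_candidate(c)
        report[band(s)].append({"ip": c.ip, "score": s, "reasons": why})
    return report


# Constructed candidates using RFC 5737 documentation addresses.
SAMPLE = [
    # Every signal present: 40+15+20+15+10 = 100 -> high confidence.
    Candidate("203.0.113.10", {k: True for k in WEIGHTS}),
    # Three signals: 40+20+15 = 75, sitting exactly on the probable boundary.
    Candidate("198.51.100.7", {"origin_dns_record": True, "san_match": True,
                               "hosting_asn": True}),
    # A CDN edge can still show DNS and SAN evidence: 40+15+20+10 = 85, minus
    # the CDN penalty = 25 -> low confidence, which is the intended effect.
    Candidate("192.0.2.44", {"origin_dns_record": True, "recent_dns_evidence": True,
                             "san_match": True, "threat_intel_hit": True},
              in_cdn_asn=True),
]

if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE), indent=2))
```

The third candidate is the important case: without the ASN penalty a CDN edge node would score as a high-confidence origin purely on DNS and certificate evidence, which is exactly the false positive the "ASN context and CDN penalty handling" signal exists to suppress. The reasons list is what a verbose report would print so that a reviewer can see which term moved a score across a band boundary.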
Recommendations:
- Start with default scoring and verification enabled for high signal quality.
- Use screenshots for fast visual triage and reporting.
- Use verbose mode when you need evidence-level transparency.
- Keep API credentials private and rotate them regularly.
Repository notes:
- config.yaml is intentionally tracked with empty values for onboarding.
- Local secrets in .env are ignored by git.
- Runtime artifacts (json output, screenshots, local DB) are ignored by git.
Use this tool only on systems you own or have explicit authorization to assess.