OSINT Breach Scanner v4.0
VENOM is a terminal-based OSINT tool for investigating digital footprints across email addresses, usernames, phone numbers, and domains. It aggregates data from 25+ free APIs and services, with optional paid-tier enrichment via API keys.
Intended use: security research, penetration testing, personal exposure audits, and investigating your own accounts or infrastructure. Always obtain proper authorisation before investigating third-party targets.
- Installation
- Quick Start
- All Commands & Flags
- API Keys — What They Are & How to Get Them
- Module Reference — Email
- Module Reference — Username
- Module Reference — Phone
- Module Reference — Domain / IP
- Module Reference — Password
- Output Formats
- Google Dorks
- How It Works Internally
- Rate Limits & Responsible Use
- Troubleshooting
Run the installer — it handles Python detection, dependency installation, and creates a global venom command on both Linux/macOS and Windows.
# Linux / macOS
python3 install.py
# Windows (Command Prompt or PowerShell, run as Administrator)
python install.py
The installer will:
- Verify Python 3.8+ is available
- Install requests and rich via pip
- Copy venom.py to a permanent location
- Create a venom wrapper script in your PATH
pip install requests rich
python venom.py --help

| Requirement | Version |
|---|---|
| Python | 3.8 or higher |
| requests | any recent |
| rich | any recent |
No other dependencies. All APIs used are HTTP-based.
# Scan an email address (all free modules)
venom -e target@example.com
# Scan a username across 50+ platforms
venom -u johndoe
# Look up a phone number
venom -p +447700123456
# Investigate a domain
venom -d example.com
# Full combined scan with paid HIBP key, save reports
venom -e target@example.com -u johndoe -d example.com \
--hibp-key YOUR_KEY --bd-key YOUR_KEY \
-o report.json --html report.html
# Check if a password has been seen in breaches (k-anonymity — safe)
venom --check-password "hunter2"
venom [-h] [-e EMAIL] [-u USERNAME] [-p PHONE] [-d DOMAIN]
      [--check-password PASSWORD]
      [--hibp-key KEY] [--bd-key KEY] [--hunter-key KEY]
      [--no-social] [--no-github] [--no-dns] [--no-dorks]
      [--no-leakcheck] [--no-intelx] [--no-wayback] [--no-ssl]
      [--no-permute] [--no-urlscan] [--no-otx] [--no-pulsedive]
      [--no-keybase] [--no-steam]
      [-o OUTPUT] [--html HTML_OUTPUT]
| Flag | Short | Description |
|---|---|---|
| --email | -e | Email address to investigate |
| --username | -u | Username / handle to enumerate |
| --phone | -p | Phone number in E.164 format (e.g. +447700123456) |
| --domain | -d | Domain or IP address to investigate |
| --check-password | | Check a password against HIBP k-anonymity API (password is never transmitted) |
Multiple targets can be combined in one run:
venom -e alice@example.com -u alice_handle -p +12025551234 -d example.com

| Flag | Required? | Description |
|---|---|---|
| --hibp-key KEY | Optional | HaveIBeenPwned v3 API key — unlocks full breach & paste lookup |
| --bd-key KEY | Optional | BreachDirectory RapidAPI key — unlocks password hash lookup |
| --hunter-key KEY | Optional | Hunter.io API key — increases domain email search quota |
| Flag | What it skips |
|---|---|
| --no-social | Social platform enumeration (50+ sites) |
| --no-github | GitHub profile + commit email harvest |
| --no-dns | DNS / WHOIS / IP resolution |
| --no-dorks | Google dork query generation |
| --no-leakcheck | LeakCheck.io lookup |
| --no-intelx | IntelligenceX breach index |
| --no-wayback | Wayback Machine CDX check |
| --no-ssl | SSL/TLS certificate grab |
| --no-permute | Username permutation + social sweep |
| --no-urlscan | URLScan.io domain history |
| --no-otx | OTX AlienVault threat intel |
| --no-pulsedive | Pulsedive threat feed lookup |
| --no-keybase | Keybase identity profile |
| --no-steam | Steam community profile |
| Flag | Description |
|---|---|
| -o report.json | Save full findings as JSON |
| --html report.html | Save a styled dark-mode HTML report |
VENOM works fully without any API keys — all core modules use free, unauthenticated endpoints. Keys unlock higher rate limits or paid-tier data.
What it does: The most authoritative breach database. Returns every breach and paste an email has appeared in, with breach name, date, record count, and data types exposed (passwords, credit cards, etc.).
Cost: ~£3.50/month (personal tier)
How to get it:
- Go to haveibeenpwned.com/API/Key
- Purchase a subscription (monthly, cancel any time)
- Your key will be emailed and shown in the account dashboard
Usage:
venom -e you@example.com --hibp-key abc123def456...
Without a key: VENOM skips HIBP entirely and tells you how to get a key. All other breach sources (LeakCheck, BreachDirectory, IntelX) still run for free.
What it does: Returns password hashes and partial plaintext password hints found in breach dumps for a given email or username. Uses RapidAPI infrastructure.
Cost: Free tier available (50 requests/month free on RapidAPI)
How to get it:
- Create a free account at rapidapi.com
- Search for "BreachDirectory" and subscribe to the free plan
- Go to your RapidAPI dashboard → Apps → copy your "X-RapidAPI-Key"
Usage:
venom -e you@example.com --bd-key your_rapidapi_key_here
Without a key: BreachDirectory queries are skipped with a helpful message.
What it does: When scanning a domain (-d), Hunter.io discovers email addresses publicly associated with that domain — including names, job titles, and confidence scores.
Cost: Free tier (25 requests/month, no card required)
How to get it:
- Sign up at hunter.io
- Go to Dashboard → API → copy your API key
Usage:
venom -d example.com --hunter-key your_hunter_key
Without a key: Hunter.io still runs but with a lower anonymous rate limit. If you hit the limit it will show "no response" — add a key to restore it.
All of these work without any configuration:
| Service | What it provides |
|---|---|
| LeakCheck.io | Breach source list for email/username/phone |
| EmailRep.io | Reputation score, risk flags, first/last seen |
| Gravatar | Profile existence + display name, real name, linked accounts |
| GitHub API | Profile, repos, gists, commit emails, org memberships |
| GitLab API | Profile, bio, location |
| OTX AlienVault | Threat pulses for emails, domains, IPs |
| Shodan InternetDB | Open ports, CVEs, CPEs (no key version) |
| URLScan.io | Domain scan history, malicious verdicts |
| HackerTarget | Passive DNS, reverse IP |
| Pulsedive | Risk scoring for domains/IPs |
| Keybase | Full profile + cryptographically verified linked identities |
| Twitter/X oEmbed | Account confirmation + display name |
| Telegram | Username registration check |
| Steam | Public profile (display name, location, join date) |
| npm registry | User existence + exposed email |
| PyPI | User existence + package count |
| IntelligenceX | Breach/paste index (anonymous tier) |
| Crt.sh | Certificate transparency logs |
| Wayback Machine | Archive history |
| Google DNS over HTTPS | MX, TXT, SPF, DMARC, DKIM records |
| RDAP / rdap.org | WHOIS registration data |
| ip-api.com | IP geolocation, ASN, proxy/hosting flags |
| BGPView | ASN lookup, network owner, prefix |
| HIBP Pwned Passwords | k-anonymity password breach check |
| NumLookup | Phone carrier + line type |
Run with -e email@example.com
Checks email structure, detects:
- Valid format
- Domain and TLD
- Sub-addressing tags (e.g. user+shopping@gmail.com)
- Disposable / temporary email domains (300+ known domains)
- Role-based inbox detection (admin@, noreply@, support@, etc.)
- Privacy provider detection (ProtonMail, Tutanota, etc.)
Resolves MX records to identify the mail provider: Google, Microsoft 365, Yahoo, ProtonMail, Apple iCloud, Zoho, Fastmail, Tutanota, Mailgun, SendGrid, Amazon SES, Yandex, and more. Shows all MX hosts.
Splits the email local-part on separators (., _, -) to infer a possible first and last name, with a gender hint based on a dictionary of common names. Clearly flagged as not authoritative.
Queries the domain's DNS records to assess whether it is protected against email spoofing:
- SPF — checks for v=spf1 TXT record; classifies policy as hardfail (-all), softfail (~all), +all (dangerous), or missing
- DMARC — checks _dmarc.<domain> for v=DMARC1; shows p=reject/quarantine/none and the aggregate report address (rua=)
- DKIM — probes 13 common selectors (google, mail, default, selector1/2, mimecast, protonmail, etc.)
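The SPF and DMARC classification described above, as an added example that is not taken from venom.py. The function names and the sample TXT records are constructed for illustration, and the classifier goes slightly beyond the four SPF classes listed by also reporting neutral (?all), a record with no all mechanism, and duplicate SPF records.

```python
import re

SPF_ALL = {"-": "hardfail (-all)", "~": "softfail (~all)",
           "?": "neutral (?all)", "+": "+all (dangerous)"}


def classify_spf(txt_records):
    """Classify the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if re.match(r"v=spf1(\s|$)", r, re.I)]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid (multiple v=spf1 records)"  # receivers treat this as an error
    for term in spf[0].lower().split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:
            return SPF_ALL[m.group(1) or "+"]  # a bare "all" means "+all"
    return "no all mechanism"


def parse_dmarc(txt_records):
    """Parse the TXT answer for _dmarc.<domain>; None means no DMARC record."""
    for record in txt_records:
        tags = {}
        for part in record.split(";"):
            key, sep, value = part.partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        if tags.get("v") != "DMARC1":
            continue
        policy = tags.get("p", "").lower()
        return {
            "policy": policy if policy in ("none", "quarantine", "reject") else "invalid",
            "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
        }
    return None


def assess(domain_txt, dmarc_txt):
    """Combine both checks into the gaps a mail administrator would fix."""
    findings = []
    spf = classify_spf(domain_txt)
    if not spf.startswith(("hardfail", "softfail")):
        findings.append("SPF: " + spf)
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: missing")
    else:
        if dmarc["policy"] in ("none", "invalid"):
            findings.append("DMARC: p=%s (not enforced)" % dmarc["policy"])
        if not dmarc["rua"]:
            findings.append("DMARC: no rua= report address")
    return findings


# Constructed sample answers: (TXT at the domain, TXT at _dmarc.<domain>)
SAMPLES = {
    "strict.example": (["google-site-verification=abc",
                        "v=spf1 include:_spf.example.net -all"],
                       ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"]),
    "lax.example": (["v=spf1 a mx +all"], ["v=DMARC1; p=none"]),
    "bare.example": (["some-verification=1"], []),
}

if __name__ == "__main__":
    for domain, (txt, dmarc_txt) in SAMPLES.items():
        print(domain, classify_spf(txt), parse_dmarc(dmarc_txt), assess(txt, dmarc_txt))
```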
Fetches all TXT records and classifies each one: Google site verification, Microsoft 365 / Azure token, Facebook domain verification, Apple verification, Stripe, Atlassian/Jira, Docker Hub, Keybase, HIBP domain, Notion, HubSpot, GitHub Pages, Zoho, DKIM keys, SPF, DMARC.
Attempts to extract the admin/registrant contact email from RDAP registration data (often redacted by privacy services, but exposed on older or non-GDPR registrations).
Hashes the email with MD5 and probes Gravatar:
- Confirms if an account exists
- Fetches the full profile JSON: display name, real name, location, bio, and any linked platform accounts the user has connected
Queries EmailRep's public tier:
- Reputation score (high / medium / low / none)
- Suspicious flag
- Reference count (how many sources have seen this email)
- Tags (e.g. spam, blacklisted, data_breach, free_provider)
- First seen / last seen dates
- Malicious activity, recent malicious activity, spam source, blacklisted flags
Searches certificate transparency logs for certificates that contain this email address. Reveals domains and organisations the email has been used to register TLS certificates for.
Searches the AlienVault Open Threat Exchange for threat intelligence pulses referencing this email. Surfaces threat actor names, campaign names, and tags.
Queries Dehashed for the approximate number of breach records indexed for this email. The full records require a paid Dehashed account, but the count is free.
Looks up the email in Pulsedive's threat feed database. Returns a risk rating (none / low / medium / high / critical), associated threat names, and feeds.
Full breach lookup via HaveIBeenPwned v3:
- Every breach the email appears in, with name, date, record count, data types, and sensitivity flag
- Every paste (Pastebin, etc.) with source, date, and title
Returns password hashes (SHA-1 / MD5 / bcrypt, etc.) and partial plaintext hints for each breach record. Hashes are decoded from Base64 to hex for display.
Free public tier breach source lookup. Returns the list of breach sources where this email was found.
Queries the IntelX public search index (anonymous tier) for breach, paste, and dark web indexed records referencing this email.
Searches public GitHub commit history for this email address. Surfaces any repos where the email appears in a commit author field — a common accidental exposure vector.
Derives up to 15+ username variants from the email local-part (e.g. john.doe@ → johndoe, jdoe, j.doe, doejohn, johnd, etc.) and runs each through the full 50+ platform social enumeration. Useful when the email local-part differs from the person's public handles.
Generates ready-to-run Google search queries targeting:
- Pastebin dumps
- SQL / TXT data files
- Credential / leak + password mentions
- GitHub / GitLab source code
- Trello / Notion board exposure
- Breach forum mentions (RaidForums, BreachForums)
- Paste sites (GhostBin, HasteBin, DPaste)
- Spreadsheet leaks (CSV, XLSX)
- Scribd / SlideShare document exposure
Run with -u handle
Checks 50+ platforms in parallel (20 concurrent threads) using platform-specific "not found" signals for accurate detection:
Developer / Tech: GitHub, GitLab, Replit, Keybase, HackerNews, Pastebin, npm, PyPI, Bitbucket, Codepen, DockerHub, HackerEarth, LeetCode, Codeforces, HackTheBox, TryHackMe, Hackaday
Social: Twitter/X, Instagram, Reddit, TikTok, LinkedIn, Pinterest, Tumblr, Snapchat, Mastodon, Bluesky, Threads, VKontakte, Telegram, About.me, Medium, Substack
Gaming: Twitch, Steam, Roblox, Chess.com
Creative: YouTube, DeviantArt, Flickr, Spotify, SoundCloud, Bandcamp, Vimeo, Behance, Dribbble, 500px
Commerce: Etsy, Fiverr, Upwork, Patreon, ProductHunt
Other: Gravatar
Full profile via the GitHub API: name, bio, email, company, location, blog, follower/repo counts, join date. Lists up to 5 recent repos with language and star count, and up to 3 gists.
Scans the first 5 commits of each public repo for real email addresses in commit author metadata. Surfaces emails the user may not realise are publicly visible.
Lists all public organisations the user belongs to (name, URL, description).
Fetches the GitLab public profile: bio, location, website, join date.
Probes the npm CouchDB registry for the username. If found, also checks for any exposed email address in the public profile.
Checks if a PyPI account exists under this username and counts public packages.
Full Keybase profile via the public API: full name, bio, location, plus all cryptographically-verified linked identities (Twitter, GitHub, Reddit, HackerNews, Mastodon, personal websites, etc.).
Uses Twitter's public oEmbed endpoint to confirm a handle exists and retrieve the display name without requiring an API key.
Probes t.me/{username} and parses the response to confirm if the Telegram username is registered, and extracts the display name from the page's Open Graph title if available.
Queries the Steam Community XML profile endpoint for the vanity URL. Returns Steam ID64, display name, online state, location, join date, and profile summary.
- BreachDirectory (if --bd-key supplied) — password hashes for this username
- LeakCheck.io — breach sources
- IntelligenceX — paste and dark web index hits
Targeted dorks for username exposure:
- Pastebin and GhostBin mentions
- Reddit and Twitter cross-references
- "doxxed / leaked / exposed" mentions
- Email / phone / address associations
- Breach forum mentions (RaidForums, Cracked.io)
- Trello board exposure
Run with -p +447700123456
Phone numbers must be in E.164 international format (country code + number, no spaces).
Matches the number against a 30+ country prefix table to identify the country of origin.
Queries NumLookupAPI for:
- Carrier name (e.g. "EE", "Verizon", "Vodafone")
- Line type: mobile / landline / VoIP
- Location (city/region)
Searches LeakCheck for breach records associated with this phone number.
Searches the IntelX breach and paste index for the phone number.
Searches OTX threat pulses for any references to the phone number (uncommon but surfaces phone numbers shared in threat intelligence reports).
Run with -d example.com or -d 93.184.216.34
Fetches A, AAAA, MX, NS, TXT, and CNAME records via Google DNS-over-HTTPS.
Structured registration data: registrar name, registration date, expiry date, last updated, and nameservers. Uses the RDAP protocol (more reliable than raw WHOIS).
- ip-api.com — city, region, country, ISP name, ASN, proxy flag, hosting flag, timezone
- BGPView — ASN number, ASN name/description, network prefix, network name
Free, no-key Shodan endpoint returning:
- All open ports
- CVE IDs for known vulnerabilities
- CPE software/hardware identifiers
- Tags (e.g. self-signed, vpn, cloud)
- Hostnames
SPF / DMARC / DKIM check on the domain (same as email module — useful for domain-only scans).
Classifies all TXT records to reveal which SaaS tools, verification tokens, and policies are attached to the domain.
Returns up to 10 recent URLScan.io scans for the domain, with date, IP, country, server header, malicious verdict, and scan ID.
Threat intel for the domain: pulse count, malware family references, country code, industry tags.
Threat intel for the resolved IP: pulse count, reputation score, country, city, ASN, malware family count.
Historical DNS resolutions for the domain — shows all hostnames that have ever resolved to each IP.
All domains co-hosted on the same IP address.
Risk score (none / low / medium / high / critical), threat names, feed memberships, last seen date, and retirement status.
First archived snapshot date, most recent snapshot, and total snapshot count from the Internet Archive CDX API.
Passive certificate pull (no scanning tool, just a socket connection):
- Subject CN and organisation name
- Issuer organisation
- Certificate validity window
- All Subject Alternative Name (SAN) domains
Queries crt.sh for all certificates ever issued for *.domain.com. Reveals every subdomain that has ever had a valid TLS certificate, including old or forgotten subdomains.
Checks the domain/IP against 5 major DNS blacklists:
- Spamhaus ZEN
- SpamCop
- Barracuda Central
- SORBS
- PSBL (Passive Spam Block List)
Finds email addresses publicly associated with the domain, with names, job titles, and confidence scores. Runs on the free tier; pass --hunter-key for a higher quota.
Breach and paste index hits for the domain.
Domain-specific dorks:
- Exposed config / log / env files
- Leaked credentials in GitHub
- Admin panel exposure (wp-admin, phpmyadmin, adminer)
- API keys and tokens in source code
- Pastebin / dump site mentions
Run with --check-password "yourpassword"
Uses the HIBP Pwned Passwords k-anonymity API. The password is hashed with SHA-1 locally, and only the first 5 characters of the hash are sent to the API. The full password is never transmitted.
Returns how many times the password has appeared in known breach dumps. If the count is greater than zero, the password should be considered compromised.
Rich colour-coded output with tables, progress bars, and section rules. Designed for readability in 80-column+ terminals.
Complete machine-readable dump of all findings. Preserves the full raw API responses under relevant keys. Useful for piping into other tools or storing scan history.
Structure:
{
  "timestamp": "2025-01-01T12:00:00",
  "targets": {
    "email": "target@example.com",
    "username": "handle",
    "phone": "+447700123456",
    "domain": "example.com"
  },
  "findings": {
    "emailrep": { ... },
    "gravatar": { ... },
    "hibp": { "breaches": [...], "pastes": [...] },
    "social": { "found": [...], "not_found_count": 42 },
    "domain": { "dns": {...}, "shodan": [...], ... },
    ...
  }
}
Self-contained dark-mode HTML report with:
- Target summary header
- HIBP breach table
- Social accounts found table
- Google dorks table
- Full JSON dump in a scrollable <pre> block
VENOM generates ready-to-use Google search queries. These are not run automatically — they are printed to the terminal for you to copy and execute manually in a browser.
This is intentional: automated Google scraping violates Google's ToS and would quickly get the tool blocked. The dork URLs are pre-formatted so you just click or paste them.
Dorks are generated for:
- Email: Pastebin, SQL/TXT dumps, credential mentions, code repositories, spreadsheets, paste sites, breach forums
- Username: Pastebin, social cross-reference, doxxing mentions, personal data mentions, breach forums, Trello boards
- Domain: Exposed config/env/log files, GitHub credential leaks, admin panel discovery, token/secret exposure
VENOM is a single-file Python script (~3100 lines). It is structured in layers:
- Data collection functions — each API or service has a dedicated function returning a normalised dict
- Rendering functions — each data type has a render_* function that prints to the Rich console
- main() — orchestrates the scan flow: parses args, calls collection functions in order, calls render functions, builds the report dict, optionally exports
Uses a ThreadPoolExecutor with 20 concurrent workers. Each platform URL is fetched with an 8-second timeout. The response body is checked against a platform-specific list of "not found" signals (e.g. Reddit returns "nobody on reddit goes by that name"). A 404 status code is also treated as "not found".
All DNS lookups use Google's DNS-over-HTTPS API (dns.google/resolve) rather than system DNS. This provides consistent, reliable results regardless of the system's resolver configuration, and avoids leaking hostnames to a local ISP.
Most free APIs impose rate limits. VENOM includes a 2-second retry on HIBP 429 responses. For all other services, if a rate limit is hit, the module gracefully returns None and the scan continues. For sustained use, stagger scans or use API keys for higher quotas.
| Service | Free Limit | Notes |
|---|---|---|
| HIBP Breaches | Requires key (~£3.50/mo) | Key has no hard rate limit |
| HIBP Passwords | Unlimited | k-anonymity, no account needed |
| LeakCheck | ~10 req/day | IP-based |
| EmailRep.io | ~10 req/day | IP-based |
| GitHub API | 60 req/hr | Unauthenticated |
| OTX AlienVault | ~100 req/hr | Unauthenticated |
| URLScan.io | Generous | No account needed to read |
| HackerTarget | 100 req/day | Free, unauthenticated |
| Shodan InternetDB | Unlimited | No key needed |
| Pulsedive | Generous | Anonymous tier |
| crt.sh | Generous | No auth |
| Wayback CDX | Generous | No auth |
| Hunter.io | 25 req/mo free | Use --hunter-key |
| ip-api.com | 45 req/min | HTTP only (no HTTPS on free) |
Always:
- Only scan targets you own or have explicit written permission to scan
- Don't automate bulk scanning — it will get IPs banned and affects other users of these free services
- Treat findings as leads, not conclusions — false positives exist in all breach databases
ModuleNotFoundError: No module named 'rich'
VENOM auto-installs dependencies on first run. If this fails (e.g. in a restricted environment), run:
pip install rich requests --break-system-packages
Permission denied when running as venom command
On Linux/macOS, ensure the wrapper script is executable:
chmod +x ~/.local/bin/venom
Social platform scan returns everything as "found"
Some platforms (LinkedIn, Snapchat) return 200 for all requests. VENOM uses body-text heuristics to filter these, but aggressive WAF/bot protection can cause false positives. Verify any hits manually.
HIBP returns 401 Unauthorized
Your API key is invalid or expired. Re-check it at haveibeenpwned.com/API/Key.
IntelX returns no results
The anonymous key (000...000) has very limited access. Results depend on what IntelX has indexed publicly. Full access requires a paid IntelX account.
crt.sh times out
crt.sh can be slow under load. VENOM uses a 16-second timeout. If it times out, the module returns an empty list and scanning continues.
BreachDirectory shows "no key" message
Pass your RapidAPI key: --bd-key YOUR_RAPIDAPI_KEY. See API Keys.
Phone number returns "could not validate"
Ensure the number is in E.164 format: country code + number, starting with +. Example: +447700123456, not 07700123456.