Automating Malicious IP Address Scanning with the VirusTotal API and Getting a Detailed Report
VirusTotal, a widely-used service for analyzing files and URLs, offers an API for checking IP addresses. In this blog post, I will guide you through automating the process of scanning a list of IP addresses using Python and the VirusTotal API. By the end, you’ll have a functional script that can quickly fetch security reports for any IP addresses you need to monitor.
Prerequisites and Setup
To begin, you’ll need:
1. A VirusTotal account and an API key. Sign up on the VirusTotal website and retrieve your API key from your account settings.
2. Python installed on your machine.
3. The requests library, which can be installed using pip:
pip install requests
Step-by-Step Guide: Writing the Python Script
The main task is to create a Python script that reads a list of IP addresses from a file, queries the VirusTotal API, and prints the resulting reports. Here’s how you can do it:
1. Import Libraries: Begin by importing the necessary libraries. The requests library will handle HTTP requests, and the json library will help in parsing the response data.
2. Define API Key and URL Template: Insert your VirusTotal API key and define the URL template for the IP address report endpoint. You will get this URL from the VirusTotal API documentation.
3. Read the IP List: Open the file containing IP addresses, read each line, strip any whitespace or newline characters (for this purpose, I used the strip() method), and store them in a list. The sample IPs are saved in a text file named ‘iplist.txt’.
4. Create the Request Function: Define a function that constructs the request URL, sets the headers with the API key, and sends a GET request to the VirusTotal API. The request gives back a response object, and calling json() on that response object gives you the JSON object of the result.
5. Iterate and Print Reports: Loop through each IP address in the list, call the function to get the report, and print it in a readable JSON format. You can store it in a file instead of printing it on the console.
Complete Script:
import json

import requests

# Write your VT API key here inside the quotes.
API_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxx'

# URL template for the VT IP address report API.
urlscan = 'https://www.virustotal.com/api/v3/ip_addresses/{}'

# Read the list of IPs from the file, skipping blank lines.
with open('iplist.txt', 'r') as ipfile:
    ips = []
    for line in ipfile:
        ip = line.strip()
        if ip:
            ips.append(ip)


# Function to get the report for an IP address.
def get_ip_report(ip):
    url = urlscan.format(ip)
    header = {"accept": "application/json", "x-apikey": API_KEY}
    # A timeout keeps the script from hanging on a stalled connection.
    response = requests.get(url, headers=header, timeout=30)
    # print(response.text)
    return response.json()


# Iterate over the list of IPs and get reports.
for ip in ips:
    report = get_ip_report(ip)
    print(f'Report for IP: {ip}')
    print(json.dumps(report, indent=3))
    print('\n')
Running the Script
Save the script to a file, for example, vtscript.py. Then, execute the script using the following command.
python vtscript.py
Sample Output:
Here is the sample output. As can be seen, the data is returned in JSON format.
Conclusion:
By following this Python script, you can scan IPs and generate reports using the VirusTotal API. You can further filter the results based on your requirements.
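One way to do that filtering, as an added example that is not part of the original script: it checks the IP list before anything is sent to the API and reduces each report to a short verdict. The function names, the threshold of 3 and the sample reports are assumptions constructed for illustration; the field names follow the VirusTotal v3 IP address report.

```python
import ipaddress

# Constructed sample shaped like a VirusTotal v3 IP report; all values are made up.
SAMPLE_REPORT = {"data": {"id": "203.0.113.7", "type": "ip_address", "attributes": {
    "country": "NL", "as_owner": "Example Hosting", "reputation": -12,
    "last_analysis_stats": {"malicious": 6, "suspicious": 1, "harmless": 58,
                            "undetected": 27, "timeout": 0}}}}
# Constructed sample of the error object returned instead of "data".
SAMPLE_ERROR = {"error": {"code": "QuotaExceededError", "message": "Quota exceeded"}}


def clean_ip_list(lines):
    """Keep valid, publicly routable IPs only, de-duplicated in file order."""
    seen, result = set(), []
    for line in lines:
        try:
            ip = ipaddress.ip_address(line.strip())
        except ValueError:
            continue  # blank line, hostname or typo: never sent to the API
        # Internal addresses have no public reputation and should not leave the network.
        if ip.is_global and str(ip) not in seen:
            seen.add(str(ip))
            result.append(str(ip))
    return result


def summarize(report, threshold=3):
    """Flatten one report into a verdict; `threshold` is a hypothetical local policy."""
    if "error" in report:
        return {"verdict": "error", "detail": report["error"].get("code", "unknown")}
    data = report.get("data", {})
    attrs = data.get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    if not stats:
        verdict = "unknown"      # no engine results in the report
    elif malicious >= threshold:
        verdict = "malicious"
    elif malicious or suspicious:
        verdict = "review"       # a few hits: worth a human look
    else:
        verdict = "clean"
    return {"ip": data.get("id"), "verdict": verdict, "malicious": malicious,
            "suspicious": suspicious, "engines": sum(stats.values()),
            "country": attrs.get("country"), "as_owner": attrs.get("as_owner")}


if __name__ == "__main__":
    print(clean_ip_list(["8.8.8.8\n", "\n", "10.0.0.5\n", "not-an-ip\n", "8.8.8.8\n"]))
    print(summarize(SAMPLE_REPORT))
    print(summarize(SAMPLE_ERROR))
```

To use it with the script above, pass the lines of iplist.txt through clean_ip_list() and call summarize() on each value returned by get_ip_report().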