🛠 GeoIP‑lookup Checker
Salute,
I want to share with you a small utility that allows you to quickly view the geolocation of IP addresses and domains, as well as enrich HTTP traffic in Burp Suite by integrating it as a plugin.
I decided to start writing this tool to simplify interactions with external sources and subsequently combine several paired tools like autoswagger (reviewed here).
Here's the repo. The tool itself runs on top of curl and jq, uses the free ip-api.com API and can switch to the ipapi-co provider. I'll be happy if you criticize it and help improve the product with real requests.
How does it work?
• GeoIP lookup (pretty) by IP or domain
• JSON mode produces “raw” JSON so that it can be conveniently processed by pipelines, for example jq, yq, any scripts or SIEM
• Reads a list of targets from a file and processes them sequentially with a slight delay so as not to exceed API limits
• Starts geoip http and tries different methods (GET, HEAD, OPTIONS, POST, PUT, PATCH, DELETE, TRACE) on the specified IP or host, showing status, headers and response time
• Responses are saved in ~/.cache/geoip-tool as JSON files. The key is formed from the target and language, and the TTL (time to live) is set in geoip_core.sh via CACHE_TTL_SEC, which reduces the risk of hitting the rate-limit
• You can add an extension to Burp that creates a GeoIP tab for each HTTP request. The extension takes the host from the request, calls the local command geoip json <ip> and displays prettified JSON in the tab - convenient for analyzing traffic and IP correlation.
• ip-api sends X-Rl (how many requests are left) and X-Ttl (after how many seconds the limits will be updated) headers in responses. In geoip-tool they are parsed and output to stderr
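A sketch of how a batch loop can turn the X-Rl / X-Ttl headers into a pause length. This is an added example, not geoip-tool's own code; the function names and DEFAULT_DELAY are assumptions. Header values come from the network, so they are validated as plain digits before they reach a numeric test or sleep.

```shell
# Added example, not geoip-tool's code: pick a pause from ip-api.com's
# X-Rl (requests left) and X-Ttl (seconds until the window resets) headers.
DEFAULT_DELAY=2   # assumed fallback when the headers are missing or malformed

# header_value NAME: raw HTTP headers on stdin, prints NAME's last value
# (name matched case-insensitively, CR and surrounding blanks removed).
header_value() {
    tr -d '\r' | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            i = index($0, ":")
            if (i == 0 || tolower(substr($0, 1, i - 1)) != want) next
            v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }'
}

# is_uint VALUE: true only for one to six decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 6 ]
}

# rl_wait_seconds HEADERS: prints the seconds to sleep before the next request.
rl_wait_seconds() {
    rl=$(printf '%s\n' "$1" | header_value X-Rl)
    ttl=$(printf '%s\n' "$1" | header_value X-Ttl)
    if ! is_uint "$rl" || ! is_uint "$ttl"; then
        echo "$DEFAULT_DELAY"   # absent or non-numeric: do not trust it
    elif [ "$rl" -gt 0 ]; then
        echo 0                  # budget left in the current window
    else
        echo "$ttl"             # budget used up: wait for the reset
    fi
}

# Constructed sample: headers of a response that used the last allowed request.
SAMPLE=$(printf 'HTTP/1.1 200 OK\r\nX-Rl: 0\r\nX-Ttl: 37\r\n')
echo "pause before next target: $(rl_wait_seconds "$SAMPLE")s" >&2
```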
Where can this be useful?
• Quick check in the terminal
• Enrichment of SIEM logs and events (for example, an index in Elastic/Splunk)
• Analysis of HTTP behavior of services (what methods are allowed, what codes are received, what headers and redirects)
In the upcoming release there will be
• Full response in file and targeting in nmap, back
• Recursively go through target pages
• Probing all ports (not only 80/443)
• If the IP geolocation service sends the Retry-After header when responding to Too many requests (429), then you can pause for this time and then continue again
• Reverse lookup by IP and domain name, using a service like security trails
• Ability to feed in a Swagger spec and call its endpoints
Installation via GHCR
$ docker run --rm ghcr.io/geminishkv/geoip-tool:v0.1.6 --help
$ docker run --rm ghcr.io/geminishkv/geoip-tool:v0.1.6 lookup 8.8.8.8
$ docker run --rm -e GEOIP_PROVIDER=ipapi-co ghcr.io/geminishkv/geoip-tool:v0.1.6 json 1.1.1.1
Installation from GitHub Release:
curl -L https://github.com/geminishkv/geoip-tool/archive/refs/tags/v0.1.6.tar.gz -o geoip-tool-v0.1.6.tar.gz
tar xzf geoip-tool-v0.1.6.tar.gz
cd geoip-tool-0.1.6
sudo make install
Scenarios
$ geoip json 1.1.1.1 | jq '.' # JSON output
$ geoip http example.com --https --follow
$ geoip http example.com --auto --aggressive
$ geoip http example.com --methods GET,HEAD,OPTIONS,TRACE
Project structure
• bin/geoip — launcher
• lib/geoip_core.sh - core: HTTP client, cache, provider selection
• lib/geoip_lookup.sh — pretty/JSON/batch lookup logic
• lib/geoip_http.sh — HTTP check, method enumeration, timeouts, headers
• examples/burp-extension/GeoIpTab.py - integration with Burp
• Dockerfile - image for GHCR
Footnote
• GeoIP is the determination of geographic information (country, city, ASN, provider, etc.) by IP address
• Lookup is a request to an external service using some identifier (IP, domain) and receiving a structured response
#appsec #devsecops #specialty #toolchain #techsolution #paper
