Keklick in Plain English: A Step-by-Step Guide to Hunting Command-and-Control (C2) Networks
Quick takeaway: Keklick is a free, open-source toolkit that helps security teams discover, map, and report malicious infrastructure—without writing a single line of code.
In the next 3,000 words you will learn how to install it, run your first hunt, and turn raw data into a board-ready PDF report.
1. Why C2 Matters (Even if You’re Not a Security Guru)
Imagine malware as a quiet burglar in your house.
The burglar does not smash windows; instead, he opens a tiny, hidden door and slips out stolen items to an accomplice waiting on the sidewalk.
That accomplice is the command-and-control (C2) server.
C2 servers live on seemingly normal domains and IP addresses, but they are the brains of an attack campaign.
If you can find every domain or IP that talks to the burglar, you can slam the door shut before more data walks out.
Keklick automates the boring parts of this hunt—probing, correlating, and visualizing—so you can focus on the decision-making.
2. A One-Minute Feature Tour
| Feature | What it does for you | Typical moment you’ll use it |
|---|---|---|
| C2 Infrastructure Discovery | Starts with one suspicious domain or IP and finds related ones | SOC alert says “evil.example.com”; you want the whole family tree |
| Interactive Network Map | Draws nodes (domains/IPs) and edges (shared certificates, DNS history) | Need a single slide for your manager |
| Threat-Intel Enrichment | Queries AbuseIPDB, VirusTotal, AlienVault OTX, etc. | You have 50 IPs; only 10 minutes to decide which ones to block |
| One-Click PDF Report | Exports everything into a tidy document | Hand evidence to legal or incident-response team |
| No-Code Interface | Point, click, filter, zoom | You prefer dashboards over Python scripts |
3. Before You Begin: System Requirements
-
Memory: 2 GB RAM (4 GB recommended for large datasets) -
Disk: 4 GB free space (Docker image plus temporary scan data) -
OS: Any modern Linux, macOS, or Windows 10/11 -
Either Docker & Docker Compose or Python 3.9+ and Go 1.21+ (your choice)
4. Installation Option A: Docker (Fastest Route)
-
Clone the repository git clone https://github.com/0x6rss/keklick.git cd keklick -
Build and run the container docker build -t keklick . docker run -p 5000:5000 keklick -
Open http://localhost:5000in your browser.
You should see the clean Keklick dashboard.
Tip: If port 5000 is already in use, change the left side of
-p 8080:5000.
5. Installation Option B: Manual (Full Control)
| Step | Command / Action | Notes |
|---|---|---|
| 1 | git clone https://github.com/0x6rss/keklick.git && cd keklick |
Source code on disk |
| 2 | Install Go 1.21+ | Grab the tarball from https://golang.org/dl/ and unpack to /usr/local/go |
| 3 | Add Go to your path | export PATH=$PATH:/usr/local/go/bin |
| 4 | Install httpx | go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest |
| 5 | Install HEDnsExtractor | git clone https://github.com/HuntDownProject/HEDnsExtractor.git && cd HEDnsExtractor && make && sudo cp hednsextractor /usr/local/bin/ |
| 6 | Install Python dependencies | pip install -r requirements.txt |
| 7 | Launch the app | python app.py |
| 8 | Visit http://localhost:5000 |
Ready to hunt |
6. Optional: Add Your Own API Keys
Out of the box, Keklick works without keys, but enrichment is richer when you supply them.
-
Open app.pyin any text editor. -
Find the dictionary named API_KEYS. -
Replace the placeholder strings with real keys:
API_KEYS = {
"abuseipdb": "YOUR_ABUSEIPDB_KEY",
"otx": "YOUR_ALIENVAULT_OTX_KEY"
}
-
Save and restart the container or Python process.
No keys? No problem. The tool still performs core discovery.
7. Core Technologies Under the Hood
| Tool | Role | Example Output |
|---|---|---|
| httpx | Probes web servers for status codes, redirects, tech stack | 302 Found, nginx/1.18, X-Powered-By: Express |
| HEDnsExtractor | Reverses IP history—finds every domain ever pointed to that IP | 1.2.3.4 once hosted abc.evil, xyz.evil, mail.evil |
Keklick stitches these outputs together, removes duplicates, and hands the data to a graph renderer so you can see relationships at a glance.
8. Your First Hunt in Five Steps
-
Input: Type a domain or IP you already distrust (e.g., malicious.example). -
Search Type: Leave it on Auto Detect unless you know exactly what you have. -
Limit: Start with 50 results; raise later if needed. -
Click Search and wait. -
Explore: The left pane shows a network map similar to the image below.
Each circle is a domain or IP.
Lines indicate shared SSL certificates, common DNS records, or overlapping WHOIS data.
Hover or click any node to open a detail card.
9. Deep-Dive Tools in the Right-Click Menu
| Menu Item | What You’ll Learn | Quick Tip |
|---|---|---|
| Threat Intelligence | Reputation scores from VirusTotal, AbuseIPDB, etc. | Anything above 5 detections deserves a closer look. |
| SSL Certificate | Subject Alternative Names (SANs) reveal extra domains. | Ten domains on one cert? Probably the same actor. |
| DNS Records | Historical A, NS, and MX changes. | Sudden NS change can flag a domain takeover. |
| WHOIS | Registrar, creation date, contact email. | Reused email addresses often link campaigns. |
| Timeline | When each asset first appeared. | Helps decide if infrastructure is new or long-lived. |
10. Exporting a Board-Ready PDF Report
-
Click the Report button in the top toolbar. -
Wait 20–30 seconds. -
Download the PDF.
The file contains:
-
A high-resolution snapshot of the network map -
A table of every node with key attributes -
Threat-intel summaries -
Timestamp of analysis
Attach it to an incident ticket or email it to stakeholders.
11. External Integrations (Quiet Helpers)
Keklick queries the following services automatically if you provide keys or if free quotas allow:
-
AbuseIPDB – IP reputation -
AlienVault OTX – Pulse indicators -
VirusTotal – Multi-engine verdicts -
Shodan – Open ports and banners -
Censys – Certificates and host data -
FOFA – Chinese-space search engine -
URLScan.io – Page screenshots and behavior
12. Real-World Scenario: From One Alert to a Full Brief
Monday 09:15 – Your EDR shouts:
malware.exe contacted abc.evil.
09:17 – You open Keklick, paste abc.evil, hit Search.
09:18 – Map shows 15 domains and 6 IPs linked by shared SSL certificate.
09:20 – AbuseIPDB column reveals 3 IPs with 20+ user reports each.
09:22 – Click Report, download PDF, attach to incident ticket.
09:25 – Network team blocks the entire subnet before coffee gets cold.
13. Frequently Asked Questions (FAQ)
Q1: Does Keklick guarantee zero false positives?
A: No tool can. Keklick surfaces relationships; humans still interpret them.
Q2: Is it legal to scan unknown domains?
A: Only if you have explicit authorization. Always follow your company’s policy and local laws.
Q3: How large is the Docker image?
A: Roughly 1.2 GB on first build. Subsequent pulls are incremental.
Q4: Can I run Keklick on Windows natively?
A: Docker works on Windows 10/11. Manual installation requires WSL or a full Linux toolchain.
Q5: The browser freezes with huge datasets—what now?
A: Reduce the result limit or use the built-in filters (status code, first-seen date) to shrink the graph.
14. Glossary in Plain Language
| Term | Simple Definition | Everyday Analogy |
|---|---|---|
| C2 (Command and Control) | The hidden server that tells malware what to steal next | The mastermind texting burglars inside the house |
| SSL Certificate | A website’s ID card; may list multiple aliases | One driver’s license showing both your real name and three nicknames |
| DNS History | A log of where a domain pointed over time | Post-office change-of-address forms |
| WHOIS | Public record of who owns a domain | Property deed showing owner’s name and address |
15. Closing Thoughts: Tools Think Fast, Humans Think Deep
Keklick does the tedious work—probing ports, parsing certificates, drawing graphs—so you can spend your time on judgment, context, and communication.
Remember: the map is not the territory. Always corroborate findings, seek proper authorization, and keep your reports honest.
Happy hunting, and stay lawful.
