Tricky Thursday is back and today we are looking at website-focused OSINT.
I briefly touched on the topic in the first instalment of the Tricky Thursday thread here.
So how do you go about gathering intel about web domains?
1. Whois lookup
In the pre-GDPR era, whois used to be a phenomenal tool for domain lookup, allowing us to identify a wide range of information about almost any domain: registrant details, contact details, admins, hosting, etc.
The whois resources are now heavily restricted but still offer some snippets of information that could be relevant.
who.is – one of the most popular websites, but there are some alternatives that do essentially the same thing:
You can also just run the ‘whois’ command (followed by the domain name or IP address) in your terminal and get the same information that way.
2. Domain reputation check
Reputation might be a subjective measure, but often you just need a quick YES / NO answer about a website’s legitimacy rather than a longer investigation.
The advantage of a reputation ranking, which is derived from a mix of corporate expertise and community submissions, is that it can warn users about malicious content on a website they are about to visit.
Simply paste the website URL into one of these resources and check out the score:
https://www.threatminer.org – a threat intelligence portal that combines the information from several well-respected infosec industry platforms;
https://www.joesandbox.com – an online malware analysis platform, which also conducts URL scans;
https://www.virustotal.com/gui/home/url – this website pulls information from antivirus scanners and URL / domain blacklisting services and alerts on dangerous or malware-infected sites;
https://talosintelligence.com – a reputation evaluation tool from Cisco; it also returns whois records;
https://www.ipvoid.com – includes a number of IP blacklist checks, whois lookup, DNS lookup and ping.
3. Associated domains
If you would like to see what other websites are located on a shared hosting server used to host a target domain, use these tools:
https://www.ipfingerprints.com/reverseip.php – to find other sites running on a webserver;
https://dnslytics.com/reverse-ip – find domains sharing the same IP address or subnet;
https://urlscan.io – one of my favourite tools; it has many more functions, but for associated domains the useful features are searching for structurally similar pages, subdomains and domain trees;
https://publicwww.com – a search engine over website source code, for finding sites that share the same code.
4. Resources for inactive domains
Domains might come and go, but what appears on the internet stays there!
https://archive.is – this archive site will allow you to archive other websites as well as search for those already in their archives;
https://archive.org/web – Wayback Machine, for snapshots of websites taken periodically;
http://www.cachedpages.com – cached versions of pages;
http://cachedview.com – contains copies of the websites cached by Google;
https://loc.gov/websites – Library of Congress archived websites;
https://www.webarchive.org.uk/ukwa – specific to the UK websites, but still a useful source of archived content.
5. Private network IP address ranges
If you encounter any of the following IPv4 address ranges, remember that they are reserved for private networks:
10.0.0.0 – 10.255.255.255
169.254.1.0 – 169.254.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
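As an added example (not part of the original post), here is a small Python helper that turns the ranges above into networks and uses them to weed out reserved addresses from a pasted list (say, the output of a reverse-IP lookup) before you submit anything to a reputation service. The sample addresses are constructed.

```python
import ipaddress
from typing import Iterable, List

# Reserved IPv4 ranges exactly as listed in the post (start, end, label).
# RFC 1918 defines the 10/8, 172.16/12 and 192.168/16 blocks as private;
# 169.254.0.0/16 is the link-local (APIPA) block defined by RFC 3927.
RESERVED_RANGES = [
    ("10.0.0.0", "10.255.255.255", "private"),
    ("169.254.1.0", "169.254.255.255", "link-local"),
    ("172.16.0.0", "172.31.255.255", "private"),
    ("192.168.0.0", "192.168.255.255", "private"),
]


def _compile(ranges):
    """Convert start-end ranges into (network, label) pairs via CIDR summarisation."""
    compiled = []
    for start, end, label in ranges:
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        for net in ipaddress.summarize_address_range(first, last):
            compiled.append((net, label))
    return compiled


RESERVED_NETWORKS = _compile(RESERVED_RANGES)


def classify(addr: str) -> str:
    """Return 'private', 'link-local', 'public' or 'invalid' for an IPv4 string."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ipaddress.AddressValueError:
        return "invalid"
    for net, label in RESERVED_NETWORKS:
        if ip in net:
            return label
    return "public"


def public_only(candidates: Iterable[str]) -> List[str]:
    """De-duplicate a list of addresses and keep only routable ones worth looking up."""
    seen, out = set(), []
    for c in (x.strip() for x in candidates):
        if classify(c) == "public" and c not in seen:
            seen.add(c)
            out.append(c)
    return out


if __name__ == "__main__":
    # Constructed sample input, not real lookup output.
    sample = ["203.0.113.10", "10.1.2.3", "172.20.0.5", "169.254.10.1",
              "192.168.1.1", "203.0.113.10", "not-an-ip", "172.32.0.1"]
    for s in sample:
        print(f"{s:>15}  {classify(s)}")
    print("to check:", public_only(sample))
```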