Osint Me Tricky Thursday #4 – Website OSINT

Tricky Thursday is back and today we are looking at website-focused OSINT.

I briefly touched on the topic in the first instalment of the Tricky Thursday thread here.

So how do you go about gathering intel about web domains?

1. Whois

In the pre-GDPR era this was a phenomenal tool for domain lookups: a single query would return registrant details, contact details, admin and technical contacts, hosting information and more.

Since GDPR most registrant and contact fields are redacted, but whois still typically returns the registrar, the creation / update / expiry dates, the name servers and the DNSSEC status, which is often enough to date a domain and place it with a hosting provider.

who.is – one of the most popular websites, but there are some alternatives that do essentially the same thing:

https://www.whois.net/

https://lookup.icann.org/

https://centralops.net

https://domains.markmonitor.com/whois/

You can also just run the ‘whois’ command (followed by a domain name or IP address) in your terminal and get the same information that way.
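As an added example (not code from the original post), the script below wraps that terminal `whois` call and parses the reply into the handful of fields that still survive redaction, listing which contact fields were withheld. The whois reply it runs on is constructed (fictional domain, registrar and name servers), and the function names are my own.

```python
"""Pull the fields that still survive GDPR redaction out of raw whois output.

Added example, not part of the original post. SAMPLE_WHOIS is a constructed
reply in the usual "Key: Value" layout returned for gTLD domains; the domain,
registrar and name servers in it are fictional.
"""
import ipaddress
import re
import subprocess
from collections import defaultdict

SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE-TARGET.COM
   Registry Domain ID: 123456789_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Updated Date: 2023-04-02T09:12:44Z
   Creation Date: 2015-06-18T11:03:00Z
   Registry Expiry Date: 2025-06-18T11:03:00Z
   Registrar: Example Registrar, Inc.
   Registrar IANA ID: 9999
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Country: DE
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Name Server: NS1.HOSTING-PROVIDER.EXAMPLE
   Name Server: NS2.HOSTING-PROVIDER.EXAMPLE
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-05T10:00:00Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire.
"""

# Phrases registrars substitute for withheld personal data (lower-cased).
REDACTED_MARKERS = ("redacted for privacy", "please query the rdds", "data protected", "gdpr")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 /._-]*?):\s*(.*)$")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$"
)


def is_lookup_target(target: str) -> bool:
    """Accept only a hostname or IP literal, so untrusted input can never reach
    the whois binary as a command-line option (a value starting with '-')."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME.match(target))


def run_whois(target: str, timeout: int = 20) -> str:
    """Run the system `whois` command and return its text (needs network)."""
    if not is_lookup_target(target):
        raise ValueError(f"refusing to look up {target!r}")
    proc = subprocess.run(["whois", target], capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout


def parse_whois(text: str) -> dict:
    """Turn 'Key: Value' lines into {lower-cased key: [values]}, skipping banners."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ">%#":
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip().lower()].append(m.group(2).strip())
    return dict(fields)


def summarize(fields: dict) -> dict:
    """Keep what usually survives redaction and list the contact fields that did not."""
    def first(key):
        return fields.get(key, [None])[0]

    redacted = sorted(
        k for k, vals in fields.items()
        if k.startswith(("registrant", "admin", "tech"))
        and any(mark in v.lower() for v in vals for mark in REDACTED_MARKERS)
    )
    return {
        "domain": first("domain name").lower() if first("domain name") else None,
        "registrar": first("registrar"),
        "created": first("creation date"),
        "updated": first("updated date"),
        "expires": first("registry expiry date") or first("registrar registration expiration date"),
        "name_servers": sorted(v.lower().rstrip(".") for v in fields.get("name server", [])),
        "dnssec": first("dnssec"),
        "registrant_country": first("registrant country"),
        "redacted_fields": redacted,
    }


if __name__ == "__main__":
    import json
    # Replace SAMPLE_WHOIS with run_whois("example.com") for a live lookup.
    print(json.dumps(summarize(parse_whois(SAMPLE_WHOIS)), indent=2))
```

The registrant country usually survives redaction even when the name and organisation do not, and the name servers are the quickest pointer to the hosting provider, which is what the associated-domains step below builds on.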


2. Domain reputation check

Reputation scores are subjective, but often you only need a quick YES / NO on whether a website is legitimate, rather than a longer investigation.

These rankings are built from a mix of vendor analysis and community submissions, and their value is that they can warn you about malicious content on a site before you visit it. Bear in mind that a clean score only means nobody has flagged the site yet, so a new or low-traffic domain can be malicious and still score well.

Simply paste the website URL into one of these resources and check out the score:

https://www.threatminer.org – a threat intelligence portal that combines the information from several well-respected infosec industry platforms;

https://www.joesandbox.com – an online malware analysis platform, which also conducts URL scans;

https://www.virustotal.com/gui/home/url – this website pulls information from antivirus scanners and URL / domain blacklisting services and alerts on dangerous or malware infected sites;

https://talosintelligence.com – a reputation evaluation tool from Cisco. Also returns whois records;

https://www.ipvoid.com – includes a number of IP blacklist checks, whois lookup, dns lookup, ping.

3. Associated domains

If you want to see which other websites sit on the same shared hosting server as a target domain (a reverse IP lookup), use these tools:

https://www.ipfingerprints.com/reverseip.php – to find other sites running on a webserver;

https://dnslytics.com/reverse-ip – find domains sharing the same IP address or subnet;

https://urlscan.io – one of my favourite tools. It does much more, but for associated domains the useful features are searching for structurally similar pages, sub-domains and domain trees;

https://publicwww.com – a source-code search engine: search for a snippet from the target's HTML (an analytics ID, a script path, a distinctive comment) to find other sites whose source contains it.


4. Resources for inactive domains

Domains might come and go, but what appears on the internet stays there!

https://archive.is – this archive site will allow you to archive other websites as well as search for those already in their archives;

https://archive.org/web – Wayback Machine, for snapshots of websites taken periodically

http://www.cachedpages.com – cached versions of pages;

http://cachedview.com – contains copies of the websites cached by Google;

https://loc.gov/websites – Library of Congress archived websites;

https://www.webarchive.org.uk/ukwa – specific to the UK websites, but still a useful source of archived content.

5. Private network IP address ranges

If you encounter any of the following IPv4 address blocks, remember they are not routable on the public internet. The first three are the RFC 1918 private ranges; the fourth is the link-local (APIPA) block, which a host assigns itself when no DHCP server answers. None of them can be the public address of a target's web server, but finding one in page source or a leaked config still tells you something about the internal network:

10.0.0.0 – 10.255.255.255 (10.0.0.0/8)

172.16.0.0 – 172.31.255.255 (172.16.0.0/12)

192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

169.254.0.0 – 169.254.255.255 (169.254.0.0/16, link-local rather than RFC 1918)
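As an added example (not part of the original post), the script below does the check the list above describes in code: it pulls every IPv4 literal out of a piece of text you have collected (page source, a JavaScript file, a leaked config) and buckets each one as RFC 1918 private, link-local, loopback or public, discarding strings that merely look like addresses. The page source it runs on is constructed, as are the addresses in it.

```python
"""Classify IPv4 addresses harvested during website OSINT.

Added example, not part of the original post. The ranges come from RFC 1918
(private) and RFC 3927 (link-local); SAMPLE_SOURCE is a constructed fragment of
page source and every address in it is fictional.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Four dotted groups of 1-3 digits, not glued to other digits or dots on either side.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

SAMPLE_SOURCE = """\
<!-- constructed page source; all addresses are fictional -->
<script src="https://cdn.example/lib.js?v=2.4.1"></script>
<meta name="origin-server" content="203.0.113.45">
// debug: api upstream http://10.20.30.40:8080/v1, metrics at 172.31.7.9
// failover note: 169.254.169.254 is the cloud metadata endpoint, keep it internal
var local = "127.0.0.1"; var bogus = "256.1.1.1"; var build = "1.2.3.400";
"""


def classify(ip: str) -> str:
    """Return 'private', 'link-local', 'loopback' or 'public' for an IPv4 string.

    Raises ipaddress.AddressValueError for junk such as 256.1.1.1.
    """
    addr = ipaddress.IPv4Address(ip)
    if addr in LOOPBACK:
        return "loopback"
    if addr in LINK_LOCAL:
        # 169.254.0.0/16 is self-assigned, not RFC 1918; 169.254.169.254 in
        # particular is the metadata service address on the major clouds.
        return "link-local"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def harvest(text: str) -> dict:
    """Extract every IPv4 literal from text and bucket it by classification.

    Non-routable addresses are clues about the target's internal layout, not
    hosts reachable from the internet, so they are kept but kept separate.
    """
    buckets = {"public": set(), "private": set(), "link-local": set(), "loopback": set()}
    for m in IPV4_RE.finditer(text):
        try:
            buckets[classify(m.group())].add(m.group())
        except ipaddress.AddressValueError:
            continue  # looked like an address but has an octet above 255
    return {k: sorted(v, key=ipaddress.IPv4Address) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, addrs in harvest(SAMPLE_SOURCE).items():
        print(f"{bucket:11} {', '.join(addrs) or '-'}")
```

Only the "public" bucket is worth feeding into the reverse-IP and reputation tools above; the other three buckets go in your notes as evidence of how the target's internal network is laid out.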
