Hello and welcome to a somewhat different ‘Week in OSINT’ than you are used to. There have been two ‘specials’ in the past: one was a sort of review of Onyphe, and the other dealt with large data sets, where I even had the pleasure of having AccessOSINT and MWOsint as guest authors. Since the posts about a single subject were received very positively, I decided to finish a draft I had lying around for well over a year.
This time I'll take you along some of my favourite websites that deal with domain names, DNS and related things, with an extra tip here or there. These are absolutely not all the websites I use, but they are my personal favourites, in many cases for the following reasons: they are free, the results they provide are solid, and they are easy to use.
SecurityTrails provides current and historical data on DNS records. This means you can find out which IP address a website was hosted at, at pretty much any given moment in time. Besides that, they provide an overview of subdomains, and in the DNS records you can find extra information about who runs the mail servers (the MX records), plus other technical details such as the SPF record in the TXT records, et cetera.
Link: https://securitytrails.com
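A record like the SPF TXT record that SecurityTrails shows is worth pulling apart rather than reading by eye: every include:, a, mx and ip4/ip6 term names a host or network that is allowed to send mail for the domain, and each of those is a new pivot (a third-party mail provider, a hosting range, a related domain). The Python below is an added example, not code or tooling from SecurityTrails; it parses a constructed SPF record for the hypothetical domain example.com, normalises the networks, and counts the DNS-querying terms against the limit of 10 from RFC 7208 that makes receivers reject the record with permerror when exceeded.

```python
"""Parse an SPF record into the mail infrastructure it discloses.

Added example; the sample record is constructed and the domain is hypothetical.
"""
import ipaddress
import re

# Constructed TXT record for the hypothetical domain example.com; not real data.
SAMPLE_SPF = (
    "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.example.net "
    "include:spf.protection.outlook.com a mx:mail.example.org "
    "redirect=_spf.example.com -all"
)

# Terms that each cost one DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# qualifier, name, separator (":" mechanism argument, "=" modifier, "/" CIDR on a/mx), value
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?")


def parse_spf(record: str, domain: str) -> dict:
    """Return the hosts, networks and includes an SPF record authorises to send mail."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    result = {
        "ip4": [], "ip6": [], "include": [], "a": [], "mx": [],
        "ptr": [], "exists": [], "redirect": None, "all": None, "lookups": 0,
    }
    for term in tokens[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"malformed term: {term!r}")
        qualifier, name, sep, value = m.groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "all":
            result["all"] = qualifier or "+"
        elif name in ("ip4", "ip6"):
            # Validates the address and normalises "ip4:198.51.100.7" to a /32.
            result[name].append(str(ipaddress.ip_network(value, strict=False)))
        elif name in ("a", "mx"):
            # "a", "a/24", "a:host" or "a:host/24": the host defaults to the record's own domain.
            host = value.split("/", 1)[0] if sep == ":" else domain
            result[name].append(host)
        elif name in ("include", "ptr", "exists"):
            result[name].append(value if value else domain)
        elif name == "redirect":
            result["redirect"] = value
        elif sep == "=":
            pass  # exp= and unknown modifiers are ignored, as RFC 7208 requires
        else:
            raise ValueError(f"unknown mechanism: {name}")
    # More than 10 lookups makes the whole record fail with permerror at receivers.
    result["over_lookup_limit"] = result["lookups"] > 10
    return result


if __name__ == "__main__":
    parsed = parse_spf(SAMPLE_SPF, "example.com")
    for key, val in parsed.items():
        print(f"{key:>18}: {val}")
```

Each include: target is itself a domain with its own SPF record, so the same parser can be run over those records to walk the whole chain; the lookup counter tells you when a chain has grown past what receivers will evaluate.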
If you want a completely free resource with historical Whois data, this is one of the very few sites you can visit. You can search on a domain, an email address, a phone number and even a name. A warning though: searching on a given name (or clicking one in the Whois results) returns results for everybody with that same name. So be careful, it may not lead back to the same person!
Link: https://domainbigdata.com/
RiskIQ has a public database that can be queried after creating a free account. It contains historical Whois data, DNS information, trackers, certificates and a lot more. You can search by IP address and find websites that were hosted there, find domain names registered with an email address, and lots more. You get 15 queries per day via their API, or 200 web searches in (I think) a week before you hit the paywall. But for professional purposes it might be a good investment.
Link: https://community.riskiq.com/
With IPinfo.io you can find information on an IP address or ASN. Fill in the IP address you want to know more about, and you receive information about the owner, whether a VPN, Tor exit node or proxy was detected, and abuse contact information. If you put the IP address directly in the URL (like https://ipinfo.io/178.162.208.194) you get a small and handy overview.
Link: https://ipinfo.io/
When you are diving into an IP address, you can use a site like ipinfo.io to query some basic information. It will show you the ASN and the prefix (the block of IP addresses) the address belongs to, who it was assigned to, and some other basic information. If you want to know more, like which other websites are hosted within that block of IP addresses or which websites run on the same IP address, visit the Hurricane Electric BGP toolkit or the website of BGPView.
Personally I prefer the site of Hurricane Electric, since they provide Whois information on subranges of assigned IP addresses, not only at the ASN level. Besides that, they have some extra tools, like the "Looking Glass", which runs traceroutes from their core routers all over the world, so you can see the path to a host from several vantage points instead of only your own.
Hurricane Electric: https://bgp.he.net/
BGP View: https://bgpview.io/
The website ViewDNS has been around for a long time and features a lot of useful tools in one overview. You can find domain names via an email address, find websites hosted on a given IP, find all sites that use a specific mail server (not so handy for shared hosting, where one mail server serves thousands of unrelated domains), do reverse lookups and lots more. Pretty much a one-stop shop for the start of an investigation.
Link: https://viewdns.info
Reverse analytics by dnslytics is a service where you can find websites that use the same Google Analytics code. There are multiple websites that provide such a service, but the one that usually never disappoints me is this one. Besides being free, it also gives me the highest success rate when searching. And even though the free tier only returns 10 results, it's a lot more useful than other 'freemium' search tools that obfuscate nearly every result until you pay.
Link: https://dnslytics.com/reverse-analytics
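To use a reverse-analytics lookup you first need the tracking ID itself, and a page often carries more than one: an old UA- code left in a legacy snippet next to a newer G- measurement ID, plus a GTM- container that loads them. The Python below is an added example, not code from dnslytics; it pulls those IDs out of a constructed HTML sample using the ID formats Google documents and reduces them to the keys worth searching on. That a UA-<property>-<view> ID is best searched without its trailing view number is an assumption about how the reverse lookup matches, and is marked as such in the code.

```python
"""Extract Google Analytics / Tag Manager IDs from page source so they can be pivoted on.

Added example; the HTML below is constructed, not fetched from any real site.
"""
import re

# Constructed page source standing in for a fetched site; all IDs are made up.
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ9"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABC123XYZ9');
  gtag('config', 'UA-12345678-2');
</script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];})(window,document,'script','dataLayer','GTM-K7X9ZQ');</script>
<script>
  /* legacy ga.js snippet left behind from an earlier version of the site */
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-12345678-1']);
</script>
"""

# ID formats as Google documents them: UA-<property>-<view>, G-<measurement>, GTM-<container>.
TRACKER_PATTERNS = {
    "ga_universal": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "gtm": re.compile(r"\bGTM-[A-Z0-9]{4,8}\b"),
}


def extract_tracker_ids(html: str) -> dict:
    """Return every tracker ID found, grouped by type, deduplicated and sorted."""
    found = {}
    for kind, pattern in TRACKER_PATTERNS.items():
        ids = sorted(set(pattern.findall(html)))
        if ids:
            found[kind] = ids
    return found


def pivot_keys(found: dict) -> set:
    """Reduce the IDs to the keys worth searching on.

    Assumption: UA-12345678-1 and UA-12345678-2 are two views of the same
    property 12345678, so the trailing view number is stripped. Sites sharing
    the property share an Analytics account, which is the relationship a
    reverse-analytics lookup exposes.
    """
    keys = set()
    for kind, ids in found.items():
        for tracker_id in ids:
            if kind == "ga_universal":
                tracker_id = re.sub(r"-\d+$", "", tracker_id)
            keys.add(tracker_id)
    return keys


if __name__ == "__main__":
    found = extract_tracker_ids(SAMPLE_HTML)
    print(found)
    print("search these:", sorted(pivot_keys(found)))
```

Run it over the raw response body rather than the rendered DOM: tracker IDs frequently sit in inline scripts or in a tag-manager container that only shows up in the source, and a page that was migrated to GA4 often still leaks its older UA property, which is the better pivot because it has been in use longer.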
The site urlscan.io scans any online website, saves a screenshot and provides details on the technologies used to build it. But that's not all: it gives insight into outgoing and incoming/referring links, the HTTP requests made, the text on the page, IP history, and it's possible to track the changes made to a website over time by comparing different scans of the same URL.
Tip: Use the "search" option in the top menu to find web sites that have gone offline, but were scanned by other users in the past.
Link: https://urlscan.io/
Have a good week and have a good search!