Week in OSINT #2020–24

This week a ‘domain special’, where I dive into different sites related to domains, DNS, IP addresses and web sites.

Hello and welcome to a somewhat different ‘Week in OSINT’ than you are used to. There have been two ‘specials’ in the past: one was sort of a review of Onyphe and the other dealt with large data sets, and I even had the pleasure of having AccessOSINT and MWOsint as guest authors. Since the posts about a single subject were received very positively, I decided to finish a draft I had lying around for well over a year.

This time I'll take you along some of my favourite web sites that deal with domain names, DNS and related things, with an extra tip here or there. These are absolutely not all the web sites that I use, but they are my personal favourites, in many cases for the following reasons: they are free, the results they provide are solid and they are easy to use.

  • SecurityTrails
  • DomainBigData
  • RiskIQ PassiveTotal
  • IPinfo.io
  • BGP Information
  • ViewDNS
  • Reverse Analytics
  • urlscan.io

SecurityTrails

SecurityTrails provides current and historical data on DNS records. This means you can find out which IP address a website was hosted at pretty much any given moment in time. Besides that they provide an overview of subdomains, and in the DNS records you can find extra information such as who runs the mail servers (the MX records), which senders are authorised to send mail for the domain (the SPF record in TXT), et cetera.

Historical DNS information for a site

Link: https://securitytrails.com
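As an added example (my own code, not part of the original post and not anything from SecurityTrails), here is how I would flatten an SPF record once you have the TXT records in hand: it follows include: and redirect= references, collects the authorised networks, counts the DNS lookups a receiving mail server would have to make (RFC 7208 allows at most 10), and flags loops or missing records. The TXT data is embedded and constructed so it runs offline; every domain and IP range in it is a placeholder.

```python
from typing import Dict, List, Optional, Set

# Constructed TXT records standing in for what a DNS lookup (or a historical
# record on SecurityTrails) would return. All names and ranges are placeholders.
TXT_RECORDS: Dict[str, List[str]] = {
    "example.org": [
        "v=spf1 mx include:_spf.mailhost.example ip4:192.0.2.0/24 -all",
        "google-site-verification=abc123",  # unrelated TXT record, must be ignored
    ],
    "_spf.mailhost.example": [
        "v=spf1 ip4:198.51.100.0/25 include:_netblocks.mailhost.example ~all",
    ],
    "_netblocks.mailhost.example": [
        "v=spf1 ip6:2001:db8:100::/48 -all",
    ],
    "loop.example": ["v=spf1 include:loop.example -all"],  # self-referencing include
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check


def spf_record(domain: str) -> Optional[str]:
    """Return the v=spf1 TXT record for domain, or None if there is not exactly one."""
    candidates = [t for t in TXT_RECORDS.get(domain, [])
                  if t.lower().startswith("v=spf1")]
    return candidates[0] if len(candidates) == 1 else None


def walk_spf(domain: str) -> Dict[str, object]:
    """Flatten an SPF record: follow include:/redirect=, collect networks,
    count the lookups a receiver would perform, and report loops and errors."""
    result: Dict[str, object] = {
        "networks": set(), "includes": [], "lookup_terms": [],
        "lookups": 0, "all": None, "errors": [],
    }
    seen: Set[str] = set()

    def visit(dom: str, depth: int) -> None:
        if dom in seen:
            result["errors"].append(f"include loop at {dom}")
            return
        seen.add(dom)
        record = spf_record(dom)
        if record is None:
            result["errors"].append(f"no usable SPF record for {dom}")
            return
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            body = term.lstrip("+-~?")
            name, sep, value = body.partition(":")
            lname = name.lower()
            if lname in ("ip4", "ip6"):
                result["networks"].add(value)
            elif lname == "include" or lname.startswith("redirect="):
                # include:domain uses ':', redirect=domain uses '='
                target = value if sep else lname.split("=", 1)[1]
                result["lookups"] += 1
                result["includes"].append(target)
                if result["lookups"] > MAX_LOOKUPS:
                    result["errors"].append("more than 10 DNS lookups")
                    return
                visit(target, depth + 1)
            elif lname in ("a", "mx", "ptr", "exists"):
                result["lookups"] += 1          # these terms also cost a lookup
                result["lookup_terms"].append(body)   # recorded, not resolved here
            elif lname == "all" and depth == 0:
                result["all"] = qualifier       # policy for everything not listed

    visit(domain, 0)
    result["networks"] = sorted(result["networks"])
    return result
```

Swap `TXT_RECORDS` for a real resolver (or the historical records SecurityTrails gives you) to run it on live domains. The a/mx/ptr/exists terms are only counted, not resolved, which is enough to see whether a domain's SPF record is already over the lookup limit and therefore failing silently at receivers.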


DomainBigData

If you want a completely free resource that has historical Whois data, then this is one of the very few sites around you can visit. You can search on a domain, email address or phone number, and even on a name. A warning though: searching on a given name (or clicking one in the Whois results) will return results for everybody with that same name. So be careful, it may not lead back to the same person!

Now behind a Whois-proxy, but not in 2017

Link: https://domainbigdata.com/


RiskIQ PassiveTotal

RiskIQ has a public database that can be queried after creating a free account. It contains historical Whois data, DNS information, trackers, certificates and a lot more. You can search by IP address and find websites that were hosted there, find domain names registered with a given email address, and lots more. You have 15 queries via their API per day, or 200 web searches in (I think) a week before you hit the paywall. But for professional purposes it might be a good investment.

Finding domain names by Whois phone number

Link: https://community.riskiq.com/


IPinfo.io

With IPinfo.io you can find information on an IP address or ASN. Fill in the IP address you want to know more about, and receive information about the owner, whether a VPN, Tor exit node or proxy was detected, and abuse contact information. If you put the IP address directly in the URL (like: https://ipinfo.io/178.162.208.194) you get a small and handy overview, like this:

IP address for de500.nordvpn.com

Link: https://ipinfo.io/


BGP Information

When you are diving into an IP address, you can use a site like ipinfo.io to query some basic information. It will show you the ASN, the prefix (block of IP addresses) it is part of, who it was assigned to and some other basic details. If you want to know more, like what other web sites are within that block of IP addresses or what web sites run on the same IP address, visit the Hurricane Electric BGP toolkit or the website of BGP View.

Personally I do prefer the site of Hurricane Electric, since they provide Whois information on subranges of assigned IP addresses, and not only on ASN level. Besides that, they have some extra tools, like the "Looking Glass", which is used to run multiple traceroutes from their core routers all over the world.

Shoutout to Jerry Vermanen, with this specific IP address within AS33915

Hurricane Electric: https://bgp.he.net/
BGP View: https://bgpview.io/
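As an added example covering both the ipinfo.io and the BGP sections (my own code, not anything from ipinfo.io, Hurricane Electric or BGP View), this shows the two things you otherwise do by hand on those sites: a longest-prefix match of addresses against a list of announced prefixes, so that a more specific sub-allocation wins over the covering block, and pulling the ASN out of the `org` field of an ipinfo.io JSON response, which carries the AS number and holder name as one string. The prefix table and the JSON response are constructed from documentation ranges and private ASNs, so nothing here is a real lookup.

```python
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed prefix table in the shape of what bgp.he.net shows per AS:
# announced prefix -> (ASN, holder). Documentation ranges and private ASNs only.
PREFIX_TABLE: Dict[str, Tuple[str, str]] = {
    "192.0.2.0/24":    ("AS64496", "Example Hosting"),
    "192.0.2.128/25":  ("AS64497", "Example Reseller"),   # more specific, different AS
    "198.51.100.0/24": ("AS64498", "Example VPN"),
    "2001:db8::/32":   ("AS64499", "Example IPv6 Carrier"),
}

# Most specific prefix first, so the first hit is the longest-prefix match.
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), asn, holder) for p, (asn, holder) in PREFIX_TABLE.items()),
    key=lambda t: t[0].prefixlen, reverse=True,
)


def lookup_prefix(ip: str) -> Optional[Tuple[str, str, str]]:
    """Longest-prefix match for one address: (prefix, ASN, holder) or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn, holder in _NETWORKS:
        if addr.version == net.version and addr in net:
            return (str(net), asn, holder)
    return None


def group_by_prefix(ips: List[str]) -> Dict[str, List[str]]:
    """Bucket addresses by the announced block they fall in; unmatched ones go to 'unannounced'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip in ips:
        hit = lookup_prefix(ip)
        groups[hit[0] if hit else "unannounced"].append(ip)
    return dict(groups)


def asn_from_ipinfo(raw_json: str) -> Tuple[str, str]:
    """Split the 'org' field of an ipinfo.io JSON response ('AS64497 Example Reseller')
    into (ASN, holder), refusing anything that does not look like an AS number."""
    org = json.loads(raw_json).get("org", "")
    asn, _, holder = org.partition(" ")
    if not asn.startswith("AS") or not asn[2:].isdigit():
        raise ValueError(f"unexpected org field: {org!r}")
    return asn, holder


# Constructed response in the shape of https://ipinfo.io/<ip>/json (not a real lookup)
SAMPLE_IPINFO = json.dumps({
    "ip": "192.0.2.200", "hostname": "vpn-gw.example",
    "city": "Amsterdam", "country": "NL",
    "org": "AS64497 Example Reseller",
})
```

The more specific /25 inside the /24 is the case that matters in investigations: the covering block says "Example Hosting", but the address you care about is actually announced by a reseller, which is exactly the subrange Whois detail that Hurricane Electric shows and an ASN-level view hides.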


ViewDNS

The website ViewDNS has been around for a long time, and features a lot of useful tools in one overview. You can find domain names via an email address, find web sites hosted on a given IP address, find all sites that use a specific mail server (not so handy for shared hosting), do reverse lookups, and lots more. Pretty much a one-stop shop for the start of an investigation.

Revisiting the Norton scam again…

Link: https://viewdns.info


Reverse Analytics

Reverse Analytics by dnslytics provides a service where you can find web sites that use the same Google Analytics code. There are multiple websites that provide such a service, but the one that usually never disappoints me is this one. Besides being free, it also gives me the highest success rate when searching. And even though the free tier only gives back 10 results, it's a lot more useful than other 'freemium' search tools that obfuscate nearly every result until you pay.

Finding connected sites

Link: https://dnslytics.com/reverse-analytics
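An added example (my own code, not anything from dnslytics) of what a reverse-analytics lookup does under the hood: pull the tracker identifiers out of page HTML, normalise a Universal Analytics ID to its account part (the trailing "-N" is only the property index within that account), and invert the mapping so an ID leads back to every site that carries it. The page snippets and domain names are constructed placeholders, so it runs without fetching anything.

```python
import re
from collections import defaultdict
from typing import Dict, Set

# Identifier formats that reverse-analytics services pivot on. Only the capture
# group is kept, so UA-12345-1 and UA-12345-7 both normalise to UA-12345.
TRACKER_PATTERNS = {
    "ua":      re.compile(r"\b(UA-\d{4,10})-\d{1,4}\b"),
    "ga4":     re.compile(r"\b(G-[A-Z0-9]{6,12})\b"),
    "gtm":     re.compile(r"\b(GTM-[A-Z0-9]{4,9})\b"),
    "adsense": re.compile(r"\b(ca-pub-\d{10,20})\b"),
}

# Constructed page snippets standing in for fetched HTML; the domains are placeholders.
PAGES: Dict[str, str] = {
    "shop-a.example": "<script>ga('create', 'UA-12345-1', 'auto');</script>",
    "shop-b.example": "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-12345-7'></script>"
                      "<script>gtag('config', 'UA-12345-7');</script>",
    "news.example":   "<script>gtag('config', 'G-ABC123DEF');</script>"
                      "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){})"
                      "(window,document,'script','dataLayer','GTM-XYZ1234');</script>",
    "blog.example":   "<script data-ad-client='ca-pub-1234567890123456'></script>"
                      "<script>gtag('config', 'G-ABC123DEF');</script>",
    "lonely.example": "<p>No trackers here, just static HTML.</p>",
}


def extract_trackers(html: str) -> Set[str]:
    """Return the normalised tracker IDs found in one page."""
    found: Set[str] = set()
    for pattern in TRACKER_PATTERNS.values():
        found.update(pattern.findall(html))
    return found


def build_index(pages: Dict[str, str]) -> Dict[str, Set[str]]:
    """Invert site -> IDs into ID -> sites; this inverted index is the reverse lookup."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for site, html in pages.items():
        for tracker in extract_trackers(html):
            index[tracker].add(site)
    return dict(index)


def connected_sites(site: str, pages: Dict[str, str]) -> Dict[str, Set[str]]:
    """Other sites sharing at least one tracker ID with `site`, keyed by the shared ID."""
    index = build_index(pages)
    links: Dict[str, Set[str]] = {}
    for tracker in extract_trackers(pages[site]):
        others = index.get(tracker, set()) - {site}
        if others:
            links[tracker] = others
    return links
```

The same inversion works for any identifier that is unique to an owner rather than to a site: AdSense publisher IDs, Tag Manager containers, and so on. Keep in mind that a shared ID shows shared administration of the tracking account, which is strong but not conclusive evidence that the sites have the same owner.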


urlscan.io

The site urlscan.io scans any online web site, saves a screenshot and provides details on the technologies used to build it. But that's not all: it gives insight into outgoing and incoming/referring links, the HTTP requests made, text within the web site and IP history, and it's possible to track the changes made to a web site by comparing different scans of the same URL over time.
Tip: Use the "search" option in the top menu to find web sites that have gone offline, but were scanned by other users in the past.

Screenshot and detailed information on a scanned web site

Link: https://urlscan.io/


Have a good week and have a good search!
