15 FREE WEB BASED OSINT TOOLS AND HOW TO USE THEM

I was on Twitter recently and a thread came up asking about everyone’s favourite tools, tips and tricks for network and service discovery – check it out here. I posted a bunch of websites I like to use and got a response asking if I would be putting the tools on my blog, so here we are.
Before I start: I did a similar post to this around 2 months ago when I first started my blog, so check it out if you like. However, I knew I could do a much better job now, including more tools and better descriptions, along with how to actually use them.
To provide examples as I go through this post, any indicators will be pulled from those recently reported on https://www.abuseipdb.com/, https://urlhaus.abuse.ch/browse/ and https://www.malwaredomainlist.com/mdl.php. Right, let’s get into it. Hope you enjoy.
CENSYS.IO
WHAT IS IT?
Censys.io is a site which lets you search details on IPs, certificates and websites. It can do a lot more, such as monitoring your own organisation’s attack surface. However, in this case, we will look at the searching capabilities.
SIGN UP / LIMITATIONS
This is one of the best parts of Censys.io. You get unlimited searches on the data I mentioned above, there are no paid tiers, and even a free sign-up isn’t required.
HOW TO USE IT
Censys is a very simple site to use. Just follow these steps:
Go to the site and decide whether you want to search for an IP, website or certificate.

Click on the one you want and then enter your search term. To learn more about how to use Censys.io searches, there are a few helpful links on the site:
- https://censys.io/domain/help?q=& – shows the query syntax
- https://censys.io/domain/help/examples?q=& – shows search examples
- https://censys.io/domain/help/definitions?q=& – shows how data is defined within Censys.io
There is a great guide here on how to use Censys and different use cases – https://0xpatrik.com/censys-guide/
SHODAN.IO

WHAT IS IT?
Shodan is a search engine for internet connected devices and systems. Like Censys, it can also be used for network monitoring via https://monitor.shodan.io/ – however, that is not what we are covering here.
SIGN UP / LIMITATIONS
Shodan limits the number of searches for a non-registered user to 10. Therefore, it is worth quickly creating a free account. I am not sure of the exact limitations on the free account; however, Shodan’s pricing tiers can be seen here: https://developer.shodan.io/pricing
HOW TO USE IT
Shodan, again, is relatively easy to use. I’m not going to try and rewrite things here, as there are already some great guides out there.
This guide from Daniel Miessler is the best I have found and I highly recommend it. It explains Shodan and how to use it well: https://danielmiessler.com/study/shodan/
Once you are accustomed to the platform, here are a bunch of queries: https://github.com/jakejarvis/awesome-shodan-queries
VIZ.GREYNOISE.IO

WHAT IS IT?
GreyNoise collects and analyses untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet. Mass scanners (such as Shodan and Censys), search engines, bots, worms, and crawlers generate logs and events omnidirectionally on every IP address in the IPv4 space.
This makes it a bit different from other sites on this list. In most cases, the best use of this site is to check whether an IP hitting your network is directly targeting it, or is instead just part of untargeted, widespread scanning.
SIGN UP / LIMITATIONS
Signing up to GreyNoise is worth it. An account lets you use various search filters and gives you 15-day trial access to the API.
The full pricing list for GreyNoise can be seen here: https://viz.greynoise.io/pricing
HOW TO USE IT
GreyNoise, like most other sites on this list, is fairly easy to use. Here are some guides and examples for using the platform.
Explanation of search terms: https://viz.greynoise.io/cheat-sheet/queries
Query examples: https://viz.greynoise.io/cheat-sheet/examples
NETOGRAPH.IO
WHAT IS IT?
Netograph.io is a platform which allows you to search domains, IPs, meta tags and other information. The best part about the site is that it maps the information together nicely, giving you a clear, informative overview of web connected devices and their connections.
SIGN UP / LIMITATIONS
To my knowledge, no sign up or pricing plans are currently in place on this site.
HOW TO USE IT
Pretty simple: take any IP, domain etc. and search. The site has most details already cached. If the IP or site you want to search hasn’t been searched before, it will only take the site a couple of minutes to do so.
Here are some examples:
IP search for a known malicious IP

Search for a phishing domain

INTELX.IO
WHAT IS IT?
Intelligence X is a very powerful search engine and data archive. It gets data from the darknet, document sharing platforms, WHOIS data and public data leaks, among various other sources.
This allows users to search for things such as email addresses and bitcoin addresses, along with the other usual indicators.
SIGN UP / LIMITATIONS
Intelx.io is worth creating a free account on. Without logging in, you get 5 searches a day; this goes up to 10 when logged in. A free account also gives you a 7-day trial with more access, along with API access.
See the free pricing list here – https://intelx.io/product. The only annoying thing is that payment is required to see certain data categories fully. If you work in academia you can get a higher level of access for free.
HOW TO USE IT
You can search for anything you like on Intelx and see what it returns. For example, I searched the IP I showed earlier in the post and it returned 13 pastes the IP was included in (all blocklists).

FOFA.SO
WHAT IS IT?
Simply put, an alternative to shodan.io. If you have run out of Shodan searches for the day, or just want somewhere else to check an indicator, this is a good site. It allows you to search for similar things such as IPs, domains, hosts, titles and headers.
SIGN UP / LIMITATIONS
Any pricing options are in Chinese only at https://fofa.so/vip
I have never hit any search limitations on this site; however, as above, I just use it as an alternative when necessary.
HOW TO USE IT
See Shodan above. Any query syntax I use on Shodan seems to work on FOFA. If you require assistance, there is a link on the homepage of the site to their query syntax.
ONYPHE.IO

WHAT IS IT?
ONYPHE is a search engine for open-source and cyber threat intelligence data collected by crawling various sources available on the Internet or by listening to Internet background noise. ONYPHE correlates this information with data gathered by performing active Internet scanning for connected devices. It then normalizes information and makes it available via an API and its search language.
SIGN UP / LIMITATIONS
ONYPHE have a variety of pricing categories for enterprises or single users. It is worth creating a free account as it gives you API access. See the full pricing plan here – https://www.onyphe.io/pricing/
HOW TO USE IT
I am actually not that familiar with the site; however, I have had it recommended to me by others, hence why it is on this list. If you want guides on how to use it, I recommend going to https://www.onyphe.io/blog/standard-information-categories/ or https://www.onyphe.io/blog/ which both have a lot of information on the platform and how the query syntax works.
APP.BINARYEDGE.IO
WHAT IS IT?
Binaryedge.io is another site very similar to Shodan. They perform internet-wide scans and then allow you to search the saved information on their site. I like BinaryEdge as their free tier allows a lot more searching.
SIGN UP / LIMITATIONS
A free user account is required to access the site; however, this gives you access to 250 queries a month, which you can use in a shorter time period when searching.
See the full price list here – https://www.binaryedge.io/pricing.html
HOW TO USE IT
BinaryEdge have a fantastic documentation site here https://docs.binaryedge.io/ which will explain any sort of query you need to run. BinaryEdge also has a Slack community where you can ask questions and learn from others – https://slack.binaryedge.io/
HUNTER.IO

WHAT IS IT?
Something a bit different now. Hunter.io lets you search for email addresses. You can either search by domain, e.g. google.com, or verify whether an email address is valid, e.g. employee name @ google.com
SIGN UP / LIMITATIONS
You can do some basic searching on the site without an account. However, it is worthwhile to create an account as this provides 50 free searches with full details a month.
The full pricing list for the site can be seen here https://hunter.io/pricing
HOW TO USE IT
Pretty simple. You’ve got 3 options:
- Search a domain and see which email addresses are on the domain
- Search a person’s full name along with a domain to find their email address
- Validate an email address
HAVEIBEENPWNED.COM
WHAT IS IT?
Have I Been Pwned is a site which allows you to check if email addresses have been involved in data breaches. You can also subscribe to be alerted if one is.
SIGN UP / LIMITATIONS
Nothing like that here. You can subscribe on the homepage if you would like to be alerted if your email address is in a future breach. You can also donate to the site if you would like.
HOW TO USE IT
There are two functions of the site, as I have already mentioned.
First off, you can search an email address to check if it has been involved in a breach.

As we can see, test@test.com has been included in 277 breaches and found in 1375 pastes.
Once this is done, you can subscribe to be notified if your email is involved in a breach. Use this link on the homepage.

URLSCAN.IO
WHAT IS IT?
urlscan: it’s in the name really. The site scans URLs and provides a lot of detailed information on them.
SIGN UP / LIMITATIONS
Scanning can be done without an account. To see the paid options on urlscan, including phishing feed and urlscanpro, see https://urlscan.io/about/
HOW TO USE IT
To use the site, just search a URL and it will return a plethora of in-depth information.

The search provides in-depth detail of the behaviour of the URL when it is accessed. You can also see URLs with similar properties.

INTEZER ANALYZE
WHAT IS IT?
Intezer Analyze allows you to scan files or hashes and then performs analysis to determine what the code is doing and if it is malicious. It also allows you to search malware families to get samples.
You can also use the site to scan endpoints for malicious code.
SIGN UP / LIMITATIONS
A free account is required to use the site. However, Enterprise plans are available at https://www.intezer.com/intezer-analyze/#plans-table
It must be noted when using online sandboxes like this that any files you submit will be made public.
HOW TO USE IT
There are two ways to use the site. Firstly, you can scan hashes, files or whole endpoints. Once done, a result like the one below is returned.

Another way the site can be used is to gather samples. See the example below for the Emotet malware family. Sample access is limited unless you have an enterprise plan.

DNS DUMPSTER
WHAT IS IT?
DNSdumpster is a DNS recon site which allows you to discover all hosts related to a domain.
SIGN UP / LIMITATIONS
None
HOW TO USE IT
Take any domain you like and hit search. This will give you all DNS Servers, MX records, TXT records and Host records. All of these artifacts are then mapped together as a visual aid.
VIRUSTOTAL
WHAT IS IT?
VirusTotal is probably the most commonly used and popular free website out there for security professionals. It inspects URLs and files with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content.
SIGN UP / LIMITATIONS
The service is free; however, please be mindful that any samples submitted will be public. Paid VirusTotal services can be seen here: https://support.virustotal.com/hc/en-us/articles/115003886005-VirusTotal-Premium-Services
HOW TO USE IT
Simple – submit a URL or file and wait for the results to be returned. Once the URL or file has been scanned, it will tell you which sites detect it as malicious, the behaviour of the file or URL and any community comments, among other factors. See an example below.

APP ANY RUN
WHAT IS IT?
Appanyrun is a free interactive online malware analysis platform. The site lets you interactively check a URL or file.
SIGN UP / LIMITATIONS
The site is free; however, a free user account is required. It is also worth noting that any files or URLs submitted are public.
The full pricing plan for Appanyrun can be seen here: https://app.any.run/plans
HOW TO USE IT
Appanyrun is simple to use. Submit a file or URL to the site and wait as the site scans the indicator for you. See the example below, which shows the in-depth detail provided by the site, such as process mapping and attack matrix.

There we go, 15 free OSINT tools which will hopefully help you in searching and evaluating indicators. I hope you enjoyed the post. Do you have any opinions on it, or did I miss any great free web based OSINT tools? Tell me at https://twitter.com/blueteamblog