Domain & URLs

Getting Informations

Get information on an IP
whois <IP>

# Get IP address associated to a domain
nslookup domain.fr
ping domain.fr

# Knockknock is a small automated script allowing you to find domain names
# For a registrant (person or company)
python3 k2.py -n company -d

# Many tools
https://intelx.io/

# Estimate the creation date of a website
http://carbondate.cs.odu.edu/
https://github.com/Lazza/Carbon14


Online Passive Identification Tools

Target Mapping and Informations

# Informations about the target
https://securitytrails.com/

# Robtex is a great and complete tool
https://www.robtex.com

# Getting technology informations
https://builtwith.com

# Mapping the target website can be good to get an overview
www.visualsitemapper.com

Side-domains Identification

# Then you can find domains and subdomains associated to an IP by using Passive Reverse DNS
https://www.virustotal.com/gui/home/search

# RiskIQ Passive DNS

# You can identify new domains in the "RelationShip" section
# of Builtwith
https://builtwith.com/relationships/xxx.fr

# When you have a name or a e-mail adress you can perform a reverse whois lookup to find domain
# names oned by a person of a company
https://viewdns.info/reversewhois/

# Multi tool
https://osint.sh/


Getting page title

# One line
# Getting page title without following redirections
for i in $(cat urls_or_subdomains.txt); do echo "$i | $(curl --connect-timeout 3 $i -s -v 2>&1 | grep -Poz '((?<=title>)(.*)(?=</title>)|(?<=Location:)(.*)/|(Could not resolve host:.*))' | tr -d '\0' | sed -r 's/(https?:\/\/.*\/?)(.*)(301 Moved Permanently)/\3 \2\1/g' )"; done


Investigate a website (crosspost methodology)

# Thread by Aware Online about some website investigation methodology
https://twitter.com/aware_online/status/1308312883248467975

# 1 - Tactical informations
# 2 - WHOIS
# 3 - Archives
# 4 - Text
# 5 - Reverse Image Search
# 6 - Images and EXIF data
# 7 - Source code
# 8 - Others TLD
# 9 - Mentions of target
# 10 - Check infos via RSS
# 11 - SSL certificates
# 12 - Robots/Sitemap
# 13 - Port scans
# 14 - Reverse IP lookup
# 15 - Reverse DNS lookup
# 16 - Monitoring changes
# 17 - Malware check


r3con1z3r (https://github.com/abdulgaphy/r3con1z3r)

# OSINT Tool used to perform some OSINT tests and generates a report
# HTTP Headers, Whois, Traceroute, DNS, nmap, website on the same server, Reverse IP, Page Links
# Take care, not really passiv
./r3con1z3r.py google.com


Domain spoofing and typosquatting

# Tools like spoofcheck (https://github.com/BishopFox/spoofcheck) 
# It checks SPF and DMARC records for weak configuration that allow domain spoofing
# Domain is spoofable if lack of an SPF or DMARC record, SPF record never specifies ~all or -all, DMARC policy is set to p=none or is nonexistent
./spoofcheck.py [DOMAIN]
# urlcrazy allow to generate typo for a given domain and will check different elements
# such as IP, country, Nameserver and MX
https://github.com/urbanadventurer/urlcrazy/

# Default search
$ urlcrazy domain.com

# You can also search with popularity estimate
$ urlcrazy -p domain.com


More Information Gathering

# EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness)
# It can take screenshots of websites, RDP services and open VNC servers, provide some server header info and identify defualt credentials
./EyeWitness.py -f filename --timeout optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml --timeout 8 --headless
./EyeWitness -f rdp.txt --rdp
# XRay tool (https://github.com/evilsocket/xray)
# Bruteforce subdomains using wordlist and DNS requests, then Shodan, then ViewDNS is key is provided.
# Then it will launch banner grabbing and info collectors (not passiv)
xray -shodan-key yadayadayadapicaboo... -viewdns-key foobarsomethingsomething... -domain fbi.gov