IP/Domain OSINT


When researching IP addresses, it is important that we know the context of the search we are performing. There are a multitude of sources for researching IP addresses, and which ones are useful varies depending on what information we want to learn about them.

For offensive security, threat hunting, and attack surface mapping, we want current registration data and any associated data points that our searches may return. These can include hosted domains, ASN, associated network artifacts, etc.

For defensive operations, such as those of the security blue team, we are looking for the historical data and activity data of the IP address.

Domains, more than almost any other target, have one of the largest assortments of associated data points. The most important ones for this section are registration data, hosting data, site information, archived data, and analytics.

There are tons of highly effective tools for subdomain enumeration and brute forcing, but they can be quite noisy. During the Passive Recon phase of a penetration test, we can start with any subdomains recorded by other sources to plan out our attack/test.

  • RDAP - Registration Data Access Protocol is the successor to WHOIS. Like WHOIS, RDAP provides access to information about Internet resources (domain names, autonomous systems, and IP addresses). Unlike WHOIS, RDAP provides:

    • A machine-readable representation of registration data;

    • Differentiated access;

    • Structured request and response semantics;

    • Internationalisation;

    • Extensibility.

  • Whois - A Whois domain lookup allows you to trace the ownership and tenure of a domain name.

  • Shodan.io - Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters.

  • VirusTotal - Analyze suspicious files, domains, IPs and URLs to detect malware and other breaches, and automatically share them with the security community.

  • AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

  • Cisco Talos Intelligence - "Search by IP, domain, or network owner for real-time threat data."

  • IBM X-Force - Scan for a multitude of things such as IP/Domain, file hash, vulnerabilities, upload files for analysis, etc. It is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers.

  • IP.Teoh.io - VPN & Proxy IP Detection Tool. Check whether an IP is currently blacklisted or is using a VPN/proxy.

  • IPVoid - Various tools for IP information: WHOIS, DNS, DNSDIG, MX record, whether the IP is blacklisted by any services, etc.

  • ViewDNS - Huge toolbox with various utilities for enumerating information about a domain.

  • DNSDumpster - Free domain research tool that can discover hosts related to a domain.

  • MXToolbox - Checks MX information for the given domain.

  • DNSLytics - Find out everything about a domain name, IP address or provider. Discover relations between them and see historical data. Use it for your digital investigation, fraud prevention or brand protection.

  • HostSpider - Command line tool that gathers tons of information about a domain including DNS records, subdomains, WHOIS, Cloudflare IP, and more!

  • OmnisintLabs - Project Crobat: Rapid7's DNS database, easily searchable via a lightning-fast API, with domains available in milliseconds.

  • Sublist3r - Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines.
