Domain names are one of the first things you will check in a cybersecurity investigation. Analyzed correctly, they open a treasure trove of information about the company, the individuals, the servers, the IP addresses, the network technology and the DNS zones behind a domain.
As we've mentioned in previous articles, OSINT tools underpin infosec investigations everywhere, and domain tools are now part of the basic toolkit of every security researcher.
That's why in this article we will show you how to investigate and analyze any domain name with traditional terminal-based tools, as well as with web-based domain utilities.
The data these tools provide will help you trace connections between individuals, companies, servers, domain names and IP addresses quickly, so you can build a complete data set about your target.
- Top 7 Domain Tools used by Security Researchers
- Online domain tools alternatives to fetch DNS, URL, technology and historical website data
- Using SecurityTrails API and SurfaceBrowser™ domain tools in your infosec research
- Final thoughts
Top 7 Domain Tools used by Security Researchers
When it comes to domain investigation and threat intelligence data, Unix and Linux ship excellent software for investigating any domain name in the world. The commands below are the ones we reach for first.
DNS & Domain tools
Dig is a popular Linux/Unix command line tool that queries DNS servers for any type of DNS record stored in the name servers. With dig you can fetch information about nameservers, host addresses, mail exchangers and more. Available on Linux, Unix and macOS, it uses a simple syntax to query any remote host within milliseconds. Two details matter in an investigation: dig asks the resolver configured on your machine (from /etc/resolv.conf) unless you name a server explicitly (`dig @<nameserver> securitytrails.com`), so the TTL you see on a cached answer is the remaining cache time rather than the authoritative value; and `+short` prints only the record data, which is what you want in scripts (`dig securitytrails.com MX +short`).
Running the command `dig securitytrails.com` should produce output like this:
```
$ dig securitytrails.com

; <<>> DiG 9.11.5-P1-RedHat-9.11.5-2.P1.fc29 <<>> securitytrails.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23778
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;securitytrails.com.		IN	A

;; ANSWER SECTION:
securitytrails.com.	600	IN	A	22.214.171.124

;; Query time: 224 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Mon Feb 25 11:34:30 -03 2019
;; MSG SIZE  rcvd: 63
```
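Once you run dig repeatedly (for instance to watch a record over time) you want the answer as data rather than as text. The parser below is an added example, not code from the article: it reads the answer section in the format dig prints above and returns structured records. `SAMPLE` is a constructed dig response using documentation addresses, not a live query, and the `example.com` names in it are placeholders.

```python
"""Parse `dig` output into structured DNS resource records.

Added example, not code from the original article. SAMPLE is a constructed
dig response using documentation addresses, not the result of a live query.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name without the trailing dot
    ttl: int     # seconds left in the resolver's cache (not the authoritative TTL)
    rclass: str  # IN, CH or HS
    rtype: str   # A, AAAA, MX, TXT, ...
    rdata: str   # everything after the type, as dig printed it


# Owner name, TTL, class, type, rdata; dig separates the fields with tabs/spaces.
_RR = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.+)$")


def parse_dig(output: str, section: str = "ANSWER") -> list[Record]:
    """Return the records listed under ';; <section> SECTION:' in dig output."""
    records: list[Record] = []
    in_section = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            # Section header; ';; OPT PSEUDOSECTION:' also ends this way and is skipped.
            in_section = line == f";; {section} SECTION:"
            continue
        if not line:
            in_section = False  # a blank line closes the section
            continue
        if not in_section or line.startswith(";"):
            continue            # comments, the question line, footer statistics
        m = _RR.match(line)
        if m:
            name, ttl, rclass, rtype, rdata = m.groups()
            records.append(Record(name.rstrip("."), int(ttl), rclass, rtype, rdata.strip()))
    return records


def by_type(records: list[Record]) -> dict[str, list[str]]:
    """Group rdata by record type, e.g. {'A': [...], 'MX': [...]}."""
    grouped: dict[str, list[str]] = {}
    for r in records:
        grouped.setdefault(r.rtype, []).append(r.rdata)
    return grouped


def shortest_ttl(records: list[Record]) -> int | None:
    """Lowest TTL in the set; unusually low values hint at load balancing or fast flux."""
    return min((r.ttl for r in records), default=None)


SAMPLE = """\
; <<>> DiG 9.11.5 <<>> example.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23778
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;example.com.\t\t\tIN\tANY

;; ANSWER SECTION:
example.com.\t\t600\tIN\tA\t192.0.2.10
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t\t300\tIN\tTXT\t"v=spf1 -all"

;; Query time: 224 msec
"""

if __name__ == "__main__":
    recs = parse_dig(SAMPLE)
    for r in recs:
        print(f"{r.rtype:<4} ttl={r.ttl:<5} {r.rdata}")
    print("shortest TTL:", shortest_ttl(recs))
```

Feed it `subprocess.run(["dig", name, "ANY"], capture_output=True, text=True).stdout` and you get the same records as objects; the AUTHORITY and ADDITIONAL sections are parsed the same way by passing the section name.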
Ping is a very popular command across all major operating systems, available on Linux, Unix, Windows and macOS. Its main purpose is to verify network communication with other computers and network devices.
The ping command sends ICMP echo requests to the remote host, and the replies help you debug network latency, troubleshoot connectivity, or discover domain information such as the IP address behind a website. Keep in mind that many hosts and firewalls drop ICMP, so the absence of replies does not mean the host is down; even then, ping resolves the name before sending anything, so the IP address still shows up on the first line of output.
Using ping as a domain tool can be done by simply running:
```
$ ping securitytrails.com
PING securitytrails.com (184.108.40.206) 56(84) bytes of data.
64 bytes from 220.127.116.11 (18.104.22.168): icmp_seq=1 ttl=56 time=53.8 ms
64 bytes from 22.214.171.124 (126.96.36.199): icmp_seq=2 ttl=56 time=53.10 ms
64 bytes from 188.8.131.52 (184.108.40.206): icmp_seq=3 ttl=56 time=52.7 ms
64 bytes from 220.127.116.11 (18.104.22.168): icmp_seq=4 ttl=56 time=54.9 ms
64 bytes from 22.214.171.124 (126.96.36.199): icmp_seq=5 ttl=56 time=55.7 ms
64 bytes from 188.8.131.52 (184.108.40.206): icmp_seq=6 ttl=56 time=53.9 ms
64 bytes from 220.127.116.11 (18.104.22.168): icmp_seq=7 ttl=56 time=55.4 ms
64 bytes from 22.214.171.124 (126.96.36.199): icmp_seq=8 ttl=56 time=55.3 ms
64 bytes from 188.8.131.52 (184.108.40.206): icmp_seq=9 ttl=56 time=63.3 ms
64 bytes from 220.127.116.11 (18.104.22.168): icmp_seq=10 ttl=56 time=54.6 ms

--- securitytrails.com ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 20ms
rtt min/avg/max/mdev = 52.696/55.357/63.338/2.807 ms
```
This can help you to know a few details about the remote server such as:
- Is the remote host responding to ICMP echo requests, or is a firewall dropping them?
- How much network delay do we get from the remote server?
- What's the percentage of packet loss while communicating with the remote host?
- What's the IP address behind the website?
The host utility is one of the most useful tools for DNS lookups. Popular uses include resolving names to IP addresses, reverse lookups of IP addresses and testing your ISP's DNS servers, but it can also query specific record types such as MX and NS (`host -t mx securitytrails.com`).
It has built-in support for IPv4 and IPv6 addresses, query class options to request HS (Hesiod) or CH (Chaosnet) class resource records, and full DNS zone transfers (`host -l`), which only succeed when the name server allows AXFR to your address, among many other things.
```
$ host securitytrails.com
securitytrails.com has address 22.214.171.124
securitytrails.com mail is handled by 10 aspmx2.googlemail.com.
securitytrails.com mail is handled by 10 aspmx3.googlemail.com.
securitytrails.com mail is handled by 1 aspmx.l.google.com.
securitytrails.com mail is handled by 5 alt1.aspmx.l.google.com.
securitytrails.com mail is handled by 5 alt2.aspmx.l.google.com.
```
Domain owner information utilities
The whois command is a TCP-based client that queries the worldwide WHOIS databases where domain registration information is stored, including registrant names, postal address, email address, telephone, name servers and registration dates. Since GDPR many registrars redact the contact fields, so expect "REDACTED FOR PRIVACY" in place of personal data for a large share of domains.
Although its main use is fetching information about domain names, it can also query IP addresses, returning fields such as NetRange, CIDR, NetType, OriginAS, the organization name, city, postal code and country, plus details such as the last registry update.
An IP query takes the same form as a domain query (`whois <ip-address>`); the regional registry that holds the address block (ARIN, RIPE NCC, APNIC, LACNIC or AFRINIC) answers.
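When you pull whois records for many addresses, it pays to parse the fields rather than read them, and to check that the registry's answer is internally consistent. The script below is an added example, not code from the article: it turns the `Key: value` lines into a dictionary, checks that the queried address really falls inside the CIDR blocks returned, and verifies that the NetRange line covers exactly those blocks. `SAMPLE` is a constructed ARIN-style response (documentation addresses, a fictitious organization, a private-use AS number), not a real lookup.

```python
"""Parse whois output for an IP address and sanity-check the ranges reported.

Added example, not code from the original article. SAMPLE is a constructed
ARIN-style response (documentation addresses, a fictitious organization and a
private-use AS number), not a real lookup.
"""
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Network, IPv6Network


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Key: value' lines; a key may repeat (several CIDR lines, say)."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue  # comment lines and the terms-of-use banner
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def networks(fields: dict[str, list[str]]) -> list[IPv4Network | IPv6Network]:
    """All CIDR blocks in the record (one line may list several, comma-separated)."""
    nets: list[IPv4Network | IPv6Network] = []
    for value in fields.get("CIDR", []):
        for cidr in value.split(","):
            nets.append(ipaddress.ip_network(cidr.strip()))
    return nets


def contains(fields: dict[str, list[str]], ip: str) -> bool:
    """Is the queried address actually inside the blocks the registry returned?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks(fields))


def netrange_matches_cidr(fields: dict[str, list[str]]) -> bool:
    """The NetRange 'first - last' line should cover exactly the CIDR blocks listed."""
    first, _, last = fields["NetRange"][0].partition("-")
    from_range = set(ipaddress.summarize_address_range(
        ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
    return from_range == set(networks(fields))


SAMPLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
NetType:        Direct Assignment
OriginAS:       AS64496
Organization:   Example Hosting (EXAMP)
City:           Anytown
Country:        US
Updated:        2019-01-15
"""

if __name__ == "__main__":
    rec = parse_whois(SAMPLE)
    print("origin AS:", rec["OriginAS"][0], "| org:", rec["Organization"][0])
    print("192.0.2.77 in range:", contains(rec, "192.0.2.77"))
    print("NetRange consistent with CIDR:", netrange_matches_cidr(rec))
```

RIPE-style output uses lowercase keys (`inetnum`, `route`, `origin`) and `%` comments, so the key names you look up differ per registry; the parsing is the same.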
Domain network mapping toolkit
Nmap is the top network mapper and infrastructure discovery utility used by cybersecurity professionals. It finds filtered, open and closed ports and, with its NSE scripts, can identify known vulnerabilities across local and remote systems.
It also has great support for application version detection (`-sV`), which reveals the name and version of the software listening on each port, and OS detection (`-O`), which reports the likely operating system and hardware details of the devices involved. Only scan hosts you own or are authorized to test: an unsolicited scan is noisy, gets logged, and is unlawful in many jurisdictions.
Let's take a look at a simple port scan run against our main host here at securitytrails.com:
```
$ nmap -p 1-1024 securitytrails.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 12:49 -03
Nmap scan report for securitytrails.com (126.96.36.199)
Host is up (0.050s latency).
Not shown: 1022 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 6.04 seconds
```
Traceroute is a network utility that tracks the route packets take across the Internet from an origin host to a remote destination. It is available on most modern operating systems, including Linux, Unix, macOS and Windows (where it is called tracert).
The classic version supports IPv4 addresses, while traceroute6 (or `traceroute -6`, and `tracert -6` on Windows) traces the route to IPv6 addresses.
It's widely used by network/system administrators and infosec researchers to evaluate network problems, discover the path between hosts, measure round-trip times for every hop and summarize the results. Hops shown as `* * *` sent no reply within the timeout, usually because a router rate-limits or drops its TTL-expired responses; it does not mean traffic is being lost there.
```
$ traceroute securitytrails.com
traceroute to securitytrails.com (188.8.131.52), 30 hops max, 60 byte packets
 1  * * *
 2  mlg4bras2.antel.net.uy (184.108.40.206)  6.807 ms  6.826 ms  7.069 ms
 3  cbb4mlg1-be122-605.antel.net.uy (220.127.116.11)  14.020 ms  32.288 ms  32.281 ms
 4  ibe2mlg1-0-4-0-0.antel.net.uy (18.104.22.168)  32.250 ms ibe2mln1-0-3-0-1.antel.net.uy (22.214.171.124)  32.175 ms ibe2mlg1-0-3-0-1.antel.net.uy (126.96.36.199)  32.069 ms
 5  188.8.131.52 (184.108.40.206)  45.671 ms  45.662 ms  45.581 ms
 6  220.127.116.11 (18.104.22.168)  48.028 ms  41.833 ms  46.733 ms
 7  * * *
 8  22.214.171.124 (126.96.36.199)  56.594 ms 188.8.131.52 (184.108.40.206)  56.200 ms  56.217 ms
 9  220.127.116.11 (18.104.22.168)  57.145 ms 22.214.171.124 (126.96.36.199)  43.017 ms  43.017 ms
10  * * *
11  * * *
12  * * *
13  * * *
```
mtr (My Traceroute) is one of the most popular network diagnostic commands; it combines ping and traceroute in a single program.
It works like traceroute, sending probes with increasing TTLs so that each hop along the path answers, but it keeps probing continuously and accounts for every reply, so per-hop packet loss, high delays and other problems such as overloaded links become visible over time.
It can be run with several options, such as report mode (`--report`), packet count (`-c`), disabling DNS resolution (`--no-dns`), raw output format (`--raw`), and forcing IPv4 or IPv6 (`-4`/`-6`). When reading the report, compare each hop's loss with the hops after it: in the run below hop 6 shows 24% loss while the later hops show a few percent at most, which means that router is de-prioritising its own ICMP replies rather than dropping our traffic. Only loss that persists to the destination is real.
```
$ mtr securitytrails.com -c 150 --no-dns --report
HOST: securitytrails.com          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- ???                       100.0   150    0.0   0.0   0.0   0.0   0.0
  2.|-- 188.8.131.52               2.0%   150    7.1  14.5   2.7 224.0  24.4
  3.|-- 184.108.40.206             3.3%   150   20.6  28.2   3.9 289.4  46.0
  4.|-- 220.127.116.11             3.3%   150   30.4  21.9   3.7 203.3  31.4
  5.|-- 18.104.22.168              6.0%   150   42.5  37.5  20.4 460.0  43.7
  6.|-- 22.214.171.124            24.0%   150   32.3  44.0  18.6 548.7  70.8
  7.|-- ???                       100.0   150    0.0   0.0   0.0   0.0   0.0
  8.|-- 126.96.36.199              6.0%   150   48.9  59.3  46.9 244.8  24.9
  9.|-- 188.8.131.52               1.3%   150   48.3  56.3  45.1 368.8  33.0
 10.|-- 184.108.40.206             4.7%   150   58.4  75.1  52.5 284.6  41.8
```
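The rule of thumb above (blame a hop only for loss that every later hop also shows) is easy to apply mechanically. The script below is an added example, not code from the article: it parses `mtr --report` output, computes the loss each hop can actually be blamed for, and separates real path loss from routers that merely rate-limit ICMP. `SAMPLE` is a constructed report using documentation addresses, shaped like the one above, with one rate-limiting router at hop 2 and real loss starting at hop 5.

```python
"""Tell real packet loss from ICMP rate limiting in an `mtr --report`.

Added example, not code from the original article. A router that
de-prioritises its own ICMP time-exceeded replies shows loss at its hop but
not at the hops after it, while loss that really happens on the path persists
to the destination. So the loss a hop can be blamed for is bounded by the
lowest loss seen at any later responding hop. SAMPLE is a constructed report
(documentation addresses) shaped like the one above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    index: int
    host: str
    loss: float     # percent, as reported
    sent: int
    avg_ms: float
    worst_ms: float


# "  2.|-- 198.51.100.1   30.0%   100    7.1   8.5   2.7  24.0   3.4"
# mtr omits the % sign on 100.0 for unresponsive hops, so it is optional here.
_HOP = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)\s+"
    r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_mtr_report(text: str) -> list[Hop]:
    hops: list[Hop] = []
    for line in text.splitlines():
        m = _HOP.match(line)
        if m:
            idx, host, loss, sent, _last, avg, _best, worst, _stdev = m.groups()
            hops.append(Hop(int(idx), host, float(loss), int(sent), float(avg), float(worst)))
    return hops


def attributable_loss(hops: list[Hop]) -> dict[int, float]:
    """Loss each hop can be blamed for: the minimum over it and every later
    responding hop. Hops shown as ??? answered nothing and are left out."""
    responding = [h for h in hops if h.host != "???"]
    return {h.index: min(x.loss for x in responding[i:]) for i, h in enumerate(responding)}


def suspicious_hops(hops: list[Hop], threshold: float = 1.0) -> list[int]:
    """Hops whose attributable loss is at or above `threshold` percent."""
    return [i for i, loss in attributable_loss(hops).items() if loss >= threshold]


def rate_limited_hops(hops: list[Hop], threshold: float = 5.0) -> list[int]:
    """Hops reporting far more loss than they can be blamed for: ICMP de-prioritisation."""
    blame = attributable_loss(hops)
    return [h.index for h in hops if h.index in blame and h.loss - blame[h.index] >= threshold]


SAMPLE = """\
HOST: laptop                       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                   0.0%   100    0.4   0.5   0.3   1.2   0.1
  2.|-- 198.51.100.1               30.0%   100    7.1   8.5   2.7  24.0   3.4
  3.|-- ???                        100.0   100    0.0   0.0   0.0   0.0   0.0
  4.|-- 203.0.113.9                 0.0%   100   20.6  21.2  18.9  29.4   2.0
  5.|-- 203.0.113.77                5.0%   100   42.5  44.5  40.4  90.0   6.7
  6.|-- 203.0.113.200               5.0%   100   48.9  50.3  46.9  84.8   5.9
"""

if __name__ == "__main__":
    hops = parse_mtr_report(SAMPLE)
    print("real loss on the path from hops:", suspicious_hops(hops))
    print("rate-limiting routers (ignore):", rate_limited_hops(hops))
```

The bound is a heuristic: a destination that itself rate-limits ICMP lowers every hop's attributable loss, and loss that starts at the last link is indistinguishable from rate limiting at the destination. Pair it with a TCP-based probe (`mtr --tcp -P 443`) when the path ends at a web server.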
Online domain tools alternatives to fetch DNS, URL, technology and historical website data
Is there any other way to perform domain investigation without typing terminal commands?
Fortunately, there are plenty of web-based interfaces on specialized websites that return the same domain, DNS and IP address information. While the Unix/Linux commands above are very helpful for specific tasks, these online tools achieve the same results without writing a single command line instruction.
You will be able to perform almost any type of DNS query from a web-based interface just by clicking a few buttons, as you can see in the next screenshot.
Website Technology Detection & Analysis
URLScan is an amazing service and the perfect tool when you need every possible detail about a website.
Just enter a URL and it will analyze the HTTP connection and website details such as loaded libraries, the hosts and IPs involved, network information, the datacenter where it's hosted, and much more. One caveat: scan results are public by default, so choose the unlisted or private visibility before submitting a URL that carries a session token, a one-time link or an internal hostname.
Wappalyzer, on the other hand, is a very useful domain tool that identifies the technologies used on any website.
You will be able to perform a domain and IP lookup and detect e-commerce platforms, content management systems, analytics and statistics software, CDN technologies, CRM software, as well as web development frameworks, libraries and server software.
This software can also be integrated into your Firefox and Chrome browser with its native extensions.
It also offers a Node.js npm module and a full API service so you can integrate website technology detection into your own apps.
Domain Historical Screenshots
The Internet Archive is one of the oldest sites dedicated to finding and storing files, screenshots, multimedia resources and software found on websites; its Wayback Machine keeps snapshots of web pages.
The best thing about it is that it lets you browse different versions of a website to see how a specific URL looked in the past, what text its HTML contained, which images it served, and much more.
These can be browsed with a useful timeline that lets you move back and forward between yearly or monthly versions.
In our case, securitytrails.com is a fairly new website, which is why the Internet Archive only has 2017 and 2018 versions in its database:
Online Whois Tools
ICANN's WHOIS Lookup is a good example of how you can get WHOIS information about almost any domain name: it returns registration data for domains under the generic TLDs.
ARIN's Whois service is a great alternative for the other half of the picture: it covers IP address blocks and autonomous system numbers registered in its region (North America), not domain names; the other regional registries (RIPE NCC, APNIC, LACNIC, AFRINIC) offer equivalent lookups for theirs.
Using SecurityTrails API and SurfaceBrowser™ domain tools in your infosec research
Our SurfaceBrowser™ and API domain tools are a key part of any threat intelligence and cybersecurity investigation.
These tools are widely used by security analysts, incident response teams, cyber forensic researchers, brand and fraud investigators, and threat hunting teams.
When do you need these kinds of tools? Let's find out.
The domain tools found on the Internet allow you to carry out a good intel-gathering process while researching any website.
Knowing who the person or company behind a domain name or IP address is, the full list of DNS records, the different DNS zones, and the SSL certificate data becomes crucial when you are investigating a target.
Once you finish the information-gathering phase, you can cross-reference data from the different sources to build a map of your own infrastructure, or of an external company you are auditing.
Enterprise Domain and DNS Monitoring
SurfaceBrowser™ domain tools, together with our API access, let you keep track of your domain names, DNS zones and name servers and detect any changes made to the DNS records or to the name servers themselves.
You can detect this by querying manually, or by integrating your apps with our API.
This lets you detect changes to your domain names almost instantly and act quickly to prevent any damage to your website. An unexpected NS or A record change is often the first visible sign of a registrar-account compromise or a DNS hijack.
Prevent website downtime
TLS (SSL) certificates are now part of every web page on the Internet. All major browsers mark pages as "Not secure" if they are served without one.
But what most companies and website owners fail to do is check the certificate expiration date periodically, which is a key part of keeping a website online.
If your certificate expires overnight and you accidentally deleted the renewal email (or your spam filter caught it), your website will lose most of its traffic, and a full-page browser warning will keep your visitors, and potential customers, away from your page.
SurfaceBrowser™ lets you find every detail about your SSL certificates, such as the issuing CA, the original issue date and the expiration date. Analyzing SSL certificates is easy from our all-in-one SSL platform.
You can also browse SSL certificates by creation year and company name, and get a summary by validity, as you see below:
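The expiry check itself needs nothing beyond the standard library, so there is no excuse for discovering it from the browser warning. The script below is an added example, not code from the article or from SurfaceBrowser™: it computes the days left on a certificate from the dictionary Python's `ssl` module returns, flags it as expiring or expired, and also checks that the certificate still covers the hostname (a renewed certificate that silently drops a SAN breaks a site just as surely). `SAMPLE_CERT` is a constructed stand-in with the shape of `getpeercert()`; `fetch_cert()` does a live handshake and is only for interactive use.

```python
"""Check how long a TLS certificate has left, from the dict Python's ssl module returns.

Added example, not code from the original article or from SurfaceBrowser.
SAMPLE_CERT is a constructed stand-in with the shape of
ssl.SSLSocket.getpeercert(); fetch_cert() performs a live handshake and is
only for interactive use.
"""
from __future__ import annotations

import socket
import ssl
import time

SAMPLE_CERT = {  # constructed; dates chosen so the cert is mid-life in Feb 2019
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Mar  1 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def days_remaining(cert: dict, now: float | None = None) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def expiry_status(cert: dict, now: float | None = None, warn_days: int = 14) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_remaining(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def covers_host(cert: dict, hostname: str) -> bool:
    """Does a DNS SAN match hostname exactly or via a single leftmost wildcard label?"""
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        labels = name.lower().split(".")
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup with full verification; an already-expired or mismatched
    certificate makes the handshake raise ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(expiry_status(SAMPLE_CERT), round(days_remaining(SAMPLE_CERT), 1), "days")
```

Run `expiry_status(fetch_cert("www.example.com"))` from a daily cron job and alert on anything but `ok`; catching `ssl.SSLCertVerificationError` there tells you the certificate has already gone bad, since `getpeercert()` only returns the dictionary after verification succeeds.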
Better SEO & Domain Investments
There is a huge market behind domain names, and the people who actively buy and sell domains are called 'domainers'.
If you are a domainer or work for a company that buys and sells domain names, exploring our domain database offers huge potential.
Thousands of domain names expire every day, many of them with good domain authority and page rank and thousands of do-follow links, which can cost a fortune these days.
Tracking different kinds of domain data is easy when you integrate your own apps with our API; you can set up an alert as soon as anything changes on the domain names you watch.
The SecurityTrails toolkit, along with SurfaceBrowser™, is one of the best ways to research true domain ownership. This helps you avoid buying stolen domain names, and gives you more information to negotiate a better price before buying.
Prevent Phishing & Brand monitoring
Finding phishing domain names is easy when you have a domain database as large as SecurityTrails'. Either with our API endpoints or with SurfaceBrowser™, you can start preventing phishing attacks and safeguarding your company's online reputation by analyzing domain names that use your main brand keywords.
Setting up proactive phishing monitoring and response is easy when you integrate your apps with our API: let your app query the API and send an alert email when a domain name containing any of your brand keywords is found. Plain substring matching misses typosquats (swapped or dropped letters) and look-alike characters (a digit 1 for an l), so also compare the registrable label against your brand with an edit distance and after folding common substitutions.
Discover new domains that attempt to spoof your product names, brands, company name and other names registered or used by your organization.
Act before those domains become a source of malware, ad injectors, or identity theft through phishing campaigns.
Domain-based risk management companies, security technology vendors and VPN providers also use our domain database to build their security policies and domain scoring to protect their customers and investments.
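The matching step of such a monitor, as an added example that is not code from the article or from the SecurityTrails API: given a list of newly observed domains (here `CANDIDATES`, a constructed list) and a brand keyword, it reports why each one looks like the brand: the brand used as a subdomain, look-alike characters folded back to letters, the brand embedded in a longer label, or a typosquat within one edit, counting a swap of two adjacent letters as one edit. The public-suffix handling is deliberately simple and noted as an assumption in the code.

```python
"""Flag domain names that look like a brand.

Added example, not code from the original article or from the SecurityTrails
API. CANDIDATES is a constructed list standing in for newly observed domains;
the classifier applies the checks an analyst does by hand: the brand used as a
subdomain, look-alike characters, the brand embedded in a longer name, and
typosquats within one edit (including swapped adjacent letters).
"""
from __future__ import annotations

# Common look-alike substitutions, folded back to the letters they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def fold(label: str) -> str:
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing one."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(domain: str, brand: str) -> str | None:
    """Reason the domain looks like `brand` (plain lowercase letters), or None.
    Assumption: a single-label public suffix (.com, .net); multi-label suffixes
    such as .co.uk need a public suffix list, which this example omits."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, subdomains = labels[-2], labels[:-2]
    if sld == brand:
        return None                 # the brand's own domain
    if brand in subdomains:
        return "brand-subdomain"    # brand.support-desk.example
    if fold(sld) == brand:
        return "homoglyph"          # securitytrai1s
    if brand in sld:
        return "contains-brand"     # securitytrails-login
    if edit_distance(fold(sld), brand) <= 1:
        return "typosquat"          # securitytrials, securitytrail
    return None


def find_lookalikes(domains: list[str], brand: str) -> list[tuple[str, str]]:
    hits: list[tuple[str, str]] = []
    for d in domains:
        reason = classify(d, brand)
        if reason:
            hits.append((d, reason))
    return hits


CANDIDATES = [  # constructed; not real observations
    "securitytrails.com",
    "securitytrials.com",
    "securitytrai1s.net",
    "securitytrails-login.com",
    "securitytrails.support-desk.example",
    "example.org",
]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(CANDIDATES, "securitytrails"):
        print(f"{domain:<40} {reason}")
```

An edit distance of one is the right cut-off for a long brand like the one here; for a short brand (four or five letters) it matches too many legitimate words, so raise the bar or require the candidate to share the brand's first letters as well.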
Port Scanning made easy
Port scanning is one of the first things remote attackers do when analyzing your IP addresses and network topology. It's a task often executed manually with popular port scanners like Nmap.
Discovering exposed ports of critical services such as FTP or SSH before an attacker does can prevent a lot of cybersecurity issues for your company's online presence.
For you as a security researcher, on the other hand, it lets you quickly discover sensitive network areas to "knock" on after your initial analysis.
SurfaceBrowser™ lets you explore the open ports of any company in the world, summarizes them, and lets you browse all the results in a user-friendly, polished interface.
WHOIS historical records
Since the days of ARPANET there has been a need for a WHOIS directory of those transmitting data across the network. At the beginning it was just a contact directory where individuals could look up other people using ARPANET.
As the decades passed the Internet was created, domain registrars appeared on the scene, and so did law enforcement and trademark agencies. Companies, agencies, governments and individuals needed a better WHOIS service, and when ICANN was established in 1998 it took over coordination of domain registration and the WHOIS requirements that registrars must follow.
SurfaceBrowser™'s WHOIS history feature, along with our historical WHOIS API endpoint, gives you access to WHOIS history records for the past 10 years. Since 2009 we've been tracking, storing and filtering the WHOIS historical records of more than 3 billion domain names.
Final thoughts
When it comes to running a security investigation, there are a lot of domain tools to choose from. You can use the traditional terminal-based tools if you are an old-school geek, or start digging with powerful online domain, DNS and IP tools.
Here at SecurityTrails we use a lot of terminal-based domain research tools in our daily work, but at the same time we integrate them with our API platform to query our intelligent database.
Have you tried it yet? It's one of the best domain name information tools you'll ever see. If not, grab free API access today or book a SurfaceBrowser™ demo with our sales team, and get in touch with us to get the most out of your daily security research tasks.