Security professionals often need to quickly look up and correlate data during OSINT, reconnaissance, discovering vulnerabilities, finding security breaches in networks, and more. Fortunately, there are search engines in their arsenal of tools that are designed to be used by hackers and professionals. These can provide valuable data for their security operations.
Search engines used by hackers, or simply security professionals (we’ll repeat it once more for those in the back: hackers are not exclusively cybercriminals), are valuable tools for both red teams and blue teams, as well as security researchers, analysts, and others. These tools can help in finding exposed devices, tracking threats, preparing for spear phishing simulations, and much, much more in the area of security operations.
The 10 best search engines used by hackers
We have tested and aggregated a list of the best search engines often used by security professionals—and anyone wanting to perform a deeper search than those offered with traditional search engines like Google. And we’re not talking about private search engines; we’ve already compiled a list dedicated to the best private search engines to ensure data privacy while online.
This list identifies search engines that help security professionals obtain information about connected devices, private information on individuals (in a more curated manner than that provided by traditional search engines), breached credentials, and more. Let’s start here:
Being called both “the search engine for hackers” as well as “the world’s first search engine for Internet-connected devices”, it’s easy to guess why Shodan is the first logical choice. Shodan is a network security monitor and search engine that indexes data from any type of electronic device that’s ever been connected to the Internet. And by any type, we mean it: webcams, routers, servers, smart TVs, refrigerators, traffic lights, heating systems, and much, much more.
Imagine Google, but instead of seeing the usual images next to different websites and their content, on Shodan you see results in various forms including IP addresses, types of devices, country, and of course SSH, Telnet, and HTTP server banners. But the real value of Shodan is in its ability to help both red teams and blue teams.
For the defenders, Shodan can play an important role in providing visibility to their devices and open ports, and even search for device vulnerabilities to some known exploits. Basically, blue teams are able to retrieve OSINT data and identify devices they need to secure. Simultaneously, Shodan helps red teams and penetration testers with reconnaissance and information gathering, even going as far as discovering security flaws in target devices.
Shodan also offers one of the best cybersecurity APIs out there for anyone wanting to integrate their services into apps, with great documentation and libraries that make it easy to set up. Some of the Shodan API’s features are support for Python, Ruby, PHP, C#, Go, Hackell, Java, Node.js, Perl, PowerShell and Rust, REST API, network alerts, on-demand scanning, and a streaming API used to watch real-time data feeds.
Right next to Shodan, we have Censys. Censys is similar to Shodan in that it monitors every device exposed on the Internet, and in the form of a search engine, provides data and aggregates reports on how devices, websites and certificates are configured and deployed.
Censys constantly collects information on connected devices and internet servers to help you get the most accurate data about any device connected to the internet, along with details on open ports, protocols and valid certificates. It also identifies server versions, unpatched vulnerabilities, routers, OS versions, and more. Additionally, there is a separate certificate search engine, as well as an IPv4 search engine to find IP address information.
The many use cases for Censys include monitoring the constantly evolving attack surface, finding unknown digital assets, scanning those assets for CVEs, tracking threats, automating the vulnerability management process, and preventing phishing attacks and malware distribution.
GreyNoise comes in at third place, and can be seen as the complete opposite of Shodan and Censys: while those two are search engines that scan for devices, GreyNoise can actually tell you who is scanning the internet, using the above-mentioned benign scanners, as well as those that are more malicious in nature, such as botnets looking for vulnerable devices.
GreyNoise wouldn’t be of interest to everyday internet users, as the internet’s background noise doesn’t affect them at all. But for hackers and security professionals working for organizations that own thousands of IP addresses and in general have large networks, GreyNoise is the perfect search engine. It helps filter out the security alerts coming from all sides, not allowing meaningless internet background noise to interfere with security operations in the SOC.
GreyNoise was developed by Andrew Morris, with whom we’ve already featured an in-depth, candid interview. We were fortunate to get into the nitty gritty of how to use GreyNoise in our #ProTips to differentiate alerts created by internet background noise from alerts related to actual targeted attacks: Just enter an IP address or a word, and GreyNoise visualizer will show you information on it. Use it to identify compromised devices, emerging opportunistic threats, and also for threat intelligence, by using their integrations with other OSINT and threat intelligence platforms. You can even search for GreyNoise IPs from the Shodan interface or API.
“The cyberspace search engine”, ZoomEye is an IoT OSINT search engine that lets users find connected devices. Using Xmap and Wmap to search for devices connected to the Internet, it fingerprints against all found information and lets users access the curated data from exposed devices and services.
ZoomEye acts as a search engine where you can simply enter a query, or you can explore devices and services already indexed by the engine. Enter any query, an IP address, device, or just a keyword, and ZoomEye will find information about open ports on remote servers, the total number of hosted websites and found devices, and get you a vulnerability report, among its many capabilities.
As simple as they come, Hunter is a search engine that helps you find all of the email addresses that belong to a domain or organization. Enter the name of the company, and you’ll get a comprehensive list of verified emails under that domain, their activity, and public sources from which the address is discovered. You can also check on the deliverability of an email address, do these tasks in bulk, and even use the discovered emails to launch email accounts.
Their service can also be accessed as a Google Chrome extension, so you can find email addresses belonging to a website you’re visiting, and with their API you can confirm deliverability of an email address and get additional information on the organization.
WiGLE is a search engine for wireless network mapping. In fact, the first thing you see when you enter WiGLE’s interface is a map that, when zoomed in, shows hotspots and nearby networks. It does so by merging the location and information of wireless networks into a central database that is present via desktop and web app.
Security professionals use WiGLE to monitor for any insecure networks, and to see if they’re vulnerable to attacks. On the other hand, everyday users can use WiGLE to find open networks near them. It’s a fun service, even if you just want to see nearby open networks, telecommunications antennas, and the like.
Have you ever wanted to search for websites based on their source code? Well, there is a search engine that indexes source codes, and it’s PublicWWW. Just enter an HTML, JS or CSS code into this search engine and it allows you to find alphanumeric snippets, signatures or keywords within the code.
While claiming to be the ultimate solution for digital and affiliate marketing research, security professionals can use PublicWWW to discover sites that are part of malware campaigns, by querying libraries used in the campaign, and find which sites are affected. Even if it appears as a pretty simple and specific service, PublicWWW is a great option for hackers and security professionals to perform searches not possible on other, more traditional search engines.
Now, HaveIBeenPwned is a service even everyday Internet users should be checking periodically. In order to stay safe while browsing the internet, it’s important to ask ourselves: Have our accounts ever been affected by the numerous security breaches we hear about? Has any of our private data been compromised?
HaveIBeenPwned, or HIBP, is a free data breach service that helps users find out whether they have been affected by a data breach. Developed by Troy Hunt, one of the cybersecurity legends, HIBP aggregates and analyzes database dumps and pastes containing information about compromised accounts, and presents it as a public service. Anyone can type in their username or email address, and see if they have been “pwned”. Unfortunately, many email addresses have been involved in at least one data breach; your long forgotten MySpace account was probably compromised, yes.
HIBP offers advice on how to better protect yourself online, and functions as a “search engine” even for non-technical users.
One primer of OSINT are the people. For example, when you want to perform a spear phishing assessment, you would need to find as much personal data about the individuals involved as possible. People’s search engines can reveal a lot of information about them, and all in one place. One such search engine for this task is Pipl.
Used by government agencies, leading financial and insurance institutions, and media companies all over the world, Pipl is the true ‘people’ search engine. By interacting with searchable, public databases and obtaining relevant information from public sources and the deep web, it provides detailed personal, professional, social, demographic and contact information related to a given individual.
Pipl also offers their own API, which developers can use to easily integrate Pipl’s identity information into their applications, and helps security professionals verify identity and stop account takeovers and credential breaches.
Reposify is a platform and search engine that allows security professionals to identify and map an organization’s known and unknown digital assets outside the perimeter, alerts on any suspicious behavior and provides a risk rating in order to mitigate the risk appropriately.
By mapping and indexing the entire internet daily, monitoring and classifying exposed assets, and searching the external surface for possible entry points and vulnerabilities, Reposify allows organizations to find misconfigured devices, firewalls and routers; detect outdated software; and see their exposed assets from a malicious attacker’s point of view, to discover just how vulnerable they really are.
Security professionals use all kinds of security tools. Some work more on the offensive, as red team tools; some are well-suited for blue team toolkits; still others are specific for certain security operations, like phishing tools.
Search engines are tried and tested ways of aggregating and presenting information in a simple, easy-to-use way, so it’s easy to see how security professionals have adapted their own version of security tools for looking up and curating valuable information.
Are there any other search engines you use in your own security roles? Let us know on Twitter!
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
And do you need to quickly search for latest and past data about domain services, DNS servers, DNS records, IP addresses, open ports and SSL certificates? Well, in that case SecurityTrails API is right for you. Additionally, you can use our integrations with top security tools such as Spiderfoot, Splunk, Amass and Intrigue.io. Sign up today and start integrating our passive DNS, domain, IP, SSL and open ports discovery service.