Search Engines
When approaching a target, it’s often helpful to gather as much information as possible before going loud and knocking on their proverbial digital door. Below are some tools I regularly use during the initial stages of a test.
Keep in mind
OSINT is part of the recon stage and should always be one of your first steps. Everything below is passive: you query someone else's index rather than the target, so none of it sends a packet to the client's infrastructure.
Shodan
Shodan is one of the most popular OSINT tools available. It continuously scans public IP space and ports and indexes whatever banners the services return, so you can search by service, banner text, or keyword. Essentially, if a service announces itself to the world, Shodan can help you find it in a clean interface. A free membership is available, though results are limited. Remember that the data is a snapshot from Shodan's last scan, not a live view, so verify anything interesting once you are in the active phase.
Censys
Similar to Shodan, Censys lets you search IPs or domains for detailed results. It also offers a premium service geared toward enterprises. A standout feature of Censys is its certificate search: because publicly trusted certificates are logged at issuance, it can surface hostnames (Let's Encrypt certificates included) that never appear in DNS enumeration, which is also a handy way to spot look-alike phishing domains registered against a target.
Grayhat Warfare
This search engine focuses on open Amazon S3 buckets. While results can be hit or miss, it often provides insights into directory structures, technologies in use, and naming conventions. Occasionally, it uncovers valuable internal documents, making it worth a query.
Greynoise
Greynoise is the "anti-Shodan." Rather than indexing the hosts being scanned, it identifies the IPs doing the scanning and provides context about their activity. If you suspect an IP is scanning you, Greynoise can tell you whether it is a known mass scanner, benign or otherwise, which makes it useful for triaging noise out of your own logs.
Hunter.io
Hunter.io is a tool for finding and validating email addresses by domain. While its validation accuracy is only around 50%, its passive approach to email discovery makes it incredibly useful, not least because it reveals the organisation's address format. A free account allows up to 25 searches per month (per account...).
WiGLE
WiGLE helps locate WiFi SSIDs by mapping where they’ve been detected. Since it relies on user-submitted data, results may be incomplete but are often a good starting point for WiFi-related investigations.
urlscan.io
Urlscan.io consolidates a wealth of information about a website into one place. Input a domain, and it provides a screenshot, technology stack, DNS data, IP info, and a record of every HTTP request the page made while loading. The detailed HTTP transactions tab is especially useful for mapping the third-party domains and APIs a large site depends on.
SecurityHeaders.com
SecurityHeaders is a quick and effective tool for analyzing a website's HTTP security headers. By simply entering a domain, you can get a report card-style overview of headers like CSP, HSTS, X-Frame-Options, and more. Treat the grade as a first pass: it tells you whether a header is present and roughly sane, not whether the policy actually protects the application.
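The kind of check SecurityHeaders performs is easy to reproduce locally, which is handy when the target is internal or you do not want a third party fetching it. The script below is an added example and is not SecurityHeaders.com's own code; its six checks, thresholds and letter grades are this script's own assumptions, not the site's scoring rules, and the two sample header sets are constructed rather than captured from any real site.

```python
"""Grade HTTP security headers the way a report-card checker would.

Added example, not code from SecurityHeaders.com. The checks, thresholds and
grade scale are assumptions chosen for illustration.
"""
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for a pass


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= ONE_YEAR


def _csp_ok(value):
    v = value.lower()
    # A CSP without a default-src fallback, or one that allows inline
    # scripts, is mostly decorative, so treat it as weak.
    return "default-src" in v and "'unsafe-inline'" not in v


# header name (lower-case) -> predicate that returns True for an acceptable value
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}

GRADES = {6: "A", 5: "B", 4: "C", 3: "D"}  # assumption: pass count -> grade


def audit(headers):
    """Return which headers are missing, weak or ok, plus a letter grade."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    report = {"missing": [], "weak": [], "ok": []}
    for name, check in CHECKS.items():
        if name not in lower:
            report["missing"].append(name)
        elif not check(lower[name]):
            report["weak"].append(name)
        else:
            report["ok"].append(name)
    report["grade"] = GRADES.get(len(report["ok"]), "F")
    return report


def fetch_headers(url):
    """Live variant: issue a HEAD request and return the response headers."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "header-audit/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
STRONG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("strong", STRONG), ("weak", WEAK)):
        print(label, audit(hdrs))
```

Run it against a live site with `audit(fetch_headers("https://target.example/"))`. The WEAK sample is the instructive one: every header is present except Permissions-Policy, yet only X-Content-Type-Options passes, which is exactly the case a presence-only check would wave through.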
DNSdumpster
DNSdumpster offers DNS reconnaissance, including a visual domain map that’s helpful for both red and blue teams. The graphical representation can reveal relationships and assets associated with a target domain.
SecurityTrails
Another DNS tool, SecurityTrails is useful for ensuring comprehensive DNS data collection. It offers an API for integration, but I’ve yet to fully explore its paid features to assess their value.
Robtex
Robtex is a comprehensive passive DNS tool. Its "shared" view lists the other hostnames that resolve into the same IP space as your target, which is useful both for finding neighbouring assets and for spotting a shared host that is not in scope. While paid options exist, the reverse DNS information is the most valuable feature in my opinion.
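The three DNS tools above all hand you (hostname, IP) pairs; the useful follow-up is grouping those by netblock so you can see what else sits beside the target and decide what is actually in scope. The script below is an added example and is not code from Robtex, SecurityTrails or DNSdumpster; the passive-DNS pairs are constructed, and the /24 grouping is an assumption chosen for illustration (pass a different `prefixlen` for other block sizes).

```python
"""Group passive-DNS results by netblock to see what shares IP space with a
target, and separate in-scope hosts from neighbours that merely share the block.

Added example, not code from any passive-DNS service. Input pairs are constructed.
"""
import ipaddress
from collections import defaultdict


def group_by_block(pairs, prefixlen=24):
    """Map each /prefixlen network to the set of hostnames resolving into it."""
    blocks = defaultdict(set)
    for host, ip in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[net].add(host.lower())
    return blocks


def shared_space(pairs, target_domain, prefixlen=24):
    """For every block that contains a target host, list the in-scope hosts
    and the neighbours that share the block but belong to other domains."""
    target_domain = target_domain.lower()

    def in_scope(h):
        return h == target_domain or h.endswith("." + target_domain)

    result = {}
    for net, hosts in group_by_block(pairs, prefixlen).items():
        ours = sorted(h for h in hosts if in_scope(h))
        if not ours:
            continue  # block has nothing of the target's in it
        result[str(net)] = {
            "in_scope": ours,
            "neighbours": sorted(h for h in hosts if not in_scope(h)),
        }
    return result


# Constructed passive-DNS export (documentation-range addresses, made-up hosts).
SAMPLE_PDNS = [
    ("www.example.com", "203.0.113.10"),
    ("mail.example.com", "203.0.113.25"),
    ("vpn.example.com", "198.51.100.7"),
    ("shop.example.org", "203.0.113.40"),  # another org on the same /24
    ("cdn.example.net", "192.0.2.5"),      # unrelated block, never reported
]

if __name__ == "__main__":
    for block, info in shared_space(SAMPLE_PDNS, "example.com").items():
        print(block, info)
```

A neighbour on the same block is evidence of shared hosting or a common provider, not authorisation: shop.example.org above is exactly the kind of host you note in the report and leave alone.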
Certificate Search
Certificate Search does exactly what its name implies: query a domain and it lists the certificates that have been issued for it, current and expired. Because certificate issuance is publicly logged, this often reveals subdomains that never show up in DNS brute-forcing, and the expiry dates give you a view of the domain's certificate lifecycle, including hosts that once existed and may have been forgotten.
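Turning a certificate search result into a target list takes a little cleanup: names need lower-casing, wildcard entries are not hosts, shared SAN certificates drag in unrelated domains, and a name seen only on long-expired certificates deserves a different label from one on a live certificate. The script below is an added example and is not code from any certificate search service; the record shape (one dict per certificate with the covered names one per line and not_before/not_after timestamps) is an assumption, and the records themselves are constructed.

```python
"""Turn certificate-search results into a subdomain list, split into names
on currently valid certificates and names seen only on expired ones.

Added example, not code from any certificate search service. The record
format is assumed and the sample records are constructed.
"""
from datetime import datetime


def harvest_names(records, domain, now):
    """Return ({hostname: 'active' | 'expired'}, {wildcard patterns})."""
    domain = domain.lower()
    latest_expiry = {}   # hostname -> latest not_after seen on any certificate
    wildcards = set()
    for rec in records:
        expires = datetime.fromisoformat(rec["not_after"])
        for raw in rec["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            # Shared SAN certificates list unrelated hosts; keep only the target.
            if name != domain and not name.endswith("." + domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)  # a namespace hint, not a resolvable host
                continue
            prev = latest_expiry.get(name)
            if prev is None or expires > prev:
                latest_expiry[name] = expires
    hosts = {name: ("active" if exp > now else "expired")
             for name, exp in sorted(latest_expiry.items())}
    return hosts, wildcards


# Constructed records; the timestamps and names are made up for illustration.
SAMPLE_RECORDS = [
    {"not_before": "2019-03-01T00:00:00", "not_after": "2020-03-01T00:00:00",
     "name_value": "old-vpn.example.com\nexample.com"},
    {"not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00",
     "name_value": "*.example.com\nexample.com"},
    {"not_before": "2024-09-01T00:00:00", "not_after": "2024-12-01T00:00:00",
     "name_value": "MAIL.example.com\nwww.example.com\nexample.com\ncdn.example.net"},
    {"not_before": "2024-11-15T00:00:00", "not_after": "2025-02-13T00:00:00",
     "name_value": "mail.example.com\nstaging.example.com"},
]
NOW = datetime(2025, 1, 1)

if __name__ == "__main__":
    hosts, wildcards = harvest_names(SAMPLE_RECORDS, "example.com", NOW)
    for name, state in hosts.items():
        print(f"{state:8} {name}")
    print("wildcards:", sorted(wildcards))
```

old-vpn.example.com is the interesting line: an "expired" host is either gone, in which case it is a dangling name worth checking for takeover, or still up behind a wildcard certificate, in which case it is a forgotten service. Either way it goes on the list to resolve in the active phase.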
HaveIBeenPwned
HaveIBeenPwned allows you to check whether an email address has appeared in a known data breach, which during recon tells you which of the target's users are likely to have reused a leaked password. It's a must-have for anyone in infosec and a great tool for personal use given the frequency of breaches.
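The passage above is about the email breach search. HaveIBeenPwned's other search, the Pwned Passwords range API, is worth showing here because of how it is designed: you never send the password, or even its full hash, to the service. The script below is an added example and is not HIBP's own code. It relies on the published range endpoint (a GET of the first five hex characters of the SHA-1, answered with one `SUFFIX:COUNT` line per hash in that range); the sample range body is constructed, not a real reply, and its counts and other suffixes are made up.

```python
"""Check a password against HIBP's Pwned Passwords range API using the
k-anonymity scheme: only a 5-character hash prefix leaves the machine.

Added example, not code from Have I Been Pwned. SAMPLE_RANGE is constructed.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response for our suffix; return its count, or 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup: the request carries nothing but the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-check/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, lookup=fetch_range):
    """Return how many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, lookup(prefix))


# Constructed range body for prefix 5BAA6, the prefix of SHA-1("password").
# Only the third suffix is real; the others and all counts are made up.
SAMPLE_RANGE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5B9F6A1A3AE4E62F5CE9E6DAD2DC3A7E9:2
"""


def offline_lookup(prefix):
    """Stand-in for fetch_range that serves the constructed sample."""
    if prefix != "5BAA6":
        raise ValueError("sample only covers the 5BAA6 range")
    return SAMPLE_RANGE


if __name__ == "__main__":
    print("password ->", pwned_count("password", lookup=offline_lookup))
```

For a live check, call `pwned_count(candidate)` and the default `fetch_range` is used. Because the service only ever sees a prefix shared by several hundred hashes, it cannot tell which of them you were interested in; HIBP also honours an `Add-Padding: true` request header that pads responses so that response size does not narrow the range either.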
Wayback Machine
The Wayback Machine is a classic tool that can uncover archived copies of pages from the past, often revealing valuable information no longer available on live sites: old endpoints, removed staff listings, and configuration details that were later cleaned up.
Google Dorking
Need I say more? Google Dorking remains one of the simplest and most effective ways to uncover hidden treasures.