The main aim of this blog is to explain different use cases and techniques for using Netlas.io in OSINT investigations.
Let's start with the installation process and then deep dive into the usage part.
Netlas.io can be used in three different ways, as explained below -
- Website: The web version is pretty simple and cool.
- Chrome Extension: It saves you copying and pasting IoCs into the website by showing information about the domain you are currently on, without leaving the page. Not every feature is available through the extension, but it offers a few extra features of its own, which we will cover later on.
- API/SDK: You can also integrate it into your own tool, website or script via their REST API. I don't have much knowledge of APIs, so I won't be covering this topic.
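Since the API is not covered in this post, here is an added example (not code from the post or from Netlas) of how the IP/domain info lookup and the reverse-IP pivot described later can be scripted against the REST API with only the Python standard library. The base path, the endpoint names `host/<host>/` and `domains/`, the `X-API-Key` header and the `a:<ip>` DNS-search syntax are assumptions from memory of the public Netlas documentation; check them against https://docs.netlas.io before relying on them. `SAMPLE_HOST_DOC` is constructed for the example and is not a captured API reply.

```python
"""Scripted Netlas lookups over the REST API.

Added example, not code from the post or from Netlas. Assumptions, to be
checked against https://docs.netlas.io: the base path, the endpoint names
``host/<host>/`` and ``domains/``, the ``X-API-Key`` header and the ``a:<ip>``
DNS-search syntax. ``SAMPLE_HOST_DOC`` is constructed for the example; a real
reply may be laid out differently, so ``summarize_host`` reads fields defensively.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

BASE_URL = "https://app.netlas.io/api"  # assumption: public REST base path


def build_request(endpoint: str, params: Optional[Dict[str, str]], api_key: str) -> urllib.request.Request:
    """GET request for ``endpoint`` with the key in a header, not in the URL,
    so it does not leak into proxy logs or shell history."""
    url = f"{BASE_URL}/{endpoint.strip('/')}/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"X-API-Key": api_key, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def host_info_request(host: str, api_key: str) -> urllib.request.Request:
    """Same data as the website's IP/domain info page (assumed endpoint)."""
    return build_request(f"host/{urllib.parse.quote(host, safe='')}", None, api_key)


def reverse_ip_request(ip: str, api_key: str) -> urllib.request.Request:
    """DNS search for domains whose A record points at ``ip`` (assumed query syntax)."""
    return build_request("domains", {"q": f"a:{ip}"}, api_key)


def fetch_json(req: urllib.request.Request) -> dict:
    """Perform the request; only called from main(), so everything else runs offline."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_host(doc: dict) -> dict:
    """Extract what the post highlights: tags, distinct port/protocol pairs, registrar."""
    tags = sorted({t.get("name") for t in doc.get("tag", []) if t.get("name")})
    ports: List[Tuple[int, str]] = sorted(
        {(s["port"], s.get("protocol", "?")) for s in doc.get("services", []) if "port" in s}
    )
    registrar = (doc.get("whois") or {}).get("registrar")
    return {"tags": tags, "ports": ports, "registrar": registrar}


# Constructed sample in the shape summarize_host expects; not a captured Netlas reply.
SAMPLE_HOST_DOC = {
    "domain": "example.invalid",
    "tag": [{"name": "google-cloud"}, {"name": "openresty"}],
    "services": [
        {"port": 80, "protocol": "http"},
        {"port": 443, "protocol": "https"},
        {"port": 443, "protocol": "https"},  # duplicate scan hit, collapsed by the set
    ],
    "whois": {"registrar": "Example Registrar, Inc."},
}


def main(argv: List[str]) -> int:
    """Usage: NETLAS_API_KEY=... python netlas_lookup.py <ip-or-domain>"""
    key = os.environ.get("NETLAS_API_KEY")
    if not key or len(argv) != 2:
        print("usage: NETLAS_API_KEY=... python netlas_lookup.py <ip-or-domain>", file=sys.stderr)
        return 2
    info = summarize_host(fetch_json(host_info_request(argv[1], key)))
    print(json.dumps(info, indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The key is read from the environment rather than hard-coded so the script can be shared without leaking credentials, and `reverse_ip_request` is kept separate from the host lookup so you can feed it the IPs returned by the first call when pivoting.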
Getting Familiar with Netlas.io Website
Link — https://netlas.io/
- Go to Netlas.io
- Click on "Try it", which is shown in the middle, or click on the search button in the upper header.
- Now you will see the Login/Signup button in the upper right corner.
- Log in if you already have an account, or click on Signup and enter your details, or sign up with any social account. (I personally suggest signing up with a Gmail or Microsoft account just to reduce the burden of managing a password.)
- That's it, we are done with the installation part. Let's explore the website.
You will see the page shown in the screenshot once you are done with signup/login.
Now you can directly search for an IP address or domain to get information about it. Let me show you an example with the domain name of a scam website, so we don't have to worry about copyright and other legal issues.
As you can see, it shows us details about the website. Since this is a scam website and it has since been taken down, we don't have much info, but in most cases you will find a lot of useful material here for your OSINT investigation.
The information we received -
- Whois Data
- MX and other DNS records
- Exposed ports and protocols
Note: Pay close attention to the tags. As you can see, there are two tags -
- google-cloud: the website was hosted on a Google Cloud server.
- openresty: a web platform built on top of Nginx (Nginx bundled with LuaJIT), so the site was served by an Nginx-based stack.
In some cases it will also list CVEs that possibly affect the detected software, which can matter when you are working as a criminal investigator. Keep in mind that such a CVE is matched from the product and version fingerprint, not from any test, so it is a lead rather than a confirmed vulnerability. And remember: in OSINT we never interact with the target, and we never try to cause harm by misusing the CVE information.
You can also do a reverse search on the IP address of the domain name to find other domains hosted on it, which in many cases belong to the same individual or company. Be careful with shared hosting, CDN and cloud IPs: there the same address serves many unrelated customers, so a co-hosted domain is only a lead, not proof of a link.
Let’s understand the other features -
- IP/domain Info: We have already learnt about this above.
- Attack Surface Discovery Tool: Here you can build an attack surface map. It's really useful when you have many domains, IP addresses and other data points; it speeds up gathering information and helps in creating and connecting nodes.
- Response Search: It's a goldmine of data. Here you can search for any internet-connected asset using tags and filters, and it displays all the detailed information it has about that particular asset. Read the information shown on that page to understand its capabilities and use cases.
- DNS search: Here we can search for DNS (Domain Name System) records of any domain.
- IP whois search: Here we do a whois search by giving an IP.
- Domain whois search: Here we do a whois search by giving a domain.
- Certificate search: Here we can search for certificates and can also filter the data by tags.
That's it for the website version. Check out their welcome tour for instructions about features and usage. Try it with a free account and then go for a paid plan if you feel it would be useful. There are many more features, but it's difficult to cover them all in a blog, so we will possibly be creating a YouTube video on it if we receive good feedback from the community.
Getting Familiar with Chrome Extension
- Open the below link -
- Click on "Add to Chrome", and click on Continue to install if it displays an Enhanced Safe Browsing warning about the extension.
- Click on "Add extension". Once installed, pin the extension.
That's it, we are done with the installation.
Whenever you are browsing a website, just click on the extension icon and it will display details of the current domain, including whois data, domain and IP address, exposed ports, and more. You can also open the site on the Netlas website by clicking "View on Netlas", as shown in the screenshots below.
It also has a special Smart Logo feature, which is really cool, but it's not available in the free plan; it's limited to the plans that support CVE search.
That's it for this blog, and that's it for today. Tomorrow we will be learning about something new and cool. Guess what it could be and tell us in the comments.
If I missed something, let me know so we can cover that topic or point in upcoming blogs.