How to use urlscan.io

Main News

How to use URLSCAN part2

Bangaly Koita 2 years ago

This is the part 2 of How to use URLSCAN part1 – osintafrica

Now, let’s move further, we can see in blue color, 11 menus available.

Now we will describe the utility of each menu

Summary

Click on the “Summary button” to find more details about the menu.

The menu contains all details about the submitted domain.

When you look at the image above, the following details are visible:

The number of domains and IPs that were contacted by the submitted domain.

The main IP address with location and the domain hosting provider are also available.

The certificate detail used by the website with his validity period.

The website was scanned 3 times

Show scan

This submenu will show you the number of times the domain has been already scanned. You can click on each scan to have more details such as how the domain looks at the time it was scanned, the IP address, ASN behind the domain at the time it was scanned.

Domain classification

The second part of the Summary menu is the classification of the domain provided by Google Safe Browsing.

The image above shows that Google Safe Browsing classified the domain as “No classification” which means that the domain is cleaned following the rating score available on Google Safe Browsing.

Domain and IP information

7 submenus are available at the section.

The menu IP/ASNs contains the information about all the IPs addresses contacted by the domain while being submitted with their ASN (Autonomous System Number).

You can click on each IP address and ASN to find more information.

The submenus “IP Detail” and “Domains” and “Domain Tree” contain some information about the IPs and the domains contacted by the submitted domain. You can click on each section to see the information available.

The submenu “LINK” contains all the link redirecting to others domains or URLS.

You can click on each link to get more details about.

The submenu “Certs” contains the list of all certificates used by the submitted domain with the validity period.

You can click on the crt.sh on the right side to get more details about the certificate

The submenu “Frames” will show you if the website is using any URL Frames.

Image

After describing different submenus from the Summary, from the right side, once the domain has been submitted, the main image from the website will appear in real time.

We can see how the website behind the domain submitted looks like. This is very important during an investigation, for example when you are analysing a phishing issue, it is necessary to view the website without connecting directly to it.

You can click on “Live screenshots” and “Full Image” to have better visibility of the image.

Detected technologies

Here, we can find some technologies used by the domain. Notice that this is very important for you as analyzer. For example, When the website is compromised, the threat actor might embed a malicious code into the website, by checking this, you might find out the malicious code embedded within your website, checking this, can also help you to find some technologies that need to be updated or are not in used anymore.

Page Statistics

This section shows you the whole details about the submitted URL such as HTTP request, domains, subdomains, cookies, IP etc …

Part 3 (How to use URLSCAN part3 – osintafrica)

Main News

How to use URLSCAN

Bangaly Koita 2 years ago

URLSCAN is used to perform different types of web scan and also to analyze different IOCs such as IP address, domains, Hashes, filenames and others.

URLSCAN is a tool used by different security teams such as Security Analyst, Cyber Threat Intelligence, Threat Hunting, Incident response team and others.

The tool is divided in 2 versions (community version and paid version).

We will talk about the community version that is available for free.

In order to connect to the Web application, you need to type the domain (urlscan.io), once you connect to the domain, you will get to the following screen.

In our case, we need two menus (Home and Search)

HOME

Once we click on this menu, we can see the scanned queried by the users from different locations.

By default, the tool is showing the public scan mode, if you want to leave the default mode and scan anything, the scan will be visible by everyone.

So, we advise you to click on option and used the private mode if you do not want other people to see the query you entered, this option can also help to avoid alerting the threat actor about your findings.

URLSCAN can anonymize your identity.

Examples:

If you want to hide your location, you can click on “country selection” or auto (be aware that the Country selection for the private mode works only on the Commercial plans.)
You can change the “User Agent”. For example, if the website you want to scan is for the mobile phone – you can choose one of the Android User Agent.

You can also customize your own User Agent.

The “HTTP referer” can be used to custom the HTTP header before scanning.

Now, lets scan in a private mode a URL in hazard and analyze its behavior.

After submitting the URL, we can see the IP address 151.101.129.140 from the submitted URL following the submitted URL and the effective information.

From the right side, we can see 5 menus.

The menu “Lookup” will direct you to find different tools such as (Virus Total, crt.sh, Riskiq …). The tools can help you find more details about the submitted domain (click on each of them to learn more about).

The option “Go To” will bring you to the domain submitted webpage (be careful before you click on it in case it is a malicious domain, you might be compromised).

The option “Rescan” is used to rescan the submitted URL.

The option “Add Verdict” and “Report” are used to add some comments about the submitted domain and contains some details about the scan report.

The next part is described in the part 2 (How to use URLSCAN part2 – osintafrica)