Domains, more than almost any other target, have one of the largest assortments of associated data points. The most important that we will look for out of this section is the Registration data, the hosting data, site information, archived data, and analytics.
Domain.html is a tool that allows us to research multiple data points associated with a domain that might be handy during an investigation.
  • Registration Data - This tool will check the domain for whois based registration data against multiple sources to get the most up to date data.
  • Hosting Data - This is the information that shows which provider is physically hosting the domain. Be sure to look for indicators if the target domain is hosted by a hosting provider, or self hosted by your target.
  • Exposed Data - Any information that may be exposed to the public. (Other sources are better)
  • Archive Data - When researching a domain, sometimes you can find older cached or saved versions of the website that may yield valuable information. These include Google Cache,, and the WayBack Machine.
  • Analytics data - This is a grab bag of handy searches, ranging from general site details and analytics, to similar sites on the web, or checks for backlinks to from other sites.
  • Threat Data - Discussed under the Blue - Threat Data section
  • Shortened URL metadata.

Domain Toolboxes

These next few tools are collections of utilities focused around domains. Some can be used for research on other network artifacts like IP addresses and email records, but DNS records and domain related metadata is really where they shine.
  • ​ViewDNS - Huge toolbox with various utilities for enumerating information about a domain.
  • ​DNSDumpster - Free domain research tool that can discover hosts related to a domain.
  • ​MXToolbox - Checks MX information for the given domain
  • ​W3DT - W3dt.Net is an online network troubleshooting site dedicated to providing relevant real-time data regarding networks, websites and other technical resources.
  • ​DNSLytics - Find out everything about a domain name, IP address or provider. Discover relations between them and see historical data. Use it for your digital investigation, fraud prevention or brand protection.
  • ​HostSpider - Command line tool that gathers tons of information about a domain including DNS records, subdomains, WHOIS, Cloudflare IP, and more!

Whois Vs. RDAP

Whois is a great tool for gathering registration data for IP addresses and domains. The only problem with it is that there is not a clearly defined structure to organize registration data points and keep them maintained. Enter RDAP. A new Standard as of 2019, RDAP lookups will quickly replace WHOIS lookups.


There are tons of highly effective tools for subdomain enumeration and brute forcing, but they can be quite noisy. During the Passive Recon phase of a penetration test, we can start with any subdomains recorded by other sources to plan out our attack/test.
  • ​ - Project Crobat: Rapid7's DNS Database easily searchable via a lightening fast API, with domains available in milliseconds.
  • ​censys-subdomain-finder - This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys.
  • ​ctfr - Abusing Certificate Transparency logs for getting HTTPS websites subdomains.
  • ​Sublist3r - Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS.
  • ​puredns - Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.

Domain Certificates

Domain Certificates are an interesting and useful item to research when mapping out a target domain. Beyond the various attacks that can be performed by exploiting these certificates, looking up the domain certificates can lead to discovery of hosts, sub-domains, and related targets that were previously undiscovered.

Web Site Change Tracking

Some times a target will change a website and you will want to be notified right away, usually to see what has changed and how you can exploit it.
  • ​Follow that page - Follow That Page is a change detection and notification service that sends you an email when your favorite web pages have changed.
  • ​Visual Ping - Tool that can track multiple different kinds of changes in a particular webpage and alert on specific conditions.

URL Shortening and Redirections

Browser Proxy/Simulator

For when you want to look at a site, without interacting with it.
  • ​ - With Wannabroser you can have a look at the HTML-source code of any website from the view of any User-Agent you like. It's even possible to detect simple cloaking using Wannabrowser if the cloaking is just based on the visiting User-Agent.
  • ​ - Used for browser testing, but can be used for safely looking at various sites.
  • ​ - Capture snapshots of any website

Misc. Utilities

  • ​DNPedia - Domain Name Solutions, Statistics, Scripts, News and Tools
  • ​ - Obtain network information from F-Secure API.
  • ​Google's Online Dig command - Online version of the Dig command
  • ​SimilarWeb Traffic Analytics - Compare meta data about domains and traffic to other elements on the web
  • ​Backlink Checker - Tool to easily monitor backlinks for a particular domain.
  • ​DomLink - DomLink is a tool that uses a domain name to discover organization name and associated e-mail address to then find further associated domains.
  • ​ - Easily breakdown and visualize the elements of a URL link.
  • ​r3con1z3r - R3con1z3r is a lightweight Web information gathering tool with an intuitive features written in python. it provides a powerful environment in which open source intelligence (OSINT) web-based footprinting can be conducted quickly and thoroughly.
  • ​emailharvester - A tool to retrieve Domain email addresses from Search Engines.
  • ​ - getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. Inspired by Tomnomnom's waybackurls.
  • ​lbd - Checks if a given domain uses load-balancing.
  • ​Metagoofil - Tool for extracting metadata out of public documents.
  • ​ - This tool lists which web files on a website are cached and which are not. Furthermore it checks by which method these files are cached and what the expiry time of the cached files is.
  • ​CloudFlair - Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.
  • ​cf-check - Check an Host is Owned by CloudFlare.
  • ​AnalyticsRelationships - Get related domains / subdomains by looking at Google Analytics IDs