Domain, IP, and DNS analysis forms the backbone of technical OSINT investigations. Start with passive sources (certificate logs, historical DNS) before running active enumeration.

Core tools

| Objective | Tool | Quick Command |
| --- | --- | --- |
| Subdomains | Amass | `amass enum -d target.com -o subs.txt` |
| Certificates | CRT.sh | `curl "https://crt.sh/?q=%25.target.com&output=json"` |
| Historical DNS | SecurityTrails | Free API 50/month |
| Neighbor IPs | BGP.he | CIDR |
| Reputation | VirusTotal | `vt ip_info <ip>` |
| Quick scan | Nmap-online | no VPN |
| Subdomains | Subdomain Center | https://www.subdomain.center |
| Subdomains | SubdomainRadar | https://www.subdomainradar.io |
| Historical DNS | DNSTrails | https://dnstrails.com/ |
| Historical DNS | DNS History | http://dnshistory.org |
| Reputation | Talos | https://www.talosintelligence.com/ |
| Scan | Binary Defense | https://www.binarydefense.com/banlist.txt |
| BGP Ranking | CIRCL BGP | https://bgpranking.circl.lu |
| Botnet Tracker | MalwareTech | https://intel.malwaretech.com/ |
| BOTVRIJ.EU | BOTVRIJ | http://www.botvrij.eu/ |

Threat intelligence feeds

The following feeds provide real-time and historical IP/domain reputation data, malware C2 lists, phishing feeds, and certificate intelligence. Integrate these into your investigation workflow to enrich IP and domain findings.
| Feed | Source | URL |
| --- | --- | --- |
| C&C Tracker | Bambenek | http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt |
| CertStream | CertStream | https://certstream.calidog.io/ |
| CCSS Forum | CCSS Forum | http://www.ccssforum.org/malware-certificates.php |
| CI Army List | CINS Score | http://cinsscore.com/#list |
| Cisco Umbrella | Cisco Umbrella | http://s3-us-west-1.amazonaws.com/umbrella-static/index.html |
| Cloudmersive | Cloudmersive | https://cloudmersive.com/virus-api |
| Critical Stack | Critical Stack | https://intelstack.com/ |
| CrowdSec | CrowdSec | https://app.crowdsec.net/ |
| Cyber Cure | Cyber Cure | https://www.cybercure.ai/ |
| Cyware | Cyware | https://cyware.com/community/ctix-feeds |
| DataPlane | DataPlane | https://dataplane.org/ |
| Focsec | Focsec | https://focsec.com |
| DigitalSide | DigitalSide | https://osint.digitalside.it/ |
| Disposable Domains | Disposable Domains | https://github.com/martenson/disposable-email-domains |
| Emerging Threats | Emerging Threats | http://rules.emergingthreats.net/fwrules/ |
| ExoneraTor | ExoneraTor | https://exonerator.torproject.org/ |
| Exploitalert | Exploitalert | http://www.exploitalert.com/ |
| FastIntercept | FastIntercept | https://intercept.sh/threatlists/ |
| Feodo Tracker | Feodo Tracker | https://feodotracker.abuse.ch/ |
| FireHOL | FireHOL | http://iplists.firehol.org/ |
| FraudGuard | FraudGuard | https://fraudguard.io/ |
| Grey Noise | Grey Noise | http://greynoise.io/ |
| Hail a TAXII | Hail a TAXII | http://hailataxii.com/ |
| HoneyDB | HoneyDB | https://riskdiscovery.com/honeydb/ |
| Icewater | Icewater | https://github.com/SupportIntelligence/Icewater |
| Infosec CERT-PA | Infosec CERT-PA | https://infosec.cert-pa.it |
| InQuest Labs | InQuest Labs | https://labs.inquest.net |
| I-Blocklist | I-Blocklist | https://www.iblocklist.com/lists |
| IPsum | IPsum | https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt |
| James Brine | James Brine | https://jamesbrine.com.au |
| Kaspersky Feeds | Kaspersky | https://support.kaspersky.com/datafeeds |
| Maldatabase | Maldatabase | https://malcore.io |
| Malpedia | Malpedia | https://malpedia.caad.fkie.fraunhofer.de/ |
| MalShare | MalShare | http://www.malshare.com/ |
| Maltiverse | Maltiverse | https://www.maltiverse.com/ |
| MalwareBazaar | MalwareBazaar | https://bazaar.abuse.ch/ |
| Malware Domain List | Malware Domain List | https://www.malwarepatrol.net/ |
| MetaDefender | MetaDefender | https://www.opswat.com/developers/threat-intelligence-feed |
| Netlab OpenData | Netlab | https://data.netlab.360.com/ |
| NoThink! | NoThink! | http://www.nothink.org |
| NormShield | NormShield | https://services.normshield.com |
| NovaSense | NovaSense | https://novasense-threats.com |
| Obstracts | Obstracts | https://www.obstracts.com/ |
| OpenPhish | OpenPhish | https://openphish.com/phishing_feeds.html |
| 0xSI_f33d | 0xSI_f33d | https://feed.seguranca-informatica.pt/index.php |
| PhishTank | PhishTank | https://www.phishtank.com/developer_info.php |
| PickupSTIX | PickupSTIX | https://www.celerium.com/pickupstix |
| REScure | REScure | https://rescure.fruxlabs.com/ |
| RST Cloud | RST Cloud | https://rstcloud.net/ |
| Rutgers IPs | Rutgers | https://report.cs.rutgers.edu/mrtg/drop/dropstat.cgi?start=-86400 |
| SANS ICS | SANS ICS | https://isc.sans.edu/suspicious_domains.html |
| SecurityScorecard | SecurityScorecard | https://github.com/securityscorecard/SSC-Threat-Intel-IoCs |
| Stixify | Stixify | https://www.stixify.com/ |
| signature-base | signature-base | https://github.com/Neo23x0/signature-base |
| Spamhaus | Spamhaus | https://www.spamhaus.org/ |
| Sophos Intelix | Sophos | https://www.sophos.com/intelix |
| Spur | Spur | https://spur.us |
| SSL Blacklist | SSL Blacklist | https://sslbl.abuse.ch/ |
| Statvoo | Statvoo | https://statvoo.com/dl/top-1million-sites.csv.zip |
| Strongarm | Strongarm | https://strongarm.io |
| SIEM Rules | SIEM Rules | https://www.siemrules.com |
| Talos | Talos | https://www.talosintelligence.com/ |
| threatfeeds.io | threatfeeds.io | https://threatfeeds.io |
| threatfox | threatfox | https://threatfox.abuse.ch/ |
| Technical Blogs | Technical Blogs | https://www.threatconnect.com/blog/ingest-technical-blogs-reports/ |
| Threat Jammer | Threat Jammer | https://threatjammer.com |
| ThreatMiner | ThreatMiner | https://www.threatminer.org/ |
| ThreatPipes | ThreatPipes | https://www.threatpipes.com |
| ThreatExchange | ThreatExchange | https://developers.facebook.com/docs/threat-exchange/ |
| TypeDB CTI | TypeDB CTI | https://github.com/typedb-osi/typedb-cti |
| VirusBay | VirusBay | https://beta.virusbay.io/ |
| threatnote.io | threatnote.io | https://github.com/brianwarehime/threatnote |
| XFE | XFE | https://exchange.xforce.ibmcloud.com/ |
| Yeti | Yeti | https://yeti-platform.github.io/ |
| 1st Dual Stack | 1st Dual Stack | https://IOCFeed.mrlooquer.com/ |
| Yara-Rules | Yara-Rules | https://github.com/Yara-Rules/rules |
| VirusShare | VirusShare | https://virusshare.com/ |
| CIRCL PDNS | CIRCL PDNS | https://www.circl.lu/services/passive-dns |
| InTheWild | InTheWild | https://inthewild.io |
| 360 Quake | 360 Quake | https://quake.360.net |
| Cloudflare Radar | Cloudflare Radar | https://radar.cloudflare.com/traffic |
| Validin | Validin | https://app.validin.com |
| OSV | OSV | https://osv.dev |
| Coalition ESS | Coalition ESS | https://ess.coalitioninc.com |
| Certs | Certs | https://certs.io |
| CastrickClues | CastrickClues | https://castrickclues.com |
| TheWebCo | TheWebCo | https://thewebco.ai |

Google Dorks for domains

site:*.target.com filetype:pdf
site:*.target.com intitle:"dashboard"
site:*.target.com intext:"confidential"
