Web Scanner Datasources


Web Scanner searches online data to help you find suspicious websites, hidden files, or domain details. It allows you to search websites, dark web pages, and more to uncover risks such as fake sites or exposed files.

Our Web Scanner feature searches the following data sources:

| Datasources | Description |
|---|---|
| Web Scan | Searches website content and SSL certificates to identify risks like fraudulent sites. |
| Dark Web Scan | Queries Tor network sites to uncover hidden content, such as scam pages. |
| Open Directory Scan | Finds publicly accessible folders that host files, such as executables. |
| Banner Scan | Examines non-web services (e.g., SSH or DNS) for configuration details. |
| WHOIS Scan | Reveals who owns a domain and when it was registered. |

Web Scan

The Web Scan datasource retrieves data from website content and SSL certificates, making it useful for detecting phishing or misconfigured sites. Community users can use it to monitor for fraudulent websites mimicking trusted brands.

Example: Detect PayPal Imposters

This query identifies websites using PayPal’s favicon (logo) but hosted on domains other than paypal.com, which may indicate phishing attempts.

favicon_murmur3 = 309020573 AND domain != "paypal.com"

This helps users spot potential scams by filtering for non-legitimate domains.
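An added example (not part of the original page or the product's own code) showing how a favicon hash like the one in the query can be produced for a brand you monitor, and how to post-filter results so that subdomains of the legitimate domain are not flagged. It assumes the common convention of a signed 32-bit MurmurHash3 over the base64-encoded icon bytes, which this page does not confirm; the record field names are taken from the query, and the icon bytes and hostnames are constructed.

```python
import base64

MASK = 0xFFFFFFFF

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def _mix_k(k):
    return (_rotl((k * 0xCC9E2D51) & MASK, 15) * 0x1B873593) & MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit integer."""
    h, n = seed & MASK, len(data)
    body = n - n % 4
    for i in range(0, body, 4):  # full 4-byte little-endian blocks
        k = int.from_bytes(data[i:i + 4], "little")
        h = (_rotl(h ^ _mix_k(k), 13) * 5 + 0xE6546B64) & MASK
    if n % 4:  # 1-3 trailing bytes: mixed in without the rotate/add step
        h ^= _mix_k(int.from_bytes(data[body:], "little"))
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon: bytes) -> int:
    # Assumption: the hash covers the icon's base64 text as encodebytes emits it.
    return murmur3_32(base64.encodebytes(icon))

def imposters(records, brand_hash, legit_domain):
    """Hosts showing the brand favicon outside legit_domain and its subdomains."""
    hits = []
    for r in records:
        host = r["domain"].lower().rstrip(".")
        owned = host == legit_domain or host.endswith("." + legit_domain)
        if r["favicon_murmur3"] == brand_hash and not owned:
            hits.append(host)
    return hits

# Constructed sample data: icon bytes and hostnames are made up.
BRAND = favicon_hash(b"\x00\x00\x01\x00constructed-favicon-bytes")
SAMPLE = [
    {"domain": "example-brand.test", "favicon_murmur3": BRAND},
    {"domain": "login.example-brand.test", "favicon_murmur3": BRAND},
    {"domain": "example-brand-secure.test", "favicon_murmur3": BRAND},
    {"domain": "unrelated.test", "favicon_murmur3": 12345},
]
```

Calling `imposters(SAMPLE, BRAND, "example-brand.test")` keeps only the lookalike host and drops both the brand's own domain and its `login.` subdomain.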

Example: Monitor certificate expiration

This query finds websites with SSL certificates expiring within the next 24 hours, which may signal neglected or risky sites.

ssl.not_after > "now" AND ssl.not_after < "now+1d"

Use this to check the certificate status of sites you manage or monitor.

Dark Web Scan

The Dark Web Scan datasource searches content on the Tor network, helping users identify hidden sites that may host fraudulent or malicious content.

Example: Find PayPal-related scams

This query locates dark web sites with “paypal” in their titles, which could indicate scam or phishing pages.

datasource = ["torscan"] AND htmltitle = "*paypal*"

This is useful for researching potential fraud targeting your community.

Example: Identify ransomware sites

This query searches for dark web sites with “ransomware” in their titles, such as leak sites.

datasource = ["torscan"] AND htmltitle = "*ransomware*"

Use this to stay informed about emerging threats.

Example: Western Union

If you stack Web Scan, Browser Scan, and Dark Web Scan datasources together, you can return information about IPs with server titles that contain “Western Union” across both the surface web and the dark web.

datasource = ["browserscan", "webscan", "torscan"] AND htmltitle = "*Western Union*"

Open Directory Scan

The Open Directory Scan datasource identifies public folders hosting files, which can reveal unintended exposures, such as executable files.

Example: Find Cloudflare-hosted executables

This query locates .exe files in open directories hosted on Cloudflare’s network (ASN 13335).

datasource = ["opendirectory"] AND name = "*exe" AND geoip.asn = 13335

This helps identify potentially risky files accessible online.

Example: Detect recent Mimikatz files

This query finds instances of the Mimikatz credential-dumping tool uploaded in the last 30 days.

datasource = ["opendirectory"] AND name = "mimikatz.exe" AND scan_date >= "now-30d"

Use this to monitor for tools commonly used by attackers.

Banner Scan

The Banner Scan datasource examines non-HTTP services, such as SSH or DNS, to reveal their configurations and versions.

Example: Identify OpenSSH servers

This query finds IPs running OpenSSH 9.8 on the default SSH port (22).

datasource = ["services"] AND port = 22 AND banner = "SSH-2.0-OpenSSH_9.8"

This is useful for auditing service configurations on your network.

Example: Locate PowerDNS servers

This query identifies DNS servers running PowerDNS on port 53.

datasource = ["services"] AND port = 53 AND banner = "*PowerDNS*"

Use this to verify DNS server setups.

WHOIS Scan

The WHOIS Scan datasource retrieves domain registration details, enabling users to confirm who owns a domain and when it was registered.

Example: Find Squarespace domains

This query identifies domains registered through Squarespace with unredacted owner names.

datasource = ["whois"] AND registrar = "Squarespace Domains LLC" AND name != "REDACTED FOR PRIVACY"

Example: Identify CrowdStrike domains

This query finds domains containing “crowdstrike” registered by CrowdStrike, Inc.

datasource = ["whois"] AND domain = "*crowdstrike*" AND organization = "CrowdStrike, Inc."

Use this to confirm domain authenticity.

Important

When you run a query in Web Scanner, you can stack Web Scan, Browser Scan, and Dark Web Scan data sources together in pairs or all together. You cannot stack or combine Open Directory Scan, Banner Scan, or WHOIS Scan data sources together.

Combine Datasources for Broader Searches

Users can combine Web Scan, Browser Scan, and Dark Web Scan data sources to search across surface and dark web data simultaneously.

Example: Search for Western Union references

This query searches for “Western Union” in server titles across Web Scan, Browser Scan, and Dark Web Scan.

datasource = ["browserscan", "webscan", "torscan"] AND htmltitle = "*Western Union*"
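An added example (not part of the original page or the product's own tooling) that lints saved queries against the stacking rule in the Important note before they are run. It reads the rule as: any query naming `opendirectory`, `services` or `whois` must name that datasource alone; that reading, the function names and the two failing queries are assumptions made for this example.

```python
import re

# Datasource identifiers as they appear in this page's example queries.
STACKABLE = {"webscan", "browserscan", "torscan"}
STANDALONE = {"opendirectory", "services", "whois"}

def datasources_in(query):
    """Return the names listed in a `datasource = [...]` clause, or []."""
    m = re.search(r'datasource\s*=\s*\[([^\]]*)\]', query)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def check_stacking(query):
    """Return (ok, reason) for one query under the stacking rule."""
    names = datasources_in(query)
    unknown = [n for n in names if n not in STACKABLE | STANDALONE]
    if unknown:
        return False, "unknown datasource: " + ", ".join(unknown)
    solo = [n for n in names if n in STANDALONE]
    if solo and len(set(names)) > 1:
        return False, solo[0] + " cannot be stacked with other datasources"
    return True, "ok"

def lint(queries):
    """Return {query: reason} for every query that breaks the rule."""
    return {q: why for q in queries for ok, why in [check_stacking(q)] if not ok}

# First two queries are from this page; the last two are constructed to fail.
SAVED = [
    'datasource = ["browserscan", "webscan", "torscan"] AND htmltitle = "*Western Union*"',
    'datasource = ["whois"] AND domain = "*crowdstrike*" AND organization = "CrowdStrike, Inc."',
    'datasource = ["whois", "services"] AND port = 53',
    'datasource = ["opendirectory", "webscan"] AND name = "mimikatz.exe"',
]

for query, reason in lint(SAVED).items():
    print(reason, "<-", query)
```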