Web Search searches online data to help you find suspicious websites, hidden files, or domain details. It allows you to search websites, dark web pages, and more to uncover risks such as fake sites or exposed files.
Our Web Search feature searches the following data sources:
Datasources | Description |
|---|---|
Web Search | Searches website content and SSL certificates to identify risk fraudulent sites |
Dark Web Search | Queries Tor network sites to uncover hidden content, such as scam pages |
Open Directory Search | Finds publicly accessible folders that host files, such as executables |
Banner Search | Examines non-web services (e.g., SSH or DNS) for configuration details |
WHOIS Search | Reveals who owns a domain and when it was registered |
Web Search
The Web Search datasource retrieves data from website content and SSL certificates, making it useful for detecting phishing or misconfigured sites. Community users can use it to monitor for fraudulent websites mimicking trusted brands.
Example: Detect PayPal Imposters
This query identified websites using PayPal’s favicon (logo) but hosted on domains other than paypal.com, which may indicate phishing attempts.
favicon_murmur3 = 309020573 AND domain != "http://paypal.com"Example: Monitor certificate expiration
The query identifies websites with SSL certificates expiring within the next 24 hours, potentially indicating neglected or risky sites.
ssl.not_after > "now" AND ssl.not_after < "now+1d"Dark Web Scan
The dark web scan data source searches content on the Tor network, helping users identify hidden sites that may host fraudulent or malicious content.
Example: Find PayPal-related scams
This query locates dark web sites with “PayPal” in their titles, which could indicate scam or phishing pages.
datasource = ["torscan"] AND htmltitle = "*paypal*"Example: Identify ransomware sites
This query searches for dark websites with “ransomware” in their titles. such as leak sites.
datasource = ["torscan"] AND htmltitle = "*ransomware*"Example: Western Union
If you stack Web Scan, Browser Scan, and Dark Web Scan data sources together, you can return information about IPs with server titles that contain “Western Union” across both the surface web and the dark web.
datasource = ["browserscan", "webscan", "torscan"] AND htmltitle = "*Western Union*"Open Directory Scan
The Open Directory Scan data source identifies public folders hosting files, which can reveal unintended exposures, such as executable files.
Example: Find Cloudflare-hosted executables
This query loads .exe files in open directories hosted on Cloudflare’s network (ASN 13335)
datasource = ["opendirectory"] AND name = "*exe" AND geoip.asn = 13335Example: Detect recent Mimikatz files
This query finds instances of the Mimikatz credential-dumping tool uploaded in the last 30 days.
datasource = ["opendirectory"] AND name = "mimikatz.exe" AND scan_date >= "now-30d"Use this to monitor for tools commonly used by attackers.
Banner Scan
The Banner Scan data source examines non-HTTP services, such as SSH or DNS, to reveal their configurations and versions.
Example: Identify OpenSSH servers
This query finds IPs running OpenSSH 9.8 on the default SSH port (22)
datasource = ["services"] AND port = 22 AND banner = "SSH-2.0-OpenSSH_9.8"Example: Locate PowerDNS servers
This query identifies DNS servers running PowerDNS on port 53.
datasource = ["services"] AND port = 53 AND banner = "*PowerDNS*"WHOIS Scan
The WHOIS Scan data source retrieves domain registration details, enabling users to confirm who owns a domain and when it was registered.
Example: Find Squarespace domains
This query identifies domains registered through Squarespace with unredacted owner names.
datasource = ["whois"] AND registrar = "Squarespace Domains LLC" AND name != "REDACTED FOR PRIVACY"Example: Identify Crowdstrike domains
This query finds domains containing “crowdstrike” registered by CrowdStrike, Inc.
datasource = ["whois"] AND domain = "*crowdstrike*" AND organization = "CrowdStrike, Inc."Important: When you run a query in Web Scanner, you can stack Web Scan, Browser Scan, and Dark Web Scan data sources together in pairs or all together. You cannot stack or combine Open Directory Scan, Banner Scan, or WHOIS Scan data sources together.
Combine data sources for broader searches
By combining Web Scan, Browser Scan, and Dark Web Scan data sources, you can retrieve information about IPs with server titles including “Western Union” from both the surface web and the dark web.
datasource = ["browserscan", "webscan", "torscan"] AND htmltitle = "*Western Union*"