Our Web Scanner feature searches the following datasources:
Datasources | Description |
---|---|
Web Scan | Raw web and certificate content. |
Dark Web Scan | Dark web infrastructure from the Tor browser. |
Open Directory Scan | Open directories and their files. |
Banner Scan | Non-HTTP services and their banners. For example, SSH and DNS. |
WHOIS Scan | Domain registration and change information from WHOIS. |
Web Scan
Our Web Scan datasource retrieves information from raw web and certificate content.
Example
Use the Web Scan datasource in Web Scanner to return data about IPs with web servers using PayPal's favicon that are not on PayPal's domain.
Query example:
favicon_murmur3 = 309020573 AND domain != "paypal.com"
Example
You can also use the Web Scan datasource in Web Scanner to return information about IPs with certificates with expiration dates that occur in the next 24 hours.
Query example:
ssl.not_after > "now" AND ssl.not_after < "now+1d"
Dark Web Scan
Our Dark Web Scan datasource retrieves information from dark web infrastructure, collected through the Tor browser.
Example
Use the Dark Web Scan datasource in Web Scanner to return information about dark web websites that reference “paypal” in their title.
Query example:
datasource = ["torscan"] AND htmltitle = "*paypal*"
Example
You can also use the Dark Web Scan datasource in Web Scanner to return information about dark web sites associated with ransomware. For example, leak sites.
Query example:
datasource = ["torscan"] AND htmltitle = "*ransomware*"
Important!: When you run a query in Web Scanner, you can stack Web Scan, Browser Scan, and Dark Web Scan datasources together in pairs or all together. You cannot stack or combine Open Directory Scan, Banner Scan, or WHOIS Scan datasources together.
Example
If you stack Web Scan, Browser Scan, and Dark Web Scan datasources together, you can return information about IPs with server titles that contain “Western Union” across both the surface web and the dark web.
Query example:
datasource = ["browserscan", "webscan", "torscan"] AND htmltitle = "*Western Union*"
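Added example (not part of the original documentation or the product's own code): a Python helper that composes query strings in the syntax shown on this page and rejects datasource combinations the stacking rule above does not allow. The function names are hypothetical, the datasource identifiers are the ones used in this page's query examples, and the helper only builds strings; it does not call any API.

```python
# Hypothetical helper names; datasource identifiers are taken from this page's queries.
STACKABLE = {"webscan", "browserscan", "torscan"}    # may be combined with each other
STANDALONE = {"opendirectory", "services", "whois"}  # must be queried on their own
OPERATORS = {"=", "!=", ">", "<", ">="}              # only operators shown on this page


def check_stack(datasources):
    """Return the de-duplicated datasource list if the stacking rule allows it."""
    ds = list(dict.fromkeys(datasources))  # drop duplicates, keep order
    unknown = [d for d in ds if d not in STACKABLE | STANDALONE]
    if unknown:
        raise ValueError(f"unknown datasource(s): {unknown}")
    blocked = [d for d in ds if d in STANDALONE]
    if len(ds) > 1 and blocked:
        raise ValueError(f"{blocked} cannot be stacked with other datasources")
    return ds


def _literal(value):
    """Render a condition value: numbers bare, strings double-quoted."""
    if isinstance(value, bool):
        raise TypeError("boolean values are not covered by this example")
    if isinstance(value, (int, float)):
        return str(value)
    if '"' in value:
        raise ValueError("escaping of double quotes is not documented on this page")
    return f'"{value}"'


def build_query(datasources, conditions):
    """conditions: iterable of (field, operator, value) tuples, joined with AND.

    An empty datasource list omits the clause, as this page's Web Scan examples do.
    """
    parts = []
    ds = check_stack(datasources)
    if ds:
        parts.append("datasource = [" + ", ".join(f'"{d}"' for d in ds) + "]")
    for field, op, value in conditions:
        if op not in OPERATORS:
            raise ValueError(f"operator {op!r} does not appear in this page's examples")
        parts.append(f"{field} {op} {_literal(value)}")
    return " AND ".join(parts)


if __name__ == "__main__":
    print(build_query(["browserscan", "webscan", "torscan"],
                      [("htmltitle", "=", "*Western Union*")]))
```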
Open Directory Scan
Our Open Directory Scan datasource retrieves information from open directories and their files.
Example
Use the Open Directory Scan datasource in Web Scanner to return information about open directories that contain .exe executables that are hosted by Cloudflare ASN 13335.
Query example:
datasource = ["opendirectory"] AND name = "*exe" AND geoip.asn = 13335
Example
You can also use the Open Directory Scan datasource in Web Scanner to return information about Mimikatz credential dumpers that have been discovered in the last 30 days.
Query example:
datasource = ["opendirectory"] AND name = "mimikatz.exe" AND scan_date >= "now-30d"
Banner Scan
Our Banner Scan datasource retrieves information from non-HTTP services and their banners. For example, SSH and DNS.
Example
Use the Banner Scan datasource in Web Scanner to return information about IPs that run OpenSSH 9.8 on default SSH port 22.
Query example:
datasource = ["services"] AND port = 22 AND banner = "SSH-2.0-OpenSSH_9.8"
Example
You can also use the Banner Scan datasource in Web Scanner to return information about IPs that run PowerDNS on DNS servers hosted on port 53.
Query example:
datasource = ["services"] AND port = 53 AND banner = "*PowerDNS*"
WHOIS Scan
Our WHOIS Scan datasource retrieves domain registration and change information from WHOIS.
Example
Use the WHOIS Scan datasource in Web Scanner to return information about domains that are registered through Squarespace with registrants that have not redacted their names.
Query example:
datasource = ["whois"] AND registrar = "Squarespace Domains LLC" AND name != "REDACTED FOR PRIVACY"
Example
You can also use the WHOIS Scan datasource in Web Scanner to return information about domains that contain “crowdstrike” and are registered by CrowdStrike.
Query example:
datasource = ["whois"] AND domain = "*crowdstrike*" AND organization = "CrowdStrike, Inc."