Checking sites without visiting and recon tools

[digip]

So recently someone posted multiple posts on the forums looking to phish some info, get their parked domain some page rank while serving ads on their site. This is common with spam and we're pretty used to it around here. It is to be expected that automated spam will hit the forums, but also often used when serving malware to unsuspecting users and can inject on the fly, depending on what they see from your USER-AGENT in the browser, to users who visit the links posted on our forums. Most of us have our ways of inspecting links and are tech savvy enough to know not to fall for these scams, but some people just click shit anyway. For those who like to click all the things(I know I do, but hey, I click everything..what could go wrong) this post will be useful for those who don't already have an idea how to inspect a site on their own, without giving up their own IP in the process.

If you want some basic info on these links, a shortened url, email address, etc there are plenty of online tools you can use that can safeguard you from having to ever visit the site in the first place, while comparing multiple site crawlers and malware indexers to do the work for you.

I use a few of these directly in my browser's address bar to check against site's I don't trust or want to inspect without visiting(I do this by way of shortcuts built into my browser's search features). Share your own written tools/scripts for your domains or other online sites you use, to do the same in the posts below if you have any you use yourself. I'm curious as to what others use and looking to add more to my own list of tools. Most of these are probably well known, but still, it gets the ball rolling..

First tool is easy enough. LMGTFY. No seriously, Google it. Example:

http://www.google.com/safebrowsing/diagnostic?site=google.com

Just replace the url for "site=google.com" with whatever you want to inspect. If google has crawled it, it will give you some basic info it knows, if it deems it safe, and what it has seen over the last 90 days. You can then drill down to the AS and see if the antonymous system it sits on is known for serving malware on other shared domains from the same system, but not a direct indicator for the domain itself as being bad, which the first link should tell you about if it's not blocked by the site's robots.txt file or other methods. This is hit or miss, but still a useful inspector for quick checks.

Next, what if you get a shortened URL, and want to know where it's going. TinyURL has a feature to de-cloak their shortened URL's but others like bitly and such do not. You can use wget with debug logging on to crawl it, and never download anything, but in doing so, you're going to be giving the site your IP address. If from your hosted domain, then no biggy, but from home, probably not a good idea to poke from.

Without having to visit a site, you can use the W3 validator to not only view the source code of the site and parse it yourself, but also see what it loads before it redirects, since it usually will not follow redirects other than server side pushes. It will not execute javascript or any code, and lets you see what the shortened URL is going to send you to.

ex:

 http://validator.w3.org/check?uri=google.com&charset=(detect+automatically)&fbc=1&doctype=Inline&fbd=1&group=0&ss=1&outline=1

Just change google to any URL you want. (Visiting the site you can paste in any URL with settings of your choice).

I have shortcuts in Opera, that let me type "vs site.com" (vs to view source) and it automatically submits it for me, which I also do for other links above and following...(to use the shortcut feature via "vs site.com", enter a new search engine in Opera, give it a prefix, and add the site you want to use and the %s query at the end for what you want to submit. If the site uses a POST vs a GET, inspect the form for the URL and POST data names to create a URL manually, then check the box for POST to send the data over)

OpenDNS. Who doesn't love OpenDNS? They have a feature not many people know about, but you can check a URL for user submitted and their own crawler checks against domains for spam, etc. EX:

https://domain.opendns.com/google.com

Again, just change google with the URL of your choosing.

TCP Utils - ex:

http://www.tcpiputils.com/browse/domain/google.com

Adsense and Google Analytic tracking, Microsstat (ie: "UA-15589237-1" or a domain name) - ex:

http://www.mustat.com/google.com

Multi scanners with various info from Whois, to email blacklist checkers:

http://smart-ip.net/check-email
http://www.urlvoid.com/scan/google.com
http://www.dnscook.net/
http://mxtoolbox.com/SuperTool.aspx

Google's own VirustTotal can scan URL's as well - ex:

https://www.virustotal.com/en/domain/google.com/information/'>https://www.virustotal.com/en/domain/google.com/information/

Web of Trust (WOT) which has add-ons for the browser, but not needed - ex:

https://www.mywot.com/en/scorecard/google.com

Phishing and scamming sites often posting things like the one today, looking for jobs and similar postings, can sometimes be found on other forums by people who post their own findings. One such site is

https://www.scamwarners.com/forum/search.php

which if you paste a URL in quotes, you might find results containing the URL, such as email addresses associated with the domain, warnings and other info people have discovered and posted about the domain. User driven, not 100% accurate, but even today's spam URL was found on their forums as being malicious with a list of emails found for it.

Malware/virii/executable scanners:

http://virusscan.jotti.org/en
https://www.virustotal.com/
http://anubis.iseclab.org/

Those are just a few and I'd have to search my bookmarks for more, but you get the general idea. You can always go with a VPS, and install or write your own tools to do the lookups above, but it's a nice comparison between sites to get a bit of an idea what the rest of the web says about a domain, email address, and real people reviews. There are a lot more tools out there with everything from Spokeo to social networking ranks, but I'm interested in what others use for similar recon on tracking malware, phishing sites and spam email addresses. I didn't mention any tools for tracking or looking up people but that in itself could be its own topic and not really what I am looking for in this thread.

Disclaimer: None of the above is meant to verify the safety of a site or mean a URL is safe to visit after scanning. Use your own judgment before actually visiting the live site if you wish to look further. As Boris Sverdlik says "don't click shit.."

[cooper]

Some pretty good insights there. Thanks for sharing.

As Boris Sverdlik says "don't click shit.."

Hehehe. That reminded me of this episode of "The Website Is Down".

[digip]

I have he first episode of that one downloaded somewhere on my pc.love when he took a screenshot of hia desktop and when he guy callimg tot pissed he moved all the icons he set it as a wallpaper as the fix.

"..desktop arranged by penis.."

Edited March 11, 2015 by digip

[digip]

Another site I just found useful, scanning parts of a pages source code via the indexer, you can lookup things like google analytics and such, but also advertisements and what sites they are seen on, ie:

http://www.matchagainst.com/search?query="9043996592502243"

which is a partial "ca-pub" ad serial number. Useful also if hunting for shells and you know part of the existing code to match against. The above was from some spam on the forums this morning after looking into the post.

Another similar analytic site lookup tool:

http://www.namesense.com/9043996592502243

Edited March 22, 2015 by digip

[digip]

Adding an IPv6 whois lookup tool, https://www.ultratools.com/tools/ipv6InfoResult

example:

https://www.ultratools.com/tools/ipv6InfoResult?ipAddress=2607%3Af8b0%3A400d%3Ac09%3A%3A246