General/Common
Network
Website Analysis
Domains
- WhoXY
- Whois History
- urlscan.io
- Robtex
- Security Trails
- crt.sh
- CompleteDNS History
- DNS Trails
- Geo Data Tool
- SpyOnWeb
- subdomainfinder.c99.nl
- dnsdumpster
- MX Lookup Toolbox
- ViewDNS.info
- WhoIsHostingThis
- Whoisology
Threat
Cryptography
Images
Alternate Search
Code & Reverse Engineering
Search
Virus and Malware Research
Sandboxes
Utilities
Chronology
Images
General
Usernames
Reverse Image Search
Social Media
YouTube
IMs
Telegram
Public Records
Geographic Specific Searches
Air Traffic
Sea/Land
This is a collection of quick cheat sheets containing search engine syntax.
Twitter

Operator | Meaning
---|---
"search phrase" | results with the exact phrase
a OR b | results with either "a", "b", or both
-term | excludes term from results
#hashtag | results containing the hashtag
from:username | sent from @username
to:username | sent to @username
@username | results that reference @username
near:nyc | results geolocated near the named location (or a lat/long pair)
within:15mi | results inside the given radius (only when paired with near:)
since:2010-01-01 | earliest date to search from
until:2014-06-22 | latest date to search up to
source:twitterfeed | tweets posted via the TwitterFeed client (other source names exist; not listed here)
lang:ja | tweets posted in a specific language (ISO 639-1 language code)
:), :(, ? | likely not strict keywords, but may help gauge mood or question results
filter:type | tweets filtered by type; see the filter types below

filter: value | Meaning
---|---
links | results with links
mentions | results with mentions
media | results with media (video, images, etc.)
images | results with images
videos | results with videos
hashtags | results with any hashtag
verified | results from verified users
quote | results that quote other tweets
Adapted from zapier.com
Nmap
Scan types

Flag | Description | Example
---|---|---
-sL | List scan: only resolves DNS for the target list, sends no probes |
-sn | Ping-only scan; shows which hosts are up (formerly -sP) |
-sT | TCP connect scan (default when not running as root) |
-sS | TCP SYN "stealth" scan* (default when privileged, otherwise -sT; requires root if forced) |
-sU -p 111,222,333 | UDP scan on specific ports |
-Pn | Skip host discovery and treat every host as up (will be SLOW) | nmap -Pn -F 192.168.1.1

\* "stealth" is historical; SYN scans are easily detected nowadays.

Targets

Target specification | Description
---|---
nmap 192.168.1.1 | Target a single IP
nmap hostname.tld | Target a hostname
nmap 192.168.1.25-50 | Target a range of IPs
nmap 192.168.1.0/24 | Target a subnet
-iL ip-list.txt | Import a list of targets from a file

Ports

By default, nmap scans the 1000 most commonly used ports.

Flag | Description
---|---
-p 22 | Target a single port
-p 22-80 | Target a range of ports
-p 22,80,443 | Target specific ports
-F | Scans only the 100 most common ports ("fast")
-p- | Scans all 65535 ports (not "fast")

Timing, detection and scripts

Flag | Description
---|---
-T0 to -T5 | Timing template, default -T3: 0 = paranoid [ABSURDLY SLOW], 1 = sneaky [REAL SLOW!], 2 = polite [SLOW], 3 = normal (default), 4 = aggressive [A FAVORITE], 5 = insane
-A | Enable OS detection, version detection, script scanning, and traceroute (same as -O -sV -sC --traceroute)
-sV | Version detection (--version-intensity 0-9, default 7, adjusts how aggressive the probing is)
-sC | Script scan with the default set of scripts. Likely intrusive!
--script <name> | Runs the given script(s): a script filename, a category, or a directory
--script ssl-enum-ciphers | This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether the host accepts or rejects it. The end result is a list of all the cipher suites and compressors that a server accepts.

Output

Flag | Description
---|---
-oN filename.txt | Normal output
-oX filename.xml | XML output
-oG filename.gnmap | Grepable output
-oA basename | All formats at once (normal, XML, grepable)
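The grepable (-oG) format above is the easiest one to post-process from a script. The following Python is an added example, not code from the cheat sheet or from the nmap project: it parses constructed -oG lines (the hosts, ports and banners in SAMPLE_GNMAP are made up), lists the ports nmap reported as open, and flags any open port that is not on a per-host allow-list, the kind of baseline check a defender runs against their own exposed services. The function names (parse_gnmap, open_ports, unexpected_open_ports) are my own.

```python
"""Parse nmap grepable (-oG) output and compare open ports against an allow-list.

Added example; the sample scan output below is constructed, not real data.
"""
import re

# Constructed -oG sample. Each host line is tab-separated "Key: value" fields;
# the Ports field holds comma-separated entries of the form
#   <port>/<state>/<proto>/<owner>/<service>/<rpc info>/<version>/
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.25 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.1.30 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# "Host: <ip> (<name>)<TAB><remaining fields>"; the name may be empty.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"name": str, "ports": [(port, proto, state, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # Status / Ignored State fields carry no port data
            for item in value.split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than crash
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append((int(port), proto, state, service, version))
    return hosts


def open_ports(hosts):
    """Map ip -> sorted list of (port, proto) that nmap reported as open."""
    return {
        ip: sorted((p, proto) for p, proto, state, _s, _v in h["ports"] if state == "open")
        for ip, h in hosts.items()
    }


def unexpected_open_ports(hosts, allowed):
    """Open ports not in the allow-list; allowed maps ip -> set of (port, proto).

    Hosts absent from the allow-list have every open port reported.
    """
    findings = {}
    for ip, ports in open_ports(hosts).items():
        extra = [pp for pp in ports if pp not in allowed.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    scanned = parse_gnmap(SAMPLE_GNMAP)
    baseline = {"192.168.1.1": {(22, "tcp"), (80, "tcp")}}  # constructed allow-list
    for ip, ports in open_ports(scanned).items():
        print(ip, scanned[ip]["name"] or "-", ports)
    print("not in baseline:", unexpected_open_ports(scanned, baseline))
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; because `ip.addr`-style name resolution is not involved, the parser needs nothing beyond the standard library.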
Wireshark

Display Filters
Operator | Meaning | Example
---|---|---
eq / == | Equal | ip.dst == 192.168.1.1
ne / != | Not equal* | ip.addr != 192.168.1.1
gt / > | Greater than | frame.len > 10
lt / < | Less than | frame.len < 10
ge / >= | Greater than or equal | frame.len >= 10
le / <= | Less than or equal | frame.len <= 10
and / && | Match both |
or / \|\| | Match either |
xor / ^^ | One of the two, not both |
not / ! | Negation |
[n] / [n:m] | Slice: selects byte(s) of a field (use `contains` for substring matches) | eth.dst[0]
in {a b c} | Set membership: the field equals any listed value | http.request.method in {"HEAD" "GET"}

\* Prefer `!(ip.addr == 192.168.1.1)` instead: `ip.addr` matches both the source and the destination address, so `ip.addr != x` is true for any packet in which either address differs from x, which is nearly every packet.
Filter | Purpose
---|---
ip.addr == 10.10.50.1 | Filter by IP (src or dst)
ip.dst == 10.10.50.1 | Filter by destination IP
ip.src == 10.10.50.1 | Filter by source IP
!(ip.addr == 10.10.50.1) | Filter out an IP
ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100 | Filter by IP range
ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 | Traffic between two IPs (both must appear; use `or` to match either one)
ip.addr == 10.10.50.1/24 | Filter by subnet
tcp.port == 25 | Filter by TCP port (src or dst)
tcp.dstport == 25 | Filter by destination port
ip.host == "hostname" | Hostname filter
http.host == "hostname" | Filter by HTTP Host header
http.request.method in {"HEAD" "GET"} | Show HEAD and GET HTTP requests
frame.time >= "June 02, 2019 00:00:00" | Filter by timestamp
tcp.flags.syn == 1 and tcp.flags.ack == 0 | Show only SYN packets (excludes SYN-ACK)
wlan.fc.type_subtype == 0x08 | Show only 802.11 beacon frames
eth.dst == de:ad:be:ee:ee:ff | MAC filter
eth.dst != ff:ff:ff:ff:ff:ff | Filter out broadcast
eth.dst[0] & 1 | Filter by multicast (group bit of the first address byte)
tcp.flags.reset == 1 | RST flag filter
tcp.time_delta > .250 | Packets with a delta time > 250 ms within their stream (requires "Calculate conversation timestamps" in the TCP preferences)
frame contains "potato" | Packets containing the string 'potato'
tcp.analysis.flags && !tcp.analysis.window_update | Retransmissions, duplicate ACKs, zero windows, and more; for debugging performance issues
dns, http, ftp, ssh, icmp | Filter by protocol name (type the name alone; examples given)
frame matches "(attachment\|tar\|exe\|zip\|pdf)" | Find file references by type (`matches` takes a regex; `contains` only matches a literal string)
tcp contains "facebook" | Filter traffic by keyword
!(arp or icmp or stp) | Filters out chatter you might not care about
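Several rows above hide semantics that are easy to get wrong: `ip.addr` is a multi-valued field, `eth.dst[0] & 1` is a bit test rather than an equality, and subnet matches apply to either address. The following Python is an added example, not code from the cheat sheet's source or from the Wireshark project: it models those predicates over a handful of constructed packet summaries (plain dicts standing in for dissected frames) so the behaviour can be checked offline. The `ip.addr != x` function reproduces the classic "any occurrence differs" behaviour that the `!=` footnote warns about; newer Wireshark releases changed `!=` on multi-valued fields to mean "all differ", in which case it agrees with `!(ip.addr == x)`. All packet data and function names here are my own.

```python
"""Model a few Wireshark display-filter predicates over constructed packets.

Added example: dicts stand in for dissected frames; none of this is captured traffic.
"""
import ipaddress

# Constructed packet summaries (not a real capture).
PACKETS = [
    {"id": 1, "eth.dst": "de:ad:be:ee:ee:ff", "ip.src": "10.10.50.1",   "ip.dst": "10.10.50.100", "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    {"id": 2, "eth.dst": "de:ad:be:ee:ee:ff", "ip.src": "10.10.50.100", "ip.dst": "10.10.50.1",   "tcp.flags.syn": 1, "tcp.flags.ack": 1},
    {"id": 3, "eth.dst": "ff:ff:ff:ff:ff:ff", "ip.src": "10.10.50.7",   "ip.dst": "10.10.50.255", "tcp.flags.syn": 0, "tcp.flags.ack": 0},
    {"id": 4, "eth.dst": "01:00:5e:00:00:fb", "ip.src": "192.168.1.9",  "ip.dst": "224.0.0.251",  "tcp.flags.syn": 0, "tcp.flags.ack": 0},
]


def ip_addr_values(pkt):
    """ip.addr is multi-valued: it stands for both ip.src and ip.dst."""
    return (pkt["ip.src"], pkt["ip.dst"])


def ip_addr_not_equal(pkt, ip):
    """`ip.addr != x` (classic semantics): true if ANY occurrence differs from x.

    Because nearly every packet has at least one address other than x, this
    matches almost everything; that is the pitfall the cheat sheet footnote flags.
    """
    return any(v != ip for v in ip_addr_values(pkt))


def not_ip_addr_equal(pkt, ip):
    """`!(ip.addr == x)`: true only if NO occurrence equals x (what is usually wanted)."""
    return not any(v == ip for v in ip_addr_values(pkt))


def syn_only(pkt):
    """`tcp.flags.syn == 1 and tcp.flags.ack == 0`: the first packet of a handshake."""
    return pkt["tcp.flags.syn"] == 1 and pkt["tcp.flags.ack"] == 0


def multicast_dst(pkt):
    """`eth.dst[0] & 1`: the low bit of the first MAC byte marks group addresses.

    Broadcast (ff:ff:...) is a group address too, so it matches as well.
    """
    first_byte = int(pkt["eth.dst"].split(":")[0], 16)
    return bool(first_byte & 1)


def not_broadcast(pkt):
    """`eth.dst != ff:ff:ff:ff:ff:ff` (eth.dst is single-valued, so != is safe here)."""
    return pkt["eth.dst"].lower() != "ff:ff:ff:ff:ff:ff"


def in_subnet(pkt, cidr):
    """`ip.addr == 10.10.50.0/24`: either address falls inside the prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(ipaddress.ip_address(v) in net for v in ip_addr_values(pkt))


def select(packets, predicate):
    """Return the ids of the packets for which the predicate holds."""
    return [p["id"] for p in packets if predicate(p)]


if __name__ == "__main__":
    print("SYN only          :", select(PACKETS, syn_only))
    print("multicast dst     :", select(PACKETS, multicast_dst))
    print("not broadcast     :", select(PACKETS, not_broadcast))
    print("in 10.10.50.0/24  :", select(PACKETS, lambda p: in_subnet(p, "10.10.50.0/24")))
    print("ip.addr != .1     :", select(PACKETS, lambda p: ip_addr_not_equal(p, "10.10.50.1")))
    print("!(ip.addr == .1)  :", select(PACKETS, lambda p: not_ip_addr_equal(p, "10.10.50.1")))
```

Running it shows the difference in one glance: `ip.addr != 10.10.50.1` keeps every packet, including the two that involve 10.10.50.1, while `!(ip.addr == 10.10.50.1)` keeps only the two that do not touch that host.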