Website OSINT

Hacktivities
Published in InfoSec Write-ups
8 min read · Mar 31, 2022

In this article, I learn how to use Open Source Intelligence (OSINT) techniques and tools to gather information about several websites and understand what can be uncovered about a website just by looking at publicly available information. This challenge is available on the TryHackMe platform and is titled “WebOSINT”, created by the user “OSINTStan”.

WHOIS Registration

Challenge Description

Find as much information as you can about the website RepublicofKoffee.com

Challenge Questions & Answers

1. What is the name of the company the domain was registered with?

The challenge recommends going directly to lookup.icann.org for WHOIS information on “RepublicOfKoffee.com”. The search results from this site show that the domain was registered through “Namecheap Inc”.

WHOIS Registrar Information.

2. What phone number is listed for the registration company? (do not include country code or special characters/spaces)?

Referring to the raw registry RDAP response provided as part of the search results, I can see the telephone number listed for the registration company. (RDAP is the JSON-based successor to the WHOIS protocol; the registrar's contact details sit in the entity whose `roles` contains `registrar`, not on the domain object itself.)

Telephone number listed in the raw registry RDAP response.
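As an added example (not part of the original write-up or the TryHackMe room), the following Python pulls the same answers this task asks for, registrar, registrar phone, nameservers and registrant name and country, out of an RDAP domain response, which is what lookup.icann.org shows under “raw registry RDAP response”. The RDAP JSON embedded below is constructed for the demo: the domain, registrar, phone and country values are made up, and the `fetch_rdap` helper (which uses the rdap.org redirector for a live lookup) is not called by the offline demo.

```python
import json
import urllib.request

# Constructed RDAP response for illustration: the layout follows the RDAP JSON
# that registries and registrars return (RFC 9083), but every value here is
# made up and is NOT the real record for RepublicOfKoffee.com.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "DNS1.EXAMPLE-NS.COM"},
    {"objectClassName": "nameserver", "ldhName": "DNS2.EXAMPLE-NS.COM"}
  ],
  "entities": [
    {
      "objectClassName": "entity",
      "roles": ["registrar"],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "Example Registrar Inc"],
        ["tel", {"type": "voice"}, "uri", "tel:+1.5551234567"]
      ]]
    },
    {
      "objectClassName": "entity",
      "roles": ["registrant"],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "REDACTED FOR PRIVACY"],
        ["adr", {}, "text", ["", "", "", "", "", "", "IS"]]
      ]]
    }
  ]
}
""")


def entity_with_role(rdap, role):
    """Return the first entity carrying the given RDAP role ("registrar", "registrant", ...)."""
    for entity in rdap.get("entities", []):
        if role in entity.get("roles", []):
            return entity
    return None


def vcard_field(entity, prop):
    """Return the value of the first jCard property named `prop` ("fn", "tel", "adr", ...)."""
    if entity is None:
        return None
    for name, _params, _kind, value in entity.get("vcardArray", ["vcard", []])[1]:
        if name == prop:
            return value
    return None


def normalize_phone(tel):
    """Reduce a tel: URI or WHOIS-style "+1.5551234567" to national digits only.

    RDAP/WHOIS usually write the country code before a dot; when that dot is
    present the country code is dropped, otherwise only non-digits are removed.
    """
    if tel.startswith("tel:"):
        tel = tel[4:]
    if tel.startswith("+") and "." in tel:
        tel = tel.split(".", 1)[1]
    return "".join(ch for ch in tel if ch.isdigit())


def summarize(rdap):
    """Pull the fields the WHOIS task asks for out of an RDAP domain object."""
    registrar = entity_with_role(rdap, "registrar")
    registrant = entity_with_role(rdap, "registrant")
    adr = vcard_field(registrant, "adr")   # jCard adr has 7 components, country code last
    phone = vcard_field(registrar, "tel")
    return {
        "domain": rdap.get("ldhName"),
        "registrar": vcard_field(registrar, "fn"),
        "registrar_phone": normalize_phone(phone) if phone else None,
        "nameservers": [ns["ldhName"] for ns in rdap.get("nameservers", [])],
        "registrant_name": vcard_field(registrant, "fn"),
        "registrant_country": adr[6] if isinstance(adr, list) and len(adr) == 7 else None,
    }


def fetch_rdap(domain, timeout=10):
    """Live lookup through the rdap.org redirector (network access; not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://rdap.org/domain/{domain}",
        headers={"Accept": "application/rdap+json", "User-Agent": "webosint-demo"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RDAP), indent=2))
```

Two things worth checking when you script this: the registrant country comes back as an ISO 3166 code (IS for Iceland) in the jCard `adr` field rather than the country name the web form displays, so normalise before submitting an answer; and the phone question wants the national number without country code, which only works reliably when the record uses the dotted `+CC.number` form.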

3. What is the first nameserver listed for the site?

Looking at the information for the domain, I can see two nameservers listed, the first of which is called “NS1.BRAINYDNS.COM”.

WHOIS Domain Information.

Unfortunately, this is not the answer to the challenge. The nameservers must have changed since the challenge was created. To find the correct answer, we can search the DNS history of “RepublicOfKoffee.com” and identify the previous nameservers.

Previous Nameservers.

Looking at the image above, I can see that the first nameserver listed for the site previously was “DNS1.REGISTRAR-SERVERS.COM”.

4. What is listed for the name of the registrant?

Going back to our previous WHOIS lookup results, I can see that “Redacted for Privacy” is listed as the name of the registrant.

WHOIS Registrant Name.

5. What country is listed for the registrant?

Looking at the WHOIS results, I can see that the country listed for the registrant is “Iceland”.

WHOIS Registrant Country.

Unfortunately, this information also appears to have changed since the challenge was created. I was able to view who previously owned the domain “RepublicOfKoffee.com” using the WHOIS-history website whoxy, which had 7 records of previous owners of this domain. Looking through the list, I found that the country listed for the registrant before Iceland was “Panama”.

Registrant Country Panama Record.

Ghosts of Website Past

Challenge Description

Look at the historical information available for RepublicOfKoffee.com and answer the following questions.

Challenge Questions & Answers

1. What is the first name of the blog’s author?

Using the Wayback Machine, I can see archived snapshots of “RepublicOfKoffee.com” dating as far back as 2015.

Wayback Machine archive.

I started by looking at the oldest web archive, a snapshot taken on 31 December 2015. The first article published on the website gives the author's first name, Steve.

First Name of Blog’s Author.

2. What city and country was the author writing from?

Reading through Steve’s blog posts, I can see that he has set up meetings near “Mudeungsan national park”.

Mudeungsan national park referenced in blog post.

Mudeungsan National Park is located in Gwangju, South Korea.

3. [Research] What is the name (in English) of the temple inside the National Park the author frequently visits?

According to koreatriptips website, there is a temple called Jeungsimsa, located on the western foothills of Mudeungsan Mountain.

Jeungsimsa Temple.

Digging into DNS

Challenge Description

Use websites like ViewDNS.info to identify technical details about RepublicOfKoffee.com

Challenge Questions & Answers

1. What was RepublicOfKoffee.com’s IP address as of October 2016?

Using ViewDNS.info, I can perform an IP history search for the domain “RepublicOfKoffee.com”. Looking at the results, I can see the IP address for October 2016 was “173.248.188.152”.

IP address for “RepublicOfKoffee.com” as of October 2016.

2. Based on the other domains hosted on the same IP address, what kind of hosting service can we safely assume our target uses?

Since there are other domains hosted on the same IP address, we can safely assume our target uses shared hosting. One check worth making before settling on that answer: a single IP fronting many unrelated domains can also be a CDN or reverse proxy (Cloudflare, for example) rather than a shared web server, so look at who owns the IP and what kind of domains sit on it.

3. How many times has the IP address changed in the history of the domain?

The IP history for this domain has changed multiple times since this challenge was created, with most of the changes occurring in 2022. Working from the bottom (oldest entry) up, I can see that the IP address changed four times, up to and including the entry whose IP address owner is “Namecheap”.

IP Address Changes Four Times.

Taking Off The Training Wheels

Challenge Description

Use the tools and techniques seen so far to gather information about heat[dot]net and answer the questions.

Challenge Questions & Answers

1. What is the second nameserver listed for the domain?

I started by using lookup.icann.org to find WHOIS information for “heat.net”. I can see that the second nameserver is “NS2.HEAT.NET”.

WHOIS Nameservers for “heat.net”.

2. What IP address was the domain listed on as of December 2011?

Using the viewdns.info website and searching for the IP history of the domain, I can see that the IP address listed in December 2011 was “72.52.192.240”.

IP address listed in December 2011.

3. Based on domains that share the same IP, what kind of hosting service is the domain owner using?

As with RepublicOfKoffee.com, other domains are hosted on the same IP address, so we can safely assume the domain owner uses shared hosting (with the same CDN/reverse-proxy caveat as before).

4. On what date was the site first captured by the internet archive? (MM/DD/YY format)

Using web.archive.org, I can see that the site was first captured by the Internet Archive on 1 June 1997, which is 06/01/97 in the MM/DD/YY format the question asks for.

Date the site was first captured by the internet archive.

5. What is the first sentence of the first body paragraph from the final capture of 2001?

Looking at the final capture of the website in 2001, taken on 28 June, I can see the first sentence of the first body paragraph.

First sentence of the first body paragraph from the final capture of 2001.

6. Using your search engine skills, what was the name of the company that was responsible for the original version of the site?

I can use Google search operators (“Google dorks”) to find supplemental information Google may have on this page, which is useful for finding cached pages. Google has since retired the info: operator, so today a site:heat.net query or a plain search for the domain name alongside a keyword gives the equivalent result.

info:heat.net

Looking at the output from this search, I can see it returns the name of a PC game company called “SegaSoft”.

Google Dork returns name of company.

Further down in the search results, I can also see multiple articles confirming “SegaSoft” was the name of the company that was responsible for the original version of the site.

Google Dork search results.

7. What does the first header on the site on the last capture of 2010 say?

Using web.archive.org, I can see that the last capture of the website in 2010 was on the 30th of December. Looking at the webpage, I can see the first header.

First header on the site on the last capture of 2010.
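The three Wayback Machine questions in this task (first capture of heat.net, last capture of 2001, last capture of 2010) and the RepublicOfKoffee.com snapshots in “Ghosts of Website Past” can all be answered from the Internet Archive's CDX API rather than by clicking through the calendar view. The following Python is an added example, not code from the write-up or the room: it parses a capture list in the CDX JSON layout (a header row, then one row per capture), and finds the first capture, the last capture of a given year, and the replay URL. The rows are constructed for example.com; the `fetch_cdx` helper performs the live query and is not used by the offline demo.

```python
import json
import urllib.request
from datetime import datetime
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
FIELDS = "urlkey,timestamp,original,mimetype,statuscode,digest,length"

# Constructed CDX rows in the shape the API returns with output=json: the first
# row is the header, each later row is one capture. Dates and digests are made
# up for example.com; they are not heat.net's real capture list. Rows are
# deliberately out of order to show that the helpers sort them.
SAMPLE_CDX = [
    FIELDS.split(","),
    ["com,example)/", "20010314120000", "http://example.com:80/", "text/html", "200", "BBBB", "2345"],
    ["com,example)/", "19970601000000", "http://example.com:80/", "text/html", "200", "AAAA", "1234"],
    ["com,example)/", "20010628093000", "http://example.com:80/", "text/html", "200", "CCCC", "2222"],
    ["com,example)/", "20011102010000", "http://example.com:80/", "text/html", "302", "DDDD", "100"],
    ["com,example)/", "20101230180000", "http://example.com/", "text/html", "200", "EEEE", "5000"],
]


def cdx_query_url(url, **params):
    """Build a CDX query; extra keys such as from/to/filter are passed through unchanged."""
    query = {"url": url, "output": "json", "fl": FIELDS}
    query.update(params)
    return f"{CDX_ENDPOINT}?{urlencode(query)}"


def fetch_cdx(url, **params):
    """Live query (network access; not used by the offline demo)."""
    with urllib.request.urlopen(cdx_query_url(url, **params), timeout=60) as resp:
        return json.load(resp)


def parse_captures(rows):
    """Turn header + rows into dicts, sorted oldest to newest by timestamp."""
    header, *body = rows
    return sorted((dict(zip(header, r)) for r in body), key=lambda c: c["timestamp"])


def first_capture(rows):
    """Oldest capture in the list, or None when there are no captures."""
    caps = parse_captures(rows)
    return caps[0] if caps else None


def last_capture_in_year(rows, year, ok_only=True):
    """Latest capture of `year`; with ok_only, redirects and errors are skipped so you land on real page content."""
    caps = [c for c in parse_captures(rows) if c["timestamp"].startswith(f"{year:04d}")]
    if ok_only:
        caps = [c for c in caps if c["statuscode"] == "200"]
    return caps[-1] if caps else None


def capture_date(cap, fmt="%m/%d/%y"):
    """Format a 14-digit CDX timestamp (YYYYMMDDhhmmss) the way the room wants dates (MM/DD/YY)."""
    return datetime.strptime(cap["timestamp"], "%Y%m%d%H%M%S").strftime(fmt)


def wayback_url(cap):
    """URL that replays this exact capture in the Wayback Machine."""
    return f"https://web.archive.org/web/{cap['timestamp']}/{cap['original']}"


if __name__ == "__main__":
    first = first_capture(SAMPLE_CDX)
    print("first capture:", capture_date(first), wayback_url(first))
    last01 = last_capture_in_year(SAMPLE_CDX, 2001)
    print("last 200 OK capture of 2001:", capture_date(last01), wayback_url(last01))
    print("live query for heat.net:", cdx_query_url("heat.net", **{"from": "1997", "to": "2010"}))
```

Filtering on `statuscode == "200"` matters: the final capture of a year is often a 3xx redirect or an error page, and the room's questions are about page content, so the `ok_only` flag skips those. For a busy domain, restrict the live query with `from` and `to` (passed as a dict because `from` is a Python keyword) so the response stays small.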

Taking a Peak under the Hood of a Website

Challenge Description

Refer to heat[dot]net/36/need-to-hire-a-commercial-heating-contractor/ and answer the following questions.

Challenge Questions & Answers

1. How many internal links are in the text of the article?

I started by navigating to the target URL “heat[dot]net/36/need-to-hire-a-commercial-heating-contractor/” and identified five internal links in the text of the article.

Internal links found in the text of the article.

2. How many external links are in the text of the article?

I identified one external link in the text of the article.

3. Website in the article’s only external link (that isn’t an ad)

The single external link goes to “www.purchase.org”.

External link.

4. Try to find the Google Analytics code linked to the site

I started by viewing the source code of the webpage and searched for the keyword “analytic”, which identified the Google Analytics code linked to the site (a property ID of the form “UA-” followed by digits for Universal Analytics, or “G-” followed by an alphanumeric string for GA4).

Google Analytics Code.

5. Is the the Google Analytics code in use on another website? Yay or nay

The hint for this challenge suggests using the website nerdydata, a search engine over website source code. Search results show that no other website is using this code (i.e. nay). A tracking ID reused across several sites is a classic pivot for tying them to one operator, which is why the question is worth asking.

Nerdydata search results.

6. Does the link to this website have any obvious affiliate codes embedded with it? Yay or Nay

Reviewing the link to this website, there was no extraneous information within the href (e.g. an affiliate ID or username in the query string).
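Counting links by hand works for one article; the following Python is an added example (not code from the write-up or the room) that performs the three checks in this task on a page's HTML source: it separates internal from external links inside the `<article>` element, extracts Google tracking IDs from the source, and flags affiliate-looking parameters on the external links. The HTML is constructed for the demo with invented hosts (heat.example, purchase.example, vendor.example); the `AFFILIATE_PARAMS` set and the tracking-ID regex are my own heuristics, not an official list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed page, NOT the markup of heat.net: it only reproduces the shapes the
# audit has to handle (relative links, absolute same-site links, off-site links
# with tracking parameters, non-HTTP links, and a gtag snippet with a GA ID).
SAMPLE_HTML = """
<html><head><title>Need to hire a commercial heating contractor?</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-000000-1"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-000000-1');</script>
</head><body>
<nav><a href="/">Home</a> <a href="/about/">About</a></nav>
<article>
<p>Read our <a href="/36/boiler-maintenance/">boiler maintenance guide</a> and the
<a href="https://heat.example/36/furnace-types/">furnace overview</a>.</p>
<p>Compare quotes at <a href="https://www.purchase.example/?ref=heatsite&amp;utm_source=heat">purchase</a>
or see <a href="https://vendor.example/thermostat?tag=heatnet-20">this thermostat</a>.</p>
<p>Plain link: <a href="http://example.org/">example</a></p>
</article>
<footer><a href="mailto:info@heat.example">Contact</a></footer>
</body></html>
"""

# Query-string names that commonly carry an affiliate or referral identifier (heuristic).
AFFILIATE_PARAMS = {"ref", "aff", "affid", "aff_id", "affiliate", "affiliate_id",
                    "tag", "partner", "partner_id", "referral", "clickid", "irclickid"}

# Universal Analytics (UA-xxxxxx-x), GA4 (G-xxxxxxxxxx) and Tag Manager (GTM-xxxxxx) IDs.
TRACKING_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12}|GTM-[A-Z0-9]{5,9})\b")


class LinkCollector(HTMLParser):
    """Collect every href, remembering whether it appeared inside the scope tag (<article>)."""

    def __init__(self, scope_tag="article"):
        super().__init__()
        self.scope_tag = scope_tag
        self.depth = 0
        self.links = []  # list of (href, inside_scope)

    def handle_starttag(self, tag, attrs):
        if tag == self.scope_tag:
            self.depth += 1
        if tag == "a":
            href = dict(attrs).get("href")   # html.parser already unescapes &amp; for us
            if href:
                self.links.append((href, self.depth > 0))

    def handle_endtag(self, tag):
        if tag == self.scope_tag and self.depth:
            self.depth -= 1


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def classify_link(href, site_host):
    """'internal' (same site or relative), 'external' (another web host) or 'other' (mailto:, tel:, #...)."""
    parts = urlparse(href)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "other"
    if not parts.netloc:
        return "other" if href.startswith("#") else "internal"
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower()  # drop userinfo and port
    return "internal" if _strip_www(host) == _strip_www(site_host.lower()) else "external"


def affiliate_params(href):
    """Return {param: value} for any affiliate-looking query parameters on the link."""
    qs = parse_qs(urlparse(href).query)
    return {k: v[0] for k, v in qs.items() if k.lower() in AFFILIATE_PARAMS}


def audit_links(html, site_host, scope_only=True):
    """Group hrefs by class; with scope_only, only links inside the article body are counted."""
    collector = LinkCollector()
    collector.feed(html)
    report = {"internal": [], "external": [], "other": []}
    for href, inside in collector.links:
        if scope_only and not inside:
            continue
        report[classify_link(href, site_host)].append(href)
    return report


def analytics_ids(html):
    """Google tracking IDs found anywhere in the page source (these are what you pivot on)."""
    return sorted(set(TRACKING_ID_RE.findall(html)))


if __name__ == "__main__":
    report = audit_links(SAMPLE_HTML, "heat.example")
    print(len(report["internal"]), "internal,", len(report["external"]), "external")
    for href in report["external"]:
        print(" ", href, affiliate_params(href) or "no affiliate params")
    print("tracking IDs:", analytics_ids(SAMPLE_HTML))
```

Pivoting a tracking ID to other sites still needs a source-code search engine such as the nerdydata service the room hints at, because that question concerns pages you have not fetched; the script only tells you which IDs to search for. Treat the affiliate check as a heuristic: a `ref=` or `tag=` parameter is a strong hint, but an affiliate ID can also sit in the URL path (Amazon's `/ref=` style), which `affiliate_params` does not inspect.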

Final Exam: Connect the Dots

Challenge Description

This is your final exam, and there is exactly one question.

Challenge Question & Answer

1. Use the tools in Task 4 to confirm the link between the sites “heat.net” and “purchase.org”.

The tools used in task 4 were related to DNS, and the external website identified earlier was “purchase.org”. Using viewdns.info, I discovered that both “heat.net” and “purchase.org” had the same IP address owner, “Liquid Web”.

“heat.net” IP Address Owner
“purchase.org” IP Address Owner.

The answer requires an additional three characters. A Google search for “Liquid Web” shows the company name followed by “LLC”. Submitting “Liquid Web, l.l.c” completes the challenge.
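Two of the DNS-history questions in this write-up, how many times RepublicOfKoffee.com's IP changed and the final-exam link between heat.net and purchase.org, reduce to simple operations over an IP-history table. The Python below is an added example, not code from the write-up or the room, that works on a constructed table (documentation-range IPs, invented owners and dates) in the shape viewdns.info presents: it counts real IP changes, reports the IP in effect in a given month, lists other domains seen on an IP, and intersects two domains' IPs and owners.

```python
from datetime import date, timedelta

# Constructed IP-history table in the shape a service like viewdns.info shows
# (observation date, IP, IP owner). Addresses are from the documentation ranges
# and owners are invented; this is NOT the real history of heat.net or purchase.org.
HISTORY = {
    "heat.example": [
        ("2016-10-14", "203.0.113.152", "Example Hosting LLC"),
        ("2011-12-05", "198.51.100.240", "Example Hosting LLC"),
        ("2014-03-02", "198.51.100.240", "Example Hosting LLC"),   # re-observed, not a change
        ("2022-01-20", "203.0.113.7", "Registrar Hosting Inc"),
    ],
    "purchase.example": [
        ("2015-06-11", "203.0.113.152", "Example Hosting LLC"),
        ("2019-08-30", "192.0.2.10", "Example Hosting LLC"),
    ],
    "unrelated.example": [
        ("2020-01-01", "192.0.2.200", "Other Cloud"),
    ],
}


def _chronological(records):
    return sorted(records, key=lambda r: date.fromisoformat(r[0]))


def ip_changes(records):
    """Number of times the IP actually changed: repeated observations of one IP do not count."""
    ips = [ip for _day, ip, _owner in _chronological(records)]
    runs = [ip for i, ip in enumerate(ips) if i == 0 or ip != ips[i - 1]]
    return max(len(runs) - 1, 0)


def ip_as_of(records, year, month):
    """IP in effect at the end of the given month (latest observation on or before it), or None."""
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    month_end = first_of_next - timedelta(days=1)
    hits = [r for r in _chronological(records) if date.fromisoformat(r[0]) <= month_end]
    return hits[-1][1] if hits else None


def domains_on_ip(history, ip):
    """Reverse-IP over the local table: every domain that ever resolved to `ip`."""
    return sorted(d for d, recs in history.items() if any(r[1] == ip for r in recs))


def shared_infrastructure(a, b):
    """IPs and hosting owners that two domains have in common across their histories."""
    ips_a, ips_b = {r[1] for r in a}, {r[1] for r in b}
    own_a, own_b = {r[2] for r in a}, {r[2] for r in b}
    return {"ips": ips_a & ips_b, "owners": own_a & own_b}


if __name__ == "__main__":
    heat = HISTORY["heat.example"]
    print("IP changes:", ip_changes(heat))
    print("IP as of October 2016:", ip_as_of(heat, 2016, 10))
    print("domains seen on 203.0.113.152:", domains_on_ip(HISTORY, "203.0.113.152"))
    print("heat <-> purchase:", shared_infrastructure(heat, HISTORY["purchase.example"]))
```

A shared IP owner on its own is weak evidence, since a host such as Liquid Web serves many unrelated customers; a shared IP during overlapping dates is a much stronger link, which is why `shared_infrastructure` reports the two sets separately rather than collapsing them into one verdict.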

Final Thoughts

I really enjoyed working through this room and getting the opportunity to learn more about Web OSINT. The challenge had a nice progression and I learned a lot about gathering open source information on websites. Thank you for reading till the end and keep hacking 😄!
