Netlas.io — Best OSINT Tool in Cybersecurity Industry

Discover, research and monitor any assets available online!

Published in

ILLUMINATION

10 min readDec 14, 2023

In today’s interconnected world, the need for robust cybersecurity measures cannot be overstated. As Cyber Threats continue to evolve and grow in sophistication, organizations and individuals alike must adapt their defense strategies to stay one step ahead. One powerful tool that has emerged in recent years is Open Source Intelligence (OSINT). OSINT, when properly utilized, can provide valuable insights into potential threats and vulnerabilities, enhancing the effectiveness of cybersecurity efforts.

Using the right OSINT tool for your organization can improve cybersecurity by helping to discover information about your company, employees, IT assets and other confidential or sensitive data that could be exploited by an attacker. Discovering that information first and then hiding or removing it could reduce major cyber attacks. Often Professionals who regularly perform OSINT operations use a suite of tools depending on their environment. In this blog, I am going to reveal one such game changing OSINT tool which I recently came across while doing some Research Work.

WHAT IS NETLAS.io?

Website — https://netlas.io/

Netlas.io an internet scanner and a search engine. It scans every IPv4 address and every known domain name utilizing such protocols as HTTP, FTP, SMTP, POP3, IMAP, SMB/CIFS, SSH, Telnet, SQL and others. Collected data is enriched with additional info and available in it’s search engine. It also offers data collections for DNS registry, IP Whois, Domain Whois, and SSL certificates. The tool has a dedicated team working behind it and is used by some well known companies in the Industry.

For an updated list of IT Security Companies & Clients using Netlas, refer to the official website — netlas.io

WHAT CAN IT DO?

There are tons of things Netlas can do. Here are some general use-cases:

IP/Domain information gathering
Attack surface management
Investigate websites and web applications, IoT devices and online assets
Penetration tests and bug bounty jobs (for reconnaissance)
Detect shadow IT and phishing domains

For this blog, I will be giving a glance of some of its features and then focusing mainly on Bug Bounty Reconnaissance including Subdomain Enumeration and also show how you can find all types of online cameras.

(+) To Use Netlas, all you have to do is Visit- https://netlas.io/ and click on Try It and then you can sign up which hardly takes a minute and is Free.

Using search bar to find info of a random IP Address

I did the same and Initially after logging in, we are able to see our ip address, location and Whois information. In the very same search bar, we can search for any IP address or Domain and Netlas gives us all information about it. For this example I am using tetrapak.com which belongs to one of my friends who is into transportation & packaging business.

search tetrapak.com

We are able to find a lot of information such as IP address, Whois information, location, emails, numbers, Related domains, Name Server Records & MX(Mail Exchange Records). We can also see all available ports and services it is running, mainly https. There is a Tag filter which shows Pulse Secure. If we google search this we find that Pulse Secure is a software which provides secure, authenticated access for remote and mobile users from any web-enabled device to corporate resources.

Scrolling through the results, I was also able to find that it is using Microsoft iis server and has a vulnerable CVE which is an alarming find as any Attacker can exploit it as long as it is not a false positive. From the perspective of a Security Researcher I can already see how much time Netlas saved me from manual enumeration.

USAGE

[+] BUG BOUNTY RECON — SUBDOMAIN ENUMERATION

The DNS Search is the third option on the left side. We can see that Netlas already provides us with a list of helpful examples for finding the information we need about a domain. Lets search for subdomains with this query.

search domain:*.tetrapak.com

This is going to match all subdomains for tetrapak.com. We can see that we have found a total of 693 subdomains. In the results above, we can look at more details like list of subdomains, Ip Addresses for the subdomains, Name Server(NS), Mail Server Exchange(MX) and TXT.

In the right side we can also see that we have filters such as Zones & Levels which we can use to narrow down our results. In our case we have the option to choose 3rd level or 4th level subdomains.

Lets try to find all 4th level Subdomains in tetrapak.com

search domain:*.tetrapak.com AND level:4

As we can see, we have found 269 level 4 Subdomains

To Find Top Level Domains(TLD) we can use this query

search domain:*.tetrapak.*

Now we find some interesting results. We get 916 subdomains and on the right side of filters we can see that there are 716 records in com TLD, 17 records in net TLD, 7 records in mx TLD and so on. We can even sort by levels.

Suppose I just want to find the .net subdomains, I can just click on the filter on right and run the search action. The best part is that Netlas will not only give me the results but also form and show the query in the search bar, as you can see below —

(domain:*.tetrapak.*) AND zone:(“net”)

Now you may think that there are a lot of subdomains and we need to download the data for further research work as a Pentester or Bug Hunter. Netlas Team was smart about it and have a built in download button as well (for all types scans).

In my case I am downloading the results in a Json file and naming it as tetrapak_SUBDOM .You can also specify the exact information you want to download and the number of results but in my case I want to download all the 611 results.

downloading all the results as a Json file

After downloading the file, we can parse it with tools like JQ in Kali Linux or in my case I used a online Json viewer website to open the file — https://jsonformatter.org/json-viewer

As you can see, I am able to see all domain names in it. We can see all the Json objects in the code within which we have the “domain” fields as have highlighted below.

To grab the “domain” field from the results I can cat the file in Kali and use the grep command on it to only get the data I am interested in, which is subdomains. I transferred the Json file from my windows to Kali Linux.

And then ran the grep command to filter the results. As you can see below I was able to find all subdomains which I can scan or do further research on thus greatly increasing my attack vector.

[+] FINDING CAMERAS ONLINE

We can do a Response Search to find online cameras, so basically Netlas.io scans every domain and host currently available on the Internet and saves responses with some additional information like — whois, geolocation, FQDN, CVE, tags and other information. We can use this search tool to find a specific group of services or devices, such as IP cameras, IoT devices, databases, web servers and so on.

For example lets search for online cameras using this query.

search (http.title:”Web camera”) AND geo.country:AU

In this query i am searching for all websites having the word “web camera” in their http title and i am also using another tag — geo.country to specifically filter my results based on the country Australia(AU)

In the response, I can see the full body of the response and also the IPaddress of the camera which is 180.150.73.252. I visited the IP in my browser and it lead me to a website which was showing live Beach Cameras of Australia.

This camera was publicly hosted for beach surfers to see the live weather of the beach and know in case of health hazards like high tide.

This time I searched for webcams using the same query as above

search (http.title:”webcam”) AND geo.country:AU

I found a webcam but was unable to access it.

In this Next example, I searched for the webcam of a particular manufacturer called dlink.

search tag.dlink_webcam:*

I tried accessing the camera but it was password protected, however an attacker can easily bruteforce or try default credentials for the particular model and it may work for many such cameras.

Thus we can see how useful Netlas is to find online cameras. You can also form specific queries and search for cameras by specific manufacturers who have a firmware vulnerability or come with default passwords. I have just scratched the tip of the iceberg.

FEATURES & INTEGRATIONS

Netlas has tons of stored data and some of its features which I found useful are that it has wildcards and asterisks to search any section of host response unlike other search engines. You can can search for Certificates, find CVEs and has multiple scripts and a well maintained documentation.

Netlas has support for massive integrations. It can be integrated with tines, Subfinder, Maltego, Amass, Uncover. It can be automated with Nuclei and also has a dedicated Chrome Extension.

PRICING

The best part is that Netlas is completely Free to use and offers multiple premium plans which is reasonably priced which you can use as per your work requirement and usage frequency. The plans are differentiated by request, download & result limits. The free Community version allows you to make 50 requests to the platform per day for free. I am currently using a Premium Demo Plan having access to all it’s powerful features.

Netlas also has an Enterprise version for organizations that require unlimited access to all Netlas.io features and data which has best-in-class solution for cybersecurity teams.

For Comparison of All plans refer- https://app.netlas.io/plans

CONTACT

[+] Twitter— https://twitter.com/Netlas_io

[+] Medium — https://netlas.medium.com/

[+] LinkedIn — https://www.linkedin.com/company/netlas-io/

[+] GitHub — https://github.com/netlas-io

[+] Netlas Cookbook — https://github.com/netlas-io/netlas-cookbook

MY SUGGESTIONS & Why Netlas is A Better Choice!

I think that Netlas is a Game Changer in the Cybersecurity Industry when it comes to OSINT Tools. The platform has tons of saved data and lots of queries and it is upon the user how much they want to find out using the tool. It can be a great choice for Pentesters and Bug Bounty Hunters for Information Gathering. Corporate companies can also use it as a Security toolset. Netlas definitely gets my approval !

When compared to Shodan, Netlas shines with it’s extra features such as it’s user friendly, has a simple Interface, easy navigation & well maintained documentation. It also offers a range of advanced search filters, allowing users to refine their searches and find the exact information they need, in order to make informed security decisions. Netlas has been made by keeping security in mind and is a very powerful tool for security professionals & Companies looking to identify and mitigate cyber threats.