InfoSec: Online resources and tools for network forensics and troubleshooting

Following is a list of free online resources that I have found to be indispensable in the daily network troubleshooting and information security forensic investigations. I will keep updating this list as I remember of or discover more useful tools, but certainly feel free to contribute in the comments if you have any favorites that are not listed here. Last updated on 3/24/2017.


IP/MAC


IP Address Locator
http://www.geobytes.com/ipLocator.htm

By far the best and most accurate geolocating service - will tell you where the IP address is located geographically, what time zone it is located in and whether or not it is a proxy.

Mass Country of Origin Lookup
https://www.infobyip.com/ipbulklookup.php

Great tool for checking the sources of a DDoS attack - will take a list of IP addresses, one per line and return the IP, domain, location, ISP and ASN for each.

MAC Address Lookup
http://www.coffer.com/mac_find

Utility for searching the IEEE MAC address assignment database (http://standards.ieee.org/regauth/oui/oui.txt) - quick way to identify what type of device is located at the MAC address in question.

What's My IP
http://www.whatismyip.com/

As the name implies, shows you what your public IP address (and its geolocation) is.

WolframAlpha Subnet Calculator
http://www.wolframalpha.com/input/?i=address+range

Very flexible IP subnet calculator, lets you calculate IP address ranges based on number of addresses needed, subnet mask bits or numeric subnet masks.

TechZoom IP Calculator
http://www.techzoom.net/tools/network-ip-calculator.en


Another handy multi-purpose IP address calculator, has ability to calculate subnets and convert IP address masks into individual address lists. Also includes IP and domain name checkers.


DNS

Robtex DNS Lookup
https://www.robtex.com/

Extremely comprehensive "DNS Lookup" site that goes way beyond just DNS lookups. Can be used to lookup BGP routing and AS information for IP addresses, for example.

DNS Analyzer
http://www.intodns.com

Amazingly detailed DNS information reporter and status analyzer. Will show a slew of details about a specified domain name, including but not limited to NS, SOA, MX and WWW records, reverse records, duplicate records, et cetera, and warn you of any configuration that does not follow the best practices.

DNSDigger
http://www.dnsdigger.com/

Great tool for finding other hosts/servers on the subnet of the domain name in question. The only drawback is that it does not offer a reverse lookup option (enter the IP address range, get the domain names of all the servers), but this can be partially remediated by doing a reverse search in cached Google results: http://www.google.com/#hl=en&q=site%3Adnsdigger.com+66.102.13.103

URLQuery
http://urlquery.net/

Similar to DNSDigger, another great tool for looking up domain names for the IP addresses that may show up in your IPS logs. Again, you can leverage Google's cache if needed: http://www.google.com/search?&q=66.235.180.91+site%3Aurlquery.net Note: this site can be reported as malicious by reputation services such as WOT, perhaps due to links to malicious domain information contained within. Proceed with caution.

DNS Logger
http://www.bfk.de/bfk_dnslogger.html

Server containing a copy of historic DNS records, searchable by hostname or IP address, useful for after-the-fact forensics on DNS hijacking events.

ViewDNS IP/DNS Toolkit
http://viewdns.info/


Handy multi-tool website that can perform a variety of tasks, such as looking up WhoIs information, DNS resolution, host traceroute, etc.

DNSStuff Toolkit
http://www.dnsstuff.com/tools

Similar toolset to the one above, but with a much wider range of tools. Kind of like a Swiss-army knife of IP an DNS address tools.

Email


Email Header Analyzer
https://mxtoolbox.com/EmailHeaders.aspx

Convenient tool to quickly analyze email headers. Breaks down all the flags into a convenient, easy to read table and calculates delivery delays (with graph) for each hop. Has a link on the bottom to "forget" the header details when you're done with them.

Reputation Databases


Web Of Trust
http://www.mywot.com/

"Crowd-sourced" web reputation service which works by letting its users rank sites they visit in four categories. May contain false positives but is most likely to have ratings for more obscure sites.

McAfee TrustedSource
https://www.trustedsource.org/

Great tool for checking web reputation of a specific domain name. TrustedSource databases are used by McAfee GTI and many spam filtering vendors, so if your emails stop getting to their destination - good place to check whether your SMTP server has been blacklisted. Will also show any recent increases in outgoing email activity, so it could be handing for spotting first signs of infection.

McAfee Website Reputation Database
http://www.siteadvisor.com

Another site by McAfee, which complements the TrustedSource IP and domain name reputation database. Will show any harmful files and behaviours (such as exposed user email addresses, etc), linked websites and annoyances, along with user-contributed feedback (useful for identifying spammer or phishing websites).

Norton Safe Web
http://safeweb.norton.com/

Similar to McAfee Site Advisor but will contain specific malware names and locations.

BlueCoat WebPulse Site Checker
http://sitereview.bluecoat.com/sitereview.jsp

This one isn't extremely useful as it does not provide much detail, but can be used to verify how BlueCoat categorizes a specific site in their database. This database is also used across all BlueCoat proxy and web-content filtering appliances.

VirusTotal URL Checker
https://www.virustotal.com/#url

The popular multi-antivirus online file scanner, now owned by Google, has added the ability to scan provided URLs against over 50 different URL reputation services. Has ability for users to rank the URL "maliciousness" and provide comments. Great resources for quickly gauging if an address is safe.You can also use their "Search" tab to view Passive DNS history collected in previous lookups of the domain.

Network Forensics


Port Information Lookup
https://isc.sans.edu/port.html?port=

Invaluable tool for port information lookup, powered by the voluntary contributions to the SANS ISC log database. Will show both legitimate and malicious services (backdoors, trojans) that most often use the port, any CVEs associated with it, as well as any recent statistical increase in port activity worldwide. A must have in the arsenal of any network forensic investigator.

SpeedGuide Port Information Lookup
http://www.speedguide.net/port.php

Another excellent port information look-up tool. Does not have the same trending details as the one above, but often has a lot more details about the possible applications utilizing the port, including user-contributed comments.

Open Port Check Tool
http://canyouseeme.org/

Quick and easy utility for checking whether a port is open on the public IP address you're coming from. Will also show you your public IP address, so it can be used instead of the above tool.

Reverse Adsense/Analytics/Clickbank/IP/Domain Lookup
http://www.reverseinternet.com/

A very powerful (and very disturbing, from a privacy point of view) website which allows you to perform a reverse search on a number of parameters, for example - someone's Google Analytics ID or server hosting address to find any websites associated with it. Can be useful for reputation checking on questionable sites.


Log Analysis

SNMP Search and Translate
http://jaguar.ir.miami.edu/~marcus/snmptrans.html

Utility for translating SNMP OID values. Offers two-way translation with multiple verbosity levels (simple, detailed and "tree" view). Has detailed online documentation.

Windows Security Log Events
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia

A very extensive repository of Windows security log event IDs, failure codes and fields.

Event ID Information
http://www.eventid.net

A searchable event ID database, containing event ID descriptions from various sources and applications.

Avaya/Nortel Trace Analyzer
http://sharontools.com/tools/NortelDiagnostic/NortelDiagnostic.php

Shows the Nortel Passport (Avaya ERS) 8600/8800 trace file as a sortable table, helps to determine what is causing high CPU load and allows you to see a sortable table of MAC addresses, IP addresses and Ports.

Malware Analysis

VirusTotal
https://www.virustotal.com

Perhaps the most well-known multi-antivirus online scanning tool, now owned by Google and offering even a desktop-client for right-click uploading of suspicious files. Scans the files with dozens of various antivirus clients and has a user-contributed rating and comments system.

MetaScan
https://www.metadefender.com/#!/scan-file

Very similar to VirusTotal, with fewer antivirus engines but allows for a larger file size. Does not have the same community feedback mechanisms, but handy for double-checking VirusTotal or those cases where you need to scan a file just bigger than its 64Mb limit.

Payload Security Hybrid Analysis
https://www.hybrid-analysis.com/

Free malware analysis service powered by the VxStream Sandbox, which can be used to detonate executables, Office, PDF and APK files up to 180 Mb in size in a sandbox environment.

Malwr Analysis
https://malwr.com/submission/

Free malware analysis service powered by the Cuckoo Sandbox, which can be used to detonate a variety of file types in a sandbox environment.

Browser Sandbox
https://www.browserling.com/

This isn't exactly a malware analysis sandbox, but it does offer the capability to open a website in a virtual browser. Very handy when a lab environment isn't available and you need to check what a suspicious URL looks like when opened.

Sucuri Site Check
https://sitecheck.sucuri.net/

Quick scanner for known website vulnerabilities and embedded malware. Will try to sell you the Sucuri WAF every time you run it, but can be handy in identifying/confirming site compromises and seeing exactly where the injected code is.


JavaScript Deobfuscator
http://deobfuscatejavascript.com/

Very effective JavaScript deobfuscator - saves you time figuring out what the final code looks like in obfuscated JavaScript payloads.

Malware Domain List
https://www.malwaredomainlist.com/mdl.php

Searchable database of known malware/C&C domains and IP addresses.


Miscellaneous

Website Status Checker
http://downforeveryoneorjustme.com/


If you run into a website that will not load from your network, and you're wondering if it's something to be concerned about or the website is really down for everyone - the above site is a very quick and easy way to verify that.

Website Redirect Tracer
http://www.wheregoes.com/retracer.php

Most malicious spam/phishing campaigns nowadays use multiple redirects between the link included in the email, and the final payload page. This will trace and show you all the redirect URLs, without opening the final malicious destination.

Hex to ASCII to HEX Converter
http://www.dolcevie.com/js/converter.html

Very simple and easy to use HEX to ASCII and ASCII to HEX converter.

RegEx Composers
http://www.regexr.com/
https://regex101.com/#javascript


Great tools for composing and testing Regular Expressions (RegEx).