
TechTip: Microsoft Outlook rules for auto-forwarded messages

At some point, one of the managers in the organization decided to forward all announcements from a particular vendor to the entire team, as an FYI. This got a bit noisy, so I had to research how to create an Outlook Rule to automatically filter all auto-forwarded messages from this sender into a separate folder.

The answer is to create a rule that looks for the "X-MS-Exchange-Generated-Message-Source: Mailbox Rules Agent" message header. To do this:
  1. Start the "Create rule..." wizard in your Outlook.
  2. On the first, "Select conditions" step, choose "with specific words in the message header".
  3. For the words, add "X-MS-Exchange-Generated-Message-Source: Mailbox Rules Agent" and click "Add", then "Ok".
  4. Add any other conditions you would like to match before taking the actions (e.g. the "Sender:" address on the message).
  5. Select the actions you would like to take on matching messages in the next step.
  6. Finish naming and creating your rule.

All future auto-forwarded messages matching your conditions will be filtered by this rule.

InfoSec: RegEx to Match Linux "Cover Your Tracks" Commands

There are a number of commands that may be used to conceal nefarious activity on a Linux system, mostly through removing or overwriting the shell history files and logon activities:

kill -9 $$
history -c 
export HISTFILESIZE=0 
export HISTSIZE=0 
unset HISTFILE
echo "" > /var/log/auth.log
ln /dev/null ~/.bash_history -sf
rm ~/.bash_history -rf
echo "" > ~/.bash_history
shred -zu ~/.bash_history

Here is a quick-and-dirty RegEx to match on these when hunting through your EDR or system logs:

((rm|ln|echo|shred).*\.bash_history.*)|((export|unset) HIST(FILE)?(SIZE=0)?)|(kill -9 \$\$)|(history -c)|(echo.*\/auth\.log)
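To see what the pattern actually catches before pointing it at real logs, here is an added example (not part of the original post) that runs the regex above over a few constructed sample lines. The line shape "<timestamp> <user> <command>" is an assumption; adapt the split to whatever your EDR or auditd export looks like.

```powershell
# Added example (not part of the original post): run the post's regex over constructed
# sample shell-history lines and report which lines matched and why.
$CoverTracksPattern = '((rm|ln|echo|shred).*\.bash_history.*)|((export|unset) HIST(FILE)?(SIZE=0)?)|(kill -9 \$\$)|(history -c)|(echo.*\/auth\.log)'

# Constructed sample input (not real EDR output). The first five lines are techniques
# from the post; the last three are controls (two benign, one harmless HIST* export).
$SampleLines = @(
    '2019-01-20T10:01:02 alice history -c',
    '2019-01-20T10:01:05 alice unset HISTFILE',
    '2019-01-20T10:01:09 alice shred -zu ~/.bash_history',
    '2019-01-20T10:01:12 alice echo "" > /var/log/auth.log',
    '2019-01-20T10:01:15 alice kill -9 $$',
    '2019-01-20T10:02:00 bob ls -la /var/log',
    '2019-01-20T10:02:03 bob cat ~/.bashrc',
    '2019-01-20T10:02:07 bob export HISTTIMEFORMAT="%F %T "'
)

function Find-CoverTracksCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [string]$Pattern = $CoverTracksPattern
    )
    $regex = [regex]$Pattern   # compile once, reuse for every line
    foreach ($line in $Lines) {
        $m = $regex.Match($line)
        if ($m.Success) {
            # One object per hit, so the output pipes into Format-Table or Export-Csv
            [pscustomobject]@{
                User    = ($line -split ' ', 3)[1]   # assumes "<timestamp> <user> <command>"
                Matched = $m.Value                   # the substring that triggered the hit
                Line    = $line
            }
        }
    }
}

Find-CoverTracksCommand -Lines $SampleLines | Format-Table -AutoSize
```

The last sample line shows that the `(export|unset) HIST` alternative also fires on harmless exports such as HISTTIMEFORMAT; if that is noisy in your environment, tightening it to `(export|unset) HIST(FILE|SIZE=0|FILESIZE=0)` still catches all three variants from the list above.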

Enjoy.

TechTip: "afterSentDocuments" folder under "My Documents"

Just a random bit of information that proved to be rather difficult to find online for some reason, so in the spirit of this blog I am sharing it just in case it helps save time for someone else.


The "afterSentDocuments" folder under "My Documents" (or just "Documents" for Windows 10 users) is created by the SentinelOne endpoint agent.


The contents of this folder actually come from an archive located in the SentinelOne Agent installation folder under "C:\Program Files\SentinelOne\Sentinel Agent x.x.x.x\afterSentDocuments.zip"


These are not malicious. While undocumented, they are used for some internal SentinelOne scanning/encryption mechanisms. Hope this helps.

InfoSec: Querying the Recorded Future API using PowerShell

Recorded Future has a great Connect API with many options to retrieve, search or download every type of IOC they offer as part of their subscription. Unfortunately, like most API providers, they only publish instructions for accessing the API with common tools and languages (e.g. cURL, Python).

If you have a need to query their API using PowerShell because, for example, you are looking to add reputation checks to your O365 PowerShell Online script (or if you just prefer PowerShell), this post will hopefully save you a few minutes figuring out how to pass the API key to their API in the Invoke-WebRequest cmdlet.

Unlike most SaaS providers that expose an API nowadays, Recorded Future does not require a username for API authentication. All you need is the key. Just add the following parameter to your Invoke-WebRequest call:

-Headers @{"X-RFToken" = "api_key_here" }

So, for example, if your API key was "827ccb0eea8a706c4c34a16891f84e7b" (not an actual API key), a command to download the Recorded Future hash risk list would be:

Invoke-WebRequest -Headers @{"X-RFToken" = "827ccb0eea8a706c4c34a16891f84e7b" } -Method GET -ContentType "application/json" -Uri "https://api.recordedfuture.com/v2/hash/risklist?format=csv%2Fsplunk&gzip=false&list=positiveMalwareVerdict" -OutFile "out.csv"

Where to Find the Recorded Future API Key


Once you have your subscription and access to Recorded Future, you can get (or, rather, create) your API key under Menu - User Settings:


Click on "API Access" and use the "Generate New API Token" link to create a key, which will then be displayed in the list below (again, this isn't an actual API key):


Recorded Future API Documentation


Better than documentation, Recorded Future has a fantastic Connect API explorer page where you can, after plugging your API key in the top-right corner of the page, test all available API commands:


This page can be accessed at https://api.recordedfuture.com/v2/

A Note on Licensing


As expected, every API query uses up one usage "credit", but it should be noted that some of the queries (like the hash risk list used in the above examples) use up 5 credits per use. This can add up quickly when you're developing/testing something.

However, Recorded Future's handy browser extension does not eat up your API credits.

Troubleshooting


If you get the error shown below, add the following line to your code before the call, to force the Invoke-WebRequest cmdlet to use TLS 1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Error:

Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ Invoke-WebRequest -Headers @{"X-RFToken" = "827ccb0eea8a706c4c34a16891f84e7b...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
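Putting the header, the TLS 1.2 fix and the download together, here is an added example (not Recorded Future's own code) that wraps the call in a reusable function. It assumes the API key is stored in an RF_API_KEY environment variable, and uses exactly the risk list URI and query parameters from the command above.

```powershell
# Added example (not Recorded Future's own code): wraps the post's Invoke-WebRequest call
# in a function. Assumed: the API key lives in the RF_API_KEY environment variable, and the
# risk list URI and query parameters are the ones shown in the post.
function Get-RFHashRiskList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ApiKey,
        [string]$List = 'positiveMalwareVerdict',   # list name from the post's example
        [string]$OutFile = 'out.csv'
    )

    # Force TLS 1.2 before the call; without this, older Windows PowerShell versions fail
    # with "The underlying connection was closed" (see the troubleshooting note above).
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $uri = "https://api.recordedfuture.com/v2/hash/risklist?format=csv%2Fsplunk&gzip=false&list=$List"

    try {
        # Only the X-RFToken header is needed, no username. -PassThru returns the response
        # object in addition to writing -OutFile, so the status code can be checked.
        $response = Invoke-WebRequest -Headers @{ 'X-RFToken' = $ApiKey } -Method GET `
            -ContentType 'application/json' -Uri $uri -OutFile $OutFile -PassThru
        [pscustomobject]@{
            StatusCode = $response.StatusCode
            OutFile    = (Resolve-Path $OutFile).Path
            Bytes      = (Get-Item $OutFile).Length
        }
    }
    catch {
        # Surface the HTTP status (401 means the token was rejected) rather than only the
        # generic WebException text; Response is null when the connection itself failed.
        $status = $_.Exception.Response.StatusCode
        throw "Recorded Future request failed ($status): $($_.Exception.Message)"
    }
}

# Keep the key out of scripts and shell history by reading it from the environment.
# Remember that each call to this risk list costs 5 API credits (see the licensing note above).
Get-RFHashRiskList -ApiKey $env:RF_API_KEY -OutFile 'rf-hash-risklist.csv'
```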


Enjoy!

InfoSec: Online resources and tools for network forensics and cyber threat hunting

Following is a list of free online resources that I have found indispensable in daily network troubleshooting and information security forensic investigations. I will keep updating this list as I remember or discover more useful tools, but feel free to contribute in the comments if you have any favorites that are not listed here. Last updated on 1/20/2019.


IP/MAC


IP Address Locator
http://www.geobytes.com/ipLocator.htm

By far the best and most accurate geolocating service - will tell you where the IP address is located geographically, what time zone it is located in and whether or not it is a proxy.

Mass Country of Origin Lookup
https://www.infobyip.com/ipbulklookup.php

Great tool for checking the sources of a DDoS attack - will take a list of IP addresses, one per line and return the IP, domain, location, ISP and ASN for each.

MAC Address Lookup
http://www.coffer.com/mac_find

Utility for searching the IEEE MAC address assignment database - quick way to identify what type of device is located at the MAC address in question.

What's My IP
http://www.whatismyip.com/

As the name implies, shows you what your public IP address (and its geolocation) is.

WolframAlpha Subnet Calculator
http://www.wolframalpha.com/input/?i=address+range

Very flexible IP subnet calculator, lets you calculate IP address ranges based on number of addresses needed, subnet mask bits or numeric subnet masks.

TechZoom IP Calculator
http://www.techzoom.net/tools/network-ip-calculator.en


Another handy multi-purpose IP address calculator, has ability to calculate subnets and convert IP address masks into individual address lists. Also includes IP and domain name checkers.


DNS

Robtex DNS Lookup
https://www.robtex.com/

Extremely comprehensive "DNS Lookup" site that goes way beyond just DNS lookups. Can be used to lookup BGP routing and AS information for IP addresses, for example.

DNS Analyzer
http://www.intodns.com

Amazingly detailed DNS information reporter and status analyzer. Will show a slew of details about a specified domain name, including but not limited to NS, SOA, MX and WWW records, reverse records, duplicate records, et cetera, and warn you of any configuration that does not follow the best practices.

DNSDigger
http://www.dnsdigger.com/

Great tool for finding other hosts/servers on the subnet of the domain name in question. The only drawback is that it does not offer a reverse lookup option (enter the IP address range, get the domain names of all the servers), but this can be partially worked around by doing a reverse search in cached Google results: http://www.google.com/#hl=en&q=site%3Adnsdigger.com+66.102.13.103

URLQuery
http://urlquery.net/

Similar to DNSDigger, another great tool for looking up domain names for the IP addresses that may show up in your IPS logs. Again, you can leverage Google's cache if needed: http://www.google.com/search?&q=66.235.180.91+site%3Aurlquery.net

Note: this site can be reported as malicious by reputation services such as WOT, perhaps due to the links to malicious domain information it contains. Proceed with caution.

ViewDNS IP/DNS Toolkit
http://viewdns.info/


Handy multi-tool website that can perform a variety of tasks, such as looking up WhoIs information, DNS resolution, host traceroute, etc.

DNSStuff Toolkit
https://tools.dnsstuff.com/

Similar toolset to the one above, but with a much wider range of tools. Kind of like a Swiss Army knife of IP and DNS address tools.

Email


Email Header Analyzer
https://mxtoolbox.com/EmailHeaders.aspx

Convenient tool to quickly analyze email headers. Breaks down all the flags into a convenient, easy to read table and calculates delivery delays (with graph) for each hop. Has a link on the bottom to "forget" the header details when you're done with them.

Reputation Databases


Web Of Trust
http://www.mywot.com/

"Crowd-sourced" web reputation service which works by letting its users rank sites they visit in four categories. May contain false positives but is most likely to have ratings for more obscure sites.

McAfee TrustedSource
https://www.trustedsource.org/

Great tool for checking the web reputation of a specific domain name. TrustedSource databases are used by McAfee GTI and many spam filtering vendors, so if your emails stop reaching their destination, this is a good place to check whether your SMTP server has been blacklisted. It will also show any recent increase in outgoing email activity, so it can be handy for spotting the first signs of an infection.

McAfee Website Reputation Database
http://www.siteadvisor.com

Another site by McAfee, which complements the TrustedSource IP and domain name reputation database. Will show any harmful files and behaviours (such as exposed user email addresses, etc), linked websites and annoyances, along with user-contributed feedback (useful for identifying spammer or phishing websites).

Norton Safe Web
http://safeweb.norton.com/

Similar to McAfee Site Advisor but will contain specific malware names and locations.

BlueCoat WebPulse Site Checker
http://sitereview.bluecoat.com

This one isn't extremely useful as it does not provide much detail, but can be used to verify how BlueCoat categorizes a specific site in their database. This database is also used across all BlueCoat proxy and web-content filtering appliances.

VirusTotal URL Checker
https://www.virustotal.com/#url

The popular multi-antivirus online file scanner, now owned by Google, has added the ability to scan provided URLs against over 50 different URL reputation services. Users can rank the URL's "maliciousness" and provide comments. Great resource for quickly gauging whether an address is safe. You can also use their "Search" tab to view the passive DNS history collected in previous lookups of the domain.

ThreatStop
https://www.threatstop.com/checkip

Crowdsourced searchable database of active and historical threats for IP addresses and domain names. A bit annoying in that on the first check, it asks you to receive and click an email link.

Endpoint Forensics


Windows Registry Cheat Sheet
https://www.dfir.training/resources/downloads/windows-registry

Massive crowd-sourced cheat sheet of key Windows Registry locations.

Network Forensics


RiskIQ Community (formerly PassiveTotal)
https://community.riskiq.com

Not to be confused with VirusTotal, PassiveTotal (which has now been acquired by RiskIQ) is a fantastic tool for searching current and historical information on IP addresses and domain names. The free community tier does give you a limited number of lookups per day, but this tool is fantastic for looking up historical WhoIs records, passive DNS records, current DNS records, and other available information.

Mnemonic PassiveDNS
https://passivedns.mnemonic.no/

Another great open PassiveDNS repository. No registration required.

hpHosts
http://hosts-file.net/

Crowdsourced "host file" - community built database of IP address and domain name resolutions and reputations. Can be really, really slow to load for the first time, don't give up.

Port Information Lookup
https://isc.sans.edu/port.html?port=

Invaluable tool for port information lookup, powered by the voluntary contributions to the SANS ISC log database. Will show both legitimate and malicious services (backdoors, trojans) that most often use the port, any CVEs associated with it, as well as any recent statistical increase in port activity worldwide. A must have in the arsenal of any network forensic investigator.

SpeedGuide Port Information Lookup
http://www.speedguide.net/port.php

Another excellent port information look-up tool. Does not have the same trending details as the one above, but often has a lot more details about the possible applications utilizing the port, including user-contributed comments.

Open Port Check Tool
http://canyouseeme.org/

Quick and easy utility for checking whether a port is open on the public IP address you're coming from. Will also show you your public IP address, so it can be used instead of the above tool.

Shodan
https://www.shodan.io/

"Search engine for the internet of things". Basically a huge online database of worldwide Nmap scan results. Lets you search for IP address, ranges, organizations, ports or keywords and returns anything that matches and could be seen connected to the public internet in the past few weeks.

Censys
https://censys.io/

Basically the same thing as Shodan, but also shows a pretty map. In my experience the results are not nearly as complete as Shodan.

ZoomEye
https://www.zoomeye.org/

Another Shodan alternative.


Log Analysis

Windows Security Log Events
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia

A very extensive repository of Windows security log event IDs, failure codes and fields.

Event ID Information
http://www.eventid.net

A searchable event ID database, containing event ID descriptions from various sources and applications.

Avaya/Nortel Trace Analyzer
http://sharontools.com/tools/NortelDiagnostic/NortelDiagnostic.php

Shows the Nortel Passport (Avaya ERS) 8600/8800 trace file as a sortable table, helps to determine what is causing high CPU load and allows you to see a sortable table of MAC addresses, IP addresses and Ports.

Malware Analysis

VirusTotal
https://www.virustotal.com

Perhaps the most well-known multi-antivirus online scanning tool, now owned by Google and offering even a desktop-client for right-click uploading of suspicious files. Scans the files with dozens of various antivirus clients and has a user-contributed rating and comments system.

MetaScan
https://www.metadefender.com/#!/scan-file

Very similar to VirusTotal, with fewer antivirus engines but allows for a larger file size. Does not have the same community feedback mechanisms, but handy for double-checking VirusTotal or those cases where you need to scan a file just bigger than its 64Mb limit.

Payload Security Hybrid Analysis
https://www.hybrid-analysis.com/

Free malware analysis service powered by the VxStream Sandbox, which can be used to detonate executables, Office, PDF and APK files up to 180 Mb in size in a sandbox environment.

Browser Sandbox
https://www.browserling.com/

This isn't exactly a malware analysis sandbox, but it does offer the capability to open a website in a virtual browser. Very handy when a lab environment isn't available and you need to check what a suspicious URL looks like when opened.

Malpedia
https://malpedia.caad.fkie.fraunhofer.de/

Online encyclopedia of malware families.

Sucuri Site Check
https://sitecheck.sucuri.net/

Quick scanner for known website vulnerabilities and embedded malware. Will try to sell you the Sucuri WAF every time you run it, but can be handy in identifying/confirming site compromises and seeing exactly where the injected code is.


JavaScript Deobfuscator
http://deobfuscatejavascript.com/

Very effective JavaScript deobfuscator - saves you time figuring out what the final code looks like in obfuscated JavaScript payloads.

Malware Domain List
https://www.malwaredomainlist.com/mdl.php

Searchable database of known malware/C&C domains and IP addresses.

Cyber Chef
https://gchq.github.io/CyberChef/


The proverbial Swiss Army knife for parsing, decoding and converting just about anything you can think of.


Miscellaneous

Website Status Checker
http://downforeveryoneorjustme.com/

If you run into a website that will not load from your network, and you're wondering if it's something to be concerned about or the website is really down for everyone - the above site is a very quick and easy way to verify that.

Website Redirect Tracer
http://www.wheregoes.com/retracer.php

Most malicious spam/phishing campaigns nowadays use multiple redirects between the link included in the email, and the final payload page. This will trace and show you all the redirect URLs, without opening the final malicious destination.

Hex to ASCII to HEX Converter
http://www.dolcevie.com/js/converter.html

Very simple and easy to use HEX to ASCII and ASCII to HEX converter.

RegEx Composers
http://www.regexr.com/
https://regex101.com/#javascript


Great tools for composing and testing Regular Expressions (RegEx).