Hunting With URLscan: Part 2

Welcome back, warriors of the web! Today we continue our journey with, delving into how to search for filenames and make use of hashes. So, let’s get started.

Hunting With URLscan: Part 1Get to know the basics
Hunting With URLscan: Part 2Filenames and Hashes
Hunting With URLscan: Part 3Search Operators
Hunting with URLscan: Part 4Query Builder

Searching for Filenames:

In some cases, a specific file could be the culprit behind a phishing attack. allows you to search for these filenames to help identify threats.

To do this, use the ‘filename:‘ search parameter. Suppose you want to look for all scans containing a file named ‘login.html.‘ In the search bar, you would enter ‘filename:login.html‘ and will show all URLs containing that filename.

Making Use of Hashes: can also identify and search for hashes. A hash is a unique string of characters representing a piece of data. Cybersecurity professionals often use hashes to identify malicious files or URLs.

Two types of hashes are often used in SHA256 and MD5.

1. SHA256:

SHA256 is a popular hashing algorithm that produces a unique 64-character string. If you have a SHA256 hash of a suspicious file or URL, you can search for it directly in Just type ‘hash:<SHA256 hash>‘ into the search bar.

For example, ‘hash:123abc...‘ will return all the URLs associated with that hash.

2. MD5:

MD5 is an older, but still widely used, hashing algorithm that generates a 32-character string. You can search for MD5 hashes just like SHA256 hashes. Type ‘hash:<MD5 hash>‘ into the search bar to find associated URLs.

Where to get hashes

Where to get hashes on
Where to get hashes on

When you run a scan on, the generated report provides an array of valuable details, including ‘Resource Hashes’. These hashes are invaluable identifiers for hunting potential phishing attempts or other cybersecurity threats. Here’s how you can find them:

Step 1: Open the HTTP tab

In your report, navigate to the HTTP tab. This tab details the HTTP response made while loading the scanned website. Each listed request comes with a ‘+‘ button next to it. Click on this button to expand the request, revealing more information.

So, what gets hashed is the response to the request. If /something.jpeg is the request, when you get the hash, you are getting the hash of what was returned when you made the request to that resource. If you get a 404 you would be hashing the Not Found message. 

Step 2: Find the ‘Resource Hash’

Once you’ve expanded a request, look for a field labeled “Resource Hash“. This field contains the unique hash values for that specific HTTP request. There will be hashes in both SHA256 and MD5 formats, providing a strong identifier for the resource associated with that request.

Remember to note that each HTTP request possesses a unique ‘Resource Hash’. So if you suspect multiple requests might be part of a phishing scheme, ensure you extract the ‘Resource Hashes’ for each of those requests.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.