Welcome back, warriors of the web! Today we continue our journey with URLscan.io, delving into how to search for filenames and make use of hashes. So, let’s get started.
Hunting With URLscan: Part 1 - Get to know the basics
Hunting With URLscan: Part 2 - Filenames and Hashes
Hunting With URLscan: Part 3
Hunting with URLscan: Part 4
Searching for Filenames:
In some cases a specific file is the tell-tale sign of a phishing attack: a kit is copied from host to host and keeps the same page and asset names wherever it lands. URLscan.io lets you search for these filenames to help identify such deployments.
To do this, use the filename: search parameter. Suppose you want to find every scan that loaded a file named login.html. In the search bar, enter filename:login.html and URLscan.io will list the scans in which a request for that filename was captured. The filename is taken from the path of each captured request, so a generic name like login.html or index.html will match a great many legitimate sites; narrow the results with the other search parameters covered in Part 1, or pivot on a hash instead, as described next.
Making Use of Hashes:
URLscan.io can also record and search for hashes. A hash is a fixed-length digest computed from a piece of data: the same bytes always produce the same hash, and different content practically never produces the same one. Cybersecurity professionals use hashes to identify malicious files, and to find the same file again wherever it turns up.
Two hash formats come up in URLscan.io: SHA256 and MD5.
SHA256 is the hashing algorithm you will see most, producing a 64-character hexadecimal string. If you have the SHA256 hash of a suspicious file, you can search for it directly in URLscan.io by typing hash:<SHA256 hash> into the search bar. For example, hash:123abc... returns every scan in which a resource with that hash was captured, regardless of the domain it was served from.
MD5 is an older algorithm that produces a 32-character hexadecimal string. It is still widely used as an identifier, although collisions can be produced deliberately, so prefer SHA256 when both are available. You can search for MD5 hashes in the same way: type hash:<MD5 hash> into the search bar to find the associated scans.
Where to get hashes
When you run a scan on URLscan.io, the generated report provides a wealth of detail, including a Resource Hash for each captured response. These hashes are invaluable identifiers for hunting phishing deployments and other threats. Here is how to find them:
Step 1: Open the HTTP tab
In your URLscan.io report, open the HTTP tab. It lists every HTTP request the browser made while loading the scanned page, together with the response it received. Each request has a + button next to it; click it to expand the entry and reveal more information.
Note what gets hashed: the body of the response, not the request. If the browser requested /something.jpeg, the Resource Hash is the hash of the bytes the server returned for that request. If the server answered 404, you are hashing the Not Found page rather than an image, and that hash will match every other site that serves the same error page. Likewise, a page generated dynamically (session tokens, timestamps, per-visitor content) hashes differently on every scan, so hash pivots work best on static assets such as images, stylesheets and scripts that a phishing kit reuses unchanged across hosts.
Step 2: Find the Resource Hash
Once you have expanded a request, look for the field labelled Resource Hash. This field holds the hash of the response body for that specific request, in SHA256 and MD5 form, giving you a strong identifier for the resource that was returned.
Each HTTP request has its own Resource Hash. If several requests look like parts of the same phishing kit, collect the hash for each of them and search for them individually; a hit on any one of them can reveal other hosts running the same kit.
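The hash search above and the two extraction steps just described, put together as an added example (my code, not the post's and not urlscan.io's): it walks a report, pulls out each request's URL, filename, status and response hash, drops the error-page bodies that would match every site with the same 404 page, and builds the hash: and filename: search strings to paste into the search bar. The sample report is constructed, and the field paths it uses (data.requests[].request.request.url, response.response.status, response.hash) are my assumption about the result layout, so check them against a real report before relying on them.

```python
"""Pull resource hashes out of a URLscan.io-style report and turn them
into search queries. Added example, not code from the original post or
from urlscan.io."""
import hashlib
from urllib.parse import urlparse

# Constructed response bodies standing in for what the scanned server
# returned. Not real phishing content.
LOGIN_PAGE = b"<html><body><form action='/post.php'>Sign in</form></body></html>"
NOT_FOUND_PAGE = b"<html><body><h1>Not Found</h1></body></html>"
KIT_LOGO = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # fake PNG header plus padding


def sha256_hex(data: bytes) -> str:
    """SHA256 of a byte string as 64 lowercase hex characters."""
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, 32 hex characters. Collisions are practical, so
    use it only when SHA256 is not available."""
    return hashlib.md5(data).hexdigest()


def hash_kind(value: str) -> str:
    """Classify a digest by length: 'sha256', 'md5' or 'unknown'."""
    v = value.strip().lower()
    if not v or any(c not in "0123456789abcdef" for c in v):
        return "unknown"
    return {64: "sha256", 32: "md5"}.get(len(v), "unknown")


# Constructed report shaped like a urlscan result. The field paths are an
# assumption about the real layout; verify against a genuine report.
SAMPLE_RESULT = {
    "data": {
        "requests": [
            {
                "request": {"request": {"url": "https://example.invalid/login.html"}},
                "response": {"response": {"status": 200}, "hash": sha256_hex(LOGIN_PAGE)},
            },
            {
                "request": {"request": {"url": "https://example.invalid/img/logo.png"}},
                "response": {"response": {"status": 200}, "hash": sha256_hex(KIT_LOGO)},
            },
            {   # the server answered 404, so the hash is of the error page
                "request": {"request": {"url": "https://example.invalid/css/theme.css"}},
                "response": {"response": {"status": 404}, "hash": sha256_hex(NOT_FOUND_PAGE)},
            },
            {   # no body was captured (blocked or never answered): no hash
                "request": {"request": {"url": "https://example.invalid/track.js"}},
                "response": {},
            },
        ]
    }
}


def resource_hashes(result: dict) -> list:
    """One row per request that produced a hashed body: url, filename,
    status, hash, and whether the body is an error page rather than the
    resource that was asked for."""
    rows = []
    for req in result["data"]["requests"]:
        url = req["request"]["request"]["url"]
        resp = req.get("response") or {}
        digest = resp.get("hash")
        if not digest:
            continue  # nothing captured, nothing to pivot on
        status = (resp.get("response") or {}).get("status")
        rows.append({
            "url": url,
            "filename": urlparse(url).path.rsplit("/", 1)[-1],
            "status": status,
            "hash": digest,
            # a 4xx/5xx body is the server's error page, not the resource
            "is_error_body": status is not None and status >= 400,
        })
    return rows


def search_queries(rows: list) -> list:
    """urlscan search strings for each usable resource. Error-page hashes
    are skipped because they match every site serving the same 404 page."""
    queries = []
    for r in rows:
        if r["is_error_body"]:
            continue
        queries.append(f'hash:{r["hash"]}')
        if r["filename"]:
            queries.append(f'filename:{r["filename"]}')
    return queries


def matches_local_file(local_bytes: bytes, rows: list) -> list:
    """URLs whose captured body is byte-identical to a file you already
    hold (a kit sample, say), compared by SHA256."""
    want = sha256_hex(local_bytes)
    return [r["url"] for r in rows if r["hash"] == want]


if __name__ == "__main__":
    rows = resource_hashes(SAMPLE_RESULT)
    for r in rows:
        flag = " (error body, skip)" if r["is_error_body"] else ""
        print(f'{r["status"]} {r["url"]} {r["hash"][:16]}...{flag}')
    print("\n".join(search_queries(rows)))
    print(matches_local_file(KIT_LOGO, rows))
```

The request with no captured body is skipped rather than hashed as an empty string, and the 404 row is kept in the table (so you can see it) but excluded from the queries; matches_local_file covers the other direction, where you already have a suspicious file and want to know which captured response it is.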