█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Threat Intelligence/OSINT Toolkit: Shodan, Censys, VirusTotal, URLscan
50 minIntermediate

OSINT Toolkit: Shodan, Censys, VirusTotal, URLscan

After this lesson, you will be able to: Use Shodan, Censys, VirusTotal, and URLscan.io to investigate suspicious infrastructure, files, and domains during a threat intel investigation.

OSINT tools turn a single IoC into context. This lesson covers the four canonical free-tier tools every threat analyst uses daily and the workflow that ties them together.

Prerequisites:MITRE ATT&CK Navigator

The four-tool toolkit

Shodan, an internet-wide port scanner with historical data. Search by IP, service banner, JARM hash, ASN. Censys, similar to Shodan with better TLS-certificate search. Pivot from a leaked cert to every server using it. VirusTotal, file + URL + IP reputation. Upload a file or paste a URL and get scanner verdicts plus passive DNS data. URLscan.io, automated browser-based URL inspection. Shows the rendered page, DOM, network traffic, and screenshots without you visiting the URL.

Investigate a suspicious IP (Shodan)

Sign up for free at shodan.io for ~50 lookups per month.

  1. 1

    Paste a suspicious IP into Shodan search; record the open ports, service banners, and observed certificates

  2. 2

    Note any JARM hash (TLS fingerprint that identifies the server software stack); the same JARM across multiple IPs often indicates the same operator

  3. 3

    Use the 'related' tab to find other servers in the same ASN or with similar fingerprints

  4. 4

    Export findings: IP, ports, JARM, certificate CN, hosting provider

  5. 5

    Flag the IP in your IoC list with the context you found

Pivot from a TLS certificate (Censys)

Censys's strength is certificate search. This is how you find an entire C2 fleet from one leaked cert.

  1. 1

    Find a suspicious certificate (e.g., self-signed, expired, or with unusual CN field) on a known malicious host

  2. 2

    In Censys, search for hosts using that certificate's SHA-256 fingerprint

  3. 3

    Review the resulting host list, these are likely peers in the same campaign

  4. 4

    For each, capture port banners and any other certs; build a graph of the campaign infrastructure

  5. 5

    Export the host list as JSON for ingestion into your SIEM as new IoCs

Triage a file or URL (VirusTotal)

VirusTotal is the first stop for any suspicious indicator.

  1. 1

    Paste a SHA-256 hash, a URL, or a file into VirusTotal

  2. 2

    Review the scanner results, NOT just the 'detection ratio' (vendors often disagree on edge cases). Look for high-confidence vendors (Microsoft, ESET, Kaspersky, Bitdefender)

  3. 3

    Click the Details tab for sandbox behaviours: child processes, registry edits, network beacons, dropped files

  4. 4

    Review the Relations tab: passive DNS, ITW URLs, communicating files. This is where the threat-actor pivot lives.

  5. 5

    Flag the hash in your IoC list with context (sandbox-observed behaviour, related infrastructure, suspected family)

Visit a hostile URL safely (URLscan.io)

Never click a suspect URL directly. URLscan.io renders it for you in a sandbox.

  1. 1

    Paste the URL at urlscan.io and submit a scan (public or unlisted depending on sensitivity)

  2. 2

    Review the rendered screenshot, the page source, and the network requests

  3. 3

    Note any redirects, exfiltration endpoints, or credential-harvest forms

  4. 4

    Download the DOM snapshot and the HAR file for evidence preservation

  5. 5

    Flag the URL in your IoC list

ℹ️ Operational security matters

When you query an unusual IP or domain on Shodan / VirusTotal, you may tip off the adversary if they have a watcher on the same indicators. For sensitive investigations, use the 'unlisted' or 'private' submission modes (Censys, URLscan offer these on paid tiers; some VirusTotal queries are private to your account on the free tier). Treat your OSINT queries as part of the investigation footprint; they're not invisible.

Common mistakes only experienced analysts catch

Treating VirusTotal's detection ratio as truth. 5/70 from low-confidence vendors is less meaningful than 1/70 from Microsoft Defender's heuristic. Pivoting from one IoC and missing the campaign. One bad hash usually has 10+ related files in VirusTotal's Relations tab. Submitting sensitive samples to VirusTotal public. Once uploaded, the sample is searchable; if it's a customer artefact under NDA, don't upload it. Forgetting passive DNS. The relationship between domains and IPs over time often reveals the actor's hosting pattern. Using only one tool. Shodan misses some hosts Censys finds and vice versa; cross-validate.

Quick Check

What do you do with a suspicious URL someone forwarded you?

Pick the safest first step.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Hands-on: MITRE ATT&CK Navigator
Back to Threat Intelligence
Writing a Threat Intelligence Report→