Netcraft Cheatsheet
Purpose: Passive reconnaissance — hosting history, OS / web server history, SSL certificate history, site report, and subdomain discovery for a target domain. Uses Netcraft’s long-running internet survey, so no traffic touches the target.
Format: Web service. Free site-report lookups; subdomain search; commercial APIs for bulk.
Access Points
| Surface | URL |
|---|---|
| Site Report (single site) | https://sitereport.netcraft.com/?url= |
| Subdomain / Domain search | https://searchdns.netcraft.com/ |
| What’s that site running? (legacy) | https://toolbar.netcraft.com/site_report?url= |
| Phishing / takedown reporting | https://report.netcraft.com/ |
| Anti-phishing browser extension | https://www.netcraft.com/apps/ |
Quick Lookups (URL-style)
# Site Report
xdg-open "https://sitereport.netcraft.com/?url=https://target.tld"
# Subdomain search (DNS knowledge, not zone transfer)
xdg-open "https://searchdns.netcraft.com/?host=*.target.tld"
# Scrape subdomain list (HTML — fragile, format may change)
curl -s -A "Mozilla/5.0" \
"https://searchdns.netcraft.com/?restriction=site+ends+with&host=target.tld" \
| grep -oE '[a-zA-Z0-9.-]+\.target\.tld' | sort -u
What the Site Report Reveals
- Background: site title, description, language, first-seen date
- Network: IPv4/IPv6, ASN, netblock owner, hosting country, nameservers, reverse DNS
- Hosting history: OS, web server, hosting provider, IP changes over time (often years)
- SSL/TLS: certificate issuer, valid-from / valid-to, signature alg, key size, full chain
- Web trackers: analytics, ad networks, tag managers
- Site technologies: server-side language, CMS, JS frameworks (similar surface to Wappalyzer/WhatWeb but historical)
- Risk rating: Netcraft’s own risk scoring (popularity, reputation, phishing flags)
OSINT Pivots
- Hosting history → identify legacy IPs that may still serve content (origin behind CDN, forgotten staging).
- SSL history → past CN / SAN entries leak retired subdomains and internal hostnames.
- Same nameservers + hosting across multiple sites → infrastructure attribution.
- First-seen date → useful for triaging suspicious / typosquat domains.
Subdomain Discovery
https://searchdns.netcraft.com/?host=*.target.tld
- Returns publicly known hosts under a domain.
- Complement, do not replace, [[crt.sh]] / amass / subfinder — Netcraft sees long-tail hosts those miss, and vice versa.
- Free tier paginates and rate-limits aggressively; expect a CAPTCHA on bulk.
Workflow Example
DOMAIN=target.tld
# 1. Open Site Report
xdg-open "https://sitereport.netcraft.com/?url=https://$DOMAIN"
# 2. Pull subdomain list (best-effort scrape); dots in $DOMAIN are escaped so they match literally (bash)
curl -s -A "Mozilla/5.0" \
"https://searchdns.netcraft.com/?restriction=site+ends+with&host=$DOMAIN" \
| grep -oE "[a-zA-Z0-9.-]+\.${DOMAIN//./\\.}" | sort -u > netcraft-subs.txt
# 3. Cross-check with crt.sh
curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" \
| jq -r '.[].name_value' | tr ',' '\n' | sort -u > crtsh-subs.txt
# 4. Merge
sort -u netcraft-subs.txt crtsh-subs.txt > all-subs.txt
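An added example (not part of the original cheatsheet) that extends the merge in step 4: it normalises both lists, drops names that only look like they belong to the domain, and labels each host by the source that reported it, so the coverage gap between Netcraft and crt.sh is visible in an asset inventory. The function names and the `example.test` sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: clean and compare two passively collected host lists.
# Function names and all example.test data are constructed for illustration.
export LC_ALL=C                      # sort and comm must agree on collation

# normalise DOMAIN -- stdin: raw names; stdout: unique, in-scope hostnames
normalise() {
  dom_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # make "." literal in the regex
  tr 'A-Z' 'a-z' | tr ', ' '\n\n' \
    | sed -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "^([a-z0-9_-]+\.)*${dom_re}\$" \
    | sort -u
}

# compare FILE_A FILE_B -- inputs already normalised; labels each host by source
compare() {
  comm -23 "$1" "$2" | sed 's/^/netcraft-only /'
  comm -13 "$1" "$2" | sed 's/^/crtsh-only /'
  comm -12 "$1" "$2" | sed 's/^/both /'
}

demo() {
  tmp=$(mktemp -d) || return 1
  # Constructed input shaped like netcraft-subs.txt (mixed case, trailing dot)
  printf '%s\n' 'www.example.test' 'Legacy.example.test' 'mail.example.test.' \
    | normalise example.test > "$tmp/netcraft"
  # Constructed input shaped like crtsh-subs.txt (wildcard, comma list, look-alikes)
  printf '%s\n' '*.example.test' 'vpn.example.test, www.example.test' \
      'wwwXexampleYtest' 'www.example.test.evil.invalid' \
    | normalise example.test > "$tmp/crtsh"
  compare "$tmp/netcraft" "$tmp/crtsh"
  rm -rf "$tmp"
}

demo
```

Hosts labelled with a single source are the ones a one-tool inventory would have missed; the two look-alike names are discarded because the match is anchored at both ends.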
Browser Extension
Netcraft’s anti-phishing extension shows live Site Report data inline:
- Site rank, hosting country, ASN owner
- Risk rating + phishing flag status
- One-click jump to full Site Report
Useful during engagement scoping to confirm asset ownership without sending packets.
Tips
- Fully passive — target sees nothing.
- Hosting/OS history is Netcraft’s killer feature; nothing else has the same time depth.
- Site Report’s “Hosting history” can date origin migrations — handy for finding pre-CDN IPs.
- Subdomain search is incomplete on its own; pair with CT logs and bruteforce.
- Free use is rate-limited; for bulk/automation, look at Netcraft’s commercial Threat Intelligence APIs.
Related
- [[builtwith]] — historical tech stack overlap (less infra, more app-layer).
- [[wappalyzer]] — current tech only, browser-side.
- [[whatweb]] — active CLI fingerprinting if you need ground truth.
- [[wafw00f]] — pair Site Report (hosting) with WAF fingerprint for full edge picture.