ZeroTrace OSINT
Network & IP Intelligence
Eleven tools for investigating domains, IP addresses, autonomous systems, and the network identity of any internet asset.
The Network & IP discipline is the most-used category in the toolkit. Almost every investigation starts here: who owns this domain, where is this IP, what hardware is sitting at this address, what does the routing path say about the operator.
The tools in this section combine into a coherent infrastructure picture. Pivots between them are tight: a WHOIS result lands you in DNS; DNS hands you IPs; IPs hand you geolocation, ASN, reputation, and reverse-DNS context.
What's in this section
| Tool | What it does | Best when |
|---|---|---|
| WHOIS lookup | Registrar, registration dates, nameservers, abuse contact, RDAP raw view | Starting from a domain. Determining who owns / runs / abuses an asset. |
| DNS lookup | A, AAAA, MX, NS, TXT, CNAME, SOA, CAA, plus DMARC / SPF / DKIM and DNSSEC chain | Mapping how a domain is configured. Email-deliverability checks. |
| DNS history | Historical IPs and hosts for a domain | Finding old infrastructure, abandoned subdomains, pre-migration footprints. |
| IP geolocation | Country, region, city, hosting flag, ISP, ASN, datacenter detection, map preview | Localising an asset. Distinguishing residential from datacenter. |
| Reverse DNS | PTR records for an IP — and the forward-confirmed reverse-DNS check | Discovering co-hosted domains. Finding hostname patterns. |
| ASN lookup | Autonomous-system info, prefix list, peering, abuse contact | Mapping a network's BGP footprint. Identifying the upstream provider. |
| IP reputation | Threat-feed checks across multiple public sources, Tor exit-node detection | Triage of suspicious IPs in your logs. Validating threat-intel hits. |
| Exposed services | Public services, ports, banners, CVEs, software versions | External-attack-surface mapping. Validating against asset inventory. |
| CIDR tools | Network calculator, range expander, mask preview, RFC1918/CGNAT/loopback classification | Planning scans, normalising IP lists, sanity-checking netmasks. |
| MAC vendor lookup | OUI / vendor, registry block type, locally-administered / multicast bit decoding | Identifying device vendors from packet captures or logs. |
Every tool in this section feeds the next one. A WHOIS result hands you a nameserver IP. The IP pivots into ASN. The ASN pivots into a prefix list. The prefix list pivots into reverse-DNS sweeps. Five clicks, a complete infrastructure map.
Common starting points
| You have... | Best first tool |
|---|---|
| A domain name | WHOIS lookup |
| An IP address | IP geolocation (then ASN + reverse-DNS) |
| A nameserver | DNS lookup with the type filter on NS, then resolve each |
| A CIDR block | CIDR tools to expand, then bulk-paste through reverse-DNS |
| An autonomous-system number | ASN lookup |
| A MAC address from a packet capture | MAC vendor lookup |
Working with the data
Every tool in this section:
- Surfaces source attribution — you see exactly which public registries and feeds contributed to the result.
- Supports bulk paste — most tools accept a textarea of inputs and aggregate results.
- Pins to the active profile — every result becomes a finding with full provenance.
- Exports as JSON / CSV / Markdown / clipboard — the table-shaped tools (reverse-DNS, exposed-services) flatten cleanly to CSV.
What this section does not cover
- Active scanning (port scans against a target). The toolkit's exposed-services tool surfaces publicly indexed services — it does not generate scan traffic itself. For active scanning, use the Recon Command Builders to generate Nmap commands and run them in a controlled environment.
- Packet capture / live traffic. This is a reconnaissance toolkit, not a sniffer. For wireless capture, see ZeroTrace AirLeak.
- Proxy operation. The Proxy & Anonymity section covers the toolkit's proxy validation tools. For routing your own traffic through proxies, see ZeroTrace Proxy.