ZeroTrace OSINT
Web Intelligence
Eleven tools for fingerprinting websites, mapping certificates, discovering subdomains, and reading the public history of any site.
The Web Intelligence discipline takes a domain or URL and answers everything publicly knowable about the website behind it: what tech stack it runs, which subdomains exist, which certificates have ever been issued, what its archive history looks like, what redirects fire, what its robots.txt and security.txt say, and what its favicon looks like.
These tools combine into a complete picture of a web property — the public-facing equivalent of a building's exterior survey.
What's in this section
| Tool | What it does | Best when |
|---|---|---|
| Site analysis | Tech stack, frameworks, CMS, web server, security headers, cookies, third-party hosts | Profiling a website's stack and exposure |
| Subdomain discovery | Enumerate subdomains via wordlist, certificate transparency, and live HTTP probing | External-attack-surface mapping |
| TLS inspector | Certificate chain, ciphers, TLS version, OCSP, CRL, JA3S/JA4S, sibling-hostname lookup | Verifying TLS posture, finding shared certs across infra |
| Wayback archive | Snapshot history, content diffs across captures, capture density chart | Time-travel against a website, finding deleted content |
| Redirect analyzer | Per-hop status, location, timing, final URL TLS info, cookie summary | Tracing tracking links, phishing chains, cloaked URLs |
| Robots & sitemap | Crawl rules, disallowed paths, sitemap index recursion, lastmod histogram | Finding interesting paths the site does not advertise |
| security.txt | RFC 9116 parsing, PGP key fetch, expiry status | Confirming an authorised security contact for the site |
| Favicon hash | mmh3 / sha256 hash + Shodan / Censys facet links | Pivoting from a favicon to other sites that share it |
| Web crawler | Multi-page crawl with email / phone / external-domain extraction | Initial reconnaissance over a small site |
| WebSocket inspector | Handshake status, accepted protocols, extensions, single-frame echo test | Probing real-time endpoints |
The Web Intelligence tools chain naturally. Subdomain discovery hands you hosts; site analysis hands you a tech stack per host; TLS inspector hands you a certificate per host; certificate transparency hands you sibling subdomains. One target domain becomes a complete site graph in five tools and a dozen pivots.
Common starting points
| You have... | Best first tool |
|---|---|
| A target domain you know nothing about | Site analysis (tech stack overview) |
| A target domain you want to inventory | Subdomain discovery |
| A suspicious link from a phishing report | Redirect analyzer |
| A site that recently changed | Wayback archive (compare snapshots) |
| A login portal you suspect is fake | TLS inspector + favicon hash |
| A vendor you are doing due diligence on | Site analysis + robots/sitemap + security.txt |
Working with the data
Every tool in this section:
- Surfaces the HTTP method used and the headers received.
- Surfaces the status code and any redirects observed.
- Pins to the active profile.
- Exports to JSON / CSV / Markdown.
- Auto-composes adjacent results where it makes sense (TLS inspector pulls sibling-hostnames from CT, site analysis pulls security.txt and robots.txt automatically).
What this section does not cover
- Active web exploitation. No SQL injection testing, no XSS payload firing. For preparing legitimate authorised tests, use the SQLMap command builder to construct commands and run them in a controlled environment.
- Logged-in / authenticated reconnaissance. Every tool here works against publicly accessible URLs. To inspect anything behind a login wall, you need permission from whoever operates that login wall and a different category of tool.
- JavaScript execution. The tools fetch and parse HTML; they do not run a headless browser. Site analysis catches stack signals from HTML, headers, and obvious patterns — for a single-page app that hides everything until JS runs, the signals are correspondingly thinner.