OSINT Tools
OSINT Tools is a suite of open-source intelligence utilities built directly into Hawkra. Rather than switching between external services during reconnaissance, you can run domain lookups, data breach searches, IP geolocation, and infrastructure scans from a single interface. The tools are organized across three tabs -- Domain Information, User Information, and Host Information -- each focused on a different category of intelligence gathering.
Data Breach Search, GeoIP Lookup, and Shodan Search require a Premium or Self-Hosted subscription. WHOIS and DNS lookups are available to all users.
How It Works
OSINT Tools is accessible from the top navigation bar and operates at the account level, independent of any workspace. When you submit a query, Hawkra sends it to the corresponding backend service, which performs the lookup and returns structured results. Each tool has its own input form and results display optimized for the type of data returned.
Premium-only tools are gated behind a lock overlay. If your account tier does not include premium features, you will see a prompt to upgrade when navigating to the User Information or Host Information tabs.
Domain Information
The Domain Information tab is available to all authenticated users and contains two tools for investigating domain names.
WHOIS Lookup
WHOIS Lookup retrieves registration information for a domain name. Enter a domain (e.g., example.com) and Hawkra returns the parsed registration details along with the raw WHOIS text.
Returned data:
| Field | Description |
|---|---|
| Registrar | The domain registrar that manages the registration |
| Created Date | When the domain was first registered |
| Expiry Date | When the domain registration expires |
| Name Servers | The authoritative DNS servers for the domain |
| Raw WHOIS Text | The complete, unprocessed WHOIS response for manual analysis |
The raw WHOIS text is displayed in a scrollable code block, which is useful when the parsed fields do not capture all the details you need -- for example, registrant contact information or DNSSEC status.
DNS Lookup
DNS Lookup resolves DNS records for a domain. Select a record type from the dropdown and enter a domain to query.
Supported record types:
- A -- IPv4 address records
- AAAA -- IPv6 address records
- MX -- Mail exchange records (includes priority values)
- TXT -- Text records (SPF, DKIM, DMARC, verification tokens)
- NS -- Name server records
- CNAME -- Canonical name (alias) records
Results are displayed in a table showing each resolved value. For MX records, a priority column is included. A record count badge shows the total number of records returned, and the TTL (time to live) is displayed when available.
User Information
The User Information tab contains tools for investigating email address exposure in data breaches. This tab requires a Premium or Self-Hosted subscription.
Data Breach Search
Data Breach Search uses the HaveIBeenPwned API to check whether an email address has appeared in known data breaches or public pastes. Enter an email address and Hawkra searches for both breach records and paste records sequentially.
Breach Results
When breaches are found, they are displayed in a sortable table with the following columns:
| Column | Description |
|---|---|
| Breach | The name/title of the breached service |
| Domain | The domain associated with the breach |
| Breach Date | When the breach occurred |
| Accounts | The total number of accounts compromised in the breach |
| Status | Whether the breach has been verified or is unverified |
Each breach row is expandable. Click a row to reveal additional details:
- Description -- A narrative summary of the breach event
- Exposed Data -- The types of data compromised (e.g., email addresses, passwords, IP addresses, phone numbers), displayed as individual tags
- Added Date -- When the breach was added to the HaveIBeenPwned database
- Sensitive Flag -- Whether the breach is marked as sensitive (e.g., adult sites)
Breaches are sorted by date with the most recent first.
Paste Results
Paste results are displayed in a separate collapsible section below the breaches. Each paste entry shows:
| Column | Description |
|---|---|
| Title | The title of the paste, if available |
| Source | Where the paste was found (e.g., Pastebin) |
| Date | When the paste was created |
| Emails | The number of email addresses found in the paste |
| ID | The unique identifier of the paste |
Both sections display a count badge (e.g., "12 breaches", "3 pastes") and can be collapsed independently. If no breaches or pastes are found, a green confirmation message is displayed.
Breach searches are rate-limited by the HaveIBeenPwned API. The paste search runs automatically after the breach search completes, with a brief delay to respect rate limits.
Host Information
The Host Information tab contains tools for investigating IP addresses and network infrastructure. Both tools require a Premium or Self-Hosted subscription.
GeoIP Lookup
GeoIP Lookup determines the geographic location and network information for an IP address. Enter an IP address (e.g., 8.8.8.8) to retrieve location data.
Returned data:
| Field | Description |
|---|---|
| Country | The country where the IP is located, with country code |
| City | The city-level geolocation |
| ISP | The internet service provider operating the IP |
| Timezone | The timezone associated with the IP's location |
| Coordinates | GPS latitude and longitude (displayed to 4 decimal places) |
Shodan Search
Shodan Search queries the Shodan database for information about internet-connected devices. Enter an IP address or domain name to retrieve infrastructure details.
Returned data:
| Field | Description |
|---|---|
| Organization | The organization that owns the IP range |
| ISP | The internet service provider |
| Hostnames | Resolved hostnames associated with the target, displayed as tags |
| Vulnerabilities | CVE identifiers for known vulnerabilities detected on the target, highlighted in red |
| Open Ports | A table listing each discovered port with its protocol and detected service name |
A port count badge is displayed next to the results header showing the total number of open ports found. The vulnerabilities section uses a red highlight to draw attention to security issues. If no data is found for a target, a "No data found" message is displayed.
Combine Shodan Search with the Threat Dashboard to cross-reference CVEs found on your targets with active exploitation data and EPSS scores.
Key Actions
| Action | How |
|---|---|
| Look up domain registration | Go to Domain Information tab, enter a domain in the WHOIS tool, click Lookup WHOIS |
| Query DNS records | Go to Domain Information tab, select a record type, enter a domain, click Query DNS |
| Search for data breaches | Go to User Information tab, enter an email address, click Search |
| Expand breach details | Click on a breach row to reveal description, exposed data types, and metadata |
| Look up IP geolocation | Go to Host Information tab, enter an IP address in the GeoIP tool, click Lookup Location |
| Search Shodan | Go to Host Information tab, enter an IP or domain in the Shodan tool, click Search Shodan |
Tips and Notes
- No workspace required: OSINT Tools operate at the account level. You do not need to be inside a workspace to use them.
- Rate limits: External APIs (HaveIBeenPwned, Shodan) have rate limits. If you receive an error, wait a moment and try again.
- Self-hosted API keys: Self-hosted deployments need to configure API keys for HaveIBeenPwned and Shodan in the Admin Settings or environment variables for premium OSINT tools to function.
- Combine with workspace data: Use OSINT findings to enrich your workspace assets. For example, run a Shodan search on a target IP, then cross-reference the discovered ports and vulnerabilities with assets already tracked in your workspace.
- DNS for enumeration: Query TXT records to discover SPF, DKIM, and DMARC configurations. Query NS and CNAME records to map out a domain's infrastructure during reconnaissance.
- WHOIS for attribution: WHOIS data can reveal registrant organizations, registration timelines, and name server configurations that help attribute domains to threat actors during investigations.