Welcome back, my open source intelligence (OSINT) investigators.
In previous tutorials, we have examined numerous web services that compile key information that is useful to pentesters, hackers and bug hunters. These include;
BuiltWith
Netcraft
These are all great tools but I'm going to show you a new kid on the block who might be the best! Not only can you use it to find all the information available in those services in one place and it has an easy-to-use, intuitive interface, but the data is maintained to always give you the most current information.
What is Spyse
Spyse is an internet asset registry with over 25GB of data on targets from around the world. It was specifically designed to help bug bounty hunters, pentesters, open source investigators and cybersecurity engineers to:
Find targets for bug bounty hunting
Analyze your own infrastructure and your vendors for potential risks to your company
Investigations
Research of very large datasets
Spyse Data Collection
One of the features that makes Spyse so unique is its data gathering. Spyse uses 60 servers around the world to gather data. By placing these servers in geographically distinct area, it avoids rate, geolocation and ISP blockage. Spyse uses qualitative data gathering with 38 self-developing scanners that unite their data into a single scanning pipeline. This means that Spyse's data avoids the issue of old and outdated data that plague the other global scanners. By scanning the globe continuously, Spyse can update;
IPv4 ranges in less than 4 weeks
Domains in less than 2 months
All other data updates daily
Spyse also has a number of powerful features for finding security vulnerabilities.
Part #1: Using Spyse to Research a Domain
To begin using Spyse, go to the home page Spyse.com. From there, I suggest you open a trial account. This is free and gives you all of the privileges of a standard account for a limited number of days.
From the Spyse home page, you can conduct research on your target from 8 different angles;
Domain
IP Address
AS
CIDR
Certificate
Technology
CVE
Organization
In this tutorial, let's begin with a generic search of a domain, specifically sans.org. Click on the pull down menu and select Domain. Next, enter the name of the domain.
Once you click on ENTER, Spyse takes a few seconds to retrieve all the data it has accumulated on that domain. It begins by providing general information about the domain such as title, description and Alexa rank, followed by the DNS records (similar to those you would receive using the dig command in Linux).
In the next window, Spyse summarizes the security of the site with a comprehensive score in the upper left corner of this screenshot (100 for sans.org) and the technologies employed in the site (similar to Netcraft and BuiltWith).
If we scroll down the page, we can see the Certificates, Subdomains and WhoIs listing.
Finally, near the bottom of the page you will find information about the Organization and any scraped emails from the site (similar to the results available using theHarvester).
Part 2: Finding Vulnerable Targets
Spyse enables you to do advanced searches where you can do searches for detailed information about sites. For instance, we can search for Microsoft SharePoint servers (CVE-2019-0604) that were actively used in past weeks by ransomware group WickrMe/Hello. This search reveals that nearly 24,000 servers are being actively used by this ransomware group!
We can construct the advanced search like that below...
...and Spyse returns a list of 23.7K sites meeting this criteria with key information .
Summary
Spyse is a new internet data collector, aggregator and analysis web site that incorporates the functionality of multiple similar sites into single interface. In addition, the data is always up-to-date, making it especially useful in your security assessments and research. In future Spyse tutorials, I will show you how to use Spyse to find particular vulnerabilities, technologies and advanced searches crucial to your security assessments.