We have all heard about the new reconnaissance tool Spyse, but what is so interesting about it, and how can we benefit from using it? This article walks through a few features of the Spyse service for performing recon effectively and gathering as much information as possible about an asset.
For this article, we take the Spyse organization itself as the example, performing recon on it and gathering as many details as possible.
When you first visit spyse.com, you will see the following interface. We want to perform recon based on an organization, so choose Organization from the dropdown and type in “Spyse”.
We are then presented with another screen listing all organizations with the word “Spyse” in their name. Click on the organization name and then on the “View Details” link to get the details of that organization.
Spyse uses data from Crunchbase to provide details about the organizations we are researching. This page shows details such as AS numbers with a similar name, CIDRs with a similar ISP name, SSL certificates with a similar issuer organization name, and more.
From the top-left pane, we can narrow our path and start performing recon on their domain. Clicking on “Organization’s website details” takes us to a page with most of the information we require about the domain: whois details, emails, current and historical DNS records, certificates, technologies in use, subdomains, and more.
We are more concerned with finding subdomains and similar domains for our assessment, so clicking on “Subdomains” in the left-hand pane gives us the list of subdomains identified by Spyse’s tool, with details such as DNS A and CNAME records, the TLS/SSL version in use, the website title, and so on.
Clicking on one of the listed subdomains gives us options to find related IPs and SSL/TLS certificates, or to view details of that subdomain and dive deeper into that specific asset.
Clicking on “View Details” again redirects us to the detailed page for that asset, where we can see the number of CVEs that Spyse’s scanners have associated with the subdomain. In our case, accounts.spyse.com does not have many details.
Moving one step back to where we identified the subdomains, we can also filter the results to find the SSL certificates in use and then find more subdomains and domains associated with that certificate. Clicking on “Find SSL/TLS Certificates” takes us to another page listing the certificates Spyse has found for that subdomain.
Now we can click on one of the certificates and then on “Find Related Domains” to find more domains associated with that certificate. Many hackers perform this step to find as many assets as possible when hunting for vulnerabilities for their bug bounty submissions. We are redirected to another page listing more domains and subdomains that use the certificate.
Suppose the organization is large and the scope is broad enough to include all of the assets we need. In that case, we manually go over each subdomain, find its certificates, and find further domains associated with those certificates, repeating the process until we have a useful data set of subdomains and assets for the organization. We can then move to the next phase and pick the least-tested asset to start testing for vulnerabilities.
If one does not want to go through all of this and would rather get the list of subdomains identified by Spyse directly, there is a separate Subdomain Finder feature, accessible by clicking on Tools in the menu and then on “Subdomain Finder”.
That takes us to a different interface that accepts domain names as input and returns the list of subdomains.
Once we have the list of subdomains, Spyse subscribers can download the result in either CSV or NDJSON format. We can then parse it and pipe it into any other tools we use for further testing, which makes the workflow easier. One good thing about it is that the result is stored for 3 months and can be accessed even if we no longer have a subscription. That is how one can use Spyse to find subdomains and domains.
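The certificate pivot described above (subdomain to certificate to further domains, repeated until the set stops growing) and the step of parsing the NDJSON export for other tools can both be automated offline once the export is in hand. The following is an added example written for this article; it is not Spyse's code, and the record field names it reads (`name`, `ip`, `cert_sha256`) are assumptions for illustration, as is the sample export, which is constructed here using RFC 5737 documentation addresses. It also adds something the manual click-through does not give you: a scope filter, so that hosts reached through a shared certificate but outside the agreed assessment scope are set aside rather than tested.

```python
import json
import sys
from collections import defaultdict

# Constructed NDJSON export, one record per line. Field names are ASSUMED;
# inspect the real export before relying on them. Line 6 is deliberately
# malformed so the parser's error handling is exercised.
SAMPLE_NDJSON = """\
{"name": "accounts.example.com", "ip": "203.0.113.10", "cert_sha256": "AAAA1111"}
{"name": "api.example.com", "ip": "203.0.113.11", "cert_sha256": "aaaa1111"}
{"name": "api.example.com", "ip": "203.0.113.11", "cert_sha256": "bbbb2222"}
{"name": "staging.example-labs.net", "ip": "198.51.100.7", "cert_sha256": "bbbb2222"}
{"name": "www.example.com", "ip": "203.0.113.12", "cert_sha256": "cccc3333"}
this line is not JSON
{"name": "cdn.thirdparty.net", "ip": "192.0.2.44", "cert_sha256": "dddd4444"}
"""


def parse_ndjson(text):
    """Parse NDJSON text into (records, bad_line_numbers).

    Malformed lines are skipped and reported rather than aborting the run,
    since a single bad line in a large export should not discard the rest.
    """
    records, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad_lines.append(lineno)
            continue
        if isinstance(rec, dict):
            records.append(rec)
        else:
            bad_lines.append(lineno)
    return records, bad_lines


def index_by_certificate(records):
    """Map each certificate fingerprint to the set of hostnames seen with it."""
    by_cert = defaultdict(set)
    for rec in records:
        fp, name = rec.get("cert_sha256"), rec.get("name")
        if fp and name:
            # Normalise case so "AAAA1111" and "aaaa1111" are the same cert.
            by_cert[fp.lower()].add(name.lower())
    return by_cert


def related_hosts(seed, records):
    """Transitive certificate pivot starting from one hostname.

    seed -> its certificates -> every host sharing those certificates ->
    their certificates -> ... until no new host appears. This is the manual
    "Find SSL/TLS Certificates" / "Find Related Domains" loop, done in code.
    """
    by_cert = index_by_certificate(records)
    by_host = defaultdict(set)
    for fp, hosts in by_cert.items():
        for host in hosts:
            by_host[host].add(fp)

    seen = {seed.lower()}
    frontier = [seed.lower()]
    while frontier:
        host = frontier.pop()
        for fp in by_host.get(host, ()):
            for other in by_cert[fp]:
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
    return sorted(seen)


def in_scope(hosts, scope_suffixes):
    """Keep only hosts equal to, or a subdomain of, an agreed scope suffix."""
    suffixes = [s.lower().lstrip(".") for s in scope_suffixes]
    return [h for h in hosts
            if any(h == s or h.endswith("." + s) for s in suffixes)]


if __name__ == "__main__":
    # Usage: python pivot.py export.ndjson accounts.example.com example.com
    # With no arguments the constructed sample is used instead.
    if len(sys.argv) >= 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        seed, scope = sys.argv[2], sys.argv[3:]
    else:
        text, seed, scope = SAMPLE_NDJSON, "accounts.example.com", ["example.com"]
    records, bad = parse_ndjson(text)
    if bad:
        print(f"skipped malformed lines: {bad}", file=sys.stderr)
    # One host per line on stdout, ready to pipe into the next tool.
    for host in in_scope(related_hosts(seed, records), scope):
        print(host)
```

Run without arguments, the sample pivot from accounts.example.com reaches api.example.com through the shared certificate and staging.example-labs.net through api's second certificate; the scope filter then prints only the two example.com hosts and leaves the out-of-scope host for a scoping conversation rather than a test.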