Spyse is a search engine which can be used to identify internet assets and perform external reconnaissance easily. Results are delivered fast. Pentestlab has recently performed a review of the product and the results are presented in this article.

Subdomains of a particular domain can be easily discovered to aid in the process of asset discovery. Penetration testers and red teamers should be able to use it during Open Source Intelligence Assessments or while examining the external attack surface of their client. A records, DNS CNAME and version of TLS/SSL are also returned into the results. Since TLS and SSL are affected by a number of vulnerabilities it could be used as an initial step prior to any other tool.

Spyse also performs web spidering on the target domain therefore information such as the links, robots.txt files and HTTP headers can also retrieved. This can aid towards fingerprinting of the existing technologies in use by the website in scope, identification of sensitive URL’s and mapping the application.

Spyse has also the ability to discover other domains that exist on the same IP address. This is a common finding in penetration test reports since multiple domains on the same host increase the attack surface.

All the output can be downloaded in two formats:

1. CSV (Comma-Separated Values)
2. ND JSON (Newline Delimited JSON)

Vulnerabilities

Spyse can also perform vulnerability discovery by identifying open ports and matching the port discovery with a CVE (Common Vulnerabilities & Exposures) number. The search functionality also allows users of the service to search by CVE number:

During the port discovery banners and versions are also retrieved which could help to retrieve further information for reporting purposes and for correlations of versions with any existing vulnerabilities.

Conclusion

Passive reconnaissance it is the first step on every red team engagement or external security assessment. Spyse has the ability to return data back to the user very fast and with efficiency by performing a semi-automatic information gathering. Internal cyber security teams and penetration testers could benefit from the service especially if they have to perform recon in companies that have big external presence with multiple assets as Spyse can accelerate this kind of activities. Still not convinced? Give it a try!