XRay: a great network <a href="https://www.andreafortuna.org/tagged/osint" target="_blank">OSINT</a> gathering tool

Jul 19, 2017 by Andrea Fortuna

Really useful in the first phases of a penetration test

XRay is a tool for network OSINT gathering developed by Simone Margaritelli, useful to make initial tasks of information gathering and network mapping.

It make a bruteforce of subdomains using a wordlist and DNS requests, and for every subdomain/ip found retrieves from Shodan the open ports and from ViewDNS some historical data. Finally, for every unique ip address, and for every open port, it launch specific banner grabbers and info collectors.

Grabbers and Collectors

HTTP Server, X-Powered-By and Location headers.
HTTP and HTTPS robots.txt disallowed entries.
HTTPS certificates chain.
HTML title tag.
DNS version.bind. and hostname.bind. records.
MySQL, SMTP, FTP, SSH, POP and IRC banners.

Anonymity and Legal Issues

The software will rely on your main DNS resolver in order to enumerate subdomains, also, several connections might be directly established from your host to the computers of the network you’re scanning in order to grab banners from open ports. Technically, you’re just connecting to public addresses with open ports (and there’s no port scanning involved, as such information is grabbed indirectly using Shodan API), but you know, someone might not like such behaviour.

If I were you, I’d find a way to proxify the whole process … #justsaying

Usage

`Usage: xray -shodan-key YOUR_SHODAN_API_KEY -domain TARGET_DOMAIN
Options:
  -address string
        IP address to bind the web ui server to. (default "127.0.0.1")
  -consumers int
        Number of concurrent consumers to use for subdomain enumeration. (default 16)
  -domain string
        Base domain to start enumeration from.
  -port int
        TCP port to bind the web ui server to. (default 8080)
  -preserve-domain
        Do not remove subdomain from the provided domain name.
  -session string
        Session file name. (default "<domain-name>-xray-session.json")
  -shodan-key string
        Shodan API key.
  -viewdns-key string
        ViewDNS API key.
  -wordlist string
        Wordlist file to use for enumeration. (default "wordlists/default.lst")`

More information and downloads

« How to extract data and timeline from Master File Table on NTFS filesystem How to recover event logs from a Windows memory image »