System Manual

Infrastructure & Reconnaissance Protocol // v2.1

Discovery & Passive Intelligence

1. SubDomain Finder

Enumeration of organizational subdomains using passive reconnaissance techniques.

Technical Mechanism

Aggregates data from over 50 public sources, including search engine caches, Rapid7 Sonar, and Certificate Transparency (CT) logs via crt.sh.

Architectural Logic

It avoids direct interaction with the target's DNS servers to remain undetected. The module filters out duplicate entries and validates resolution status before presentation.

Core Capabilities

  • Searches through 50+ public databases simultaneously
  • Identifies wildcard DNS configurations automatically
  • Historical subdomain tracking across time periods
  • Integration with Certificate Transparency logs
  • Detects expired subdomains with active DNS records

Data Points Extracted

  • Total subdomains discovered
  • Active vs inactive ratio
  • SSL certificate coverage
  • Response time metrics
  • Geographic distribution of servers

2. Registration Info (WHOIS)

Retrieval of domain ownership and administrative metadata.

Technical Mechanism

Queries WHOIS servers over the WHOIS protocol (TCP port 43) to extract registrar details, creation/expiration timestamps, and contact information.

Architectural Logic

The system parses raw WHOIS text into a structured JSON format, highlighting critical data points like domain age and privacy protection status.
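The parsing step described above, as an added example (not the product's own code): it turns a raw WHOIS reply into a JSON-serialisable dict and derives domain age and privacy status. The sample reply, the `parse_whois` name, and the privacy keyword list are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a raw WHOIS reply (not a real registration).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-10T12:00:00Z
Registry Expiry Date: 2026-03-10T12:00:00Z
Updated Date: 2024-02-01T08:30:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
Registrant Organization: Privacy Protect, LLC
Registrant Country: US
>>> Last update of whois database: 2025-01-01T00:00:00Z <<<
"""

# Assumed keyword list; privacy services differ between registrars.
PRIVACY_HINTS = ("privacy", "redacted", "whoisguard", "proxy")
REPEATABLE = {"name_server"}  # keys that legitimately occur more than once


def parse_whois(raw, now=None):
    """Parse 'Key: value' lines into a dict and add derived fields."""
    now = now or datetime.now(timezone.utc)
    rec = {}
    for line in raw.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*)$", line)
        if not m:
            continue  # banners, blank lines and footers carry no fields
        key = m.group(1).strip().lower().replace(" ", "_")
        value = m.group(2).strip()
        if key in REPEATABLE:
            rec.setdefault(key, []).append(value.lower())
        else:
            rec.setdefault(key, value)  # keep the first occurrence
    created = rec.get("creation_date")
    if created:
        born = datetime.fromisoformat(created.replace("Z", "+00:00"))
        rec["domain_age_days"] = (now - born).days
    registrant = " ".join(
        v for k, v in rec.items() if k.startswith("registrant")
    ).lower()
    rec["privacy_protected"] = any(h in registrant for h in PRIVACY_HINTS)
    return rec
```

Real WHOIS replies are not standardised across registries, so field names and date formats other than the ones in the sample need their own handling.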

Core Capabilities

  • Extracts registrar and registrant information
  • Identifies domain creation and expiration dates
  • Maps administrative and technical contacts
  • Detects privacy protection services
  • Historical WHOIS data comparison

Data Points Extracted

  • Domain age calculation
  • Nameserver configurations
  • Email patterns of contacts
  • Registration country and jurisdiction
  • Update history timestamps

3. Deep Crawler

Automated mapping of web application directory structures and resource endpoints.

Technical Mechanism

Recursively follows internal links (HREF/SRC) to build a tree-like architecture of the target domain.

Architectural Logic

It identifies hidden files such as .env, .git, and backup archives. It utilizes custom user-agents to simulate various browser environments and bypass basic crawler traps.

Core Capabilities

  • Recursive link following with depth control
  • JavaScript-rendered content extraction
  • Identifies exposed configuration files
  • Detects backup and temporary files
  • Maps API endpoints and parameters

Data Points Extracted

  • Total pages discovered
  • Directory depth analysis
  • File type distribution
  • Response code statistics
  • Potential sensitive data exposure

4. Profile Hunter

Cross-platform digital footprint identification.

Technical Mechanism

Executes asynchronous HTTP requests to check whether a specific username exists across 2,000+ social media, coding, and forum platforms.

Architectural Logic

It analyzes response status codes and page content patterns to distinguish between 'Page Not Found' and 'Active Profile' states, minimizing false positives.

Core Capabilities

  • Searches 2,000+ platforms simultaneously
  • Machine learning for false positive reduction
  • Profile metadata extraction
  • Activity timeline reconstruction
  • Cross-platform username correlation

Data Points Extracted

  • Number of active profiles found
  • Platform category distribution
  • Account creation dates
  • Public engagement metrics
  • Linked accounts detection

Analysis & HTTP Interrogation

1. DNS Enumeration

In-depth analysis of DNS record configurations.

Technical Mechanism

Directly queries nameservers for A, AAAA, MX, TXT, CNAME, and NS records to identify underlying infrastructure.

Architectural Logic

It specifically looks for misconfigured SPF/DMARC records that could lead to email spoofing and checks for CNAME entries pointing to expired external services (Subdomain Takeover).
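The SPF/DMARC part of this check, as an added example for auditing your own domain's records (not the product's own code). The TXT strings are constructed, and the function names and finding texts are assumptions; fetching the records is left out so the block runs offline.

```python
import re

# Constructed TXT answers for a hypothetical domain (not real data).
ROOT_TXT = ["v=spf1 include:_spf.example.test ip4:192.0.2.0/24 ~all",
            "site-verification=constructed-placeholder"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.test; pct=50"]

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_NOTES = {"+": "+all authorises every sender",
             "?": "?all is neutral, so unlisted senders are not failed",
             "~": "~all is softfail only"}


def audit_spf(txt_records):
    """Return findings for the SPF record among a name's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (permerror)"]
    findings, names = [], []
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        names.append(name)
        if name == "all" and qualifier in ALL_NOTES:
            findings.append(ALL_NOTES[qualifier])
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term, so unlisted senders get a neutral result")
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 DNS-lookup terms (permerror)")
    return findings


def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is not blocked")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of the mail")
    return findings
```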

Core Capabilities

  • Complete DNS record type enumeration
  • Zone transfer attempt detection
  • DNS security extension (DNSSEC) validation
  • Mail server configuration analysis
  • Reverse DNS lookup verification

Data Points Extracted

  • All record types and values
  • TTL configurations
  • SPF/DKIM/DMARC policy strength
  • Nameserver response times
  • Geographic IP distribution

2. Firewall Detector (WAF)

Detection and fingerprinting of Web Application Firewalls.

Technical Mechanism

Injects benign payloads into HTTP requests and analyzes the response headers and body for specific firewall signatures.

Architectural Logic

Can identify over 100 WAF solutions including Cloudflare, AWS WAF, and ModSecurity by correlating unique server-side rejection patterns.

Core Capabilities

  • Identifies 100+ WAF vendors and versions
  • Tests rule effectiveness with safe payloads
  • Detects rate limiting configurations
  • Maps blocking patterns and triggers
  • Identifies bypass opportunities

Data Points Extracted

  • WAF vendor and version
  • Protection level assessment
  • Response delay patterns
  • Custom rule indicators
  • CDN integration status

3. Cloud Provider Identification

Determining the hosting environment and cloud service provider.

Technical Mechanism

Performs IP-to-ASN mapping and cross-references results with known IP ranges belonging to major cloud vendors.

Architectural Logic

Identifies if the target is behind a CDN/Proxy or hosted on Virtual Private Servers (VPS) within AWS, GCP, Azure, or DigitalOcean.

Core Capabilities

  • Detects major cloud platforms automatically
  • Identifies CDN and proxy layers
  • Maps regional data center locations
  • Determines hosting architecture type
  • Discovers multi-cloud configurations

Data Points Extracted

  • Cloud provider name and region
  • ASN and IP range details
  • CDN presence and vendor
  • Server instance types
  • Network topology insights

Security & Infrastructure Auditing

1. TLS Engine (TLSx)

Cryptographic health and SSL/TLS configuration auditing.

Technical Mechanism

Initiates a full TLS handshake to extract certificate chain details, supported cipher suites, and protocol versions.

Architectural Logic

Checks for vulnerabilities such as Heartbleed, expired certificates, weak DH keys, and lack of HSTS headers. It validates the trust chain against global Root CAs.
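Two of the checks named above, certificate expiry and HSTS, as an added example (not the product's own code). The certificate dict is constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the headers are constructed, and both thresholds are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inputs: a dict shaped like ssl.SSLSocket.getpeercert() output
# and the response headers of a hypothetical site.
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2025 GMT",
               "notAfter": "Apr  1 00:00:00 2025 GMT"}
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=86400"}

MIN_HSTS_AGE = 15768000   # assumed threshold: about six months, in seconds
EXPIRY_WARN_DAYS = 30     # assumed warning window


def cert_findings(cert, now):
    """Flag a certificate that is not yet valid, expired, or close to expiry."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < not_before:
        return ["certificate not yet valid"]
    if ts > not_after:
        return ["certificate expired"]
    days_left = int((not_after - ts) // 86400)
    if days_left < EXPIRY_WARN_DAYS:
        return [f"certificate expires in {days_left} days"]
    return []


def hsts_findings(headers):
    """Flag a missing, disabled, or short-lived HSTS policy."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no HSTS header"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return ["HSTS header without a valid max-age"]
    findings = []
    if int(max_age) == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif int(max_age) < MIN_HSTS_AGE:
        findings.append(f"max-age={max_age} is below {MIN_HSTS_AGE} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings
```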

Core Capabilities

  • Full certificate chain validation
  • Tests for 50+ known TLS vulnerabilities
  • Cipher suite strength assessment
  • Protocol version compatibility check
  • HSTS and security header analysis

Data Points Extracted

  • Certificate validity and issuer
  • Supported protocol versions
  • Cipher suite rankings
  • Vulnerability scores
  • Security header presence

2. Traffic Balancer (LBD)

Detection of Load Balancing infrastructure and server clusters.

Technical Mechanism

Analyzes HTTP response differentials and 'Date' header fluctuations across multiple concurrent sessions.

Architectural Logic

Detects DNS Round Robin, Hardware Load Balancers, and Application Delivery Controllers by identifying micro-variations in server fingerprints.

Core Capabilities

  • Identifies load balancing algorithms
  • Maps backend server pool size
  • Detects session persistence methods
  • Health check endpoint discovery
  • Failover configuration analysis

Data Points Extracted

  • Number of backend servers
  • Load balancing method type
  • Response time variance
  • Server affinity patterns
  • Infrastructure redundancy level

3. Port Scanner

Identification of open network ports and running services.

Technical Mechanism

Utilizes high-speed SYN scanning to probe common ports (Top 1000) and identify active services.

Architectural Logic

Attempts service version detection by analyzing banners returned by the port. It provides a map of the attack surface beyond standard web ports (80/443).

Core Capabilities

  • Scans top 1000 common ports rapidly
  • Service version fingerprinting
  • Operating system detection
  • Banner grabbing and analysis
  • Vulnerability correlation by service

Data Points Extracted

  • Open ports and services list
  • Service versions detected
  • Operating system estimation
  • Non-standard port services
  • Potential security exposures

System Synchronized // Aimfrost Global