lostrabbitlabs

WisQuas v1 – Manual & How To

Table of Contents
1. What is WisQuas?
2. How Does WisQuas Work?

3. How To Access WisQuas

4. Account Types & Descriptions

5. What is Currently in the WisQuas Database?

6. How to use WisQuas

     6A. Crawling - Initiating a scan against a domain

     6B. Viewing Results - Domain View vs. Subdomain View

     6C. Searching - Domain vs Global

     6D. OSINT and 'Next Pivots' - Digital Footprinting / Threat Intel

     6E. Generating a Report - Identifying issues and investigating scores & stats

7. Roadmap

8. Feedback

9. Contact us




1. What is WisQuas?

The WisQuas Engine attempts to reveal that which may be hidden, through slight fuzzing, enumeration, and fingerprinting around your entire domain and its web services. Using a handful of nominal web requests, WisQuas Engine attempts to identify areas of weakness around serious Information Disclosures, Security and Service Misconfigurations, Default Installations, and Missing Input Sanitization. Hidden web containers, granting access to Shadow VHosts and localhost data, are detected along with WAF bypassing payloads, Host Header Manipulations, successful VERB Tampering, and User Agent redirection. DNS anomalies and Domain Shadowing may also be detected across a domain. In addition, full ‘Digital Footprint Discovery and Inventory’ across a domain is performed for completeness.


2. How Does WisQuas Work?

WisQuas will perform the following functions around a provided domain name:

  • Resolve hostnames to IP addresses
  • Perform ASN lookup on IP address to provide ownership info and geo/location info
  • Perform subdomain enumeration and lookups
  • Perform WHOIS lookup on domain name
  • Reverse look-ups are performed on all WHOIS attributes
  • Reputation and classification look-ups are performed on all subdomains and IP addresses
  • Inventory and storage performed on all received headers, cookies, and meta-data (no content/request data is stored)
  • Original URL request is ‘base-lined’ to be compared to all other requests
  • Tactical fuzzing and enumeration across entire domain performed to generate unique errors and reveal layered web services
  • Inspection of robots.txt file if available
  • Enumerate through possible HTTP Verbs
  • Perform Host Header Manipulation to detect additional accessible containers
  • Enumerate through a list of User-Agents on subdomain
  • Catalog and store all digital assets in a searchable database


3. How To Access WisQuas

You can try WisQuas for FREE by clicking the link below: 
https://wisquas.lostrabbitlabs.com/

Number of results is limited for FREE accounts. Paid accounts include access to Admin, Reporting, and initiating crawls.

4. Account Types & Descriptions
n00b: FREE! No sign-up required. 20 results per query. No crawling.
Jr Analyst: FREE! Email sign-up required. 100 (paginated) results per query. No crawling.
Infosec Pro ($20/mo): Unlimited results per query. Limited crawling to public container.
Researcher ($99/mo): Admin & Reporting Portal, Extended Crawling, & Privately tagged crawls.
Business ($999/mo): Up to 10 user accounts, Unlimited Crawling, & Privately tagged crawls.
Enterprise ($2000/mo): Monitoring & Reporting Portal, Unlimited Crawling, & Private system.


5. What is Currently in the WisQuas Database?

Lost Rabbit Labs is crawling in-scope bug bounty domains for use by Bug Bounty and Threat Hunting analysts, in order to assist with more efficiently finding and submitting discovered issues.

Click Here for List of Ingested Domains Available for Search.

All domains scraped from the Public Bugbounty Programs Repo.



6. How to use WisQuas

  A. Crawling – Initiating a scan against a domain
  B. Viewing Results – Domain results vs. Subdomain results
  C. Searching – Domain vs. Global searching
  D. OSINT and ‘Next Pivots’ – Digital Footprinting / Threat Intel
  E. Generating a Report – Identifying issues and investigating scores & stats


6A. Crawling - Initiating a scan against a domain
Currently WisQuas is functioning in an OPEN ALPHA mode of operation and all crawling by users is disabled until a future update. If you would like something to be crawled and ingested into the public database, feel free to reach out to us at: https://lostrabbitlabs.com/contact-us

Current WisQuas Database Contents: Click Here for List of Ingested Domains Available for Search
  


6B. Viewing Results - Domain View vs. Subdomain View
Once a domain has been crawled and indexed, you can use the WisQuas Search Bar to view results. For example, if you would like to view all subdomains in a domain use the query below:

Query Syntax
url:domain.tld

Example Usage:
url:comcast.com


Enter the query into the search bar and click the ‘View’ button. After a brief moment, your results should load.




Domain View with Discovered Subdomain Listing

  • FREE accounts are limited to a maximum of 100 results (paginated at 20 results per page)
  • Paid accounts include unlimited results




Paginated Results (20 results per page).


:: Domain View with Discovered Subdomain Listing ::

Left Info Panel - Domain/IP/ASN/DNS Information
Domain & Scanned IP/Host
Nameservers (click on servers for more info)
ASN / GEO Information
Reputation Lookups / Blocklists
All Resolved DNS (click on host for ASN Info)
Total Discovered Subdomains/Scan Results

Middle Info Panel - Registrar Information and Address

Registrar Info
Domain Creation & Expiration Dates
Company Address / Google Maps Link (click for more info)

Right Info Panel - Digital Footprint and 'Next Pivots'


Whois Lookup Information (click on links for associated domains)
  Org Name
  Person Name
  Email
  IP Address

OSINT / Social Media / Attribution / Framework
Data Leakage Awareness / Google Dorks Links

Below the three (3) top information panels you will find the complete listing of discovered subdomains.

:: Subdomain Listing with Host Information ::




This view is similar to normal spreadsheet (.csv) output, with columns and rows of result data (with each discovered subdomain/host on a new line or row). Detailed descriptions of column data below:




From this view you can click on the desired Host (http://domain.tld) to drill into the Subdomain View.

Subdomain View with Payload, Verb, Host, and UA Result Listings

  • Header, Cookie, and robots.txt displayed for baseline host request
  • ScoreTabs for grouping alike and unique responses


:: Subdomain View Explained ::
Left Info Panel - Domain/IP/ASN/DNS Information

Subdomain & Scanned IP/Host
ASN / GEO Information
Reputation Lookups / Blocklists
All Resolved DNS (click on host for ASN Info)
OSINT / Social Media / Attribution / Framework
Data Leakage Awareness / Google Dorks Links

Middle Info Panel - Response Headers and Cookies

HTTP Response Headers
HTTP Response Cookies

Right Info Panel - ScoreTabs and Enumeration Groups

ScoreTabs for Enumeration Grouping (status code/length)
Payloads – 80+ payload results
Verbs – HTTP Verb enumeration results
Hosts – Host header results
User-Agents  – All unique User-Agent header values
Titles – All unique Title header values
Servers – All unique Server header values

Clicking on the desired ScoreTab will display results for all unique groups observed.


Payload Results Listing with Request Information


This view is similar to normal spreadsheet (csv) output, with columns and rows of result data (with each payload result on a new line or row). Detailed descriptions of column data below:



Clicking on the Payload name (e.g. index.html) will open a browser request to that specific URL.
Clicking on ‘Server’ will result in a lookup on https://cve.mitre.org/ for web server vulnerabilities.

414 Flood Response Output


Any content received when generating a 414 Flood web response is displayed here. This may contain an unintended Information Disclosure around hidden web containers and their associated hostname or IP address (including RFC1918 and IPv6).
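
To check one of your own error bodies for this kind of disclosure, the following added example (not WisQuas code) scans a response body for RFC1918, loopback and IPv6 ULA/link-local addresses and for internal-looking hostnames. The sample body, the function names and the list of internal DNS suffixes are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample error body for illustration; not output from a real host.
SAMPLE_414_BODY = """<html><head><title>414 Request-URI Too Large</title></head>
<body><h1>Request-URI Too Large</h1>
<address>Apache Server at app01.corp.internal (10.20.30.41) Port 8080</address>
<!-- upstream fd12:3456:789a::15 via 203.0.113.9 -->
</body></html>"""

# Explicit ranges, so documentation or public addresses are never flagged.
INTERNAL_NETS = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "ipv6-ula": ["fc00::/7"],
    "ipv6-link-local": ["fe80::/10"],
}
NETS = [(label, ipaddress.ip_network(n))
        for label, nets in INTERNAL_NETS.items() for n in nets]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
IPV6_RE = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![0-9A-Fa-f:.])")
# Assumed internal-only DNS suffixes; adjust to your own naming scheme.
HOST_RE = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|lan|corp)\b", re.I)

def classify(candidate):
    """Return the internal-range label for an address string, or None."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:  # e.g. 999.1.1.1 or a timestamp such as 12:30:45
        return None
    for label, net in NETS:
        if addr.version == net.version and addr in net:
            return label
    return None

def find_internal_leaks(body):
    """List (value, label) pairs for internal addresses and hostnames in body."""
    leaks = []
    for match in IPV4_RE.findall(body) + IPV6_RE.findall(body):
        label = classify(match)
        if label:
            leaks.append((match, label))
    leaks += [(h, "internal-hostname") for h in HOST_RE.findall(body)]
    return leaks
```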

Robots.txt Output


If the subdomain has a “robots.txt” file in the web container, it will be displayed underneath the 414 Flood Response Output area.

Verb Enumeration Output



You can validate results by clicking on the desired Verb name to copy a custom curl command. For example, clicking on the HTTP Verb “TRACK” will copy the following command into your clipboard:

curl -X TRACK http://aptrepo-thunderbolt.comcast.com -vv -k

Host Header Enumeration Output



You can validate results by clicking on the desired HOST name to copy a custom curl command. For example, clicking on the HOST name ‘localhost’ will copy the following command into your clipboard:

curl -H "Host: localhost" http://aptrepo-thunderbolt.comcast.com -vv -k

User-Agent Enumeration Output



You can validate results by clicking on the desired USER-AGENT name to copy a custom curl command. For example, clicking on the USER-AGENT name ‘Wget/1.15 (linux-gnu)’ will copy the following command into your clipboard:

curl -H "User-Agent: Wget/1.15 (linux-gnu)" http://aptrepo-thunderbolt.comcast.com -vv -k

6C. Searching - Domain vs. Global

Through crawling efforts and storing some results with WisQuas, Lost Rabbit Labs is building a haystack of digital inventory for further analysis. Once all crawls have completed, you can search all saved data using our custom Rabbit Query Language (RQL). RQL is Lucene based, with some additional custom search parameters and scoring methods (more info below) to increase the likelihood of retrieving legitimate findings versus false positive findings. Our goal is to decrease the noise-to-signal ratio and increase the amount of actionable intelligence provided by WisQuas.

RQL Parameters Defined



Example WisQuas Searches Using RQL

NOTE: You must start your query with one (1) of the following before using other parameters:

url, payload, verb, host


Find all subdomains for a domain:
url:domain.tld

Find a unique host:
url:www.domain.tld

Find results in entire database where title matches “Index of /” :
url:. title:"Index of /"

Find all instances of ‘phpMyAdmin’ in entire database:
url:. payload:phpMyAdmin/ title:"phpMyAdmin"

Find successful hidden container or Shadow VHOST access:
host:. status:200 baseline.status:!200

Some Lucene is supported including wildcard (.) and fuzzy matching ($).
payload:server-status url:. title:$"Apache Stat" status:200 length:55,9999999
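
The baseline comparison behind the ScoreTabs grouping (status code/length) and the `host:. status:200 baseline.status:!200` query can be reproduced offline on responses you have recorded for your own hosts. This is an added example, not WisQuas code; the record fields, function names and sample values are constructed assumptions and do not reflect the WisQuas schema.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical.
BASELINE = {"status": 403, "length": 162}
HOST_RESULTS = [
    {"host": "localhost", "status": 200, "length": 5120},
    {"host": "127.0.0.1", "status": 200, "length": 5120},
    {"host": "admin", "status": 403, "length": 162},
    {"host": "staging", "status": 403, "length": 162},
    {"host": "intranet", "status": 404, "length": 310},
]

def score_groups(results):
    """Group Host header values by (status, length), as the ScoreTabs are described."""
    groups = defaultdict(list)
    for r in results:
        groups[(r["status"], r["length"])].append(r["host"])
    return dict(groups)

def shadow_vhost_candidates(baseline, results):
    """Mirror `host:. status:200 baseline.status:!200`.

    A Host value is a candidate only when it returns 200 while the
    unmodified baseline request did not.
    """
    if baseline["status"] == 200:
        return []
    return [r["host"] for r in results if r["status"] == 200]

def deviations(baseline, results):
    """Groups whose (status, length) differs from baseline, rarest first."""
    base_key = (baseline["status"], baseline["length"])
    odd = {k: v for k, v in score_groups(results).items() if k != base_key}
    return sorted(odd.items(), key=lambda kv: len(kv[1]))

if __name__ == "__main__":
    print("candidates:", shadow_vhost_candidates(BASELINE, HOST_RESULTS))
    for (status, length), hosts in deviations(BASELINE, HOST_RESULTS):
        print(f"{status}/{length}: {hosts}")
```

Responses that match the baseline group mean the server ignored the Host value; the rare groups are the ones to review first.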

6D. OSINT and 'Next Pivots' - Digital Footprinting / Threat Intel

On some views you will be presented with Whois Information, Digital Footprint & Next Pivots, along with OSINT & informational links to external sites. Click on the ‘Next Pivots’, which include the Whois attributes (orgname, person, emails, IP address) and you will be shown a list of domains associated with that attribute.

      


Paid accounts can click on each newly discovered domain and send back into WisQuas to perform a scan of that domain and its subdomains.


6E. Generating a Report - Identifying issues and investigating scores & stats

The Researcher and Enterprise paid accounts come with the ability to generate a domain-wide report that shows all unique titles, servers, cookies, redirect locations, IP addresses, and more. Simply type the desired name into the Generate Report input bar and click the ‘Generate’ button. After a brief moment your results should load:




Below the report view you will find 'URLs of Interest'. These URLs are all results across the domain that reply with successful '200' response code, and are not the default index.* page, sitemap.xml, or robots.txt files.


7. Roadmap

New Features and Planned Updates

  • API Query Endpoints
  • JSON/CSV Exporting
  • Maltego Transforms
  • Custom payload list (user-defined)
  • Choose Passive (Stealth Mode) vs. Active WisQuas Scan
  • Selectable Pre-defined payload lists (can be shared with other users across platform)
  • Identify Missing Security Cookie Headers
  • New UI design
  • Front-end driven UI (React)
  • Additional error handling (Cloudflare bypasses, Fatal Exceptions, etc.)
  • Distributed crawling infrastructure


8. Feedback

We appreciate your interest in WisQuas and would love to hear your feedback or new feature requests. You can submit feedback here: Feedback Form


9. Contact Us

Email: info@lostrabbitlabs.com
Phone: (904) 513-1337
Discord: https://discord.gg/A6WqsyY
Contact Form: https://lostrabbitlabs.com/contact-us


