lostrabbitlabs

WisQuas v1 – Manual & How To

1. What is WisQuas?
The WisQuas engine attempts to reveal that which may be hidden, through slight fuzzing, enumeration, and fingerprinting around your entire domain and its web services (‘Digital Footprint Discovery and Inventory’). Using a small number of web requests, WisQuas attempts to identify areas of weakness around Information Disclosures, Security and Service Misconfigurations, Default Installations, Missing Input Sanitization, and more. Hidden web containers granting access to Shadow VHosts and localhost data are detected, along with WAF-bypassing payloads, Host Header Manipulations, successful VERB Tampering, and User Agent redirection. DNS anomalies and Domain Shadowing may also be detected across a domain.

2. How to use WisQuas...
  A. Sign-up & Logging In – Getting started with WisQuas
  B. Scanning – Running WisQuas on your domain
  C. Generating a Report – Identifying issues and investigating scores & stats
  D. Viewing Results – Subdomain results explained
  E. Searching – Domain vs. Global searching
  F. OSINT and ‘Next Pivots’ – Digital Footprinting / Threat Intel


2A. Sign-up & Logging In - Getting started with WisQuas
1. Go to the URL below and complete the Signup form (by signing up you agree to the Terms of Use):
https://wisquas.lostrabbitlabs.com/signup



2. Once the signup process has been completed, you can log into your account at the link below:
https://wisquas.lostrabbitlabs.com/login


Account Types & Descriptions:
n00b: FREE! No sign-up required. 20 results per query. No crawling.
Jr Analyst: FREE! Email sign-up required. 100 (paginated) results per query. No crawling.
Infosec Pro ($20/mo): Unlimited results per query. Limited crawling to public container (20 crawl credits) with Report access.
Researcher ($99/mo): Unlimited results per query. Ability to Privately tag crawls (50 crawl credits) with Report access.
Business ($999/mo): Up to 10 user accounts, Unlimited Crawling, & Privately tagged crawls.
Enterprise (CONTACT US): Domain Monitoring & Reporting Portal, Unlimited Crawling with Private Workers & Private system.
If you would like to purchase a WisQuas account, go to our main website and scroll down to find the desired account type:
https://www.lostrabbitlabs.com/

3. After successfully logging in, you will be presented with the main WisQuas dashboard:



2B. Scanning - Running WisQuas on your domain
1. Input the domain you want to scan into the 'Run Scan' input bar and click 'SCAN'. By default WisQuas will tag the domain as PUBLIC in our database and allow all WisQuas users to search through the results:
If you would like the domain to be PRIVATELY TAGGED and only be visible to your user, you will need to toggle the 'Private Scan' slider until it turns gold before clicking on 'SCAN'.
Private Scanning has been enabled and only you will be able to search through the results.

NOTE: Scanning a domain can take several hours depending on the number of subdomains, firewalls/WAFs, speed and resiliency of services, and more. Be patient and allow all crawls to complete.


2C. Generating a Report - Identifying issues and investigating scores & stats

The Researcher, Business, and Enterprise paid accounts come with the ability to generate a domain-wide report that shows all unique titles, servers, cookies, redirect locations, IP addresses, and more. Simply type the desired name into the 'Generate Report' input bar and click the ‘View Report’ button.



After a brief moment your results should load, and you will be presented with the report:

If all crawls have been completed for your domain scan, you will see the date and timestamp after the 'Completed' status (left-middle of view). Otherwise you will see 'In Progress' and will need to wait for all results to complete to get the final report. From the status results below we can see that there were 88 total subdomains discovered (which can be copied to your clipboard by clicking the 'COPY SUBDOMAINS' button), of which 178 web services were observed.



Further explanation of each Report output section is provided below. Many data points within the WisQuas report view are clickable and lead to additional resources (NOTE: some of these links are outside the WisQuas web service framework; use at your own discretion).

Domain & IP Address Info

Domain & Scanned IP/Host
ASN / GEO Information
Reputation Lookups / Blocklists
All Resolved DNS (click on host for ASN Info)


Registrant & Geo-Location Info

Registrar Info
Domain Creation & Expiration Dates
Company Address / Google Maps Link (click for more info)



Digital Footprint & Next Pivots

On some views you will be presented with Whois Information, Digital Footprint & Next Pivots, along with OSINT & informational links to external sites. Click on the ‘Next Pivots’, which include the Whois attributes (organization name, person, emails, IP address) and you will be shown a list of domains associated with that attribute.

'Findings of Interest' Section



Score Boxes

IP Addresses


Titles


Servers


Status Codes


Headers


Locations


Hosts


Traces

      

Viewing 'Subdomain Results'
You can view all subdomains that returned results by clicking on the domain name in the upper-left of the Report view. Once clicked, you will be redirected to the query results view.





This view is similar to a normal spreadsheet (.csv) output, with columns and rows of result data (with each discovered subdomain/host on a new line or row). Detailed descriptions of column data below:




From this view you can click on the desired Subdomain/Host to drill into the Subdomain View.



2D. Viewing the Results - Subdomain View Explained

Once you click on a specific host or subdomain you will be presented with the Subdomain View. This view will provide information about all crawls performed on the subdomain and associated response data.


Domain/IP/ASN/DNS Information

Subdomain & Scanned IP/Host
ASN / GEO Information
Reputation Lookups / Blocklists
All Resolved DNS (click on host for ASN Info)
OSINT / Social Media / Attribution / Framework
Data Leakage Awareness / Google Dorks Links

Scoreboxes - Total Results for Subdomain Requests

Payloads – 80+ payload results
Headers - All observed headers
Verbs – HTTP Verb enumeration results
Hosts – Host header results
User-Agents – All unique User-Agent header values
Titles – All unique Title header values
Servers – All unique Server header values
Robots - Output of robots.txt file if it exists
414Flood - Output of leaked shadow vhost info if it exists

Titles & Verbs Scoreboxes

         

Servers & Robots.txt Scoreboxes

       

Payload Results Listing with Response Information


This view is similar to a normal spreadsheet (.csv) output, with columns and rows of result data (with each payload result on a new line or row). Detailed descriptions of column data below:



Clicking on the payload name (e.g., index.html) will open a browser request to that specific URL.
Clicking on ‘Server’ will result in a lookup on https://cve.mitre.org/ for web server vulnerabilities.

Verb Enumeration Output



You can validate results by clicking on the 'COPY ICON' to copy the custom curl command to your clipboard.

Host Header Enumeration Output



You can validate results by clicking on the 'COPY ICON' to copy the custom curl command to your clipboard.

User-Agent Enumeration Output



You can validate results by clicking on the 'COPY ICON' to copy the custom curl command to your clipboard.

2E. Searching - Domain vs. Global

Through crawling efforts and storing some results with WisQuas, Lost Rabbit Labs is building a haystack of digital inventory for further analysis. Once all crawls have completed you can search all saved data using our custom Rabbit Query Language (RQL). RQL is Lucene based, with some additional custom search parameters and scoring methods (more info below) to increase the likelihood of retrieving legitimate findings versus false positive findings. Our goal is to decrease the noise-to-signal ratio and increase the amount of actionable intelligence provided by WisQuas.

RQL Parameters Defined

cookie - example = cookie:wordpress_test_cookie
header - example = header:"x-pingback"

Example WisQuas Searches Using RQL

NOTE: You must start your query with one (1) of the following before using other parameters:

url, payload, verb, host


Find all subdomains for a domain:
url:domain.tld

Find a unique host:
url:www.domain.tld

Find results in entire database where title matches “Index of /” :
url:. title:"Index of /"

Find all instances of ‘phpMyAdmin’ in entire database:
url:. payload:phpMyAdmin/ title:"phpMyAdmin"

Find successful hidden container or Shadow VHOST access:
host:. status:200 baseline.status:!200

Some Lucene syntax is supported, including wildcard (.) and fuzzy matching ($):
payload:server-status url:. title:$"Apache Stat" status:200 length:55,9999999
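
Added example (not part of WisQuas or of this manual's own material): a small Python linter that checks a query against the rules stated above before it is pasted into the search bar. The grammar is inferred only from the example queries on this page (field:value terms, a leading ! or $ on the value, double-quoted phrases), and the name parse_rql is hypothetical; the real RQL parser may accept more.

```python
import re

# Fields one of which must open every query, per the NOTE in this section.
LEADING_FIELDS = {"url", "payload", "verb", "host"}

# One term is field:value. The value may carry a leading "!" or "$"
# (both appear in this page's examples) and is either a double-quoted
# phrase or a run of non-space characters.
TERM = re.compile(r'([A-Za-z][\w.]*):([!$]?)(?:"([^"]*)"|(\S+))')


def parse_rql(query):
    """Split a query into (field, modifier, value) tuples.

    Raises ValueError when text is left over between terms (for example
    an unclosed quote) or when the first field is not url, payload,
    verb or host.
    """
    # Word processors and web pages often turn " into curly quotes;
    # normalise them so a copied query is judged on its content.
    query = query.replace("\u201c", '"').replace("\u201d", '"')

    terms, pos = [], 0
    for m in TERM.finditer(query):
        stray = query[pos:m.start()].strip()
        if stray:
            raise ValueError(f"unparsed text: {stray!r}")
        value = m.group(3) if m.group(3) is not None else m.group(4)
        terms.append((m.group(1), m.group(2), value))
        pos = m.end()

    stray = query[pos:].strip()
    if stray:
        raise ValueError(f"unparsed text: {stray!r}")
    if not terms or terms[0][0] not in LEADING_FIELDS:
        raise ValueError("query must start with url, payload, verb or host")
    return terms


if __name__ == "__main__":
    # Queries taken from the examples in this section.
    for q in ('host:. status:200 baseline.status:!200',
              'url:. payload:phpMyAdmin/ title:"phpMyAdmin"'):
        print(q, "->", parse_rql(q))
```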

2F. OSINT and 'Next Pivots' - Digital Footprinting / Threat Intel

On some views you will be presented with Whois Information, Digital Footprint & Next Pivots, along with OSINT & informational links to external sites. Click on the ‘Next Pivots’, which include the Whois attributes (orgname, person, emails, IP address) and you will be shown a list of domains associated with that attribute.

                     




3. Feedback

We appreciate your interest in WisQuas and would love to hear your feedback or new feature requests. You can submit feedback here: Feedback Form


4. Contact Us

Email: info@lostrabbitlabs.com
Phone: (904) 513-1337
Discord: https://discord.gg/A6WqsyY
Contact Form: https://lostrabbitlabs.com/contact-us


Feeling Generous?

BTC: 168Zezsvrjm4EGKoJWo5AJSiDv1rMdMhhB
XMR: 4AgfU1zoJRYaeWTpEKtDnRQct2YfLmKakRv6NuVn2CEkDTt2GufscSgTCgFP5nYHezJ8wwjdHVKg5JwyUrtGg5m3Gs1jrrr