Lost Rabbit Labs - Full Spectrum Teaming & CyberSecurity

WisQuas How-To

1. What is WisQuas?

The WisQuas engine attempts to reveal that which may be hidden, through slight fuzzing, enumeration, and fingerprinting around your entire domain and its web services (‘Digital Footprint Discovery and Inventory’). Using a small number of web requests, WisQuas attempts to identify areas of weakness around Information Disclosures, Security and Service Misconfigurations, Default Installations, Missing Input Sanitization, and more. Hidden web containers granting access to Shadow VHosts and localhost data are detected, along with WAF-bypassing payloads, Host Header Manipulations, successful VERB Tampering, and User Agent redirection. DNS anomalies and Domain Shadowing may also be detected across a domain.

2. How to use WisQuas...

  A. Sign-up & Logging In – Getting started with WisQuas
  B. Scanning – Running WisQuas on your domain
  C. Generating a Report – Identifying issues and investigating scores & stats
  D. Viewing Results – Subdomain results explained
  E. Searching – Domain vs. Global searching
  F. OSINT and ‘Next Pivots’ – Digital Footprinting / Threat Intel

2A. Sign-up & Logging In - Getting started with WisQuas

A. Go to the URL and complete the Sign-up form (by signing up you agree to the Terms of Use): https://wisquas.lostrabbitlabs.com/signup
B. Once the signup process has been completed, you can log into your account using the link: https://wisquas.lostrabbitlabs.com/login

Account Types & Descriptions

n00b: FREE! No sign-up required. 20 results per query. No crawling.
Jr. Analyst: FREE! Email sign-up required. 100 (paginated) results per query. No crawling.
InfoSec Pro ($49/mo): Unlimited results per query. Limited crawling to public container (20 crawl credits) with Report access.
Researcher ($99/mo): Unlimited results per query. Ability to Privately tag crawls (50 crawl credits) with Report access.
Business ($999/mo): Up to 10 user accounts, Unlimited Crawling, & Privately tagged crawls.
Enterprise (CONTACT US): Domain Monitoring & Reporting Portal, Unlimited Crawling with Private Workers & Private System.

If you would like to purchase a WisQuas account, use the link below to find the license that works for your budget:
C. After successfully logging in, you will be presented with the main WisQuas dashboard:

2B. Scanning - Running WisQuas on your domain

A. Input the domain you want to scan into the 'Run Scan' input bar and click 'SCAN'. By default, WisQuas will tag the domain as PUBLIC in our database and allow all WisQuas users to search through the results:
If you would like the domain to be PRIVATELY TAGGED and only be visible to your user, you will need to toggle the 'Private Scan' slider until it turns gold before clicking on 'SCAN'.
Private Scanning has been enabled and only you will be able to search through the results.

NOTE: Scanning a domain can take several hours depending on the number of subdomains, firewalls/WAFs, speed and resiliency of services, and more. Please be patient while all crawls complete.

2C. Generating a Report - Identifying issues and investigating scores & stats

The Researcher, Business, and Enterprise paid accounts come with the ability to generate a domain-wide report that shows all unique titles, servers, cookies, redirect locations, IP addresses, and more. Simply type the desired name into the 'Generate Report' input bar and click the ‘View Report’ button.
After a brief moment your results should load, and you will be presented with the report:
If all crawls have been completed for your domain scan, you will see the date and timestamp after the 'Completed' status (left-middle of view); otherwise you will see 'In Progress' and will need to wait for all results to complete to get the final report. From the status results below we can see that there were 88 total subdomains discovered (which can be copied to your clipboard by clicking the 'COPY SUBDOMAINS' button), of which 178 web services were observed.
Further explanation of each Report output section will be provided below. Many data-points within the WisQuas report view are clickable, and lead to additional resources (NOTE: some of these links are outside the WisQuas web service framework, use at your own discretion).

Domain & IP Address Info

Domain & Scanned IP/Host
ASN / GEO Information
Reputation Lookups / Blocklists
All Resolved DNS (click on host for ASN Info)

Registrant & Geo-Location Info

Registrar Info
Domain Creation & Expiration Dates
Company Address / Google Maps Link (click for more info)

Digital Footprint & Next Pivots

On some views you will be presented with Whois Information, Digital Footprint & Next Pivots, along with OSINT & informational links to external sites. Click on the ‘Next Pivots’, which include the Whois attributes (organization name, person, emails, IP address) and you will be shown a list of domains associated with that attribute.

'Findings of Interest' Section

IP Addresses

Titles

Servers

Status Codes

Headers

Cookies

Locations

Hosts

Traces


Viewing 'Subdomain Results'

You can view all subdomains that returned results by clicking on the domain name in the upper-left of the Report view. Once clicked, you will be redirected to the query results view.
This view is similar to normal spreadsheet (.csv) output, with columns and rows of result data (with each discovered subdomain/host on a new line or row). From this view you can click on the desired Subdomain/Host to drill into the Subdomain View. Detailed descriptions of column data below:
Host: Subdomain or hostname
IP: IP address of host
ASN: ASN ID
GEO: Geography or Region
Title: Title of default webpage of default container of host
Status: HTTP response status code
Reason: Reason why status code was provided
Location: Landing page of 301/302 redirect
Time: Total time in seconds the request took to complete
Server: Server name header value
Length: Content-length of request body
Headers: Total number of observed headers in response
Cookies: Total number of observed cookies in response
Payloads: 100+ payload status code result totals - 2xx=Green, 3xx=Yellow, 4xx=White, 5xx=Red
Verbs: 11 verb enums status code result totals - 2xx=Green, 3xx=Yellow, 4xx=White, 5xx=Red
Host Header: 9 host header status code result totals - 2xx=Green, 3xx=Yellow, 4xx=White, 5xx=Red
UAs: 12 user-agent status code result totals - 2xx=Green, 3xx=Yellow, 4xx=White, 5xx=Red

2D. Viewing the Results - Subdomain View Explained

Once you click on a specific host or subdomain you will be presented with the Subdomain View. This view will provide information about all crawls performed on the subdomain and associated response data.

Domain/IP/ASN/DNS Information

Subdomain & Scanned IP/Host
ASN / GEO Information
Reputation Lookups / Blocklists
All Resolved DNS (click on host for ASN Info)
OSINT / Social Media / Attribution / Framework
Data Leakage Awareness / Google Dork Links

Scoreboxes - Total Results for Subdomain Requests

Payloads - 100+ payload results
Headers - All observed headers
Verbs - HTTP Verb enumeration results
Hosts - Host header results
User-Agents - All unique User-Agent header values
Titles - All unique Title header values
Servers - All unique Server header values
Robots - Output of robots.txt file if it exists
414Flood - Output of leaked shadow vhosts if exists

Payload Results Listing with Response Information

This view is similar to normal spreadsheet (.csv) output, with columns and rows of result data (with each payload result on a new line or row). Detailed descriptions of column data below:
Payload: Payload string or content requested from web server
Title: Title of webpage of requested payload
Status Code: HTTP response status code
Reason: Reason why status code was provided
Location: Landing page of 301/302 redirect
Time: Total time in seconds the request took to complete
Server: Server name header value
Length: Content-length of request body
Headers: Total number of observed headers in response
Cookies: Total number of observed cookies in response
Clicking on the Payload name (e.g., index.html) will open a browser request to that specific URL. Clicking on 'Server' will result in a lookup on https://cve.mitre.org/ for web server vulnerabilities.

Payload Results Listing with Response Information

You can validate results by clicking on the 'COPY ICON' to copy the custom curl command to your clipboard.

2E. Searching - Domain vs. Global

Through crawling efforts and storing some results with WisQuas, Lost Rabbit Labs is building a haystack of digital inventory for further analysis. Once all crawls have completed, you can search all saved data using our custom Rabbit Query Language (RQL). RQL is Lucene-based, with some additional custom search parameters and scoring methods (more info below) to increase the likelihood of retrieving legitimate findings versus false positive findings. Our goal is to decrease noise-to-signal ratio, and increase the amount of actionable intelligence provided by WisQuas.

RQL Parameters Defined

Example WisQuas Searches Using RQL

NOTE: You must start your query with one (1) of the following before using other parameters: url, payload, verb, host, header, header.headername

Find all subdomains for a domain:
url:domain.tld

Find a unique host:
url:www.domain.tld

Find results in entire database where title matches "Index of /":
url:. title:"Index of /"

Find all instances of 'phpMyAdmin' in entire database:
url:. payload:phpMyAdmin/ title:"phpMyAdmin"

Find successful hidden container or Shadow VHOST access:
host:. status:200 baseline.status:!200

Some Lucene syntax is supported, including wildcard (.) and fuzzy matching ($):
payload:server-status url:. title:$"Apache Stat" status:200 length:55,9999999
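
The following is an added example, not code from Lost Rabbit Labs or part of WisQuas: a small Python checker that tokenizes the example queries above and enforces the NOTE's rule about the leading parameter before a query is submitted. The function name parse_rql is hypothetical, and reading '!' as negation (as in baseline.status:!200) is an assumption drawn from the examples.

```python
import re

# Parameters the NOTE above says a query must start with
# ("header.headername" is handled as any key beginning with "header.").
LEADING_KEYS = {"url", "payload", "verb", "host", "header"}

# A term is key:value. The value is either an optional !/$ prefix followed
# by a quoted string, or a run of non-space characters.
TERM_RE = re.compile(r'([A-Za-z][\w.-]*):([!$]?"[^"]*"|\S+)')


def parse_rql(query):
    """Split an RQL string into term dicts; raise ValueError if malformed."""
    terms, pos = [], 0
    for m in TERM_RE.finditer(query):
        gap = query[pos:m.start()].strip()
        if gap:  # stray text between terms, e.g. an unquoted multi-word value
            raise ValueError("unparseable text: %r" % gap)
        key, raw = m.group(1), m.group(2)
        value = raw.lstrip("!$").strip('"')
        terms.append({
            "key": key,
            "value": value,
            "negated": raw.startswith("!"),  # assumption: '!' negates the value
            "fuzzy": raw.startswith("$"),    # page: '$' is fuzzy matching
            "wildcard": value == ".",        # page: '.' is the wildcard
        })
        pos = m.end()
    tail = query[pos:].strip()
    if tail:
        raise ValueError("unparseable text: %r" % tail)
    if not terms:
        raise ValueError("empty query")
    first = terms[0]["key"]
    if first not in LEADING_KEYS and not first.startswith("header."):
        raise ValueError("query must start with url, payload, verb, host, "
                         "header or header.<name>, not %r" % first)
    return terms


if __name__ == "__main__":
    # Queries copied from the examples on this page.
    for q in ('host:. status:200 baseline.status:!200',
              'payload:server-status url:. title:$"Apache Stat" status:200 length:55,9999999'):
        for term in parse_rql(q):
            print(term)
```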

2F. OSINT & 'Next Pivots' - Digital Footprinting / Threat Intel

On some views you will be presented with Whois Information, Digital Footprint & Next Pivots, along with OSINT and informational links to external sites. Click on the 'Next Pivots', which include the Whois attributes (orgname, person, emails, IP address) and you will be shown a list of domains associated with that attribute.

3. Feedback

We appreciate your interest in WisQuas and would love to hear your feedback or new feature requests. You can submit your feedback using the link below:

4. Contact Us

Email: info@lostrabbitlabs.com
Phone: (904) 513-1337