Skip to content

molemantis/scry

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

scry

SCRYStack, CDN & Routing Yield-er. Scry the unseen infrastructure.

Quick infrastructure fingerprinting for SREs and security folks. Point it at a URL or domain and it figures out — from public signals — what the site runs on: DNS providers, CDN/edge, hosting, the web stack, TLS posture, email security, the network backbones in front of it, and (the interesting part) the real origin servers hiding behind the CDN.

Pure Python standard library — no pip install required. It shells out to common tools (dig, whois, curl, openssl, traceroute, …) when present and degrades gracefully when they aren't.

⚠️ Authorized use only. Some checks are active — they connect to the target (HTTP fetches, origin exposure probing, ping, SSH banner grab, and opt-in --nmap / --trace). Scanning systems you do not own or do not have explicit permission to test may be illegal (e.g. CFAA in the US, the Computer Misuse Act in the UK). Only run this against assets you own or are authorized to assess. See Passive vs active.

Example output

scry sample output

Sample run against a fictional example-shop.com. All hostnames, IPs, and ASNs are IETF reserved-for-documentation values (RFC 5737 / RFC 5398) — no real company is depicted.

What it does

  • DNS — A/AAAA/NS/MX/TXT/CNAME/SOA via dig
  • Provider inference — DNS, CDN/edge, hosting, email, web stack/CMS
  • CDN/edge detection — CNAME patterns, IP ownership, response headers, PTR
  • Stack fingerprintingServer/X-Powered-By, cookies, HTML signatures, <meta generator>
  • TLS — cert issuer/SANs/expiry (openssl); posture via testssl.sh or sslscan if installed (legacy protocols, Heartbleed/ROBOT/POODLE…)
  • WAF detection — via wafw00f if installed
  • ASN / network — every IP annotated with ASN + network name + BGP prefix (Team Cymru whois, passive)
  • Email security — SPF / DMARC presence, MX provider
  • Origin discovery — finds the real backend behind a CDN by probing common origin subdomains (origin-www, web1, …) plus hostnames mined from Certificate Transparency logs (crt.sh), then flags any that resolve off the CDN. Splits results into web origins vs other exposed infrastructure (VPN, mail, FTP, non-prod, admin).
  • Origin exposure check — connects to a discovered origin directly (correct SNI/Host) to test whether the CDN/WAF can be bypassed
  • OS guess — best-effort, probes discovered origins directly (ping TTL, SSH banner, optional nmap -O) rather than just the CDN edge
  • Backbone/transit listing--trace lists the de-duplicated networks along the path, role-tagged (your ISP → transit → target-side)

Install

No installation needed beyond Python 3.6+:

git clone https://github.com/molemantis/scry.git
cd scry
python3 scry.py example.com

Optional tools (auto-detected, used if present)

Tool Adds Install
dig, whois DNS + whois/ASN usually preinstalled (bind-utils / dnsutils)
curl, openssl headers, redirects, TLS cert usually preinstalled
traceroute / mtr backbone/transit listing apt install traceroute / brew install mtr
wafw00f WAF identification pip install wafw00f
testssl.sh / sslscan deep TLS posture brew install testssl / sslscan
nmap OS fingerprint (--nmap) apt/brew install nmap

Usage

python3 scry.py example.com                 # full default run
python3 scry.py https://www.example.com     # honors scheme (redirects)
python3 scry.py example.com --json          # machine-readable output
python3 scry.py example.com --trace         # add backbone/transit list
python3 scry.py example.com --no-exposure   # skip active origin probe
python3 scry.py example.com --nmap          # deep OS scan (needs sudo)

Flags

Flag Effect
--json Emit full structured JSON
--trace Traceroute + de-duplicated backbone listing (targets an origin if found)
--nmap Run nmap -O for OS fingerprint (slow, needs root, usually CDN-blocked)
--find-origin Probe origin subdomains even when no CDN is detected
--check-exposure / --no-exposure Origin direct-exposure test (on by default)
--no-crtsh Skip Certificate Transparency subdomain mining
--no-ssh Skip the TCP/22 SSH banner grab
--no-whois Skip whois IP lookups (faster, less accurate CDN filtering)
--no-color Plain output

Passive vs active

Passive (no packets to target) Active (connects to target)
DNS lookups (dig) HTTP/header fetch (curl)
whois / ASN (Team Cymru) Origin exposure check
Certificate Transparency (crt.sh) ping TTL, SSH banner grab
--nmap, --trace, testssl.sh, wafw00f

To stay closest to passive, run with --no-exposure --no-ssh.

Extending it

The fingerprint knowledge lives in signature tables near the top of scry.py (CNAME_SIGNATURES, NS_SIGNATURES, HEADER_PRESENCE, ORIGIN_PREFIXES, …). Add entries there as you learn new patterns — contributions welcome.

Contributing

Issues and PRs welcome. Please keep it dependency-free (stdlib + shelled-out common tools) and add new detections to the signature tables rather than hard-coding logic where possible.

License

MIT © molemantis

Disclaimer

This tool is provided for legitimate system administration, SRE, and authorized security testing only. The author assumes no liability for misuse. You are responsible for ensuring you have permission to scan any target.

About

Quick infrastructure fingerprinting for SREs — DNS, CDN/edge, hosting, web stack, TLS, WAF, ASN, origin discovery, and backbone listing. Stdlib-only Python.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages