SCRY — Stack, CDN & Routing Yield-er. Scry the unseen infrastructure.
Quick infrastructure fingerprinting for SREs and security folks. Point it at a URL or domain and it figures out — from public signals — what the site runs on: DNS providers, CDN/edge, hosting, the web stack, TLS posture, email security, the network backbones in front of it, and (the interesting part) the real origin servers hiding behind the CDN.
Pure Python standard library — no pip install required. It shells out to
common tools (dig, whois, curl, openssl, traceroute, …) when present
and degrades gracefully when they aren't.
⚠️ Authorized use only. Some checks are active — they connect to the target (HTTP fetches, origin exposure probing, ping, SSH banner grab, and opt-in--nmap/--trace). Scanning systems you do not own or do not have explicit permission to test may be illegal (e.g. CFAA in the US, the Computer Misuse Act in the UK). Only run this against assets you own or are authorized to assess. See Passive vs active.
Sample run against a fictional
example-shop.com. All hostnames, IPs, and ASNs are IETF reserved-for-documentation values (RFC 5737 / RFC 5398) — no real company is depicted.
- DNS — A/AAAA/NS/MX/TXT/CNAME/SOA via
dig - Provider inference — DNS, CDN/edge, hosting, email, web stack/CMS
- CDN/edge detection — CNAME patterns, IP ownership, response headers, PTR
- Stack fingerprinting —
Server/X-Powered-By, cookies, HTML signatures,<meta generator> - TLS — cert issuer/SANs/expiry (
openssl); posture viatestssl.shorsslscanif installed (legacy protocols, Heartbleed/ROBOT/POODLE…) - WAF detection — via
wafw00fif installed - ASN / network — every IP annotated with ASN + network name + BGP prefix (Team Cymru whois, passive)
- Email security — SPF / DMARC presence, MX provider
- Origin discovery — finds the real backend behind a CDN by probing common
origin subdomains (
origin-www,web1, …) plus hostnames mined from Certificate Transparency logs (crt.sh), then flags any that resolve off the CDN. Splits results into web origins vs other exposed infrastructure (VPN, mail, FTP, non-prod, admin). - Origin exposure check — connects to a discovered origin directly (correct SNI/Host) to test whether the CDN/WAF can be bypassed
- OS guess — best-effort, probes discovered origins directly (ping TTL, SSH
banner, optional
nmap -O) rather than just the CDN edge - Backbone/transit listing —
--tracelists the de-duplicated networks along the path, role-tagged (your ISP → transit → target-side)
No installation needed beyond Python 3.6+:
git clone https://github.com/molemantis/scry.git
cd scry
python3 scry.py example.com| Tool | Adds | Install |
|---|---|---|
dig, whois |
DNS + whois/ASN | usually preinstalled (bind-utils / dnsutils) |
curl, openssl |
headers, redirects, TLS cert | usually preinstalled |
traceroute / mtr |
backbone/transit listing | apt install traceroute / brew install mtr |
wafw00f |
WAF identification | pip install wafw00f |
testssl.sh / sslscan |
deep TLS posture | brew install testssl / sslscan |
nmap |
OS fingerprint (--nmap) |
apt/brew install nmap |
python3 scry.py example.com # full default run
python3 scry.py https://www.example.com # honors scheme (redirects)
python3 scry.py example.com --json # machine-readable output
python3 scry.py example.com --trace # add backbone/transit list
python3 scry.py example.com --no-exposure # skip active origin probe
python3 scry.py example.com --nmap # deep OS scan (needs sudo)| Flag | Effect |
|---|---|
--json |
Emit full structured JSON |
--trace |
Traceroute + de-duplicated backbone listing (targets an origin if found) |
--nmap |
Run nmap -O for OS fingerprint (slow, needs root, usually CDN-blocked) |
--find-origin |
Probe origin subdomains even when no CDN is detected |
--check-exposure / --no-exposure |
Origin direct-exposure test (on by default) |
--no-crtsh |
Skip Certificate Transparency subdomain mining |
--no-ssh |
Skip the TCP/22 SSH banner grab |
--no-whois |
Skip whois IP lookups (faster, less accurate CDN filtering) |
--no-color |
Plain output |
| Passive (no packets to target) | Active (connects to target) |
|---|---|
DNS lookups (dig) |
HTTP/header fetch (curl) |
| whois / ASN (Team Cymru) | Origin exposure check |
| Certificate Transparency (crt.sh) | ping TTL, SSH banner grab |
--nmap, --trace, testssl.sh, wafw00f |
To stay closest to passive, run with --no-exposure --no-ssh.
The fingerprint knowledge lives in signature tables near the top of
scry.py (CNAME_SIGNATURES, NS_SIGNATURES, HEADER_PRESENCE,
ORIGIN_PREFIXES, …). Add entries there as you learn new patterns —
contributions welcome.
Issues and PRs welcome. Please keep it dependency-free (stdlib + shelled-out common tools) and add new detections to the signature tables rather than hard-coding logic where possible.
MIT © molemantis
This tool is provided for legitimate system administration, SRE, and authorized security testing only. The author assumes no liability for misuse. You are responsible for ensuring you have permission to scan any target.