Complete Documentation

Everything ASNSPY Can Do

Comprehensive guide to all reconnaissance capabilities, from basic network discovery to advanced vulnerability detection and enterprise integration.

Network Discovery & Mapping

Comprehensive ASN reconnaissance and asset discovery

Overview

ASNSPY automatically maps entire ASN networks by querying multiple authoritative sources and performing comprehensive DNS intelligence gathering. This is the foundation for all subsequent security analysis.

Key Capabilities

ASN Prefix Discovery

Fetches all announced IP prefixes (both IPv4 and IPv6) for any given ASN using the RIPE Stat API. Supports filtering by first octet range for targeted reconnaissance.

./asnspy.sh AS15169                          # Fetch all prefixes for Google
./asnspy.sh AS13335 --prefix-range 104-108   # Only 104-108.x.x.x ranges

ASN Range Scanning

Scan multiple consecutive ASNs simultaneously with WHOIS intelligence parsing from 5 Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AfriNIC) plus 5 National Internet Registries (JPNIC, KRNIC, TWNIC, CNNIC, NIC.br).

./asnspy.sh --asn-range AS13335-AS13340 --fetch-prefixes # Scans 6 ASNs, gets WHOIS for each, fetches all prefixes

PTR Record Enumeration

Performs reverse DNS lookups across all IP addresses in discovered prefixes. Supports parallel processing for speeds up to 15,000+ IPs per minute. Automatically handles both drill and dig DNS tools.

./asnspy.sh AS15169 --parallel 50 # Scan with 50 concurrent DNS lookups

Filtering Modes:

  • --skip-dead: Skip .0, .127, .255 octets
  • --internet-only: Skip .0, .1, .127, .254, .255
  • --strict-valid: Only scan .2 through .254
  • --gateway-only: Only .1 and .254 (routers/gateways)
  • --host-range N-M: Custom octet range

Domain Extraction

Automatically extracts and deduplicates unique domains from PTR records. Filters out reverse DNS arpa entries and provides a clean domain list for further analysis.

Certificate Transparency Logs

Queries crt.sh for all certificates issued to discovered domains, revealing subdomains that may not be in DNS. Includes timeout protection and size limits to handle large/popular domains.

./asnspy.sh AS15169 --ct --ct-timeout 30 # Query CT logs with 30s timeout per domain

Output Files

  • prefixes.txt: All IP prefixes (CIDR notation)
  • ptr_results.txt: CSV format: IP,hostname
  • domains.txt: Unique domains extracted
  • ct_results.txt: Subdomains from CT logs
  • asn_whois.txt: Full WHOIS data for the ASN

Use Cases

  • Asset inventory and attack surface mapping
  • Shadow IT discovery
  • M&A due diligence (map target company infrastructure)
  • Competitive intelligence
  • Compliance (discover all company-owned infrastructure)

CVE Vulnerability Detection

Automated version detection with vulnerability correlation

Overview

ASNSPY automatically detects server software versions via HTTP headers, then correlates them with known CVEs from the National Vulnerability Database (NVD) and Vulners. This two-phase approach identifies vulnerable software across your entire attack surface.

Phase 1: Server Version Detection

HTTP Header Analysis

Sends HTTP requests to discover web server software and versions. Checks multiple ports simultaneously and extracts:

  • Server header (e.g., "nginx/1.18.0")
  • X-Powered-By header (e.g., "PHP/7.4.3")
  • X-AspNet-Version header

./asnspy.sh AS15169 --version-detect --version-ports "80,443,8080,8443"   # Check common web ports for versions

Target Selection Modes

  • --version-mode ptr: Only IPs with PTR records (default)
  • --version-mode gateway: Only .1 and .254 addresses
  • --version-mode all: Every IP in prefix ranges

Phase 2: CVE Correlation

NVD Integration

Queries the National Vulnerability Database API v2.0 with automatic rate limiting (6 seconds between requests to comply with NVD's 5 requests/30s limit).

Vulners Integration

Alternative/supplementary CVE source via Vulners.com API. Can be used alone or in combination with NVD.

./asnspy.sh AS15169 --version-detect --cve --cve-api all # Use both NVD and Vulners for maximum coverage

Severity Filtering

Filter results by CVSS severity to focus on critical issues:

./asnspy.sh AS15169 --cve --cve-min-severity HIGH # Only show HIGH and CRITICAL vulnerabilities

Severity Levels: LOW, MEDIUM, HIGH, CRITICAL

Real-Time Alerting

CRITICAL findings trigger immediate notifications via configured webhooks (Slack, Discord, Teams, PagerDuty) and SIEM integrations.

Output Files

  • server_versions.csv: IP, port, product, version, headers
  • vulnerabilities.csv: IP, port, product, version, CVE-ID, severity, description
  • cve_summary.txt: Human-readable summary with statistics

Example Output

192.0.2.1,443,nginx,1.18.0,CVE-2021-23017,HIGH,"nginx resolver off-by-one heap write"
192.0.2.5,8080,Apache,2.4.29,CVE-2021-44790,CRITICAL,"mod_lua request smuggling"

Advanced Features

  • Smart Product Matching: Skips generic/unhelpful product names (cloudflare, envoy)
  • Timeout Control: --cve-timeout for per-API-request timeout, --cve-total-timeout for entire phase
  • Database Integration: When --database is enabled, tracks vulnerabilities over time for trend analysis
  • Diff Mode: Compare scans to detect newly introduced vulnerabilities

Use Cases

  • Continuous vulnerability monitoring
  • Patch management verification
  • Compliance reporting (PCI DSS, HIPAA, SOC 2)
  • Penetration testing reconnaissance
  • Bug bounty hunting

TLS Certificate Intelligence

Deep certificate inspection with 24+ security checks

Overview

ASNSPY performs comprehensive TLS certificate analysis, connecting to HTTPS services to extract and analyze certificate details. Includes expiry tracking, security posture assessment, and certificate authority chain analysis.

Certificate Data Extraction

Basic Certificate Information

  • Common Name (CN): Primary domain
  • Subject Alternative Names (SANs): All covered domains
  • Organization: Company/entity name
  • Country: Issuing country
  • Issuer: Certificate authority that signed the cert
  • Validity Period: Not Before / Not After dates
  • Serial Number: Unique certificate identifier

Cryptographic Details

  • Key Type: RSA, ECDSA, Ed25519
  • Key Size: Bit length (2048, 4096, 256, etc.)
  • Signature Algorithm: sha256WithRSAEncryption, ecdsa-with-SHA256, etc.
  • TLS Version: TLSv1.2, TLSv1.3, etc.
  • Cipher Suite: Negotiated cipher

Security Checks (24+ Assessments)

Expiry Monitoring

Automatically calculates days remaining until expiration. Status classifications:

  • valid: More than 30 days remaining
  • expiring_soon: Less than 30 days remaining
  • expired: Past expiration date

Self-Signed Detection

Identifies self-signed certificates by comparing Common Name with Issuer. Critical for finding dev/staging environments and potential security issues.

Weak Key Detection

Flags certificates with insufficient key lengths:

  • RSA keys < 2048 bits
  • ECDSA keys < 256 bits

Deprecated TLS Detection

Identifies use of outdated/insecure protocols:

  • SSLv2 / SSLv3 (severely deprecated)
  • TLSv1.0 / TLSv1.1 (deprecated as of 2020)

Certificate Transparency

Checks for SCT (Signed Certificate Timestamp) logs, required by major browsers since 2018.

Wildcard Certificates

Identifies wildcard certs (*.example.com) which can indicate shared hosting or over-permissive configurations.
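
The checks in this section (expiry status, self-signed, weak key, deprecated protocol, wildcard) can be re-derived from a per-certificate record. The added example below is not ASNSPY's own code; the seven-column CSV layout, the function name cert_check and the sample rows are assumptions made for illustration, not the real 24-column tls_certificates.csv:

```sh
# Constructed example, not ASNSPY's own code: apply the documented certificate
# checks to one CSV row per certificate. Assumed column layout:
#   ip,cn,issuer,key_type,key_bits,tls_version,not_after_epoch
# Usage:  cert_check [now_epoch] < certs.csv
# Output: ip,status,days_remaining,issues   (issues joined by ';', or "none")
cert_check() {
  now="${1:-$(date +%s)}"        # injectable clock so results are reproducible
  while IFS=, read -r ip cn issuer ktype kbits tlsv not_after; do
    [ -n "$ip" ] || continue
    days=$(( (not_after - now) / 86400 ))
    if [ "$not_after" -lt "$now" ]; then status=expired
    elif [ "$days" -lt 30 ]; then status=expiring_soon
    else status=valid
    fi
    issues=""
    # Self-signed: subject CN equals issuer (the comparison the text describes)
    if [ "$cn" = "$issuer" ]; then issues="${issues}self_signed;"; fi
    # Weak key: RSA below 2048 bits or ECDSA below 256 bits
    case "$ktype" in
      RSA)   if [ "$kbits" -lt 2048 ]; then issues="${issues}weak_key;"; fi ;;
      ECDSA) if [ "$kbits" -lt 256 ];  then issues="${issues}weak_key;"; fi ;;
    esac
    # Deprecated protocol versions
    case "$tlsv" in
      SSLv2|SSLv3|TLSv1|TLSv1.0|TLSv1.1) issues="${issues}deprecated_tls;" ;;
    esac
    # Wildcard certificate (CN starts with "*.")
    case "$cn" in '*'.*) issues="${issues}wildcard;" ;; esac
    issues="${issues%;}"
    printf '%s,%s,%s,%s\n' "$ip" "$status" "$days" "${issues:-none}"
  done
}

# Constructed sample rows (RFC 5737 addresses), evaluated at a fixed "now" of
# 1700000000 so the output is deterministic.
SAMPLE_CERTS='192.0.2.1,www.example.com,Example CA,RSA,2048,TLSv1.3,1710000000
192.0.2.2,dev.example.com,dev.example.com,RSA,1024,TLSv1.1,1701000000
192.0.2.3,*.example.com,Example CA,ECDSA,256,TLSv1.2,1699000000'
printf '%s\n' "$SAMPLE_CERTS" | cert_check 1700000000
```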

Scanning Modes

./asnspy.sh AS15169 --tls --tls-mode ptr --tls-port 443     # Only scan IPs with PTR records on port 443
./asnspy.sh AS15169 --tls --tls-mode all --tls-parallel 20  # Scan all IPs with 20 concurrent connections

Output Files

  • tls_certificates.csv: Complete cert details (24 columns)
  • tls_results.txt: Raw OpenSSL output
  • tls_issues.txt: Security problems found
  • tls_chains.txt: Certificate authority analysis
  • tls_statistics.txt: Key types, sizes, TLS versions

Integration Features

  • Database Storage: Track certificate changes over time
  • Diff Mode: Alert on newly expired certificates
  • SIEM Events: Send certificate issues to Splunk/Elasticsearch
  • Webhook Alerts: Notify on expiring/expired certificates

Use Cases

  • Certificate expiry monitoring and alerting
  • TLS configuration audit
  • Identify dev/staging environments (self-signed certs)
  • Compliance verification (PCI DSS requires valid certs)
  • Certificate inventory management

Port & Service Scanning

TCP connect scanning with ethical safeguards

Overview

ASNSPY includes a built-in TCP port scanner with nmap-style "top ports" functionality. Designed for speed and ethical use with authorization prompts and clear consent requirements.

Scanning Methods

TCP Connect Scan

Uses the standard TCP three-way handshake and does not require root privileges. More detectable than SYN scans but completely legal and ethical.

Top Ports Selection

Based on nmap's port frequency analysis. Scan the most commonly open ports first:

./asnspy.sh AS15169 --port-scan --port-scan-top 100    # Scan the top 100 most common ports
./asnspy.sh AS15169 --port-scan --port-scan-top 1000   # Comprehensive scan of top 1000 ports

Default Port List (Top 200):

21,22,23,25,53,80,110,143,443,445,3306,3389,5432,5900,6379,8080,8443,9200,27017

Custom Port Lists

Specify exact ports for your environment:

./asnspy.sh AS15169 --port-scan --port-scan-ports "80,443,8080,8443" # Only check web ports

Performance Options

Parallel Scanning

Configure concurrency for speed vs. stealth balance:

./asnspy.sh AS15169 --port-scan --port-scan-parallel 100   # Very fast, less stealthy
./asnspy.sh AS15169 --port-scan --port-scan-parallel 1     # Slow, more stealthy

Timeout Control

./asnspy.sh AS15169 --port-scan --port-scan-timeout 5 # 5 second timeout per port (default: 1)

Target Selection

  • --port-scan-mode ptr: Only IPs with PTR records (default, most efficient)
  • --port-scan-mode gateway: Only .1 and .254 (routers/firewalls)
  • --port-scan-mode all: Every IP in discovered prefixes

Authorization & Ethics

Built-in Authorization Prompts

ASNSPY requires explicit authorization before port scanning:

###############################################################################
                    PORT SCANNING AUTHORIZATION REQUIRED
###############################################################################

You are about to perform PORT SCANNING on network infrastructure.

LEGAL REQUIREMENTS:
  * You must have EXPLICIT WRITTEN AUTHORIZATION to scan this network
  * Unauthorized port scanning may violate:
    - Computer Fraud and Abuse Act (CFAA) - USA
    - Computer Misuse Act - UK
    - Similar laws in other jurisdictions

Do you have authorization to port scan this network? (yes/no):

For Automation: Use --yes or --auto-confirm to skip prompts (you must still have authorization!)

Integration with Other Features

Smart Targeting for Version Detection

When port scanning completes before version detection, ASNSPY automatically uses discovered open ports instead of the default port list.

Smart Targeting for Leak Detection

Similarly, leak detection can leverage port scan results to target only ports that are actually open.

Output Files

  • port_scan_results.csv: IP, port, state, protocol
  • port_scan_summary.txt: Statistics and top findings

Example Output

192.0.2.1,22,open,tcp
192.0.2.1,80,open,tcp
192.0.2.1,443,open,tcp
192.0.2.5,3306,open,tcp

Use Cases

  • Attack surface mapping
  • Firewall rule validation
  • Unauthorized service discovery
  • Compliance verification (only expected ports open)
  • Change detection (new services appeared)

Security Leak Detection

Discover exposed configurations and credentials

Overview

ASNSPY scans for 40+ types of commonly exposed configuration files and credentials. This includes environment files, version control artifacts, database backups, and more. Pattern matching detects passwords, API keys, and other secrets in responses.

Authorization Required

Like port scanning, leak detection requires explicit authorization. ASNSPY will prompt before scanning and explain legal requirements.

No Redaction Policy

ASNSPY does NOT redact discovered credentials in reports. This follows industry standard practices (Burp Suite, Metasploit, OWASP ZAP) and provides complete evidence for incident response. You are responsible for:

  • Handling reports securely
  • Redacting before public sharing (if applicable)
  • Following responsible disclosure practices
  • Notifying affected parties appropriately

Exposure Types Checked (40+)

Environment Files

.env, .env.local, .env.production, .env.development, .env.test, .env.backup, .env.example

Version Control

.git/config, .git/HEAD, .gitignore, .svn/entries

Configuration Files

wp-config.php, config.json, config.yaml, config.yml, settings.py, settings.json, docker-compose.yml

Database Backups

backup.sql, db_backup.sql, dump.sql, database.sql, backup.zip

Credentials & Secrets

credentials.json, secrets.json, api-keys.json, token.json

IDE Configuration

.idea/workspace.xml, .vscode/settings.json, .project, .classpath

Server Configuration

phpinfo.php, info.php, server-status, .htaccess, .htpasswd

Log Files

debug.log, error.log, laravel.log, storage/logs/laravel.log

Pattern Matching

Credential Patterns

Scans HTTP response bodies for sensitive patterns:

  • CRITICAL: password, passwd, pwd, api_key, apikey, secret, token, access_key, private_key
  • HIGH: database, db_pass, connection_string, auth, credential
  • MEDIUM: smtp, mail_password, session, cookie

Banner Grabbing

Service Banner Collection

Connects to common service ports and collects banners that may contain:

  • Software versions (FTP, SSH, SMTP, etc.)
  • System information
  • Configuration details
  • Sensitive data leaks

Default Ports: 21,22,23,25,80,110,143,443,3306,5432,6379,8080,9200,27017,3389,5900

./asnspy.sh AS15169 --leak-scan --leak-ports "21,22,25,3306"   # Only check FTP, SSH, SMTP, MySQL
./asnspy.sh AS15169 --leak-scan --leak-no-banners              # Skip banner grabbing, only check HTTP paths

Severity Classification

  • CRITICAL: Credentials detected, .env with passwords, exposed database backups
  • HIGH: .git/config, docker-compose.yml, credentials.json
  • MEDIUM: config.json, settings.py, .env.example
  • LOW: .gitignore, .idea/workspace.xml

Smart Targeting

When run after port scanning, leak detection automatically uses discovered open ports instead of the default list, making scans more efficient and targeted.

Output Files

  • leak_exposures.csv: IP, URL, status_code, severity, content_type, size, timestamp
  • leak_summary.txt: Statistics and critical findings

Example Output

192.0.2.1,http://192.0.2.1/.env,200,CRITICAL,CREDENTIALS_DETECTED,4523,2024-01-15 14:23:11
192.0.2.5,http://192.0.2.5/.git/config,200,HIGH,CONFIG_DATA,892,2024-01-15 14:23:15
192.0.2.10,http://192.0.2.10/backup.sql,200,CRITICAL,SENSITIVE_DATA,152340,2024-01-15 14:23:22

Integration Features

  • Webhook Alerts: CRITICAL findings trigger immediate notifications
  • SIEM Integration: Stream leak events to Splunk/Elasticsearch
  • Diff Mode: Detect newly exposed files

Use Cases

  • Pre-deployment security checks
  • Incident response (what data was exposed?)
  • Continuous security monitoring
  • Compliance verification (GDPR, PCI DSS)
  • Bug bounty hunting

Enterprise Integration & Automation

SIEM, webhooks, databases, and continuous monitoring

Overview

ASNSPY is built for enterprise environments with comprehensive integration capabilities. Stream events to SIEMs in real-time, trigger webhook notifications, store scan history in databases, and run automated scans with change detection.

SIEM Integration

Supported Platforms

  • Splunk: HTTP Event Collector (HEC) format
  • Elasticsearch: Direct HTTP API with ECS format
  • QRadar: Syslog CEF format via TCP/UDP
  • ArcSight: Syslog CEF format via TCP/UDP
  • Graylog: GELF (Graylog Extended Log Format)
  • Sumo Logic: HTTP endpoint
  • Generic Syslog: RFC 5424/3164 format

Example: Splunk Integration

./asnspy.sh AS15169 --profile security \
  --siem splunk \
  --siem-host splunk.company.com:8088 \
  --siem-token YOUR_HEC_TOKEN \
  --siem-index security

Example: Elasticsearch Integration

./asnspy.sh AS15169 --profile security \
  --siem elasticsearch \
  --siem-host elastic.company.com:9200 \
  --siem-token YOUR_API_KEY \
  --siem-index asnspy

Event Types Sent to SIEM

  • vulnerability (CVE detected)
  • credential_leak (exposed credentials)
  • certificate_issue (expired/weak/self-signed certs)
  • scan_complete (scan finished with statistics)
  • diff_critical_findings (change detection alerts)
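
For the CEF targets (QRadar, ArcSight) the part that most often goes wrong in an integration is field escaping. The added example below is not ASNSPY's own SIEM code: it formats one vulnerabilities.csv row as a CEF line, and the vendor/product/version header values, the use of the CVE as signature ID, and the severity-to-0..10 mapping are assumptions made for illustration:

```sh
# Constructed example, not ASNSPY's own SIEM code: turn a vulnerabilities.csv row
# (IP, port, product, version, CVE-ID, severity, description) into a CEF line.
# CEF escaping: in the header, '\' and '|' get a backslash; in the extension,
# '\' and '=' do. Header values, signature ID and severity mapping are assumed.
cef_escape_header() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/|/\\|/g'; }
cef_escape_ext()    { printf '%s' "$1" | sed 's/\\/\\\\/g; s/=/\\=/g'; }
cef_severity() {   # ASNSPY severity bucket -> CEF 0..10 (assumed mapping)
  case "$1" in CRITICAL) echo 10 ;; HIGH) echo 8 ;; MEDIUM) echo 5 ;; LOW) echo 2 ;; *) echo 0 ;; esac
}
vuln_row_to_cef() {
  IFS=, read -r ip port product version cve sev desc <<EOF
$1
EOF
  desc="${desc#\"}"; desc="${desc%\"}"     # strip the CSV quoting around the description
  printf 'CEF:0|ASNSPY|asnspy|1.0|%s|%s|%s|dst=%s dpt=%s cs1Label=product cs1=%s cs2Label=version cs2=%s msg=%s\n' \
    "$(cef_escape_header "$cve")" "$(cef_escape_header "$desc")" "$(cef_severity "$sev")" \
    "$ip" "$port" "$(cef_escape_ext "$product")" "$(cef_escape_ext "$version")" "$(cef_escape_ext "$desc")"
}

# Row taken from the CVE section's example output.
vuln_row_to_cef '192.0.2.1,443,nginx,1.18.0,CVE-2021-23017,HIGH,"nginx resolver off-by-one heap write"'
```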

Webhook Notifications

Supported Services

  • Slack: Incoming webhooks with rich attachments
  • Discord: Webhook embeds with color-coding
  • Microsoft Teams: MessageCard format
  • PagerDuty: Events API v2 (creates incidents)
  • Generic: Custom JSON for any service

Configurable Events

./asnspy.sh AS15169 --profile security \
  --webhook https://hooks.slack.com/YOUR/WEBHOOK/URL \
  --webhook-type slack \
  --webhook-events scan_complete,critical_finding \
  --webhook-severity HIGH

Available Events: scan_start, scan_complete, critical_finding, error

Severity Threshold: LOW, MEDIUM, HIGH, CRITICAL

Example: PagerDuty for CRITICAL Findings Only

./asnspy.sh AS15169 --profile security \
  --webhook YOUR_PAGERDUTY_KEY \
  --webhook-type pagerduty \
  --webhook-events critical_finding \
  --webhook-severity CRITICAL

Database Storage

Supported Databases

  • SQLite: Zero-config, perfect for single-user (default)
  • PostgreSQL: Enterprise multi-user, requires psql client
  • MySQL/MariaDB: Enterprise alternative, requires mysql client

Database Schema

Automatically creates tables for:

  • scans: Scan metadata, timestamps, statistics
  • findings: Vulnerabilities, leaks, certificate issues
  • assets: IP inventory with hostnames and cloud providers
  • vulnerabilities: CVE database with trending
  • certificates: TLS certificate tracking with expiry

Example: SQLite (Automatic)

./asnspy.sh AS15169 --profile security --database # Creates asnspy.db in scan output directory

Example: PostgreSQL (Enterprise)

./asnspy.sh AS15169 --profile security \
  --database --db-type postgresql \
  --db-host db.company.com \
  --db-user scanner --db-pass secret \
  --db-name asnspy

Querying Scan History

# View all scans
sqlite3 asnspy.db "SELECT * FROM scans ORDER BY start_time DESC;"

# Find persistent vulnerabilities
sqlite3 asnspy.db "SELECT cve_id, COUNT(*) as appearances FROM findings WHERE finding_type='vulnerability' GROUP BY cve_id ORDER BY appearances DESC;"

# Track certificate expiry
sqlite3 asnspy.db "SELECT ip, cn, days_remaining FROM certificates WHERE is_expired=0 AND days_remaining < 30 ORDER BY days_remaining;"

Diff Mode (Change Detection)

Compare Scans

Detect changes between scans to identify new vulnerabilities, changed assets, expired certificates, and new exposures.

# Compare with most recent scan (requires --database)
./asnspy.sh AS15169 --profile security --database --diff LATEST

# Compare with specific previous scan directory
./asnspy.sh AS15169 --profile security --diff-dir /path/to/previous/scan

# Alert on new CRITICAL findings
./asnspy.sh AS15169 --profile security --database --diff LATEST \
  --webhook https://hooks.slack.com/YOUR/WEBHOOK \
  --diff-alert-new-critical

What Diff Mode Detects

  • New/removed assets (IPs that appeared/disappeared)
  • New/resolved vulnerabilities (CVEs)
  • Port changes (newly opened/closed ports)
  • Certificate changes (newly expired certs)
  • New credential leaks
  • Service version changes
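
The "new/resolved vulnerabilities" comparison reduces to a keyed set difference between two scans' vulnerabilities.csv files. The added example below is not ASNSPY's own diff implementation; the function name vuln_diff and the two sample scan files are constructed for illustration, and the optional minimum-severity argument mirrors the --diff-alert-new-critical behaviour by restricting only the new findings that are reported:

```sh
# Constructed example, not ASNSPY's own diff code: compare two vulnerabilities.csv
# files (IP, port, product, version, CVE-ID, severity, description) and list
# findings that appeared or disappeared between scans, keyed on IP+port+CVE-ID.
# Usage: vuln_diff previous.csv current.csv [min_severity]
vuln_diff() {
  prev="$1"; curr="$2"; minsev="${3:-LOW}"
  # A naive comma split is safe here: key and severity live in fields 1-6, before
  # the quoted description, so commas inside the description cannot shift them.
  awk -F, -v minsev="$minsev" '
    BEGIN { rank["LOW"]=1; rank["MEDIUM"]=2; rank["HIGH"]=3; rank["CRITICAL"]=4 }
    { k = $1 "," $2 "," $5 }
    FILENAME == ARGV[1] { old[k] = $0; next }   # previous scan (works even if empty)
    { cur[k] = $0; sev[k] = $6 }                # current scan
    END {
      for (k in cur) if (!(k in old) && rank[sev[k]] >= rank[minsev]) print "new," cur[k]
      for (k in old) if (!(k in cur)) print "resolved," old[k]
    }' "$prev" "$curr" | LC_ALL=C sort
}

# Constructed sample scans in temp files; the rows reuse the two CVE IDs shown in
# the CVE section's example output.
PREV_SCAN=$(mktemp); CURR_SCAN=$(mktemp)
trap 'rm -f "$PREV_SCAN" "$CURR_SCAN"' EXIT
cat > "$PREV_SCAN" <<'EOF'
192.0.2.1,443,nginx,1.18.0,CVE-2021-23017,HIGH,"nginx resolver off-by-one heap write"
192.0.2.5,8080,Apache,2.4.29,CVE-2021-44790,CRITICAL,"mod_lua request smuggling"
EOF
cat > "$CURR_SCAN" <<'EOF'
192.0.2.1,443,nginx,1.18.0,CVE-2021-23017,HIGH,"nginx resolver off-by-one heap write"
192.0.2.7,8080,Apache,2.4.29,CVE-2021-44790,CRITICAL,"mod_lua request smuggling"
192.0.2.9,443,nginx,1.18.0,CVE-2021-23017,HIGH,"nginx resolver off-by-one heap write"
EOF
vuln_diff "$PREV_SCAN" "$CURR_SCAN"            # two new findings, one resolved
vuln_diff "$PREV_SCAN" "$CURR_SCAN" CRITICAL   # only the CRITICAL new finding (+ resolved)
```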

Scan Profiles

Pre-configured Workflows

  • quick: Fast scan, first 50 IPs, internet-only filter
  • standard: Default balanced configuration
  • deep: Everything enabled, max parallelism, comprehensive
  • stealth: Slow and careful, low parallelism
  • security: Vulnerability focus (TLS + Version + CVE + Leaks)

./asnspy.sh AS15169 --profile deep --quiet --json

Configuration File

Persistent Settings

Store default configuration in ~/.asnspyrc or .asnspyrc

# Generate example config
./asnspy.sh --generate-config

# Example .asnspyrc:
PARALLEL=50
DO_TRACE=1
DO_TLS=1
DO_CVE=1
CVE_MIN_SEVERITY=MEDIUM
DO_DATABASE=1
DO_JSON=1

Complete Automation Example

#!/bin/bash
# Daily automated scan with full enterprise integration
./asnspy.sh AS15169 --profile security --yes \
  --database --db-type postgresql \
  --db-host db.company.com --db-user scanner --db-pass "$DB_PASS" \
  --diff LATEST \
  --siem splunk --siem-host splunk.company.com:8088 \
  --siem-token "$SPLUNK_TOKEN" --siem-index security \
  --webhook "$SLACK_WEBHOOK" --webhook-type slack \
  --webhook-events scan_complete,critical_finding \
  --webhook-severity CRITICAL \
  --quiet --json

# Add to cron for daily execution:
# 0 2 * * * /opt/asnspy/daily-scan.sh >> /var/log/asnspy.log 2>&1

Use Cases

  • Continuous security monitoring (daily/weekly automated scans)
  • SOC integration (stream findings to SIEM)
  • Incident response (immediate alerts on CRITICAL findings)
  • Compliance reporting (historical data in database)
  • Vulnerability management (track remediation over time)

Ready to Get Started?

Request early access to ASNSPY and start comprehensive network reconnaissance today.