Discover Hidden Infrastructure: A Guide to Network Recon with Scopify
Want to quickly map out a company's digital footprint and uncover potential security weaknesses? Scopify, a reconnaissance tool, automates the process of gathering infrastructure data, giving you a head start in penetration tests and bug bounty hunts. This guide will walk you through using Scopify to identify CDNs, hosting providers, and SaaS platforms, plus leverage AI to understand the collected data.
Why Use Scopify? Uncover Hidden Infrastructure Quickly
Scopify streamlines the initial stages of security assessments. Here's how it can benefit you:
- Automated Data Gathering: Quickly scrape infrastructure details from Netify.ai, saving you hours of manual research.
- Comprehensive Overview: Identify CDNs, hosting providers, and SaaS platforms used by a target company.
- AI-Powered Analysis (Optional): Leverage OpenAI to highlight potential vulnerabilities and suggest reconnaissance strategies, all in one tool.
Getting Started with Scopify: Installation and Setup
Follow these steps to get Scopify up and running:
- Clone the Repository: Obtain the necessary files, including scopify.py and requirements.txt.
- Create a Virtual Environment: Isolate project dependencies to avoid conflicts. Use python3 -m venv venv to create the environment.
- Activate the Environment:
  - Linux/macOS: source venv/bin/activate
  - Windows: .\venv\Scripts\activate
- Install Dependencies: Use pip install -r requirements.txt to install the required packages.
Unleash the Power of Scopify: Basic Usage
To use Scopify, run the script from the command line, providing the company name as an argument. Replace <company-name> with the target company's name (lowercase, hyphenated as needed, following Netify.ai's URL structure).
Example: To analyze Walmart's infrastructure and identify potential attack vectors, run Scopify with walmart as the company name. The command outputs tables listing the CDNs, hosting providers, and SaaS platforms used by Walmart.
Level Up with AI: Analyzing Data with OpenAI
Scopify can optionally leverage OpenAI to analyze the gathered data. This feature provides valuable insights, highlighting potential areas of interest and suggesting reconnaissance methodologies.
Setting Up OpenAI Integration
- Obtain an OpenAI API Key: If you don't have one yet, sign up for an OpenAI account and generate an API key.
- Set the Environment Variable: Export your OpenAI API key as an environment variable named OPENAI_API_KEY.
  - Linux/macOS: export OPENAI_API_KEY='your-api-key-here'
  - Windows (Command Prompt): set OPENAI_API_KEY=your-api-key-here
  - Windows (PowerShell): $env:OPENAI_API_KEY='your-api-key-here'
  Replace 'your-api-key-here' with your actual OpenAI API key.
Running Scopify with AI Analysis
To enable AI analysis, add the --analyze flag when running Scopify. This performs the same data scraping as before, but also sends the collected data to OpenAI for analysis. The AI-generated summary highlights potential vulnerabilities and suggests further reconnaissance steps.
Interpreting Scopify's Findings: From Data to Actionable Insights
CDN Insights
- Akamai: Look for subdomain-origin mismatches and test for Host header bypasses.
- Amazon CloudFront: Probe for Host header overrides and enumerate unused edge configurations.
- Cloudflare: Check for subdomain takeovers on unclaimed DNS entries.
Hosting Insights
- Google Hosted: Investigate potential GCP metadata service attacks via SSRF.
- Amazon AWS: Test for SSRF vulnerabilities and publicly exposed services.
- Unitas Global & Equinix: Scan for open management interfaces and default credentials.
SaaS Insights
- Email Marketing Platforms: Inspect tracking pixels, CORS policies, and parameter injection.
- Email Delivery APIs: Test URL callbacks, webhook endpoints, and API key exposure.
- CRM Integration Points: Look for custom subdomains ripe for subdomain takeover.
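The provider categories above come from Scopify's tables, but the same triage can be run from a defender's side against your own DNS zone. The following is an added example, not Scopify's code: it classifies CNAME targets into CDN and SaaS providers and flags dangling entries, the condition behind the subdomain-takeover checks mentioned above. The suffix map, the sample records and the target_resolves flags are constructed for illustration; in practice the records come from a zone export and the resolution status from a resolver lookup.

```python
"""Triage CNAME records: identify the fronting provider and flag dangling targets."""

# Suffix -> (category, provider). Assumption: a small starter set; extend per environment.
KNOWN_SUFFIXES = {
    "akamaiedge.net": ("CDN", "Akamai"),
    "edgekey.net": ("CDN", "Akamai"),
    "cloudfront.net": ("CDN", "Amazon CloudFront"),
    "cdn.cloudflare.net": ("CDN", "Cloudflare"),
    "sendgrid.net": ("SaaS", "Email delivery API"),
    "sites.hubspot.net": ("SaaS", "CRM integration"),
}

def classify_target(target: str):
    """Return (category, provider) for a CNAME target; unmapped targets report their apex."""
    labels = target.rstrip(".").lower().split(".")
    # Walk from the full name down so the longest known suffix wins
    # (cdn.cloudflare.net is matched before a hypothetical cloudflare.net entry).
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in KNOWN_SUFFIXES:
            return KNOWN_SUFFIXES[suffix]
    return ("unknown", ".".join(labels[-2:]))

def triage(records):
    """records: list of (hostname, cname_target, target_resolves).
    target_resolves is constructed here; normally it is the result of resolving the target."""
    findings = []
    for host, target, resolves in records:
        category, provider = classify_target(target)
        if not resolves:
            risk = "dangling CNAME: confirm the target is still claimed or remove the record"
        elif category == "CDN":
            risk = "CDN-fronted: confirm the origin only accepts traffic from the CDN"
        elif category == "SaaS":
            risk = "vendor-hosted: confirm the vendor account still owns this hostname"
        else:
            risk = "unmapped provider: classify manually"
        findings.append({"host": host, "category": category, "provider": provider, "risk": risk})
    return findings

SAMPLE_RECORDS = [  # constructed sample zone data
    ("www.example.com", "www.example.com.edgekey.net.", True),
    ("static.example.com", "d111111abcdef8.cloudfront.net.", True),
    ("email.example.com", "u1234567.wl123.sendgrid.net.", True),
    ("promo.example.com", "promo-example.sites.hubspot.net.", False),
    ("legacy.example.com", "legacy.oldvendor-cdn.example.", True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['host']:<20} {f['category']:<8} {f['provider']:<20} {f['risk']}")
```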
Expanding Your Recon: Advanced Techniques and Vulnerability Spotting
The data provided by Scopify is a starting point. Here are additional reconnaissance techniques to consider:
- Subdomain Enumeration: Exhaustively discover subdomains using various tools and techniques.
- WAF Fingerprinting & Bypass Testing: Identify CDN vendors and attempt to bypass their protections.
- Origin Exposure Testing: Connect directly to origin IPs to bypass CDN protections.
By combining Scopify's automated data gathering with your own expertise, you can significantly enhance your reconnaissance efforts and identify potential security vulnerabilities. This makes Scopify a powerful reconnaissance tool in your cybersecurity arsenal. Remember always to use it ethically and with permission.