as a Passive Alternative to Eyewitness (Kind Of)

Greetz! Explored (redirects to or the other day, and after checking something out I decided to look at the site a little bit. Specifically I was interested in the search function for showing snapshots for subdomains. The query to enter in the search field looks like this, but without the quotes: “*.[target domain/host name].” I’ll get to that in a moment.

Let me back up a little and first explain what is for those that aren’t aware. is a website archival service. It takes a snapshot of a website and preserves it. For those that are interested in the history of web pages, it allows you to see how things change over time. For journalists, this might help you uncover that missing piece to the story you’re working on. For this article though, I’m looking at more as a passive tool for those that are doing external pentests, and where its similarities begin and end with an active reconnaissance tool called eyewitness.

Before continuing I want to make clear that this article is for educational purposes only.

With this in mind, let’s take a quick look at

This is the main page you’re greeted with at

Next, let’s look at searching subdomains.

If you look at the following screenshot of you can see the snapshot images on the left and the list of subdomains on the right. This is where that query of *.[target domain/host name] comes in. In this case it’s: *

For those conducting reconnaissance for a pentest, some of the snapshots provided might show you interesting information to explore for a particular subdomain to help with your client engagement.

With eyewitness, whose documentation you can find here, you’ll get the snapshots (like this one) plus the URL you’re looking at and the headers. The thing with eyewitness is that it’s active reconnaissance, meaning you are directly interacting with the target system. is passive and will create the least amount of noise.

When it comes to similarities, they begin and end with and eyewitness both providing snapshots of a host you’re looking at.

What would be great to have for is a way to export the subdomain list and/or the snapshots or access to an API to get them. That’s wishful thinking and it would be nice to have something to reference offline should be down for whatever reason.

That’s pretty much it.

I just wanted to share this for those looking for passive ways to find interesting information.

If you’d like to share any interesting ways you’ve used, please use the contact form below to reach out. If you’re an organization or law firm looking for help or to learn more about what services Bsquared Intel provides, please also fill out the contact form.
