Greetz! I explored Archive.today (which redirects to archive.is or archive.ph) the other day, and after checking something out I decided to look at the site a little bit. Specifically, I was interested in the search function for showing snapshots for subdomains. The query to enter in the search field looks like this, but without the quotes: “*.[target domain/host name]”. I’ll get to that in a moment.
Let me back up a little and first explain what archive.today is for those that aren’t aware.
Archive.today is a website archival service. It takes a snapshot of a website and preserves it. For those that are interested in the history of web pages, it allows you to see how things change over time. For journalists, this might help you uncover that missing piece to the story you’re working on. For this article though, I’m looking at archive.today more as a passive tool for those doing external pentests, and at where its similarities begin and end with an active reconnaissance tool called eyewitness.
Before continuing I want to make clear that this article is for educational purposes only.
With this in mind, let’s take a quick look at archive.today.
This is the main page you’re greeted with at archive.today.
Next, let’s look at searching subdomains.
If you look at the following screenshot of foo.com you can see the snapshot images on the left and the list of subdomains on the right. This is where that query of *.[target domain/host name] comes in. In this case it’s: *.foo.com
For those conducting reconnaissance for a pentest, some of the snapshots provided might show you interesting information to explore for a particular subdomain to help with your client engagement.
With eyewitness, whose documentation you can find here, you’ll get the snapshots (like this one) plus the URL you’re looking at and the headers. The thing with eyewitness is that it’s active reconnaissance, meaning you are directly interacting with the target system. archive.today is passive and will create the least amount of noise.
When it comes to similarities, they begin and end with archive.today and eyewitness both providing snapshots of a host you’re looking at.
What would be great to have for archive.today is a way to export the subdomain list and/or the snapshots or access to an API to get them. That’s wishful thinking and it would be nice to have something to reference offline should archive.today be down for whatever reason.
That’s pretty much it.
I just wanted to share this for those looking for passive ways to find interesting information.
If you’d like to share any interesting ways you’ve used archive.today, please use the contact form below to reach out. If you’re an organization or law firm looking for help or to learn more about what services Bsquared Intel provides, please also fill out the contact form.