How to use the command 'waymore' (with examples)
The ‘waymore’ command is a powerful and versatile tool designed for digital forensics and cybersecurity professionals. It serves the primary purpose of fetching URLs from various online archival and security databases, including the Wayback Machine, Common Crawl, AlienVault OTX, URLScan, and VirusTotal. The tool is invaluable for retrieving historical data, conducting domain investigations, and understanding the footprint of web domains over time.
Use case 1: Search for URLs of a domain
Code:
waymore -i example.com
Motivation:
Gathering a comprehensive list of URLs associated with a particular domain is essential for cybersecurity analysts looking to map out the attack surface of a site. By retrieving URLs across multiple databases, one can identify potentially malicious URLs, understand the structure and changes of a domain over time, and highlight areas for security auditing.
Explanation:
waymore: The command initiates the waymore process.
-i example.com: Specifies the domain of interest whose URLs are to be fetched.
Example output:
In the ~/.config/waymore/results/ directory, you might find a file named example.com-<timestamp>.txt containing URLs like:
http://example.com/page1
http://example.com/page2
...
Use case 2: Limit search results to only include a list of URLs for a domain and store outputs to the specified file
Code:
waymore -mode U -oU path/to/example.com-urls.txt -i example.com
Motivation:
When performing domain reconnaissance, the focus is often on creating a simple list of URLs. This use case is crucial when you only need the URLs without additional metadata, which can then be used for activities like link analysis or feeding into other URL processing tools.
Explanation:
-mode U: Specifies the mode to only fetch URLs, disregarding other data.
-oU path/to/example.com-urls.txt: Customizes the output location to a specified file, aiding in organizing results by name and directory.
-i example.com: Indicates the target domain.
Example output:
The specified path, path/to/example.com-urls.txt, would contain:
http://example.com/page1
http://example.com/contact
...
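An added example, not part of the original page or of the waymore project: a Python script that takes the URL list written by -mode U -oU, collapses duplicate forms of the same URL, and counts hosts, file extensions and query parameter names so the archived footprint can be compared with what the site is meant to expose. The sample lines are constructed, and the function names normalize and summarize are hypothetical.

```python
from collections import Counter
from posixpath import splitext
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of what a `-mode U -oU` output file could contain.
SAMPLE = """\
http://example.com/page1
HTTP://Example.com:80/page1#top
https://example.com/contact?b=2&a=1
https://example.com/contact?a=1&b=2
https://example.com/docs/report.pdf
not a url
"""

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(line):
    """Return a canonical form of one URL line, or None if it is not usable."""
    try:
        parts = urlsplit(line.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower()
    # Keep only non-default ports so :80 / :443 variants collapse together.
    if port and port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{port}"
    # Sort parameters so ?b=2&a=1 and ?a=1&b=2 count as one URL; drop fragments.
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((parts.scheme, host, parts.path or "/", query, ""))

def summarize(lines):
    """Deduplicate archived URLs and count hosts, extensions and parameter names."""
    unique = sorted({u for u in map(normalize, lines) if u})
    hosts, exts, params = Counter(), Counter(), Counter()
    for url in unique:
        parts = urlsplit(url)
        hosts[parts.netloc] += 1
        exts[splitext(parts.path)[1] or "(none)"] += 1
        params.update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return {"urls": unique, "hosts": hosts, "extensions": exts, "params": params}

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    print(f"{len(report['urls'])} unique URLs")
    for name in ("hosts", "extensions", "params"):
        print(name, dict(report[name]))
```

To run it on real output, pass the lines of the -oU file to summarize() in place of SAMPLE.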
Use case 3: Only output the content bodies of URLs and store outputs to the specified directory
Code:
waymore -mode R -oR path/to/example.com-url-responses -i example.com
Motivation:
In-depth analysis of the content returned by URLs helps cybersecurity experts understand the nature of data served by a domain, potentially identify exploitable content, and inspect changes over time. This use case specifically assists in examining the context within which URLs exist, thus empowering more refined threat assessments.
Explanation:
-mode R: Specifies the mode to retrieve the response bodies/content from requested URLs.
-oR path/to/example.com-url-responses: Defines the directory where the response bodies will be saved, enabling targeted review or archival of data.
-i example.com: Sets the domain for URL content retrieval.
Example output:
The directory path/to/example.com-url-responses would contain files named after URLs with their body content, such as:
page1.html
contact.html
...
Use case 4: Filter the results by specifying date ranges
Code:
waymore -from 20230101 -to 20231001 -i example.com
Motivation:
Forensic investigations often require examining historical data within specific timeframes to correlate incidents or trace changes leading up to vulnerabilities. This feature is essential for narrowing results to relevant data and time windows, thus optimizing the analysis process in targeted investigations.
Explanation:
-from 20230101: Defines the start of the date range in YYYYMMDD format, focusing retrieval efforts to a narrowed timeframe.
-to 20231001: Sets the end of the date range, similarly formatted, ensuring data relevancy within defined bounds.
-i example.com: Specifies the domain being investigated.
Example output:
The results directory will contain files detailing URLs accessed between January 1, 2023, and October 1, 2023, like:
http://example.com/new-feature (retrieved from Jan to Oct 2023)
...
Conclusion:
The ‘waymore’ command is a robust tool that aids cybersecurity professionals in comprehensively investigating domains. From fetching and storing URLs to examining content and historical changes, its diverse functionalities cater to various investigative needs, thereby ensuring both breadth and depth in digital forensic analysis. By utilizing the specific use cases outlined above, users can maximize their efficiency and effectiveness in conducting thorough domain investigations.