Pentesting and Security Personal Blog

Pentesting and Security Personal Blog



XRay is a tool for network OSINT gathering, its goal is to make some of the initial tasks of information gathering and network mapping automatic.


How Does it Work?

XRay is a very simple tool, it works this way:

  1. It'll bruteforce subdomains using a wordlist and DNS requests.
  2. For every subdomain/ip found, it'll use Shodan to gather open ports and other intel.
  3. If a ViewDNS API key is provided, for every subdomain historical data will be collected.
  4. For every unique ip address, and for every open port, it'll launch specific banner grabbers and info collectors.
  5. Eventually the data is presented to the user on the web ui.

Grabbers and Collectors

  • HTTP Server, X-Powered-By and Location headers.
  • HTTP and HTTPS robots.txt disallowed entries.
  • HTTPS certificates chain ( with recursive subdomain grabbing from CN and Alt Names ).
  • HTML title tag.
  • DNS version.bind. and hostname.bind. records.
  • MySQL, SMTP, FTP, SSH, POP and IRC banners.


Shodan API Key

The API key parameter ( -shodan-key KEY ) is optional, however if not specified, no service fingerprinting will be performed and a lot less information will be shown (basically it just gonna be DNS subdomain enumeration).


If a ViewDNS API key parameter ( -viewdns-key KEY ) is passed, domain historical data will also be retrieved.

Anonymity and Legal Issues

The software will rely on your main DNS resolver in order to enumerate subdomains, also, several connections might be directly established from your host to the computers of the network you're scanning in order to grab banners from open ports. Technically, you're just connecting to public addresses with open ports (and there's no port scanning involved, as such information is grabbed indirectly using Shodan API)

Building a Docker image

To build a Docker image with the latest version of XRay:

    git clone
    cd xray
    docker build -t xraydocker .

Once built, XRay can be started within a Docker container using the following:

    docker run --rm -it -p 8080:8080 xraydocker xray -address -shodan-key shodan_key_here -domain 


    Usage: xray -shodan-key YOUR_SHODAN_API_KEY -domain TARGET_DOMAIN
      -address string
            IP address to bind the web ui server to. (default "")
      -consumers int
            Number of concurrent consumers to use for subdomain enumeration. (default 16)
      -domain string
            Base domain to start enumeration from.
      -port int
            TCP port to bind the web ui server to. (default 8080)
            Do not remove subdomain from the provided domain name.
      -session string
            Session file name. (default "<domain-name>-xray-session.json")
      -shodan-key string
            Shodan API key.
      -viewdns-key string
            ViewDNS API key.
      -wordlist string
            Wordlist file to use for enumeration. (default "wordlists/default.lst")


    # xray -shodan-key yadayadayadapicaboo... -viewdns-key foobarsomethingsomething... -domain

    ____  ___
    \   \/  /
     \     RAY v 1.0.0b
     /    by Simone 'evilsocket' Margaritelli
    /___/\  \

    @ Saving session to
    @ Web UI running on

You can find it here:


Thanks for reading!

maninwire =D

Know your enemy!

Written by in Tools on mié 02 agosto 2017. Tags: shodan, tool, pentesting, enumeration, subdomains,