Manuel Brochand and Aurélien Boit founded Weakspot last autumn, partnering with Laurent Mayet, president of Inquest, a subsidiary of GM Consultant. Their career paths give an overview of their area of expertise: both spent several years at the Ministry of the Armed Forces, one as an analyst / pentester, the other as an engineer / security consultant. They joined Inquest last summer, in what looks like the moment things clicked.
In practice, Weakspot starts from an e-mail address or a domain name. Beyond its very simple web interface, the tool works behind the scenes to collect as much data as possible from open sources about the corresponding domain.
The range can be very wide, from the fields of DNS records to the service banners exposed by Internet-connected systems and identifiable via a specialized search engine such as Shodan, among others. It also covers what conventional web search engines return about these elements, or about related ones. For Manuel Brochand and Aurélien Boit the goal is simple: find as many things as possible that can be related to the company being studied.
For e-mail addresses, the interest is twofold. Those that appear in any source accessible online are more likely than others to be targeted by targeted phishing operations. This is an opportunity for a training and awareness exercise. Some addresses may also be in breach databases. There is no question here of using the APIs of a service like haveibeenpwned, but the idea is the same: if the address is included in the lists distributed during breaches, it may be important to reinforce the security measures around it, in particular the passwords used to access the assets of the information system.
For hosts exposed online, Weakspot performs what is known as active discovery, seeking to identify, for example, the versions of the software components behind the services those hosts expose. For a web application, that can be Apache and a CMS, for example.
But the range of services likely to be exposed is much larger, as a service like Shodan makes it possible to measure. With this discovery done, Weakspot looks for known vulnerabilities in the discovered components, but there is no question of testing their exploitability as an intrusion test would.
The tool also checks whether addresses related to the infrastructure of the organization studied appear in ban lists or have been used as Tor exit nodes, among others. Weakspot adopts a highly modular architecture so that it can go even further. It can already look for the GitHub repositories of the organizations studied to find out whether some developers have left API keys or credentials behind. Which, unfortunately, does happen.
After an analysis that can last from ten minutes to several hours, Weakspot delivers a concise, visual result that helps the organization better understand its online exposure and measure the risks involved. Not without holding some surprises at times, according to the experience of Manuel Brochand and Aurélien Boit.
Weakspot is notably integrated by Inquest into its Cibero freemium offering, which includes awareness-raising, operational risk assessment and support for GDPR compliance. Of course, it can also be useful alongside other tools and other approaches for gauging an organization's online exposure.
Weakspot also has some potential in the field of cyber risk scoring. But for now, its creators prefer an approach between benchmarking and self-evaluation. Nevertheless, some sectors, such as insurance, could find it of interest.