How NetTrace Works
A deep dive into every step of the scan pipeline — from the moment you press Trace to the final security score.
The Scan Pipeline
When you enter a domain or IP and hit Trace, NetTrace orchestrates 27 intelligence modules across 3 parallel threads. Here's the high-level flow:
Runs up to 12 workers concurrently in a ThreadPool. Two phases:
Isolated thread — runs separately because port scans are slow and rate-limited.
5 depth levels (Light → Deep)
Includes banner grabbing & HTTP probing
Network path tracing with real-time hop-by-hop geo-mapping on an interactive map.
Concurrent geoIP lookups per hop
First 3 hops hidden (infra protection)
Module Deep Dive
Every module explained — what it does, how it works under the hood, and what data you get back.
DNS Intelligence
DNS records, DNSSEC validation & global propagation
How it works
NetTrace uses the dnspython library to query authoritative DNS servers for 7 record types:
A (IPv4), AAAA (IPv6), MX (mail), TXT (SPF, verification), NS (nameservers), CNAME (aliases), and SOA (authority).
Each resolved IP gets a reverse DNS (PTR) lookup to map IPs back to hostnames.
DNSSEC Validation
A separate module checks DNSSEC by querying for DNSKEY, DS (Delegation Signer), and RRSIG records using EDNS (Extension Mechanisms for DNS). This verifies the cryptographic chain of trust from root servers to the domain.
Propagation Check
Queries 8 global resolvers simultaneously (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 9.9.9.9, OpenDNS, CleanBrowsing, Yandex, DNSPod, KT) to verify the domain resolves consistently worldwide. Detects DNS propagation issues after recent changes.
Data returned
SSL & Security
Certificate analysis, TLS ciphers, security headers & reputation
SSL Certificate
Connects to the target via TLS using Python's ssl module and the cryptography library. Extracts the full X.509 certificate: subject, issuer chain, serial number, validity period, days until expiry, negotiated cipher suite, public key size (RSA/ECDSA), and all Subject Alternative Names (SANs).
TLS Cipher Analysis
Tests TLS version support by attempting connections with TLS 1.0, 1.1, 1.2, and 1.3 separately. Identifies deprecated protocols, checks for forward secrecy (ECDHE/DHE key exchange), and flags weak cipher suites.
Security Headers
Audits 9 critical HTTP security headers: HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and X-XSS-Protection. Each missing header is flagged with its risk level.
IP Reputation
Checks the resolved IP against 6 DNS-based blacklists (Spamhaus ZEN, SpamCop, SORBS, Barracuda, CBL) using reverse DNS queries. Reports clean/listed status per blacklist.
Data returned
WHOIS & Registration
Domain ownership, registrar, dates & domain age
3-Layer WHOIS Fallback
NetTrace uses a sophisticated 3-layer approach to maximize coverage across all TLDs:
Domain Age & Archive
Calculates domain age from WHOIS creation date and queries the Wayback Machine CDX API for historical snapshot count, earliest and latest captures. Provides a complete registration timeline.
Data returned
IP Geolocation
Physical location, ISP, organization & ASN mapping
Uses the ip-api.com geolocation API with batch support for up to 100 IPs per request. Maps each IP to its physical location, network provider, and autonomous system.
The resolved coordinates are plotted on an interactive Leaflet.js map with custom styling for both dark and light themes, showing the server's approximate location with ISP/ASN details.
Data returned
Traceroute Mapping
Interactive network path visualization with geo-mapping
Path Tracing
Executes the system traceroute command with a fallback to TTL-based ping probing when traceroute is unavailable. Each hop's IP is resolved via concurrent geoIP lookups using a ThreadPool.
Live Map
Results stream in real-time to a Leaflet.js map. Each hop appears as an animated dot with polyline connections. The origin is green, intermediate hops are blue with gradient styling, and the destination is red. Popups show latency, provider, ASN, and location per hop.
Privacy
The first 3 hops are hidden and replaced with masked entries to protect internal network infrastructure. Configurable hop limit: 5–50 hops (max 20 for unauthenticated users).
Per-hop data
Web Analysis
Screenshot, WAF, protocols, tech stack, cookies & content security
Screenshot
Captures a full-page screenshot using headless Chromium. SSRF-protected — rejects private/internal IPs before connecting. The screenshot is stored and served for visual preview.
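One way to implement the pre-connection check described above, as an added example rather than NetTrace's own code. The names `check_target`, `is_public_ip` and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_public_ip(addr):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (cloud metadata),
    # shared address space (100.64.0.0/10) and other reserved ranges.
    return ip.is_global

def resolve(host):
    """Default resolver: every address the host name maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_target(url, resolver=resolve):
    """Return the vetted IPs for url, or raise ValueError before any connection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("host did not resolve")
    # Reject if ANY record is internal: a name may mix public and private answers.
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"non-public address: {addr}")
    return addrs
```

The returned addresses are the ones to connect to: resolving the host name a second time at fetch time reopens the check to DNS rebinding, and each redirect target needs the same check.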
WAF & CDN Detection
Fingerprints WAF/CDN providers by matching response headers and cookies against a signature database: Cloudflare, AWS WAF, Akamai, Imperva, F5 BIG-IP, Sucuri, and more.
Protocol Detection
Tests HTTP/2 support via ALPN negotiation during TLS handshake and HTTP/3 (QUIC) via Alt-Svc header analysis. Reports supported protocol versions.
Technology Stack
Detects server software, frameworks, CMS platforms, analytics tools, and JS libraries by scanning HTTP headers (Server, X-Powered-By) and HTML content against regex patterns.
Cookie Audit
Audits every cookie for security flags: Secure, HttpOnly, SameSite, and __Host- / __Secure- prefix compliance. Each cookie gets a security score.
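A cookie audit along these lines, as an added example and not NetTrace's own code. The function names, the sample headers and the scoring formula (100 minus 25 per finding) are assumptions; the page does not state how the score is computed.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header):
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    issues = []
    if not secure:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if samesite not in ("strict", "lax", "none"):
        issues.append("missing or invalid SameSite")
    elif samesite == "none" and not secure:
        issues.append("SameSite=None without Secure")
    # Prefixes are compared case-insensitively so __HOST- is audited too.
    prefix = name.lower()
    if prefix.startswith("__secure-") and not secure:
        issues.append("__Secure- prefix without Secure")
    if prefix.startswith("__host-") and (
            not secure or attrs.get("path") != "/" or "domain" in attrs):
        issues.append("__Host- prefix needs Secure, Path=/ and no Domain")
    # Hypothetical scoring: 100 minus 25 per finding, floored at 0.
    return {"name": name, "issues": issues,
            "score": max(0, 100 - 25 * len(issues))}

# Constructed Set-Cookie values for illustration.
SAMPLES = [
    "__Host-sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-sid=abc; Path=/; Domain=example.test; Secure; HttpOnly; SameSite=Strict",
    "tracking=1; SameSite=None",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_cookie(sample))
```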
Content Security
Scans page content for mixed content (HTTP resources on HTTPS pages), counts inline scripts, catalogs external script domains, and detects unencrypted form submissions.
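The four checks in this paragraph, sketched with the standard library's HTML parser. This is an added example, not NetTrace's code; `ContentScan`, `scan`, the `LOADERS` table and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that loads a subresource (constructed, non-exhaustive).
LOADERS = {"script": "src", "img": "src", "iframe": "src", "source": "src", "link": "href"}

class ContentScan(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlsplit(page_url).hostname
        self.mixed, self.insecure_forms = [], []
        self.inline_scripts, self.script_domains = 0, set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and not a.get("src"):
            self.inline_scripts += 1
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as subresources
        ref = a.get(LOADERS.get(tag, ""))
        if ref:
            # urljoin resolves relative and protocol-relative (//host/x) references.
            url = urlsplit(urljoin(self.page_url, ref))
            if url.scheme == "http":
                self.mixed.append(url.geturl())
            if tag == "script" and url.hostname and url.hostname != self.page_host:
                self.script_domains.add(url.hostname)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            if urlsplit(action).scheme == "http":
                self.insecure_forms.append(action)

def scan(page_url, html):
    s = ContentScan(page_url)
    s.feed(html)
    s.close()
    return {"mixed": s.mixed, "inline_scripts": s.inline_scripts,
            "script_domains": sorted(s.script_domains),
            "insecure_forms": s.insecure_forms}

# Constructed sample page, assumed to be served from https://www.example.test/.
SAMPLE = """<head><script src="https://cdn.example.test/lib.js"></script>
<script src="/static/app.js"></script><script>var x = 1;</script>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://www.example.test/"></head>
<body><img src="http://img.example.test/logo.png"><img src="//img.example.test/ok.png">
<form action="http://www.example.test/login"></form><form action="/search"></form></body>"""
```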
Robots.txt & Sitemap
Fetches and parses robots.txt and sitemap.xml. Detects exposed sensitive paths matching keywords like admin, api, backup, config, and database. Lists sitemap URLs.
Data returned
Port Scanning
TCP port probing, service detection & banner grabbing
TCP Probing
Uses raw TCP socket connections with a 2-second timeout to probe each port. Open ports are fingerprinted: known service ports get a named label (SSH, HTTP, MySQL, etc.), and banner-grabbing is performed on common banner ports (FTP, SSH, SMTP, etc.).
5 Depth Levels
Levels 2–5 require authentication. Rate limited to 1 scan per 30 minutes for unauthenticated users.
Per-port data
Email, Social & OSINT
Email authentication (SPF/DKIM/DMARC), social profiles, CT logs
Email Authentication
DNS lookups for SPF, DKIM, and DMARC records. Analyzes policy strength, mechanism details, and spoofability risk. Produces a composite email security score (0–3).
Social Discovery
Scans the target's HTML for social media profiles (Twitter, Facebook, LinkedIn, Instagram, GitHub, YouTube, TikTok, Reddit), email addresses (mailto: links), and phone numbers using regex pattern matching.
Certificate Transparency
Queries crt.sh (Certificate Transparency log aggregator) for every SSL certificate ever issued for the domain. Returns issuer breakdown, date range, and all SANs — useful for discovering subdomains.
Subdomain Takeover
Checks discovered CNAME targets against known vulnerable hosting services (S3, Heroku, GitHub Pages, Netlify, Azure, etc.) and scans for takeover fingerprint strings in responses.
Data returned
Vulnerability & CVE Analysis
Known CVEs, clickjacking & open redirect testing
CVE Lookup
Maps detected software versions (from HTTP headers and tech detection) to CPE vendor/product patterns, then queries the National Vulnerability Database (NVD) API. Returns matching CVEs with severity levels (Critical, High, Medium, Low) and affected version ranges.
Clickjacking Test
Analyzes X-Frame-Options and Content-Security-Policy frame-ancestors headers to determine if the site is vulnerable to clickjacking/UI redress attacks.
Open Redirect Test
Tests common URL parameter names (url, redirect, next, return, goto) with redirect payloads to detect open redirect vulnerabilities.
Data returned
Security Score
After all modules complete, NetTrace computes a composite security grade (A–F) from weighted categories:
Rate Limits & Authentication
Unauthenticated
- 5 scans per 30 minutes
- 1 port scan per 30 minutes
- Port scan: Light level only
- Traceroute: max 20 hops
- Major domains blocked
Authenticated
- Unlimited scans
- Unlimited port scans
- All 5 port scan levels
- Traceroute: up to 50 hops
- All domains scannable