Intrigue Core v0.5 Released!

Announcing the immediate availability of Intrigue Core v0.5. This release is  heavy with system level improvements and bugfixes. There are also key investments made in this release with the removal of (the now-deprecated) PhantomJS and the  integration of Chrome Headless browser for screenshots and javascript fingerprinting.

A number of security-related improvements were made as well, with all platforms (EC2, Docker, Vagrant) all relying on the same core system setup scripts and no longer using “rbenv sudo” to run as the root user.

This release continues to make progress on fingerprinting with a number of new fingerprints being added.

Enjoy, and Happy 4th!

– jcran

New Functionality: 

  • Update to Ruby 2.5.1
  • Moved headless browsing components from PhantomJS to Chrome Headless
  • Consolidated & simplified system bootstrap for Docker / Vagrant / AMI
  • Removal of rbenv sudo
  • Support for dynamic task queues
  • Lots of new fingerprints (pfsense, telerik, atlassian, etc)
  • Faster exports (streaming JSON) & dynamically generated export UI

New Tasks:

How to get it 

You can download and run Intrigue Core 0.5 immediately on the following platforms.

Announcing … Intrigue Core v0.4!

Announcing the immediate release of Intrigue Core v0.4!

In this release, you’ll find:

If that weren’t enough, we added a total of 19 new modules:

This release also had a ton of work over the last few weeks as we prepared for RSA 2018. At RSA, Ed Bellis & I discussed “Recon for Defenders” and offered up a few specific CVEs and software that defenders must be very quick to patch – particularly when it’s available for scanning.

As part of that work, we spun up around over 100 simultaneous instances of Intrigue Core, and used these instances to scan the F500 using the “org_asset_discovery_active” strategy and a single domain seed. After running for 10 hours total, we had the world’s first ~complete attack surface scan of the entire F500. Pretty sweet.

We then anonymized and released the data from those tests. As you dig into them, you’ll notice a large number of servers and applications exposed at the perimeter that were still running vulnerable versions of this software at the time of testing.

Digging through the results, I realized that Core’s fingerprinting capabilities needed a lot of work, and so shortly after the talk, I sat down and overhauled the application fingerprinter, creating a pluggable system. Now, for each URI that the system wants to fingerprint, any piece of software can plug in a set of checks. This architecture us to minimize the number of HTTP requests we make, while still supporting a large number of fingerprints.

Now that v0.4 is available,  you can now immediately download and run Core through the normal AMI, Dockerfile, or (new in this release) in a local or remote VM using Vagrant!

Intrigue Core v0.3 released at DEFCON 25!

We’re proud to announce that Intrigue Core v0.3 is now GA, and available on the ‘master’ git branch. There’s a load of new features available, including entity correlation, enrichment and vastly improved search and analysis capabilities. We’ve got new AWS S3 discovery tasks, Github discovery tasks and a cool new Org-based whois search. See below for links to more detail for each of these features. This release also adds support for multiple strategies, and adds a new “Domain Intel” strategy (blog post forthcoming).

New Features

New Tasks

New Strategies 

Feature Update: Project Statistics

Just a quick note to mention a new addition: Project Statistics. Sometimes you need an overview of the types of entities and activity in the project. This is a handy way to get an overview. The individual counts are linked to the ‘Entities’ viewer, allowing you to dig in and get a better understanding.

Here’s a screenshot from a recent project:

This feature is immediately available on the ‘master’ branch. Enjoy!

Entity Correlation and Meta-Entity views

Earlier this week, we added a couple features named “Entity Enrichment” and “Entity Aliasing”. These features allowed users to get a better picture of an entity through techniques such as DNS and clever ways of comparing entities.

Now, to make this even easier, we’ve added a way to show these correlated entities as a single unit. This makes seeing an entity with many different names easier.

Announcing the “Meta-Entity” view:

Now you can see there are 107 unique “meta-entities” vs the standard view with each entity shown as its own row (202). Previously, you’d need to do this correlation yourself on the Entities page, and it was difficult to tell if you’d already looked into an entity because many lines could represent the same entity, just a different view.

Comments & feedback welcome!



Entity enrichment and aliasing

Announcing two new features called “entity enrichment” and “entity aliasing”.

Entity enrichment allows us to get a more complete picture of an entity. It is a process that happens automatically for certain entities upon their creation. Today IpAddress, DnsRecord, and Uri are supported. For each of these entity types, one or several enrichment tasks will be run as soon as the entity is created, allowing us to discover additional facts and alternate names (“aliases”) for the entity.

How it works: Upon creation, an enrichment task (lib/tasks/enrich/*) will be scheduled and run. In the case of an IpAddress, the name will be resolved to A, CNAME, or PTR records, DnsRecord entities created,  and finally “aliased” to the IpAddress.

Let’s show a quick demo.

First, create a new project and select the “Create Entity” task with a DnsRecord entity. In this case, we’ll use the DnsRecord “” with no recursive depth:


Hit “Run Task” and you’ll see that it kicks off the task, creating the entity:


Now browse to the entities page. Notice that there are now 3 total entities, one DnsRecord, and two IpAddress entities. Note also that the IpAddress entities are both are aliased to the “” DnsRecord. In this way, we can quickly find load balancers and other interesting DNS configurations.


Now, let’s try with a larger iteration strategy (3):4

Give it a few moments, and now, on the Entities view, filtering for IpAddress only, we can see the correlation of IpAddress to DnsRecord:


This is also a good way to find DNS entries that are no longer active or resolving to an IP, but this is left as an exercise for the reader.


Getting started with Intrigue Core on Docker

NOTE: this post will tell you how to build the standalone Docker image locally on your system. If you’d just like to USE the latest standalone docker image, there’s a pre-built image available on DockerHub

To build an Intrigue Core image using Docker, you’ll need to install Docker on your machine.

Next, pull down the Intrigue Core repository to your local machine with a git clone and jump into the directory:

$ git clone
$ cd intrigue-core

Then use Docker to build an image:

$ docker build -f Dockerfile. -t intrigue-core

Now, we can run the newly-minted image with Docker, and we’ll want to expose the UI/API listening on :7777! 

### Use the following command to start the Intrigue Core service
### NOTE: remove the -v option if you do not need to preserve
### data between runs!
$ docker run -e LANG=C.UTF-8 \
-v ~/intrigue-core-data:/data \
-p \
--memory=8g \
-it intrigue-core

NOTE: If you’re running on a system as a user other than root, you may need to add the —privileged flag.

This will start the docker image with the intrigue-core services, giving you output that looks like the following (shortened for brevity):

Starting PostgreSQL 12.0 database server                                                                                                                                                           [ OK ] 
Starting redis-server: redis-server.
Starting intrigue-core processes
[+] Setup initiated!
[+] Generating system password: [PASSWORD]
[+] Copying puma config....
[ ] File already exists, skipping: /core/config/puma.rb

* Listening on tcp://
Use Ctrl-C to stop

As it starts up, you can see that it generates a unique password. You can  now log in with the username intrigue and the password above at on your host machine!

Now, you’re up and running,  see: Up and running with Intrigue Core

DEPRECATED – Intrigue Core EC2 AMI

NOTE! THE AWS IMAGE IS NO LONGER SUPPORTED AS OF v0.8.0. While it is still possible to run intrigue core in AWS, there is no prebuilt image available at this time. If you’re interested in a supported image, please join us in the Support channel (linked above).

The current AMI name is: intrigue-core-standalone-v0.70. The ID is: ami-076efce5ffba6e5c0 in US-East-1. The instance is optimized for the m5.xlarge instance type, and make sure to open :7777 to your network. Once it’s up & running, the services will need to be started with the provided command, copied below for convenience:

$ cd core && rake setup && rake update && god -c /home/ubuntu/core/util/god/intrigue-ec2.rb && god start

Congrats, you’re up and running! You can now access the core interface over SSL at https://HOSTNAME:7777.