Syhunt IcyDark: Getting Started

The information in this document applies to version 6.9.10 of Syhunt IcyDark.

How to perform a domain check

Syhunt IcyDark can help you map data leaks on the surface, deep and dark layers of the web that affect your organization, including file and credential exposures, and allows you to compare the privacy and security score of your Internet domains based on their track record and testing results.

Follow along with this guide to learn how to perform a domain check and generate a security report.

  1. Make sure you meet the pre-scan requirements and are properly authorized to perform the check against the target domain.
  2. Launch Syhunt Hybrid and click the Syhunt IcyDark icon or New Scan button in the welcome page.
    1. If this is the first time you access IcyDark, the IcyDark setup will open and allow you to install its dependencies.
  3. Enter the domain address you want to check.
  4. Select a hunt method. We recommend the Dark Web Scan Plus (Default) method, which checks for surface-to-darknet leaks plus incident records using the recommended settings - the different methods are explained in the Hunt Methods document.
  5. Check edit domain preferences if you wish to assign specific domain settings or enable score comparison.
  6. Press the OK button to start the scan.

At the end of the scan, you can click Generate a Report to save the results as an HTML report or in any other preferred format.

How to perform a domain check via command-line

  1. Go to the directory where Syhunt is installed using the command prompt.
  2. Use the following command-line:

scandark [target] -hm:[a huntmethod] -gr

// Example:
scandark mydomain.com -gr

Syhunt scandark tool reports are automatically generated and saved if the -gr parameter is provided. You can also open the session by launching Syhunt and using the Menu -> Past Sessions option.

The following parameters can be provided when calling the scandark tool, all of which are optional:

| Parameter | Description | Default Value |
|---|---|---|
| sn:[name] | A session name that must be unique. If omitted, a unique ID will be generated and assigned | auto generated ID |
| hm:[name] | The Hunt Method to be used during the scan. If omitted, the default method will be used | darkplus |
| gr | Generates a report file after scanning | |
| gx | Generates an export file after scanning | |
| or | Opens report after generation | |
| er | Emails report after generation | |
| etrk:[trackername] | Email preferences to be used when emailing report | |
| esbj:[subject] | Email subject to be used when emailing report | Syhunt IcyDark Report |
| rout:[filename] | Sets the report output filename and report format | Report_[session name].html |
| rtpl:[name] | Sets the report template | Standard |
| xout:[filename] | Sets the export output filename and report format | Export_[session name].xml |
| xout2:[filename] | Sets a second export output filename and report format | Export_[session name].xml |
| pfcond:[condition] | Sets a pass/fail condition to be reported | |
| nv | Turns off verbose output. Errors and basic info still get printed | |
| about | Displays information on the current version of Syhunt | |
| help (or /?) | Displays the list of available parameters | |
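When scandark is driven from a list of domains, each entry should be validated before it reaches the command line, so that a malformed line cannot be read as an extra parameter. The following is an added example, not Syhunt code: it assumes a Linux install with scandark in the current directory, and the names SCANDARK, build_scandark_args and run_batch are hypothetical.

```shell
#!/bin/sh
# Added example (not Syhunt code). SCANDARK, build_scandark_args and run_batch
# are hypothetical names; adjust SCANDARK to where the tool is installed.
SCANDARK="${SCANDARK:-./scandark}"

# Hunt method CLI names as listed in this document.
HUNT_METHODS="darkplus darknosub dark darkndeep deep surface deeponly darkonly darknoid"

# Prints the scandark arguments, one per line, for domain $1 and hunt method $2
# (default darkplus). $3 is an optional timestamp used to keep -sn unique.
# Returns 1 and prints nothing when the domain or the method is rejected.
build_scandark_args() {
  local domain method stamp session
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  method="${2:-darkplus}"
  stamp="${3:-$(date +%Y%m%d%H%M%S)}"
  # Plain hostnames only. A leading '-' or embedded whitespace would let a list
  # entry be read as an extra parameter (for example -er) instead of a target.
  case "$domain" in
    ''|-*|.*|*.|*..*|*.-*|*-.*|*[!a-z0-9.-]*) return 1 ;;
    *.*) ;;
    *) return 1 ;;
  esac
  case "$method" in ''|*[!a-z]*) return 1 ;; esac
  case " $HUNT_METHODS " in *" $method "*) ;; *) return 1 ;; esac
  # Assumption: letters, digits, '_' and '-' are acceptable in a session name.
  session="$(printf '%s' "$domain" | tr '.' '_')_$stamp"
  printf '%s\n' "$domain" "-sn:$session" "-hm:$method" -gr \
    "-rout:Report_$session.html" -nv
}

# Reads one domain per line on stdin and scans each with hunt method $1.
run_batch() {
  local domain args
  while IFS= read -r domain; do
    [ -n "$domain" ] || continue
    if args=$(build_scandark_args "$domain" "$1"); then
      # Validated values hold no spaces or globs, so newline splitting is safe.
      ( IFS='
'; set -f; "$SCANDARK" $args </dev/null )
    else
      echo "skipped invalid entry" >&2
    fi
  done
}
# Usage: run_batch darkplus < domains.txt
```

Redirecting scandark's standard input from /dev/null keeps the tool from consuming the remaining lines of the domain list.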

How to assign special domain properties

The Domain Preferences screen allows you to assign special properties to a domain, which can extend the IcyDark analysis of the domain. If you checked "Edit domain preferences before starting scan" before starting a scan, the Domain Preferences screen will open.

Under Extended Analysis, click the Properties button. You can now enter one or more property lines. The following is a list of accepted property lines:

| Property line | Description |
|---|---|
| cnpj:[number] | Associates a CNPJ number with the domain |

Obtaining access to the leaked information

After purchasing a copy of the full-featured Syhunt IcyDark, you must select between the online mode or the offline mode:

  • The online mode: auto-downloads available leak information (“encrypted dumps”) related to your Internet domain from the cloud. The leaked information is only stored in the cloud if you select this mode.
  • The offline mode: allows you to request and obtain a file copy of the encrypted dump through a secure channel (PGP, email, etc) and import the file into Syhunt IcyDark. The leaked information is not stored in the cloud if you select this mode.

To protect the identified leaked information of its customers, Syhunt has adopted various strong security measures, including segregating and securing data per domain with unique encryption passphrases. This allows Syhunt to use external cloud partners to store the identified leaked information securely without the risk of exposing any consolidated data leak details of its customers to unauthorized third parties, such as the list of leaked credentials, file exposure details and leak download addresses, among other leak-related details. In addition to file encryption, Syhunt partially masks leaked passwords and hashes them with bcrypt at a high cost factor within the encrypted files.

Because the encryption passphrase is different for each domain, you can only download or import dumps related to your authorized Internet domains.

The IcyDark Score

The Syhunt IcyDark Score (a.k.a. IcyScore) is a score of an Internet domain based on publicly available Internet information about its privacy and security track record which is dynamically calculated by the Syhunt IcyDark software at the end of a Dark Web Scan Plus check. The IcyScore varies from Very Poor to Excellent and takes into account various information from the last 5 up to 15 years.

Today the IcyScore covers over 58 million domains from all over the globe, including regional domains from North America, South America, Europe, Africa, Asia and Oceania, and international domains.

Using the Community version, you can get an idea of what kind of information is being taken into account by SyhuntDark to calculate the score of your domain or domains. By obtaining a trial copy of the full-featured Syhunt, you can also view the current score of your domain or domains together with limited information about any identified leaks or breaches.

When calculating a score of any domain, the following kind of public information is taken into account by Syhunt IcyDark:

  • Exposed information by ransomware group sites on the dark web
  • Exposed information by hackers through hacking forums and online communities
  • Information about data leaks on the surface web
  • Information on past security incidents (such as defacements, etc.) on the surface web

Score Comparison Feature

The professional version of Syhunt IcyDark allows a user to compare the score of a domain with other subsidiaries of the same company and with third parties such as partners of an organization.

How to assign domains for comparison

The Domain Preferences screen allows you to assign domains for comparison. If you checked "Edit domain preferences before starting scan" before starting a scan, the Domain Preferences screen will open.

Under Extended Analysis, click the Domains button. You can now enter one or more domains.

Terms

The IcyScore is provided “AS IS” and without warranties of any kind either express or implied. For more details, please read the Syhunt EULA.

Due to active targeting by hostile foreign actors, access to the scores of .mil and .gov domains specifically has been restricted to American military and government personnel and requires a special license. Country-specific .mil and .gov domains also require a special license to calculate and view their scores and detailed leak information.

Differences between Hunt Methods

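| Hunt Method | CLI name | Dark | Deep | Surface | Incident Records |
|---|---|---|---|---|---|
| Dark Web Scan Plus (Default) | darkplus | | | | |
| Dark Web Scan Plus - No Subdomains | darknosub | | | | |
| Dark Web Scan | dark | | | | |
| Dark'N'Deep Web Scan | darkndeep | | | | |
| Deep Web Scan | deep | | | | |
| Surface Web Scan | surface | | | | |
| Deep-Only | deeponly | | | | |
| Dark-Only | darkonly | | | | |
| Dark Web Scan Paranoid (Experimental) | darknoid | | | | |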

Customizing the Report

Adding a Logo to the Report

Before saving a report, you can add a logo that will be included with any generated reports from now on:

  1. Click the Edit Report Preferences button in the toolbar. The Report Preferences dialog will open.
  2. Enter the image URL containing the logo.
  3. Click OK to save the preferences.

Now when you generate a report, it will contain your organization logo instead of Syhunt's logo.

Pre-Scan Requirements

  1. This software should be used only by system administrators (or other people in charge). It should not be used to scan domains outside of your direct control.
    1. If you need to scan a domain outside of your direct control, it is recommended that you obtain written permission from the domain's owner or administrator.
  2. Make sure you meet the Internet connection requirements.
  3. You must read and agree with the Syhunt EULA before launching any scans.
  4. Before executing your first scan, you must have the proper region dependencies installed:
    1. On Windows, the Syhunt IcyDark setup will execute before the first scan and allow you to install the dependencies.
    2. On Linux, you can install the dependencies by calling the syget command:
      • If you have an Americas or international domain (.com, .net, .us, .ca, .ar, etc): ./syget --install_icyd_americas
      • If you have an Americas - Brazilian domain (.br): ./syget --install_icyd_brasil
      • If you have a Europe, Asia, Africa or Oceania regional domain (.uk, .pt, .jp, .au, etc): ./syget --install_icyd_eastern
      • If you have a Government or military domain (.gov or .mil): ./syget --install_icyd_govmil

System Requirements

Syhunt Hybrid (including its Community Edition) can be installed on 64-bit versions of Windows, macOS or Linux, but it is able to analyze applications designed for any target platform, including Android, Apple iOS and macOS, BSD, Linux, Windows, Solaris and Unix, independently of the platform it is executed from.

  1. 4GB of available RAM (8GB recommended)
  2. 2GB of free disk space*
  3. Internet Connection (recommended for code scans and dynamic scans and some features)
  4. One of the following compatible 64-bit operating systems:
    1. Windows 7, 8, 10 or 11, or Windows Server 2008 to 2019
    2. macOS Big Sur or higher
    3. Ubuntu Server or Desktop 18 or higher
    4. CentOS 7 or 8 (Minimal or Everything)
    5. Any unofficially supported Linux distribution such as the ones listed below.
  5. (Optional) GIT on Linux/macOS or GIT for Windows (optional for GIT repository scans)
  6. Java or Java Headless installed on Linux/macOS
  7. If native binary is not available for your specific OS type or distribution yet, Wine64 Stable (3, 4 or 5) is required to be installed.
  8. (Optional) Java 8 or higher (optional for Android APK file scan)

* This does not include the space required to save scan session data, which varies depending on the website or source code being analyzed and the scan frequency.

Compatible Linux Distributions

Officially Supported:
Ubuntu Server/Desktop 18.10 and later
CentOS 7.7 and later (Minimal or Everything)
Unofficially (Successfully Tested):
Kali Linux 2019 and later
Parrot OS 4.1, 4.7 and later
Debian 9.11 and later
Linux Mint 19.2 and later
OpenSUSE Leap 15.1 and later
Fedora 32
MX Linux 19.1 and later
KDE Neon 2020.03 and later
Deepin 15.9
Manjaro 19
Arch Linux 2019 and later
Unsupported:
Elementary OS 5.1 (Successfully Tested), 5.0 (Unsupported)
CentOS 6.1 (Successfully Tested)
Solus 4.1 (Unstable)


For additional product documentation, visit syhunt.com/docs