- shodan cli, with an account and api key configured via shodan init (the original notes linked install instructions here)
- nrich
- httpx for quick scanning of live webhosts
- one of my lovely bash aliases:
alias grip='grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"'
- golang (don't forget sudo and your GOPATH; httpx and nuclei are go tools, so ensure $GOPATH/bin is on your PATH)
- shodan is our starting point for dorking in this example. google for some baseline shodan dorks, or find your own
- some good filters include:
http.favicon.hash, http.component, product, org, hostname, asn, cloud.region
- use the ui to your advantage, shodan facets are a really useful tool for seeing how results break down by org, port, product and so on before you spend query credits
- once you've found your desired dork, you can use the cli to download the results to your machine for parsing and scanning. the dork used throughout this example is:
cloud.region:"us-east-1" 200 product:"Elastic"
shodan download $file_name 'query' --limit $n
- example (the default limit is 1000 results; --limit -1 downloads everything the query matches, which costs query credits accordingly):
shodan download elastic_us_east 'cloud.region:"us-east-1" 200 product:"Elastic"' --limit 9999
- now use shodan's builtin parsing to extract the important data fields (braces around the variable name so the shell doesn't read $file_name_parsed as a different variable)
shodan parse --fields $field_1,$field_2 ${file_name}.json.gz | tee ${file_name}_parsed.out
- example:
shodan parse --fields ip_str,port elastic_us_east.json.gz | tee elastic_us_east_parsed.out
- the data is not yet ready to be processed by httpx (shodan parse emits one "ip<tab>port" line per result), so let's do a bit of modification with awk
cat ${file_name}_parsed.out | awk '{print $1":"$2}'
- this turns our data from "ip port" into "ip:port", which can be passed directly into httpx on stdin or saved to a file. httpx prints live hosts to stdout as well as to the -o file, so the pipe can keep going afterwards
cat ${file_name}_parsed.out | awk '{print $1":"$2}' | httpx -silent -o ${file_name}_httpx.out
- example:
cat elastic_us_east_parsed.out | awk '{print $1":"$2}' | httpx -silent -o elastic_us_east_httpx.out
- disclaimer: i'm not suggesting you should, or even are legally allowed to, scan an entire cloud region for vulns. you will face repercussions if you do.
- with that out of the way, i think you can see we're building up to a lovely one-liner
- this part isn't mandatory as your recon is realistically done here. there are infinitely many ways you can proceed from here.
- use
httpx -td
for tech detection, aquatone to grab screenshots, or
nuclei -as
to automatically scan with the templates that match the detected fingerprints
- for our case, we will hypothetically scan with nuclei
cat ${file_name}_httpx.out | nuclei -as -silent -o ${file_name}_nuclei.out
- you can filter informational findings out of the terminal output by appending
grep -v info
- example:
cat elastic_us_east_httpx.out | nuclei -as -silent -o elastic_us_east_nuclei.out | grep -v info
- note that grep only filters what reaches your terminal; the -o file still contains the info findings. to drop them at the source use nuclei's own severity filter, -es info (-exclude-severity), instead of grep
- some time has passed and you have your nuclei output in the format below: a run of bracketed fields (timestamp, template id, protocol, severity) followed by the matched url as the last field
[1969-4-20] [1337] [lol] [info] https://127.0.0.1:420/69.html
- for the next step, attribution (which you of course did before scanning, not after), we need to turn the IPs back into their hostnames and owners
- we extract the vulnerable url (the last whitespace-separated field, so $NF rather than a hard-coded column number) with
cat ${file_name}_nuclei.out | awk '{print $NF}' | tee ${file_name}_paths.out
- next we use that alias from earlier to only grab the IPs, deduplicated with sort -u. do not use uniq -u here: it keeps only lines that occur exactly once, so any IP with more than one finding (the interesting ones) would be thrown away, and uniq needs sorted input anyway
cat ${file_name}_paths.out | grip | sort -u | tee ${file_name}_vuln_ips.out
- we can then use nrich (a trailing - makes it read the IP list from stdin)
cat ${file_name}_vuln_ips.out | nrich - | tee ${file_name}_nrich.out
shodan download testing 'cloud.region:"us-east-1" 200 product:"Elastic" port:8001'; shodan parse --fields ip_str,port testing.json.gz | tee testing_parsed.out | awk '{print $1":"$2}' | httpx -silent -o testing_httpx.out | nuclei -as -silent -o testing_nuclei.out
cat testing_nuclei.out | awk '{print $NF}' | grip | sort -u | tee testing_vuln_ips.out | nrich - | tee testing_nrich.out
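- the text-munging stages of the pipeline above (parse output to ip:port, nuclei output to urls, urls to deduplicated IPs, dropping info findings), as shell functions you can check offline. this is an added example, not part of the original notes: the sample inputs are constructed (RFC 5737 documentation addresses, made-up template ids) and shodan, httpx, nuclei and nrich are not called, so it runs without an api key or any of the tools installed

```shell
#!/bin/sh
# Added example, not from the original notes. Each function is one stage of the
# text pipeline between the tools; the tools themselves are not invoked here.

# Stage 1: "ip<TAB>port" (what `shodan parse --fields ip_str,port` prints)
# -> "ip:port" (what httpx expects on stdin).
to_hostport() {
  awk '{print $1":"$2}'
}

# Stage 2: take the matched URL out of a nuclei text line. In the
# "[ts] [template] [proto] [sev] url" layout the URL is the last
# whitespace-separated field, so $NF is used instead of a fixed column.
nuclei_urls() {
  awk '{print $NF}'
}

# Stage 3: pull IPv4 literals out of the URLs (same regex as the grip alias)
# and deduplicate. sort -u keeps one copy of every IP; uniq -u would instead
# keep only IPs seen exactly once and silently drop hosts with several findings.
extract_ips() {
  grep -E -o '([0-9]{1,3}[.]){3}[0-9]{1,3}' | sort -u
}

# The broken variant from the notes, kept only so the difference can be checked.
extract_ips_uniq_u() {
  grep -E -o '([0-9]{1,3}[.]){3}[0-9]{1,3}' | uniq -u
}

# Drop informational findings; severity is the fourth bracketed field.
drop_info() {
  grep -v '\[info\]'
}

# Constructed sample of shodan parse output (tab separated, two hosts).
SAMPLE_PARSED=$(printf '203.0.113.10\t9200\n203.0.113.11\t8001')

# Constructed nuclei-style lines. 203.0.113.10 has two findings (one of them
# info), 203.0.113.11 has one info finding. Not real scan data.
SAMPLE_NUCLEI='[2024-01-01 00:00:00] [elasticsearch-unauth] [http] [high] http://203.0.113.10:9200/
[2024-01-01 00:00:01] [http-missing-security-headers] [http] [info] http://203.0.113.10:9200/
[2024-01-01 00:00:02] [tech-detect:nginx] [http] [info] http://203.0.113.11:8001/'

# Stand-alone demo: prints the httpx input list, then the IPs that still have
# non-info findings (the list you would hand to nrich for attribution).
run_demo() {
  printf '%s\n' "$SAMPLE_PARSED" | to_hostport
  printf '%s\n' "$SAMPLE_NUCLEI" | drop_info | nuclei_urls | extract_ips
}

run_demo
```

- run it with sh to see the two lists; swap extract_ips for extract_ips_uniq_u in run_demo and the host with the high finding disappears, which is why the pipeline uses sort -u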