Passive OSINT

Discover as much as possible about the target without revealing your IP address.

Netcraft.com

Finds the underlying OS, web server version and uptime.

Find subdomains

SSL/TLS certificates are sometimes a goldmine of information: the names listed on a certificate expose subdomains.

crt.sh
#!/bin/bash
# a basic script to pull subdomain names from crt.sh (certificate transparency logs) and present them
# example ./crt.sh offsecnewbie.com
# author rowbot
if [[ $# -eq 0 ]] ;

then
	echo "Usage: ./crt.sh domain. Also you might have to install jq - 'apt-get install jq'"
	exit 1

else

# query crt.sh for every certificate matching %.domain as JSON, pull the name_value field
# (one or more DNS names per certificate), strip the "*." wildcard prefix, dedupe and
# write the result to a file named after the domain
curl -sf "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > "$1"

fi

If you can't get jq installed, try this script instead (it scrapes the HTML results page rather than the JSON output):

#!/bin/bash
# a basic script to pull subdomain names from crt.sh and present them, without needing jq
# example ./crt.sh offsecnewbie.com
# author rowbot

if [[ $# -eq 0 ]] ;

then
	echo "Usage: ./crt.sh domain"
	exit 1

else

# save the HTML results page, then keep the <TD> cells holding names (dropping the styled ones),
# cut off the opening tag, trim the trailing "</TD", dedupe and drop wildcard entries
curl -sf "https://crt.sh/?q=%.$1" -o rawdata
grep "<TD>" rawdata | grep -vE "style" | cut -d ">" -f 2 | grep -Po '.*(?=....$)' | sort -u | grep -v "*" > "$1"

fi

Compare the subdomains found by theHarvester with those from the crt.sh script, as each source will miss some: not every subdomain has an SSL/TLS certificate.

theHarvester -d offsecnewbie.com -l 500 -b google

IP addresses from subdomains

# resolve each subdomain, keep only the IPv4 answers and drop the private 10.0.0.0/8 range
while read -r host; do dig +short "$host" A | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | grep -vE '^10\.'; done < subdomains.txt
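The two steps above (pulling names out of crt.sh output and comparing them with a second source, then keeping only public IPv4 answers from dig) as an added Python example; it is not code from the original page. The crt.sh JSON, theHarvester output and dig output are constructed samples, and the address filter generalises the grep -v "10.*" idea to every private, loopback and link-local range.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of crt.sh's ?output=json: name_value can hold
# several newline-separated DNS names, wildcards, and SANs for other domains.
CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "WWW.Example.com\nshop.example.net"},
])
# Constructed output of a second source such as theHarvester, one host per line.
HARVESTER_OUT = "www.example.com\ndev.example.com\n"

def names_from_crtsh(json_text: str, domain: str) -> set:
    """Same job as jq '.[].name_value' | sed 's/\\*\\.//g' | sort -u, keeping only names under domain."""
    names = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().removeprefix("*.")
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names

def compare_sources(crt: set, other_text: str) -> tuple:
    """Return (only in crt.sh, only in the other source): neither source is complete on its own."""
    other = {line.strip().lower() for line in other_text.splitlines() if line.strip()}
    return crt - other, other - crt

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Every range the grep -v "10.*" filter is really trying to exclude, not just 10/8.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def public_ipv4s(dig_output: str) -> list:
    """Pull IPv4 addresses out of dig output, dropping private/loopback/link-local ones and duplicates."""
    found = []
    for match in IPV4.findall(dig_output):
        ip = ipaddress.ip_address(match)
        if not any(ip in net for net in NON_PUBLIC) and match not in found:
            found.append(match)
    return found

# Constructed dig output: one public answer, one internal 10/8 answer, and the resolver line.
DIG_OUT = """;; ANSWER SECTION:
mail.example.com.\t300\tIN\tA\t203.0.113.25
mail.example.com.\t300\tIN\tA\t10.0.5.17
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""
```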

Use Virustotal to find subdomains

https://www.virustotal.com

You can also play about with its entity relationship graph.

Read

https://www.bugcrowd.com/blog/discovering-subdomains/

Firefox add-on: Passive Recon

Google hacking

Examples:
site:offsecnewbie.com filetype:docx
inurl:/etc/passwd%00 intext:root

Also check out document metadata: it reveals who created the document, what it was created with (e.g. Office 2010) and where it was stored (e.g. a network share and its IP address).

https://github.com/ElevenPaths/FOCA

Search for people on social media

/opt/sherlock/sherlock.py

Recon

A giant inventory of recon tools is available via the Skip Tracing Framework

https://makensi.es/stf/

Find information about a connected device

Create a https://grabify.link/ link and get someone to click on it.

On the device, go to https://www.deviceinfo.me/

Shodan searches

Webcams

  1. title:camera – general search for anything matching the "camera" keyword.

  2. webcam has_screenshot:true – a general search for any IoT device identified as a webcam that has screenshots available.

  3. has_screenshot:true IP Webcam – another version of the above search; note how the results differ.

  4. server: webcamxp – webcamXP is one of the most popular and commonly encountered network camera software packages for Windows.

  5. server: "webcam 7" – webcam 7 cameras; not as popular as the above type, but still commonly encountered.

  6. title:"blue iris remote view" – webcams identified as belonging to the Blue Iris webcam remote management and monitoring service.

  7. title:"ui3 -" – UI3 is an HTML5 web interface for Blue Iris, mentioned above.

  8. title:"Network Camera VB-M600" – Canon-manufactured megapixel security cameras.

  9. product:"Yawcam webcam viewer httpd" – Yawcam stands for Yet Another WebCAM, free live streaming and webcam software.

  10. title:"IPCam Client" – IPCam Client webcam devices.

  11. server: GeoHttpServer – GeoVision (GeoHttpServer) webcams, older webcam software, some versions of which have well-documented vulnerabilities.

  12. server: VVTK-HTTP-Server – Vivotek IP cameras.

  13. title:"Avigilon" – Avigilon brand camera and monitoring devices.

  14. ACTi – various IP camera and video management system products.

  15. WWW-Authenticate: "Merit LILIN Ent. Co., Ltd." – a UK-based house automation / IP camera provider.

  16. title:"+tm01+" – unsecured Linksys webcams, a lot of them with screenshots.

  17. server: "i-Catcher Console" – another example of an IP-based CCTV system.

  18. Netwave IP Camera Content-Length: 2574 – Netwave make IP cameras.

  19. 200 ok dvr port:"81" – DVR CCTV cameras accessible via HTTP.

  20. WVC80N – Linksys WVC80N cameras.

Explore further by these tags:

WEBCAM: https://www.shodan.io/explore/tag/webcam

CAM: https://www.shodan.io/explore/tag/cam

CAMERA: https://www.shodan.io/explore/tag/camera

VOIP communication devices

  1. device:"voip" – general search for Voice over IP devices.

  2. device:"voip phone" – more specific search for anything VoIP containing a "phone" keyword.

  3. server: snom – Snom is a VoIP provider with some legacy devices online.

  4. "snom embedded 200 OK" – Snom devices with authentication enabled.

  5. AddPac – an older VoIP provider, nearly exclusively legacy devices.

  6. mcu: tandberg – Tandberg is a hardware manufacturer of multi-point control units for video conferencing.

  7. title:"polycom" – Polycom is another VoIP communication brand.

  8. title:"openstage" – Siemens OpenStage brand IP phones.

  9. 39 voip – some more VoIP services, mostly behind login screens.

  10. Server: MSOS/2.0 mawebserver/1.1 – VoIP media gateway, commonly used by devices such as the Patton SN4112 FXO.

Database searches

  1. product:MySQL – broad search for MySQL databases.

  2. mongodb port:27017 – MongoDB databases on their default port. Unsecured by default.

  3. "MongoDB Server Information" port:27017 – another variation of the above search.

  4. kibana content-length:217 – Kibana dashboards accessible without authentication.

  5. port:"9200" all:elastic – Elasticsearch open databases.

  6. port:5432 PostgreSQL – remote connections to PostgreSQL servers.

  7. product:"CouchDB" – Apache CouchDB databases listed.

  8. port:"5984"+Server: "CouchDB/2.1.0" – vulnerable CouchDB where remote code execution may be possible.

Explore further by the DATABASE tag: https://www.shodan.io/explore/tag/database

Maritime devices

  1. maritime – general search for anything related to maritime devices.

  2. sailor – another wide search; could yield unrelated results!

  3. org:marlink – general search; Marlink is the world's largest maritime satellite communications provider.

  4. satcom – another maritime satellite communications services provider.

  5. inmarsat – as above, but a slightly less well-known equipment vendor.

  6. vsat – abbreviation for "very-small-aperture terminal", a data transmitter / receiver commonly used by maritime vessels.

  7. ECDIS – abbreviation for Electronic Chart Display and Information System, used in navigation and autopilot systems.

  8. uhp vsat terminal software -password – satellite network routers without a password.

  9. ssl:"Cobham SATCOM" – maritime radio and location systems.

  10. title:"Slocum Fleet Mission Control" – maritime mission control software.

Explore further by the VSAT tag: https://www.shodan.io/explore/tag/vsat

Files & directories

  1. http.title:"Index of /" – open lists of files and directories on various servers.

  2. port:80 title:"Index of /" – slight variation of the above; note how the results differ.

  3. "220" "230 Login successful." port:21 – FTP resources potentially accessible without login credentials.

  4. 230 'anonymous@' login ok – anonymous login allowed to FTP resources.

  5. vsftpd 2.3.4 – legacy Linux-based FTP service with a widely known security vulnerability.

  6. ftp port:"10000" – Network Data Management Protocol (NDMP), used for backup of network-attached storage (NAS) devices.

  7. "QuickBooks files OverNetwork" -unix port:445 – default settings for sharing QuickBooks files.

  8. filezilla port:"21" – the popular file sharing software FileZilla.

Explore further by these tags:

FTP: https://www.shodan.io/explore/tag/ftp

SMB: https://www.shodan.io/explore/tag/smb

Legacy Windows operating systems

  1. os:"Windows 5.0" – Windows 2000; support ended in 2010.

  2. os:"Windows 5.1" – Windows XP; support ended in 2014.

  3. os:Windows 2003 – Windows Server 2003; support ended in 2015.

  4. os:"Windows Vista" – Windows Vista; support ended in 2017.

  5. os:Windows 2008 – Windows Server 2008; support ended in 2020.

  6. os:"Windows 7" – Windows 7; support ended in 2020.

  7. os:"Windows 8" – Windows 8; support ended in 2016.

  8. os:Windows 2011 – Windows Home Server 2011; support ended in 2016.

  9. os:"Windows 8.1" – Windows 8.1; support ended in 2018.

  10. os:Windows 2012 – Windows Server 2012; support ended in 2018.

Explore further by the WINDOWS tag: https://www.shodan.io/explore/tag/windows

Default / generic credentials

  1. admin 1234 – basic, very insecure credentials.

  2. "default password" – speaks for itself.

  3. test test port:"80" – generic test credentials over HTTP.

  4. "authentication disabled" "RFB 003.008" – no authentication necessary.

  5. "root@" port:23 -login -password -name -Session – accounts already logged in with root privilege over Telnet, port 23.

  6. port:23 console gateway – remote access via Telnet, no password required.

  7. html:"def_wirelesspassword" – default login pages for routers.

  8. "polycom command shell" – possible authentication bypass on Polycom devices.

  9. "authentication disabled" port:5900,5901 – VNC services without authentication.

  10. "server: Bomgar" "200 OK" – Bomgar remote support service.

Explore further by the VNC tag: https://www.shodan.io/explore/tag/vnc

Printers

  1. printer – general search for printers.

  2. "HP-ChaiSOE" port:"80" – HP LaserJet printers accessible through HTTP.

  3. title:"syncthru web service" – older Samsung printers, not secured by default.

  4. "Location: /main/main.html" debut – admin pages of Brother printers, not secured.

  5. port:161 hp – HP printers that can be restarted remotely via port 161 (SNMP).

  6. port:23 "Password is not set" – open access via Telnet to printers without a password set.

  7. "Laser Printer FTP Server" – printers accessible via FTP with anonymous login allowed.

  8. Printer Type: Lexmark – control panels of Lexmark make printers.

  9. http 200 server epson -upnp – HTTP-accessible Epson printers.

  10. "Server: EPSON-HTTP" "200 OK" – another variation of the above search.

  11. ssl:"Xerox Generic Root" – remote access to Xerox printers.

  12. "Server: CANON HTTP Server" – Canon printer servers over HTTP.

Explore further by these tags:

PRINTER: https://www.shodan.io/explore/tag/printer

PRINTERS: https://www.shodan.io/explore/tag/printers

PRINT SERVER: https://www.shodan.io/explore/tag/print%20server

Compromised devices and websites

  1. hacked – general search for the 'hacked' label.

  2. "hacked by" – another variation of the above search.

  3. http.title:"Hacked by" – another variation of the same search filter.

  4. http.title:"0wn3d by" – resources labelled as 'owned' by a threat actor, hacker group, etc.

  5. "HACKED-ROUTER" – compromised routers, labelled accordingly.

  6. port:"27017" "send_bitcoin_to_retrieve_the_data" – databases affected by ransomware, with the ransom demand still associated with them.

  7. bitcoin has_screenshot:true – searches for the 'bitcoin' keyword where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).

  8. port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter, a Metasploit attack payload with an interactive shell for remote code execution.

  9. "attention"+"encrypted"+port:3389 – ransomware-infected RDP services.

  10. "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised hosts with the name changed to that phrase.

  11. "HACKED FTP server" – compromised FTP servers.

Explore further by the HACKED tag: https://www.shodan.io/explore/tag/hacked

Miscellaneous

  1. solar – controls for solar panels and similar solar devices.

  2. "ETH – Total speed" – Ethereum cryptocurrency miners.

  3. http.title:"Nordex Control" – searches for Nordex wind turbine farms.

  4. "DICOM Server Response" port:104 – DICOM medical machinery.

  5. http.title:"Tesla" – anything with the term "Tesla" in the banner.

  6. "in-tank inventory" port:10001 – petrol pumps, including their physical addresses.

  7. http.title:"dashboard" – literally anything labelled 'dashboard'; many are not accessible, being secured by default.

  8. http.title:"control panel" – as above, but whatever is labelled as a control panel.

Favicon - Search in Shodan

https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
