Expanding the attack surface with Shodan's lesser known filter

-

I have been using Shodan extensively for bug bounty hunting lately and I found some neat tricks to expand the attack surface of the given target. There are many blogs and tutorials on "Shodan Recon" and most of them talk about the same filters - ssl, ssl.cert.subject.cn, org, ip, hostname, etc. but I have not seen anyone talk about this filter - all. So, I won't talk much about the basics of shodan and directly jump to the topic. 

Shodan's regular search bar (without any filter) is not consistent and when you search for a keyword, it only looks for the "keyword" in https://www.shodan.io/host/<ip> BUT shodan's raw data (https://www.shodan.io/host/<ip>/raw) contains much more information or what I like to call it as "references" about the target. To find those references and juicy hosts, this "all" filter is very handy. I have been using this filter a lot and it has found many hosts that no other filter could find. The usage is pretty simple as well - all:"InternalDomain", all:"SomethingInternalKeyword".. and so on.

The results might contain false positives or assets a company may not own but they can be reduced by combining with other filters. For example, let's say my target is Grab and I'm looking for assets owned by them. What I will do is, use this filter as all:grab. 


25k hosts hmmmm. Let's reduce the numbers! Grab is based in Southeast Asia (mostly Singapore) and their infra is mostly in AWS/Azure. Using this same information, we can craft another search query - all:grab country:"SG" org:"Amazon Data Services Singapore" 

25k hosts reduced to 257. Check each result one by one, you will be surprised by the information that you can find about your target ;)

Comments

Post a Comment

Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

-
Image
Introduction After hacking into a private program for a while now, I found some nice bugs, mostly through recon and chaining one clue after another. In this blog post, I'll discuss the same as well as my approach to finding them. Since I've signed an NDA with them, all references to the project and company are redacted. For the sake of this blog, I am going to refer to the project as MeowCorp project and their primary domain as meowcorp.io.  Findings #1 /.git/config file to root shell After running regular subdomain enumeration tools, I picked up some interesting subdomains. One of them was api.scan.meowcorp.io. While performing content discovery on this subdomain, I found  git config file. Quickly I dumped the files from .git dir with GitTools  but it was all static CSS, JS files that were of no use. When I was about to close the terminal tab, I noticed that the git repo belonged to a personal GitHub profile.  The company has its own GitHub org profile but the reference to a p
Read more

Dropping root shell in a Crypto Exchange for Fun (and Profit?)

-
Image
I have been using this Crypto Exchange - changenow.io for at least a year now. I didn't realize they also had a bug bounty program which was mentioned in their footer section. I was quite busy with my day job so I kept the details of the program in my todo.txt so I could check it out later. One night when I was having that itch of doing some bug bounties, I checked my todo.txt and decided to hunt bugs on changenow.io. I started by enumerating subdomains and probing for standard web ports (80/443). After obtaining a handful of URLs, I tried to visit them one by one and noticed a few of them were trying to redirect to another internal domain eth-btc.com A quick whois on eth-btc.com revealed that it also belonged to changenow.io (admin email - sysadmin@changenow.io) so I enumerated the subdomains of this domain too. One of the subdomain zbx.sup.eth-btc.com was running Zabbix instance. I didn't have login credentials and common creds also didn't work but there was "Sign i
Read more