Preface
This article consists mainly of notes on the talk given by the well-known bug bounty hunter @GodfatherOrwa at NahamCon2023, on using Shodan for reconnaissance.
Main Text
1. To find everything related to a target, first determine the name of the organization that owns it. In the browser, click the lock icon in the address bar ------> Connection is secure ------> Certificate is valid, and read the Organization (O) field of the certificate subject.
2. Use the following Shodan search to find hosts whose TLS certificate data mentions that organization:
ssl:"Organization Name"
3. If your target is a specific domain, for example *.target.com, search on the certificate's common name instead:
ssl.cert.subject.cn:"target.com"
4. A large target returns a massive number of results. To drop noise such as hosts whose page title is "Invalid URL" (a common default response from CDN edge nodes), negate the title filter:
ssl.cert.subject.cn:"target.com" -http.title:"Invalid URL"
5. The "Facet Analysis" view lists all HTTP titles and other fields across the results. If, for instance, you see pages titled "302 Found" and only want the IP addresses behind them, add a positive title filter:
ssl.cert.subject.cn:"target.com" http.title:"302 Found"
6. Sometimes a domain no longer resolves or is blocked, but the IP address recorded in Shodan still serves the live pages. In that case also search the domain in Google, Bing, URLScan, the Web Archive and similar sources to recover URLs and cached content.
7. If there is a lot of cached data for the target domain, manually check whether specific directories are still reachable. Note what kind of error each page returns and use it to guess the web server in use; then run content discovery (directory brute-forcing) against that page.
- You can also filter by status code, for example http.status:302, http.status:200 or http.status:403, to pull out the pages that return each one. The 403 hosts deserve a closer look: the content exists, only access to it is denied.
- Sometimes a WAF can be bypassed by requesting the page by its IP address instead of the domain name, because the WAF or CDN only fronts the hostname while the origin IP found in Shodan answers directly. Once you have an IP with no WAF in front of it, run your fuzzing against that IP (send the original domain in the Host header if the server uses virtual hosting, otherwise you may get a default site instead of the target).
- If the target is a Windows application, such as an IIS web server page, search that domain in Bing as well; Bing tends to return more results for it.
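As an added example that is not from the original notes or from GodfatherOrwa's talk: the Python script below reproduces the triage of steps 3 to 5 and the status-code and WAF bullets above offline, over constructed Shodan-shaped banner records. The field names it reads (ip_str, port, hostnames, ssl.cert.subject.CN, http.title, http.status, http.server) are the ones Shodan uses in its banner JSON; note that the search filter is typed in lowercase (ssl.cert.subject.cn) while the data field is uppercase CN. The sample hosts, the EDGE_SERVERS list and the build_queries/origin_candidates helpers are this example's own assumptions, not Shodan features.

```python
"""Offline triage of Shodan-style banner records for a target domain."""
import json
from collections import Counter

# Constructed sample records in the shape Shodan returns (fields trimmed to
# what this script uses). The IPs are documentation ranges and the hosts are
# made up; nothing here is real scan data.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 443, "hostnames": ["www.target.com"],
     "ssl": {"cert": {"subject": {"CN": "target.com", "O": "Target Inc"}}},
     "http": {"title": "302 Found", "status": 302, "server": "Microsoft-IIS/10.0"}},
    {"ip_str": "203.0.113.11", "port": 443, "hostnames": [],
     "ssl": {"cert": {"subject": {"CN": "*.target.com", "O": "Target Inc"}}},
     "http": {"title": "Invalid URL", "status": 400, "server": "AkamaiGHost"}},
    {"ip_str": "203.0.113.12", "port": 8443, "hostnames": ["dev.target.com"],
     "ssl": {"cert": {"subject": {"CN": "dev.target.com", "O": "Target Inc"}}},
     "http": {"title": "403 Forbidden", "status": 403, "server": "nginx"}},
    {"ip_str": "203.0.113.13", "port": 443, "hostnames": ["old.target.com"],
     "ssl": {"cert": {"subject": {"CN": "old.target.com", "O": "Target Inc"}}},
     "http": {"title": "Target Intranet Login", "status": 200, "server": "Apache/2.4.29"}},
    {"ip_str": "198.51.100.7", "port": 443, "hostnames": ["edge.example.net"],
     "ssl": {"cert": {"subject": {"CN": "example.net", "O": "Example Ltd"}}},
     "http": {"title": "Invalid URL", "status": 400, "server": "AkamaiGHost"}},
]

# Server header fragments that indicate a CDN/WAF edge rather than the origin.
# Assumed heuristic list for this example; extend it for your target.
EDGE_SERVERS = ("akamaighost", "cloudflare", "cloudfront")


def build_queries(org, domain, drop_title="Invalid URL"):
    """Return the Shodan search strings from steps 2-4 for a given target."""
    return {
        "org": f'ssl:"{org}"',
        "domain": f'ssl.cert.subject.cn:"{domain}"',
        "domain_clean": f'ssl.cert.subject.cn:"{domain}" -http.title:"{drop_title}"',
    }


def get_path(banner, path, default=None):
    """Walk a dotted field name such as 'http.title' through a nested record."""
    node = banner
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def cn_matches(banner, domain):
    """True if the certificate CN is the domain itself or a subdomain of it.

    A plain substring test would also accept 'nottarget.com'; the
    'endswith(".domain")' check below avoids that false positive."""
    cn = get_path(banner, "ssl.cert.subject.CN", "").lower().removeprefix("*.")
    domain = domain.lower()
    return cn == domain or cn.endswith("." + domain)


def filter_domain(banners, domain, drop_title=None):
    """Local equivalent of ssl.cert.subject.cn:"domain" [-http.title:"drop_title"]."""
    return [b for b in banners
            if cn_matches(b, domain)
            and (drop_title is None or get_path(b, "http.title") != drop_title)]


def facet(banners, field):
    """Mimic Shodan's facet analysis: value counts for one field, most common first."""
    return Counter(get_path(b, field, "<missing>") for b in banners).most_common()


def hosts_where(banners, field, value):
    """ip:port of every banner whose field equals value (e.g. http.status == 403)."""
    return [f"{b['ip_str']}:{b['port']}" for b in banners if get_path(b, field) == value]


def origin_candidates(banners):
    """ip:port of hosts whose Server header does not look like a CDN/WAF edge.

    These are the IPs worth requesting directly (with the domain in the Host
    header) to see whether they answer without the WAF in front."""
    out = []
    for b in banners:
        server = (get_path(b, "http.server", "") or "").lower()
        if not any(edge in server for edge in EDGE_SERVERS):
            out.append(f"{b['ip_str']}:{b['port']}")
    return out


def load_banners(path):
    """Read JSON-lines banners, e.g. a gunzipped `shodan download` file."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    domain = "target.com"
    for name, query in build_queries("Target Inc", domain).items():
        print(f"{name:13} {query}")
    hits = filter_domain(SAMPLE_BANNERS, domain)
    print("\nhttp.title facet:", facet(hits, "http.title"))
    print("403 pages:", hosts_where(hits, "http.status", 403))
    clean = filter_domain(SAMPLE_BANNERS, domain, "Invalid URL")
    print(f"probe by IP with 'Host: {domain}':", origin_candidates(clean))
```

To run it on real data, export a query with the Shodan CLI (shodan download results 'ssl.cert.subject.cn:"target.com"', then gunzip results.json.gz) and pass the file to load_banners in place of SAMPLE_BANNERS. When you probe an origin candidate by IP, send the domain in the Host header (for example curl -k -H 'Host: target.com' https://203.0.113.10/); without it a virtual-hosted server may serve a default site rather than the target.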