40fy's Issues

Historical data for ip

In this feature we would like to look back in the history of scans of an ip address in a timeline fashion, similar to the timeline on the dataleaks.

It would use the historical API endpoint which allows you to look back 6 months.

Feature Request : Kubernetes Discovery

Even where authentication is generally required, Kubernetes makes some API server paths available unauthenticated as part of the system:discovery cluster role. Whilst this has been locked down a bit in the latest versions, many clusters will disclose some interesting information without authentication on the API server port, which gets returned via the type:kubernetes search.

The paths allowed by the role are as below. Probably the interesting ones are /version which shows things like software version and discloses some info. about the type of install and /swagger.json which can disclose info. about software installed on the cluster.

  - /api
  - /api/*
  - /apis
  - /apis/*
  - /healthz
  - /openapi
  - /openapi/*
  - /swagger-2.0.0.pb-v1
  - /swagger.json
  - /swaggerapi
  - /swaggerapi/*
  - /version
  - /version/
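
A cluster owner can check this exposure on their own cluster. The sketch below is an added example, not part of the issue above or of BinaryEdge's code: it reports which ClusterRoles are bound to anonymous subjects and which non-resource URLs they allow. It assumes input shaped like the output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; the function name and the sample objects are constructed for illustration.

```python
# Added example. Sample objects are constructed, shaped like the JSON lists
# returned by `kubectl get clusterroles -o json` / `clusterrolebindings -o json`.
ANONYMOUS = {"system:unauthenticated", "system:anonymous"}

def anonymous_grants(cluster_roles: dict, bindings: dict) -> dict:
    """Map each ClusterRole bound to an anonymous subject to what it exposes."""
    rules = {r["metadata"]["name"]: r.get("rules") or []
             for r in cluster_roles.get("items", [])}
    report = {}
    for binding in bindings.get("items", []):
        ref = binding.get("roleRef", {})
        subjects = binding.get("subjects") or []
        name = ref.get("name")
        if ref.get("kind") != "ClusterRole" or name in report:
            continue
        if not any(s.get("name") in ANONYMOUS for s in subjects):
            continue
        role_rules = rules.get(name, [])
        urls = {u for rule in role_rules for u in rule.get("nonResourceURLs") or []}
        report[name] = {
            "urls": sorted(urls),
            # Rules naming API resources mean anonymous access to cluster objects.
            "resource_rules": sum(1 for rule in role_rules if rule.get("resources")),
        }
    return report

DISCOVERY_PATHS = ["/api", "/api/*", "/apis", "/apis/*", "/healthz", "/openapi",
                   "/openapi/*", "/swagger-2.0.0.pb-v1", "/swagger.json",
                   "/swaggerapi", "/swaggerapi/*", "/version", "/version/"]

SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "system:discovery"},
     "rules": [{"nonResourceURLs": DISCOVERY_PATHS, "verbs": ["get"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]}

if __name__ == "__main__":
    for role, grant in anonymous_grants(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        print(role, grant["resource_rules"], " ".join(grant["urls"]))
```

A non-zero `resource_rules` count for any role in the report is the finding to act on first, since it means unauthenticated callers can reach API objects and not only discovery paths.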

Tag: BUGBOUNTY on hosts tab

We would like to have a tag that automatically filters for interesting events for bug bounties, like MongoDB, Redis, Elasticsearch.

Feature Request: Kubelet Read-Only

A possible feature you could add for your Kubernetes facilities is access to the read-only kubelet port. This is common on older clusters and leaks quite a lot of information. It's generally interesting as, where running, it's always available without authentication.

Port 10255/TCP

A query to / will likely just give back a 404
A query to /pods/ will dump the configuration of all workloads running on the host.

DNS Information

This feature allows you as a user to provide an ip address and in return receive a list of websites potentially hosted on that ip address:
For example for the ip address: 213.13.146.142
you would see the following data:

[{"A": ["213.13.146.142"], "subdomain": "www", "created_at": "2018-01-21T14:23:00.397489", "root": "sapo.pt", "title": "SAPO", "name": "sapo", "domain": "www.sapo.pt", "AAAA": ["2001:8a0:2102:c:213:13:146:142"], "suffix": "pt", "updated_at": "2018-06-12T21:40:56.463209", "org": "MEO Servicos de Comunicacoes e Multimedia SA"}, {"A": ["213.13.146.142"], "subdomain": "", "created_at": "2018-09-21T06:01:01.647817", "root": "sapo.pt", "name": "sapo", "domain": "sapo.pt", "suffix": "pt", "updated_at": "2018-09-21T06:01:01.647817"}]

CVEs that affect products that are running on an IP

If on an IP address we detect, as an example, an Apache 2.4.7 running, a CPE is generated for it which looks like:
cpe:/a:apache:http_server:2.4.7

This feature allows you to automatically see the CVEs (vulnerabilities) associated with this CPE.

Example for cpe:/a:apache:http_server:2.4.7

image

Hash of webpages

In some cases, it is really helpful to search for web pages with a specific hash. It would be great to have this feature in Binary Edge (sha256 maybe?).

Subdomains associated with domain

This feature allows you as a user to give a domain, i.e.: binaryedge.io

and receive in return a list of subdomains that we have in our database associated with that domain, i.e.:

app.binaryedge.io
blog.binaryedge.io

etc...

Sinkhole dataset access

This feature enables access to our listener data. This means we can identify IP addresses which are scanning or doing requests.

With this data it's possible to:

  • If a vulnerability came out, we can see if there has been anyone scanning for it, as we can see the IP that did the scanning and the payload
  • Identify malware-infected IPs
  • Detect crawlers

Example events:

{"origin":{"type":"sinkhole","ts":1543620828902,"client_id":"sinkhole","ip":"116.31.116.9"},"target":{"ip":"172.104.186.81","port":22,"protocol":"tcp"},"data":{"payload":"\x00\x00\x02\x84\x07\x14u\xbb\x8bI\xc7\x17V\xd1R\xaf\xd8\x98{\xc2J\xc0\x00\x00\x00Ydiffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\x00\x00\x00\x0fssh-rsa,ssh-dss\x00\x00\x00\x92aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\x00\x00\x00\x92aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\x00\x00\x00Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected]\x00\x00\x00Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected]\x00\x00\x00\x04none\x00\x00\x00\x04none\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\xf5W\xc8]\xddX","extra":{"ssh":{"hassh_algorithms":"diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc;hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected];none","hassh":"92674389fa1e47a27ddd8d9b63ecd42b"}}}}

{"target":{"protocol":"tcp","port":445,"ip":"213.32.78.78"},"data":{"payload":"\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00\x18S\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00@\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00"},"origin":{"ts":1543620834696,"ip":"142.4.193.169","type":"sinkhole","client_id":"sinkhole"}}

{"target":{"ip":"47.106.200.110","port":5060,"protocol":"udp"},"data":{"payload":"REGISTER sip:47.106.200.110 SIP/2.0\r\nVia: SIP/2.0/UDP 195.154.49.119:4040;branch=z9hG4bK1713871061\r\nMax-Forwards: 70\r\nFrom: "47106200110" sip:[email protected];tag=799463280\r\nTo: "me" sip:[email protected]\r\nCall-ID: 1491721404-394118509-1512312112\r\nCSeq: 1 REGISTER\r\nContact: sip:[email protected]:4040\r\nExpires: 3600\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO\r\nUser-Agent: pplsip\r\nContent-Length: 0\r\n\r\n"},"origin":{"ip":"110.185.170.198","client_id":"sinkhole","type":"sinkhole","ts":1543620995572}}

{"target":{"port":502,"ip":"213.219.39.228","protocol":"tcp"},"data":{"payload":"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0\r\nHost: 213.219.39.228:502\r\nConnection: Keep-Alive\r\n\r\n"},"origin":{"type":"sinkhole","ts":1543621097552,"ip":"37.49.231.146","client_id":"sinkhole"}}
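
The `hassh` value in the first event is the MD5 of the client's key-exchange, encryption, MAC and compression lists taken from its SSH_MSG_KEXINIT packet. The parser below is an added example, not BinaryEdge's code: it walks the same packet layout as that payload and recomputes the fingerprint so scanners can be clustered by client. It assumes the payload has already been decoded to raw bytes; the sample packet and all function names are constructed for illustration.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253, section 7.1

def parse_kexinit(payload: bytes) -> list:
    """Return the ten name-lists carried in an SSH_MSG_KEXINIT binary packet."""
    if len(payload) < 22:
        raise ValueError("too short for a KEXINIT packet")
    _packet_len, _padding_len, msg = struct.unpack(">IBB", payload[:6])
    if msg != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet (message type %d)" % msg)
    pos = 6 + 16  # skip the header and the 16-byte random cookie
    name_lists = []
    for _ in range(10):
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + size > len(payload):
            raise ValueError("name-list runs past end of payload")
        name_lists.append(payload[pos:pos + size].decode("ascii", "replace"))
        pos += size
    return name_lists

def hassh(payload: bytes) -> tuple:
    """Client HASSH: MD5 of 'kex;enc_c2s;mac_c2s;comp_c2s'."""
    lists = parse_kexinit(payload)
    algorithms = ";".join((lists[0], lists[2], lists[4], lists[6]))
    return algorithms, hashlib.md5(algorithms.encode()).hexdigest()

def build_kexinit(name_lists: list) -> bytes:
    """Build a constructed KEXINIT packet (zero cookie and padding) for the demo."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in name_lists:
        body += struct.pack(">I", len(names)) + names.encode("ascii")
    body += bytes(5)  # first_kex_packet_follows + reserved uint32
    padding = 7
    return struct.pack(">IB", 1 + len(body) + padding, padding) + body + bytes(padding)

# Constructed sample: kex and host-key lists as in the first event, the rest shortened.
KEX = ("diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
       "diffie-hellman-group1-sha1")
SAMPLE = build_kexinit([KEX, "ssh-rsa,ssh-dss", "aes128-ctr,aes256-ctr",
                        "aes128-ctr,aes256-ctr", "hmac-sha1,hmac-md5",
                        "hmac-sha1,hmac-md5", "none", "none", "", ""])

if __name__ == "__main__":
    print(hassh(SAMPLE))
```

Payloads that are not KEXINIT packets, such as the HTTP request sent to port 502 in the last event, raise `ValueError` and can be routed to a different classifier.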

On demand scans

If you had the ability to do on demand scans, what would you like to do and how would you like to configure them?

new module: scan for open proxies on 3128/tcp

  • scan 3128/8080
  • check if squid is in result
  • bonus points: make a proxy call to a domain/IP you control and see if the proxy sends stuff through, aka is usable as a proxy (misconfig?) for an unauthenticated 3rd party

Add a way to quickly exclude search criteria from search

Currently you are able to quickly add to the search query by clicking any of the red links as seen below.

Screen Shot 2020-01-22 at 11 15 58 AM

It would be nice to be able to exclude them as easily as it is to add them to the search.

Possibly something like this:

Screen Shot 2020-01-22 at 11 21 48 AM

Feature Request : direct access to the IP page in the web view

Hi,

Just a suggestion of improvement in the web interface: when I am searching for an IP in https://app.binaryedge.io/services/query, I get a list of results for this related IP which is not what I am looking for; I am looking for the page with all the details about this IP (like https://app.binaryedge.io/services/query/8.8.8.8). This result page is really helpful when searching for a keyword / tag / complex search, but not for an IP, and half of my searches in BE are details about an IP. Would it be possible to have a check server side for the IP address format and redirect to the IP page directly if it is an IP?

What do you think?

SCSS Edits Very low priority

In app scss please justify align the google recaptcha api for sign-up (margin-left:auto;margin-right:auto) etc.

Also for login inputs <input ng-model="username" id="username" type="email"../> the lack of left-padding feels off.

Referenced on line 10622 of app.scss:
.splash-container .input-group .form-control {
padding: 0;

Or by adding padding to the element.

Feature request: Saved Queries and Sharing

Abstract:

For OSINT and continuous monitoring of specific targets it would be incredibly useful to be able to store and access specific "investigations" via the dashboard. A simple query and private tag with a description would be sufficient. You may wish to limit the quantity based on subscription level. This would also reduce failed or invalid queries as new customers on-board.

Giving users the ability to publicly share these queries (Twitter and Slack share buttons) would also help create awareness of the platform and further build the community through collaborative research.

ipv6 / v6/https-scan is not working correctly: v6/https-scan should have delivered the same results as v4/https but did not


curl -6 -v -k https://[2001:4ca0:xx.yy.zz] -> redirects /user/sign_in -> loads page
curl -6 -v -k http://[2001:4ca0:xx.yy.zz] -> redirects to cname-host
curl -v -k https://129.xx.yy.zz -> redirects /user/sign_in -> loads page
curl -v -k http://129.xx.yy.zz -> redirects to cname-host

The HTML body and headers are only available in IPv4 results for port 443, while IPv6 results only display the SSL cert info but nothing on the HTML.

This strips certain IPv6 results out of searches/filters and leads to missing/false negatives on IPv6-only hosts or results where CNAMEs with IPv4 and IPv6 are located on different machines.

Feature Request: SSL Cert info on Host search dashboard

For each host found, display the SSL cert info (if any) such as:
Common Names, Organization, Creation and Expiry, supported versions of SSL / TLS.
Shodan.io does a similar thing to the above.

Another thing that is maybe a bit more advanced to make, is to make a custom dashboard experience by letting users build dashboards with the search terms they desire, would be dope and could be expanded for a lot of different purposes.

Feature Request: Certificate Transparency

For each IP that has a certificate (regardless of port) query the serial and/or cn/SANs against CT log to see if it exists in the dataset. If the certificate is visible within CT logs, pull that info (this is similar to what censys.io does presently, but their scans miss a lot of ports and hosts). From the UX perspective, make the tag (ex: in_ct) searchable and visible to the end user. example search: ssl "string" AND tag:in_ct WHERE cert_expired:FALSE. You could also make the tag itself click searchable from within the UI; example workflow: user looks at IP, sees cert serial, clickable leads to information about cert and how many hosts presently serve it.

Note: there are a number of ways to do this, but the simplest would be to maintain your own local index of the CT logs and query against them - use something akin to axeman
