Finding vulnerable systems on the Internet with Netlas.io

Open Source Intelligence (OSINT)

Often, as cyber warriors, we need to check whether our systems or the systems of others are vulnerable to various known vulnerabilities and attacks. Whether it's pentesters, security engineers or other malicious actors, this information can be critical to the success of this mission.

There are several other sites that offer some information in this key area, such as Shodan and Censys, but netlas.io is probably the best! To be honest, if you're not using netlas.io, you're missing out on one of the best resources on the web.

netlas14

 

Netlas.io can be used in at least 5 different use cases such as,

  1. OSINT

  2. Offensive Security

  3. Defensive Security

  4. Leads and contacts

  5. MarketingResearch

In this guide, we will focus on using netlas.io as an offensive security tool in the context of penetration testing. The first steps of a pentest, including identifying and forming an attack surface, are faster and easier with Netlas.io. Use whois and DNS lookup option including A, NS, PTR, MX and SPF records to configure network perimeter, scaling and performance.

Step #1: Login to netlas.io

The first step is to navigate to netlas.io and create an account.

netlas

Since netlas.io is in its early stage of development, it offers multiple free accounts.

netlas0

Step #2: Basic search

Like many other search engines, you can create a search query with search fields and search phrases separated by colons (:). You can search by IP address, host, whois and many other fields. Additionally, you can search by subfields using the field name followed by the subfield name separated by a period.

field.subfield:value

So if you were looking for apache web servers you could type,

tag.name:apache

netlas1

As you can see below, netlas.io was able to find 94 million servers running apache.

Each entry has a response tab, a certificates tab, a Whois tab, and a domains tab. When we click on the domains tab, all the domains hosted on the specific IP address are displayed.

netlas2

We can also search by host using the syntax,

host: cybrary

netlas3

 

Step #3: Search for vulnerabilities

One of the beauties of this site is the ability to search by vulnerability and cve. For example, if I wanted to see all sites with CVE vulnerabilities greater than 9, I could enter the search,

cve.base_score:>9

netlas4

If I wanted to find all SMB-enabled sites, I could enter the search,

smb:*

netlas5

Note that in the response field we have a subfield “smbv1_support". We can use this subfield to find all sites with faulty and vulnerable SMBv1 (true) enabled.

smb.smbv1_support:true

netlas6

Note that over 113.000 sites were found with this outdated and flawed version of SMB.

netlas7

We can also search for sites that have a known public exploit using the search,

cve.has_exploit:*

netlas8

This search reveals that there are over 74 million websites that are potentially vulnerable to some known public exploit. On the right edge of the screen you can see the CVEs of the vulnerabilities found. We can then click on the tab CVE above the listing and netlas.io will list all known vulnerabilities. Note that the website below has 3 vulnerabilities with severity above 9!

netlas9

We can also search based on the severity level of known vulnerabilities. If we wanted to see all the sites with a degree of seriousness”critical", we use the search term,

cve.severity:critical

netlas10

If we wanted to find all websites that are vulnerable to the infamous EternalBlue (remote SMB code execution) exploit, we can search by CVE name,

cve.name: CVE-2017-0145

netlas11

Over 161 thousand websites are still vulnerable to this exploit. Just for background, here is the list of CVEs in NVD.

netlas12

Step #4 Use logical operators

As with other sites similar to netlas.io, you can use logical operators to narrow your search. You can use AND, OR ή NOT (&&, ||, !, respectively). The default operator is the AND.

So if you are looking for sites running the outdated and vulnerable MySQL v5 sites with ASN number 4134 you could create a query like,

mysql.server.version:5 and asn.number:4134

netlas13

Netlas.io also allows you to search using regular expressions (regex) and wildcards (* and ?).

Summary

If you are into pentest or OSINT, netlas.io is a must have tool. It can save you hours of searching for key information and vulnerabilities.

I hope it goes without saying that no tool is perfect and that goes for netlas.io as well. That's why you need to familiarize yourself with a wide variety of tools and then use the best tool for the job or situation.

iGuRu.gr The Best Technology Site in Greecefgns

OSINT, Netlas

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).