しょうがない - Shouganai @ 29/11/09 11:07 am
flatwhatson showed me a website called shodan a little while back. It allows you to search through the banners that the owner picks up while scanning (ssh version banners, ftp servers, http headers, etc). I thought it was a pretty cool idea, but also thought it could be done much better, so yesterday I wrote a clone of it.
You can see said clone here.
It's got a few features shodan doesn't, shodan has some features that mine doesn't, so it's not meant to replace shodan. The thing is, it seems I can add many many many more entries at a much faster rate than the other guy can. I've written a few small scanners over the last few months for ftp, http, etc, so I know what works and what doesn't when it comes to scanning for large amounts of hosts. Right now I'm adding about 1500 hosts per minute, pretty quickly approaching 1.1 million entries. Keep in mind that it's only been scanning for around 18 hours.
If you're wondering about the name, it's a Japanese word. Depending on context, it can mean "hopeless", "no choice in the matter", "no helping it" and other things along those lines. In this case, it means "once I have your data on here, there's nothing you can do about it". That is if you're running an old version of apache or something.
It's pretty straightforward to use. Without any explanation, you can probably start finding interesting stuff on there. Try this search out for instance: http://shouganai.mastercj.net/index.php?q=openssh. There are a few modifiers you can use in search terms and they act just like their google-inspired brethren. This includes prefixing them with "-" to denote a desire to exclude all results matching that modifier. Allow me to demonstrate.
The first is "software": http://shouganai.mastercj.net/index.php?q=software%3Athttpd. This will only work for headers that I've written definitions for. I catch a fair few http server versions and a large chunk of sshd versions, so specifying things like "IIS" or "dropbear" or "cisco sshd" should work as expected.
The second is "version": http://shouganai.mastercj.net/index.php?q=version%3A2. This can be combined with the "software" modifier to pick out what exactly you want to find. This is a slightly fuzzy search in that "2" will match "2" and "2.1.0".
Next up is "port". This works for all results and is pretty self explanatory. http://shouganai.mastercj.net/index.php?q=port%3A80.
Fourth is "protocol". There's a pretty good chance that this will work, but it's not guaranteed. I've erred on the side of false negatives instead of false positives with this, so you might miss some malformed server responses. Here's an example of when it works: http://shouganai.mastercj.net/index.php?q=protocol%3Assh.
There's a few more modifiers I'm yet to get around to implementing that I'd like to, such as "country" and "domain". Neither will be very hard to do, but I probably won't have time to do it until later in the week.
Anyway, that's that. If you've read this far, thanks! Have fun with it and excuse any sluggishness until I switch over to sphinx or senna or something.
Happy hacking!
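The modifier syntax described above, evaluated over a small banner inventory of the kind you might keep for your own hosts. This is an added example, not the site's code: the record fields, the constructed sample rows, the quoting of multi-word values, and the component-wise rule used for the fuzzy "version" match are all assumptions.

```python
import shlex

MODIFIERS = {"software", "version", "port", "protocol"}

# Constructed sample inventory (documentation address range); field names are assumptions.
FIELDS = ("ip", "port", "protocol", "software", "version", "banner")
ROWS = [
    ("192.0.2.10", 22, "ssh", "openssh", "5.1", "SSH-2.0-OpenSSH_5.1"),
    ("192.0.2.11", 22, "ssh", "dropbear", "0.52", "SSH-2.0-dropbear_0.52"),
    ("192.0.2.12", 80, "http", "thttpd", "2.25b", "Server: thttpd/2.25b"),
    ("192.0.2.13", 8080, "http", "apache", "2.1.0", "Server: Apache/2.1.0"),
    ("192.0.2.14", 80, "http", "apache", "1.3.41", "Server: Apache/1.3.41"),
    ("192.0.2.15", 22, "ssh", "cisco sshd", "1.25", "SSH-2.0-Cisco-1.25"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

def parse_query(query):
    """Split a query into (negate, field, value); field is None for a bare term."""
    terms = []
    for token in shlex.split(query):  # lets software:"cisco sshd" stay one token
        negate = token.startswith("-") and len(token) > 1
        if negate:
            token = token[1:]
        field, sep, value = token.partition(":")
        if sep and value and field.lower() in MODIFIERS:
            terms.append((negate, field.lower(), value.lower()))
        else:
            terms.append((negate, None, token.lower()))
    return terms

def version_matches(wanted, actual):
    # Fuzzy match on dotted components: "2" matches "2" and "2.1.0", not "20.1".
    parts = wanted.split(".")
    return actual.split(".")[:len(parts)] == parts

def term_matches(rec, field, value):
    if field is None:  # bare term: substring of the raw banner
        return value in rec["banner"].lower()
    if field == "port":
        return value.isdigit() and rec["port"] == int(value)
    if field == "version":
        return version_matches(value, rec["version"].lower())
    return rec[field].lower() == value  # software / protocol

def search(query, records=RECORDS):
    """Return the IPs of records matching every term (negated terms must not match)."""
    terms = parse_query(query)
    return [r["ip"] for r in records
            if all(term_matches(r, f, v) != neg for neg, f, v in terms)]
```

Run against a real inventory, a query such as `software:apache version:1` is a quick way to list hosts still advertising an old release in their banner.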
1 comment
Comment by Ben @ 01/01/10 06:06 am
SUGOI!!! This is pretty wicked. I'd be happy to submit some data to your search engine. A database of all the banners on the internet would be pretty cool.

