Meet SQL Explorer: One of the Best Alternatives to Shodan

Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.

In this modern age of IP reconnaissance and security research, combined with the ever-growing list of software services accessible via the public internet, it's critical to stay ahead of the curve. With hundreds, if not thousands, of websites being launched every day, the increasing size of the internet makes it nearly impossible to manually scan and build reliable reports. Internet scanning, as it's commonly called, is often too slow to catch security vulnerabilities in time when done manually, even within small to medium-sized organizations. Tools like Shodan make this task easier by using Shodan dorks to find and filter for specific bits of information (such as web servers running a particular software version in a specific city or country).

SQL Explorer: An SQL-like, similar alternative to Shodan

Today we're introducing you to SQL Explorer, a Shodan-esque tool supercharged with the ability to use SQL syntax, and one of the many enterprise-grade features offered by SurfaceBrowser. With support for conditional operators like OR, AND, NOT and more, SQL Explorer offers unmatched flexibility and control over the queries being run. To see how it gathers intelligence about hosts or IPs, let's look at some practical examples of how SQL Explorer helps security researchers perform queries similar to Shodan.

Databases

SQL Explorer can be used to find database instances that are exposed to the public internet by filtering on the ports they listen on.

To look up MongoDB-based databases running on port 27017:

Similarly, let's take a look at Redis, a popular NoSQL-style database which runs on port 6379. To look up Redis-powered databases we use the following query:

If searching for Elasticsearch instances available on the public internet, we can use this query:

To look up a specific ASN with port 9200, replace ASN number with the ASN number in question:

Further, to look up all Elasticsearch instances whose DNS is served by ns1.digitalocean.com:

Software versions

Software versions are an important aspect to consider, whether you're doing IP research or securing your own organization's websites. And while running the latest software can help keep you secure, the growing number of websites in any one organization often makes keeping track of numerous versions a challenging task.

For example, let's consider WordPress, which powers all sorts of websites (including ecommerce) and remains one of the most popular CMSs (content management systems) on the internet.

For starters, let's find all WordPress-powered websites running on ns1.digitalocean.com:

Next, let's look for older versions of WordPress, say 4.9.13 (which is quite an old version, considering version 5.7.2 is the latest version at the time of this writing):

The above query lists all WordPress-powered websites running on the DigitalOcean nameserver "ns1.digitalocean.com" that, in turn, run the old and vulnerable 4.9.13 version.

Operating systems

Operating systems are the core of a web application. They run everything in the web stack, from storing files to running the database, the web server and more.

To filter for Ubuntu-powered servers, we use the following query:

Similarly, if we wish to filter for websites powered by CentOS, a popular RHEL clone:

The above queries list all websites powered by Ubuntu or CentOS running on the DigitalOcean nameserver "ns1.digitalocean.com".

Web servers

When a website or web service is attacked, web servers are first in the line of fire. That's because a web server is responsible for accepting or denying requests from the client or attacker and passing them on to the backend for further processing. This means that an out-of-date web server can lead to security issues that allow attackers to access your server's filesystem and more.

In this example, let's look at finding engine x-powere...
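
The port, nameserver and version filters described in the Databases and Software versions sections can be applied to an inventory of your own hosts to spot exposure before someone else does. The following is an added example, not code from the original post and not SQL Explorer's query syntax or schema: it uses a local SQLite table whose columns, hostnames and rows are constructed for illustration.

```python
import sqlite3

# Constructed sample inventory; the schema is hypothetical, not SQL Explorer's.
ROWS = [
    ("db1.example.com", "ns1.digitalocean.com", 27017, "MongoDB", "4.4.6"),
    ("cache.example.com", "ns1.digitalocean.com", 6379, "Redis", "6.2.3"),
    ("search.example.com", "ns1.example.net", 9200, "Elasticsearch", "7.12.1"),
    ("blog.example.com", "ns1.digitalocean.com", 443, "WordPress", "4.9.13"),
    ("shop.example.com", "ns1.digitalocean.com", 443, "WordPress", "5.7.2"),
    ("www.example.com", "ns1.example.net", 80, "nginx", "1.18.0"),
]
DB_PORTS = (27017, 6379, 9200)  # MongoDB, Redis, Elasticsearch ports named in the post


def load_inventory(rows=ROWS):
    """Build an in-memory table of (hostname, nameserver, port, software, version)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE hosts (hostname TEXT, nameserver TEXT, "
        "port INTEGER, software TEXT, version TEXT)"
    )
    con.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?, ?)", rows)
    return con


def exposed_databases(con, nameserver=None):
    """Hosts listening on a database port, optionally limited to one nameserver."""
    sql = "SELECT hostname, port FROM hosts WHERE port IN (?, ?, ?)"
    params = list(DB_PORTS)
    if nameserver is not None:
        sql += " AND nameserver = ?"
        params.append(nameserver)
    return con.execute(sql + " ORDER BY hostname", params).fetchall()


def version_key(version):
    """Compare versions numerically; plain string comparison ranks '5.10' below '5.9'."""
    return tuple(int(part) for part in version.split("."))


def outdated(con, software, latest):
    """Hosts running `software` at a version older than `latest`."""
    rows = con.execute(
        "SELECT hostname, version FROM hosts WHERE software = ? ORDER BY hostname",
        (software,),
    ).fetchall()
    return [(h, v) for h, v in rows if version_key(v) < version_key(latest)]
```

Calling `outdated(load_inventory(), "WordPress", "5.7.2")` flags the host still on 4.9.13, the version pair the post uses.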

About the Podcast

Listen to all the articles we release on our blog while commuting, while working or in bed.