Identify Risks
As we have many tags and device & protocol identification techniques, we need to know what to search for in order to identify the risks your assets are exposing. That is the goal of this Dorkpedia chapter: a list of queries to identify vulnerabilities or weaknesses.
This list will be expanded when we add new tags or risks of interest.
Exposed VPN server
category:datascan device.class:"vpn server"
SMB null session is enabled
category:datascan app.smb.nullsession:true
Anonymous FTP access is enabled
category:datascan app.ftp.anonymous:true
Command & control server is hosted
category:datascan device.class:c2
Infostealer is hosted
category:datascan device.class:infostealer
Database is exposed (with or without authentication)
category:datascan device.class:database
Database is exposed without authentication
category:datascan device.class:database tag:open
Sensitive medical device exposed
category:datascan device.class:medical
Remote access control device exposed
category:datascan device.class:"remote access control"
SCADA device exposed
category:datascan device.class:scada
Unverified CVE has been found
Version information disclosure
Version vulnerable to CVE-2021-41773
category:datascan ?productversion:2.4.49 ?productversion:2.4.50 productvendor:apache
SIP protocol is exposed (with or without authentication)
category:datascan protocol:sip
SIP protocol is exposed without authentication
category:datascan protocol:sip tag:open
SMB share is exposed
category:datascan protocol:smb
Protocol with clear-text credentials
category:datascan ?protocol:telnet ?protocol:pop3 ?protocol:imap ?protocol:ftp tls:false
OMIGOD impacted asset
category:datascan protocol:winrm tag:open
Remote login interface
category:datascan ?protocol:x11 ?protocol:rdp ?protocol:vnc
Sensitive protocol exposed
Sensitive device exposed
Emotet C2 identification
Compromised asset identified
category:datascan tag:compromised
Compromised by deadbolt asset identified
category:datascan tag:deadbolt
Debug interface exposed
Default configuration found
Open bucket found (Google or Amazon)
category:datascan tag:openbucket
Open Web directory found
Something other than an open Web directory found
category:datascan tag:open !tag:opendir
phpinfo enabled on the Web server
serverinfo enabled on the Web server
category:datascan tag:serverinfo
serverstatus enabled on the Web server
category:datascan tag:serverstatus
Web shell found in an open Web directory
category:datascan tag:webshell
TLS certificate has expired
category:datascan -tlsexpired:1
Asset is scanning the Internet
Asset is known as a threat
category:threatlist !tag:benign