ONYPHE

Identify Risks

As we have many tags and device & protocol identification technics, we have to know what to search for to identify risks your assets are exposing. This is the goal of this Dorkpedia chapter: a list of queries to identify vulnerabilities or weaknesses.

This list will be expanded when we add new tags or risks of interest.

Exposed VPN server

category:datascan device.class:“vpn server”

SMB null session is enabled

category:datascan app.smb.nullsession:true

Anonymous FTP access is enabled

category:datascan app.ftp.anonymous:true

Command & control server is hosted

category:datascan device.class:c2

Infostealer is hosted

category:datascan device.class:infostealer

Database is exposed (with or without authentication)

category:datascan device.class:database

Database is exposed without authentication

category:datascan device.class:database tag:open

Sensitive medical device exposed

category:datascan device.class:medical

Remote access control device exposed

category:datascan device.class:“remote access control”

SCADA device exposed

category:datascan device.class:scada

Unverified CVE has been found

category:datascan -exists:cve

Version information disclosure

category:datascan -orexists:device.productversion -orexists:app.http.component.productversion -orexists:productversion

Vulnerable version to CVE-2021-41773

category:datascan ?productversion:2.4.49 ?productversion:2.4.50 productvendor:apache

SIP protocol is exposed (with or without authentication)

category:datascan protocol:sip

SIP protocol is exposed without authentication

category:datascan protocol:sip tag:open

SMB share is exposed

category:datascan protocol:smb

Protocol with clear-text credentials

category:datascan ?protocol:telnet ?protocol:pop3 ?protocol:imap ?protocol:ftp tls:false

OMIGOD impacted asset

category:datascan protocol:winrm tag:open

Remote login interface

category:datascan ?protocol:x11 ?protocol:rdp ?protocol:vnc

Sensitive protocol exposed

category:datascan ?protocol:adb ?protocol:rdp ?protocol:x11 ?protocol:vnc ?protocol:smb ?protocol:ssh ?protocol:snmp ?protocol:ntp ?protocol:rsync ?protocol:telnet ?protocol:xdmcp

Sensitive device exposed

category:datascan ?device.class:printer ?device.class:camera ?device.class:hvac ?device.class:ups ?device.class:EVCMS

Emotet C2 identification

category:datascan subject.commonname:example.com subject.organization:“global security” subject.city:london subject.country:gb app.http.headermd5:“0703f8de6c918848f0335fb425ed3435” app.http.bodymd5:“465981b2c7142b9fb660b39e2de874c1”

Compromised asset identified

category:datascan tag:compromised

Compromised by deadbolt asset identified

category:datascan tag:deadbolt

Debug interface exposed

category:datascan tag:debug

Default configuration found

category:datascan tag:default

Open bucket found (Google or Amazon)

category:datascan tag:openbucket

Open Web directory found

category:datascan tag:opendir

Something else then open Web directory found

category:datascan tag:open !tag:opendir

phpinfo enabled on the Web server

category:datascan tag:phpinfo

serverinfo enabled on the Web server

category:datascan tag:serverinfo

serverstatus enabled on the Web server

category:datascan tag:serverstatus

Web shell found in an open Web directory

category:datascan tag:webshell

TLS certificate has expired

category:datascan -tlsexpired:1

Asset is scanning Internet

category:sniffer !tag:benign

Asset is known as a threat

category:threatlist !tag:benign

Critical vulnerability found

category:vulnscan -exists:cve