Ever wondered what parts of your infrastructure are inadvertently exposed to the internet? Or maybe you're trying to debug a network service that just isn't behaving as expected, and you suspect a firewall issue or misconfiguration somewhere upstream. Manually scanning IP ranges can be tedious and slow, especially if you're dealing with a dynamic environment.
This article will walk you through a practical approach to quickly identify internet-facing services and potential vulnerabilities using ScanSearch, an internet-wide search engine for network devices and services, combined with a bit of Python to automate and interpret the results. The goal isn't to hack anything, but to gain insight into your own network's perimeter and improve its security posture.
The Problem: What's Visible?
It's surprisingly easy to accidentally expose services that shouldn't be public. A developer might spin up a test database, forget to configure its firewall rules, and suddenly it's reachable from anywhere. Or a misconfigured router might forward ports intended for internal use. These oversights create attack vectors that bad actors actively scan for.
Instead of waiting for a security incident, let's proactively find what's visible.
Introducing ScanSearch
ScanSearch is a powerful tool for discovering network devices, services, and even vulnerabilities across the internet. Think of it like Google, but for network ports and banners. You can query it for specific port numbers, service banners, protocols, and more.
For instance, if you want to find all devices exposing port 22 (SSH), you can simply search for port:22 on their website. The real power, however, comes from combining these queries and using their API for programmatic access.
Scenario: Finding Unexpected SSH Exposure
Let's say you manage a set of servers and want to ensure that only specific, hardened SSH servers are exposed to the public internet. You want to quickly check if any other devices within your known IP ranges are also inadvertently exposing SSH.
We'll use ScanSearch to query for devices running SSH on port 22, filtered by a specific IP range (e.g., your organization's public IP block). For this example, let's assume your organization uses the fictional IP range 192.0.2.0/24.
Step 1: Manual Query (for exploration)
Before diving into code, it's often helpful to test your query directly on the ScanSearch website. Go to the site and try searching for:
port:22 ip:192.0.2.0/24
This query tells ScanSearch to look for devices with port 22 open and that fall within the 192.0.2.0/24 IP range. You'll get a list of results, each showing the IP, port, and often a service banner (e.g., SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3).
Step 2: Automating with Python
Manually checking results is fine for a one-off, but for regular auditing or more complex analysis, an API is essential. ScanSearch offers an API that allows you to programmatically submit queries and retrieve results. (Note: You'll typically need an API key for programmatic access beyond basic public queries. Refer to the ScanSearch documentation for details on API usage and authentication).
Here's a simple Python script to query ScanSearch for exposed SSH services within our example IP range and print the results.
```python
import json

import requests

# Replace with your actual ScanSearch API endpoint and API key.
# For simplicity, we'll use a placeholder URL here.
# Check ScanSearch documentation for the correct API endpoint and authentication.
SCANSEARCH_API_URL = "https://api.scansearch.net/v1/search"
# SCANSEARCH_API_KEY = "YOUR_API_KEY_HERE"  # Uncomment and set if required by API


def search_scansearch(query, ip_range):
    """Search for port 22 within ip_range; return the parsed JSON, or None on error."""
    # Skip empty parts so a blank extra filter does not leave a double space.
    full_query = " ".join(p for p in ("port:22", query, f"ip:{ip_range}") if p)
    print(f"Executing ScanSearch query: {full_query}")
    headers = {
        "Content-Type": "application/json",
        # "Authorization": f"Bearer {SCANSEARCH_API_KEY}"  # Uncomment if using API key
    }
    payload = {
        "query": full_query,
        "limit": 100,  # Adjust limit as needed, check API docs for max
    }
    try:
        # A timeout keeps a scheduled audit from hanging on a stalled connection.
        response = requests.post(
            SCANSEARCH_API_URL, headers=headers, data=json.dumps(payload), timeout=30
        )
        response.raise_for_status()  # Raise an exception for HTTP errors
        return response.json()
    except requests.exceptions.RequestException as e:
        print(f"Error querying ScanSearch API: {e}")
        return None


if __name__ == "__main__":
    target_ip_range = "192.0.2.0/24"  # Replace with your actual public IP range
    # We're specifically looking for SSH on port 22, so the initial query is simple.
    # You could expand this to include specific SSH versions, e.g., 'ssh-2.0-openssh'
    query_string = ""
    search_results = search_scansearch(query_string, target_ip_range)

    if search_results and search_results.get("data"):
        print(f"\nFound {len(search_results['data'])} potential SSH exposures in {target_ip_range}:\n")
        for result in search_results["data"]:
            ip = result.get("ip")
            port = result.get("port")
            service_banner = result.get("banner", "N/A")
            print(f"  IP: {ip}, Port: {port}, Banner: {service_banner}")

        # Further analysis: Check if these IPs are expected or unexpected
        # For example, maintain a whitelist of allowed SSH servers.
        expected_ssh_servers = ["192.0.2.10", "192.0.2.20"]
        print("\n--- Analysis ---")
        for result in search_results["data"]:
            ip = result.get("ip")
            if ip not in expected_ssh_servers:
                print(f"  WARNING: Unexpected SSH exposure on {ip} (Port: {result.get('port')}, Banner: {result.get('banner', 'N/A')})")
            else:
                print(f"  INFO: Expected SSH server on {ip}")
    elif search_results is not None:
        # The request succeeded but returned no matching records.
        print(f"No SSH services found in {target_ip_range}.")
    else:
        print("Failed to retrieve ScanSearch results.")
```
Important Notes:
- API Key: The example above shows placeholders. You will need to refer to the ScanSearch API documentation for the correct API endpoint, authentication methods (likely involving an API key), and usage limits. Set SCANSEARCH_API_KEY and uncomment the Authorization header if required.
- IP Range: Replace 192.0.2.0/24 with your actual public IP address range or a specific IP address you want to monitor.
- Error Handling: The script includes basic error handling for API requests. In a production scenario, you'd want more robust logging and error management.
- Rate Limiting: Be mindful of API rate limits. The limit parameter helps control the number of results per query.
Interpreting Results and Taking Action
Once you run the script, you'll get a list of IPs within your specified range that have port 22 open. Your next steps depend on what you find:
- Expected Services: If an IP shows up and you know it's a legitimate, hardened SSH server, that's great. Document it as part of your known infrastructure.
- Unexpected Services: If an IP appears that you don't expect to have SSH exposed, this is a critical finding. Investigate immediately:
  - Identify the machine: What server or device owns that IP? Who is responsible for it?
  - Determine the cause: Is it a misconfigured firewall? An old test server that was never decommissioned? A rogue service?
  - Remediate: Close the port, restrict access to specific trusted IPs, or remove the service if it's not needed. Ensure proper security configurations are in place (e.g., key-based authentication, disabled root login, up-to-date SSH daemon).
Beyond SSH: Finding Other Vulnerabilities
The power of ScanSearch isn't limited to just SSH. You can adapt the query_string to find a multitude of other potentially risky exposures:
- Databases: port:3306 (MySQL), port:5432 (PostgreSQL), port:27017 (MongoDB) – often found with default credentials or no authentication.
- Web Servers: port:80 (HTTP), port:443 (HTTPS) – look for unexpected admin panels or outdated server versions (server:nginx/1.10.3).
- Remote Desktops: port:3389 (RDP) – a common target for brute-force attacks.
- IoT Devices: Look for default credentials or known vulnerable device types.
- Unsecured Storage: port:445 (SMB) or port:21 (FTP) with anonymous access.
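The triage described under "Interpreting Results and Taking Action", extended to the other ports listed above, as an added example that is not part of the original article or ScanSearch's own code. It assumes result records carry the ip, port and banner keys the script above reads; the sample records, the per-port POLICY allowlist and the triage function are constructed for illustration.

```python
import ipaddress

# Constructed sample records in the shape the script above assumes
# (keys "ip", "port", "banner"); this is not real ScanSearch output.
SAMPLE_RESULTS = [
    {"ip": "192.0.2.10", "port": 22, "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"},
    {"ip": "192.0.2.57", "port": 22, "banner": "SSH-2.0-OpenSSH_7.4"},
    {"ip": "192.0.2.57", "port": 3306},
    {"ip": "192.0.2.80", "port": 443, "banner": "nginx/1.10.3"},
    {"ip": "198.51.100.9", "port": 22, "banner": "SSH-2.0-OpenSSH_9.6"},
    {"ip": "not-an-ip", "port": 22},
]

# Hypothetical policy: hosts allowed to expose each port; unlisted ports are never expected.
POLICY = {
    22: {"192.0.2.10", "192.0.2.20"},
    443: {"192.0.2.80"},
}

def triage(results, owned_cidr, policy):
    """Sort findings into expected, unexpected, out_of_scope and missing."""
    net = ipaddress.ip_network(owned_cidr)
    report = {"expected": [], "unexpected": [], "out_of_scope": [], "missing": []}
    seen = set()
    for rec in results:
        try:
            addr = ipaddress.ip_address(rec.get("ip", ""))
            port = int(rec.get("port"))
        except (ValueError, TypeError):
            report["out_of_scope"].append(rec)  # malformed record: set aside for review
            continue
        if addr not in net:
            report["out_of_scope"].append(rec)  # outside the owned range: not ours to act on
            continue
        key = (str(addr), port)
        if key in seen:  # duplicate hit for the same service
            continue
        seen.add(key)
        allowed = policy.get(port, set())
        bucket = "expected" if str(addr) in allowed else "unexpected"
        report[bucket].append({"ip": key[0], "port": port, "banner": rec.get("banner", "N/A")})
    # Allowlisted services the search did not return: stale policy or stale index.
    for port, hosts in policy.items():
        report["missing"] += [(h, port) for h in sorted(hosts) if (h, port) not in seen]
    return report

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_RESULTS, "192.0.2.0/24", POLICY).items():
        print(bucket, items)
```

Entries under unexpected are the findings to investigate first; a missing entry means either the allowlist or the search index is out of date.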
By regularly scanning your external footprint with ScanSearch, you can proactively identify and mitigate risks before they become security incidents. It's a fundamental step in maintaining a robust security posture for any internet-connected infrastructure.