DEV Community

Cover image for Finding Exposed Services & Vulnerabilities: A Developer's Quick Guide with ScanSearch
Billy
Billy

Posted on

Finding Exposed Services & Vulnerabilities: A Developer's Quick Guide with ScanSearch

Ever been in a situation where you need to quickly identify what services are exposed on a particular network range, or even across the internet? Maybe you're auditing your own infrastructure, or perhaps performing some ethical hacking. Traditional methods can involve port scanning specific IPs, which is fine for small scopes but quickly becomes impractical for broader reconnaissance.

This article will walk you through a practical approach to quickly discover network devices, their services, and even potential vulnerabilities using a powerful internet-wide search engine called ScanSearch. We'll focus on common developer use cases, showing you how to formulate queries to get actionable insights without running a single nmap command yourself.

The Problem: Blind Spots and Manual Scanning

Imagine you're responsible for securing a fleet of IoT devices. You've configured them, but how do you verify they aren't accidentally exposing a web interface or an SSH port to the public internet? Or perhaps you're developing a new service and want to see what similar services are exposing. Manually scanning vast IP ranges is time-consuming and often requires dedicated infrastructure.

This is where an internet-wide search engine comes in. Instead of actively scanning, it aggregates data from continuous scans, allowing you to query this massive dataset instantly.

Introducing ScanSearch: A Practical Tool

ScanSearch is essentially Google for network devices. It continuously scans the internet and indexes information about network devices, the services they run, and known vulnerabilities. This allows you to search for specific criteria, like devices running a particular version of Apache, or devices with an open RDP port.

Let's dive into some practical examples.

Use Case 1: Discovering Exposed Web Servers

Let's say you want to find all devices on the internet running an Apache web server on port 80. ScanSearch's query language is fairly intuitive.

You'd use a query like this:

service.name:apache AND port:80
Enter fullscreen mode Exit fullscreen mode

This query tells ScanSearch to look for devices where the service name contains "apache" and the port is 80. The results would show you IP addresses, along with other details about the discovered service. This is incredibly useful for understanding the landscape of publicly accessible web servers.

Use Case 2: Identifying Devices with Specific Vulnerabilities

One of the most powerful features for developers and security professionals is the ability to search for devices with known vulnerabilities. ScanSearch indexes information about vulnerabilities associated with discovered services.

Let's say you're concerned about devices running services known to be vulnerable to a specific CVE (Common Vulnerabilities and Exposures) ID, for example, CVE-2021-44228 (Log4Shell).

While ScanSearch doesn't let you query by CVE ID directly in the current iteration, you can achieve similar results by searching for specific service versions or patterns often associated with that vulnerability. For instance, if Log4Shell primarily affected specific versions of Java applications exposing certain services, you could try to narrow it down.

For a more general approach to finding vulnerable services, you might search for a service known to have many common vulnerabilities, like certain versions of an older database or web server.

Let's try to find devices running an older, potentially vulnerable version of nginx.

service.name:nginx AND service.version:"1.14.0"
Enter fullscreen mode Exit fullscreen mode

(Note: Always check the specific version information against public CVE databases like NVD to determine actual vulnerability status.)

This query helps you quickly pinpoint instances that might need immediate patching or further investigation. It's a great first step in a vulnerability management workflow.

Use Case 3: Finding Open RDP Ports for Auditing

Remote Desktop Protocol (RDP) is a common target for attackers, and accidentally exposing it to the internet is a significant security risk. You can quickly check for publicly exposed RDP services.

port:3389 AND protocol:rdp
Enter fullscreen mode Exit fullscreen mode

This simple query will list all devices with an open RDP port (3389). If you manage a large network, running this query periodically can act as a quick check against misconfigurations.

Tips for Effective Querying

  • Be Specific: The more specific your query, the more relevant your results will be. Use AND and OR operators to combine terms.
  • Explore Fields: ScanSearch offers various fields you can query, such as ip, port, service.name, service.version, protocol, etc. Experiment with these to narrow down your searches.
  • Regular Checks: For ongoing security, integrate ScanSearch queries into your regular audit routine. It's a fantastic way to passively monitor your public-facing assets.

Beyond the Basics

While we've only scratched the surface, ScanSearch's capabilities extend to discovering a wide array of network services, like databases (MongoDB, MySQL), industrial control systems (SCADA), and various IoT devices. The key is to understand what you're looking for and formulate your query accordingly.

For more detailed query syntax and available fields, I recommend checking out the ScanSearch website directly.

Conclusion

ScanSearch offers a powerful and efficient way for developers, system administrators, and security professionals to gain insights into the internet's observable attack surface. By leveraging its internet-wide scanning data, you can quickly identify exposed services, pinpoint potential vulnerabilities, and audit your own infrastructure without the need for active scanning. It's a valuable tool in any developer's security toolkit for proactive defense and reconnaissance.

Top comments (0)