DEV Community: rrrowan

A Single Dork to Understand Your Infrastructure: Asset Exposure & Configuration Profiling

rrrowan — Sat, 29 Nov 2025 06:25:13 +0000

In cybersecurity, identifying internet-facing infrastructure and rapidly building configuration profiles is fundamental to effective defense. There are multiple ways to capture this information, and ZoomEye provides a powerful capability that allows analysts to easily discover exposed services and configurations.

With a single well-crafted dork query, we can enumerate exposed architectures, technology stacks, operating systems, and service configurations.

This article introduces how to leverage ports, service banners, icon hashes (iconhash), and other metadata to quickly fingerprint infrastructure and help security teams gain visibility into exposure risks.

1. Exposure Surface & Configuration Profiling of Infrastructure

1.1 Core Indicators of Asset Exposure

When we perform searches on ZoomEye, we are not simply querying IPs or ports. Instead, we leverage service banners, icon hashes (iconhash), SSL/TLS certificate fields, and other metadata to accurately identify service implementations and system configurations. Common indicators include:

Port Numbers: Many services run on well-known ports—for example, HTTP on port 80, HTTPS on 443, SSH on 22, and so on. Exposed ports provide initial insight into the type of service running.
Service Banners: When a service starts, it typically returns a recognizable banner string that may include software version, operating system, hardware architecture, or framework information. These banners enable precise fingerprinting of the technology stack.
Icon Hash (iconhash): By hashing a site’s favicon or icon file, we can identify the CMS, framework, or platform it is built on. CMS platforms such as WordPress, Joomla, and Drupal exhibit distinct favicon fingerprints, making it possible to mass-enumerate sites with similar templates or deployment origins.
SSL/TLS Certificates: Certificate fields such as subject and issuer often reveal important attributes of the service or domain, including certificate owner, issuing CA, organization name, and other metadata relevant to configuration profiling.

1.2 ZoomEye Query Examples: Rapid Identification of Architecture & Technology Stack

With a single dork query, ZoomEye can quickly reveal publicly exposed services and their underlying technology stack. Below are several common query examples that demonstrate how to identify these components:

Query: Identify Exposed HTTP Services and Version Information
(port=80 || port=443) && banner="Apache"
Explanation:

This query enumerates HTTP services exposed on ports 80 or 443 where the service banner contains the string "Apache", indicating that the target is likely running Apache HTTP Server.
Query: Identify Exposed WordPress Sites
title="WordPress" || iconhash="000bf649cc8f6bf27cfb04d1bcdcd3c7"
Explanation:

title="WordPress" identifies sites that explicitly return a WordPress page title.
iconhash matches sites sharing the same favicon fingerprint, which often correlates with specific CMS platforms or themes.
This method enables large-scale enumeration of exposed Content Management Systems (CMS).

Query: Identify Exposed Jenkins CI/CD Systems
title="Jenkins" || banner="Jenkins CI"
Explanation:

This query detects exposed Jenkins services either through the page title or the banner string. Jenkins is widely used for Continuous Integration / Continuous Delivery (CI/CD), and publicly exposed instances can introduce significant security risks.

Query: Find Exposed MySQL Databases
port=3306 && banner="MySQL"
Explanation:

This query identifies MySQL services exposed on the default port 3306, where the banner confirms a MySQL database instance. Exposing database interfaces directly to the internet represents a high-risk security issue.

2. Building an Infrastructure Exposure Profile

Using ZoomEye and other reconnaissance tools, we can rapidly construct a configuration profile of an organization’s public-facing infrastructure. This process typically involves the following steps:

2.1 Collecting Service Information

ZoomEye queries allow us to gather key details such as:

Service Types:

By analyzing open ports and service banners, we can determine which services are running—such as web servers, databases, and development tools.
Version Information:

Many banners expose software version numbers, enabling analysts to assess whether known vulnerabilities may be present.
Technology Stack Identification:

Specific indicators—such as service banners and icon hashes—provide insight into the underlying technology stack (e.g., Nginx, Apache, Tomcat, MySQL).

2.2 Segmentation by Organization or Geographic Region

Assets can also be filtered by Autonomous System (AS) number or geographic attributes (e.g., country=CN) to analyze exposure for a specific country, network provider, or organization.

Example Query: Identify Exposed Jenkins Instances in China
title="Jenkins" && country=CN

This enumerates all publicly exposed Jenkins CI systems located in China, supporting targeted monitoring of a region’s attack surface.

2.3 Risk Assessment

Because exposed services may contain known vulnerabilities, risk assessment is a crucial part of configuration profiling. Several approaches include:

Version-to-CVE Mapping:

By correlating exposed service versions with entries in the CVE (Common Vulnerabilities and Exposures) database, analysts can determine whether high-risk vulnerabilities are present.
Default Configuration Review:

Many systems are deployed with insecure defaults, such as default credentials, unnecessary services enabled, or lack of SSL/TLS encryption.
Cross-Service Correlation:

By combining multiple query conditions—e.g., exposed MySQL plus phpMyAdmin, or Jenkins plus GitLab—we can identify compounded attack surfaces and multi-vector risk scenarios.

3. Conclusion

ZoomEye enables analysts to efficiently discover internet-exposed services and identify their underlying technology stacks through indicators such as open ports, service banners, and icon hashes. Leveraging this information, security teams can construct an accurate exposure and configuration profile of their infrastructure, assess associated risks, and implement appropriate defensive measures.

Recommended Practices:

Regular Exposure Surface Monitoring:

Periodically use ZoomEye or similar reconnaissance tools to review the current state of publicly exposed services and detect newly surfaced assets.
Vulnerability Identification & Hardening:

Use version information, configuration metadata, and publicly available intelligence to quickly identify known vulnerabilities and apply timely security hardening measures.

Using ZoomEye to Discover “Convenient Tools”: OSINT-Driven Reconnaissance for Security Researchers

rrrowan — Wed, 26 Nov 2025 07:00:39 +0000

1. Introduction: Intelligence Search Engines Are More Than Just “Asset Viewers”

Most people use ZoomEye primarily as an asset-scanning platform — entering an IP, domain, or port to check which services a host exposes to the Internet.

However, from a security research and offensive–defensive operations perspective, ZoomEye functions more like a search engine for cyberspace. It can help you locate online systems, components, frameworks — and even forgotten open-source tools, testing interfaces, and administrative panels that remain publicly accessible.

In other words, you can use it not only to find targets, but also to find tools exposed on the Internet.

2. Logic of Tool Discovery: From Protocol Fingerprints to Product Identification

ZoomEye’s query syntax is highly flexible. It supports filtering based on:

banner / title / header fields
Metadata such as port, country, service
SSL/TLS certificates, iconhash (favicon hash), and HTTP fingerprints

When the objective is to identify tool-type assets exposed online, the following methodology applies:

These queries allow you to quickly identify tools that are publicly reachable but intended to be internal-only, revealing misconfigurations or accidental exposure in an organization’s attack surface.

3. From “Finding Tools” to “Building a Knowledge Graph”

Once you collect these results in bulk (e.g., via the ZoomEye API), you can process the data in a structured manner, such as:

Extracting domains/IPs
Grouping by SSL certificate fingerprints
Aggregating by country/ASN
Analyzing component versions and exposure timelines

This enables the construction of a “security tool ecosystem graph”, answering questions like:

Which countries or industries expose Kibana most frequently?
Which versions of SonarQube are most prone to public exposure?
Which organizations are using the same SSL certificate in their testing environments?

This intelligence not only aids in attack surface research but also reflects the maturity distribution of security practices across organizations.

4. Example: Identifying Globally Exposed Vulnerability Scanning Systems

(title="OpenVAS" || title="Nessus") && country="CN"

Running this query in ZoomEye reveals a large number of exposed security scanning consoles, some of which lack authentication entirely.
Further filtering by port (e.g., port=9392 or port=8834) or combining with HTTP response indicators such as "HTTP/1.1 200 OK" can help isolate systems that are truly online and reachable.

5. Security Guidance and Compliance Boundaries

The purpose of these searches is intelligence analysis and defensive strategy, not intrusion or exploitation.

You can:

Identify exposed assets within your own organization
Study global deployment trends of security tools
Build SOC training datasets for offense–defense exercises

You must not:

Scan or validate vulnerabilities on unauthorized assets
Share raw, non-sanitized results on public platforms

6. Conclusion

ZoomEye is not just a magnifying glass for security researchers, but also a window into the cyber ecosystem.
Learning to use it to “discover tools” reveals a more authentic, chaotic, and intriguing Internet —
a world full of misconfigurations, debugging interfaces, and forgotten assets.
“The boundary of information security is not the firewall; it is perception.”

I’ve heard that ZoomEye will also launch a Black Friday promotion. If you need it, now’s a good time to grab a subscription.

A Few Simple Introductions to ZoomEye Pages

rrrowan — Fri, 26 Sep 2025 08:51:59 +0000

ZoomEye Search Description Feature

On ZoomEye's search page, the Search Description window provides users with a quick reference to search syntax and logic. This feature serves as a practical guide for both beginners and advanced users, helping them perform queries more efficiently.

Key Highlights

1. Search Scope

Supports searching for IPv4, IPv6 devices, and websites (domain names).
Keywords are matched in "global mode," covering multiple protocols such as HTTP/HTTPS, SSH, FTP, as well as titles, SSL, and protocol headers.

2. Syntax Matching Rules

Searches are case-insensitive and matched after segmentation.
Use == for strict and precise matching.

3. Special Characters & Syntax Tips

Quotation marks are recommended for search strings (e.g., "Cisco System").
Escape characters are supported: \ can be used to escape quotes, brackets, and other symbols.

4. Search Logic Table

Lists common logical operators such as = and ==.
Each operator includes a description and an example for quick understanding.

Benefits

Beginner-Friendly: Helps new users quickly grasp search syntax.
Advanced Reference: Provides detailed syntax rules for researchers needing high-precision searches.
On-Page Help: Always accessible without leaving the search page.

ZoomEye Site Message Feature

The Site Message feature in ZoomEye is designed to keep users updated with the platform's latest news. It mainly pushes notifications about feature updates, promotional events, and security insights, ensuring users don't miss any important information.

Key Features

1. Feature Update Notifications

Whenever ZoomEye releases a new feature or enhances existing ones, users are notified through Site Messages to stay up to date.

2. Promotions & Event Announcements

Includes limited-time discounts, new plan launches, points activities, and more—directly delivered to the inbox.

3. Security Intelligence Alerts

Periodic updates on industry reports or risk summaries, such as vulnerabilities in specific sectors, helping users improve awareness and defenses.

4. Guides & Announcements

a. Provides quick-start guides for new tools and official announcements, making it easier for users to learn and adopt features.

Benefits

Instant Updates: Receive all important platform news directly within ZoomEye.
Never Miss Deals: Get timely alerts about discounts and promotional campaigns.
Enhanced Security Awareness: Access industry insights and risk notices to stay protected.

ZoomEye Profile Page

On the Profile page of ZoomEye, users can manage their account information and access their unique Invitation Code and API Key. These features not only enhance account usability but also provide extra benefits and convenience.

1. Invitation Code

Exclusive Referral: Every user has a unique invitation code.
Referral Rewards: Friends using your code to purchase a membership will receive a 5% discount, and you will earn 10,000 ZoomEye Points per purchase.
One-Click Copy: The code can be copied with a single click, making it easy to share.

Value: The invitation system creates a win-win — your friends save money while you earn points.

2. API Key

Unique Key: Each account is assigned a personal API Key for accessing ZoomEye’s API.
API Usage: Without logging in, you can send requests with your API Key to automate searches and data collection.
Point Deduction: API calls consume points, and the usage will be reflected in your account balance.
Security Management: Users are advised to regularly replace their API Key to maintain account security.

Value: The API Key enables users to integrate ZoomEye into their own tools, scripts, or platforms, making large-scale and automated asset searches possible.

ZoomEye vs. Other Search Engines: Why It’s the Top Choice for Security Researchers

rrrowan — Thu, 18 Sep 2025 08:09:11 +0000

In today’s cybersecurity research and threat intelligence field, cyberspace mapping search engines play a crucial role. Whether for enterprise security teams, threat analysts, or independent researchers, these tools are indispensable. Common platforms include ZoomEye, Shodan, FOFA, and Censys. While they share some similarities, their differences in functionality, data coverage, and usability are significant.

1. Data Coverage & Real-Time Updates

ZoomEye: As one of the earliest cyberspace mapping engines, ZoomEye continuously conducts global active scans and passive monitoring, covering devices, services, and web applications. Its real-time updates ensure fast reflection of changes in the global internet landscape.
Shodan: Strong in industrial control systems (ICS/SCADA) data, but its update frequency in certain regions is less consistent than ZoomEye.
FOFA: Offers diverse fingerprint search syntax, but since it partially relies on passive data collection, its breadth of coverage is slightly weaker.
Censys: Well-regarded for academic and enterprise research, with strong SSL/TLS certificate scanning capabilities, but its overall coverage is not as broad as ZoomEye.

2. Search Syntax & Flexibility

ZoomEye: Supports advanced query syntax, such as filtering by protocol (app), port (port), service (service), and vulnerabilities (vul.cve). This enables highly precise asset discovery and risk identification.
Shodan: Simple syntax, good for beginners, but limited flexibility in complex scenarios.
FOFA: Syntax is more complex, with a steeper learning curve, though it’s still useful for in-depth research.
Censys: Uses a structured query language that is very precise but less beginner-friendly.

3. Features & Value-Added Services

ZoomEye provides visualization reports, global threat maps, and specialized datasets for attack surface management and threat monitoring. These features align well with enterprise security teams’ daily needs.
Shodan offers APIs for integration but fewer advanced features.
FOFA focuses on information presentation but is weaker in multi-source integration.
Censys is widely used in academia, with reliable APIs, but its visualization and commercial security features are less extensive than ZoomEye.

4. Overall Evaluation

In summary:

For broad data coverage, real-time accuracy, flexible syntax, and multi-scenario use, ZoomEye clearly stands out.
Shodan is suitable for ICS/SCADA-focused research.
FOFA is more friendly for Chinese users but lacks ZoomEye’s international reach and feature set.
Censys is strong in certificate-related analysis but not as comprehensive overall.

Conclusion

With global cyber threats escalating, researchers must rely on trustworthy search engines for asset discovery, vulnerability monitoring, and threat intelligence gathering. Among all available options, ZoomEye, with its comprehensive coverage, powerful syntax, and visualization features, is the top choice for security professionals and researchers worldwide.

The Most Popular Cybersecurity Search Engine ZoomEye and Similar Platforms, and How to Perform Subdomain Collection

rrrowan — Wed, 17 Sep 2025 07:27:04 +0000

I. ZoomEye

1. Introduction

ZoomEye is a cyberspace search engine specializing in the discovery and analysis of devices and services connected to the internet. Its primary objective is to provide insights into online devices, security vulnerabilities, and network infrastructure, assisting users in penetration testing, cybersecurity analysis, and asset management.

2. Official Website

ZoomEye Official Website: https://www.zoomeye.ai/

3. Key Features

Device Search: Users can search for specific devices using criteria such as IP address, service type, and response content.
Vulnerability Detection: ZoomEye surfaces known security vulnerabilities, aiding users in identifying potential security risks.
Real-time Data Updates: The platform regularly scans the internet and updates its database to ensure data timeliness and accuracy.

II. Similar Search Engines

1. Shodan

Description: The first and most well-known cyberspace search engine, focusing on discovering internet-connected devices (IoT, servers, industrial control systems, etc.).
Features:
- Supports filtering by IP, port, service, operating system, and geographic location
- Provides API access and real-time data monitoring
Website: https://www.shodan.io/

2. Censys

Description: A platform specializing in internet asset discovery and security assessment, offering detailed protocol and certificate data analysis.
Features:
- Tracks TLS/SSL certificates
- Identifies exposed services
- Supports large-scale network reconnaissance
Website: https://censys.io/

3. BinaryEdge

Description: A global cybersecurity search engine that focuses on threat intelligence and attack surface monitoring.
Features:
- Provides data on exposed services, vulnerabilities, and sensitive data leaks
- Powerful API integration
Website: https://www.binaryedge.io/

4. Netlas

Description: A search engine for internet-connected devices and services, offering extensive filtering and data export capabilities.
Features:
- Supports real-time scanning
- Historical data querying
- Customized alert notifications
Website: https://www.netlas.io/

5. Greynoise

Description: A specialized platform focused on analyzing internet background noise and filtering out benign scanning activity.
Features:
- Helps security teams distinguish between targeted threats and mass scanning events
- Reduces alert fatigue
Website: https://www.greynoise.io/

III. Subdomain Enumeration

1. Introduction

Subdomain enumeration is a critical component of cybersecurity reconnaissance and intelligence gathering, particularly in penetration testing and vulnerability assessment workflows.

2. Methods for Subdomain Enumeration

Search Engine Syntax Queries:
Utilize cyberspace search engines (e.g., ZoomEye) with advanced syntax (e.g., site:example.com) to filter and extract subdomain data from search results.
Subdomain Query Websites:
Employ WHOIS lookup tools to retrieve domain registration details, which may reveal associated subdomains through DNS records or administrative metadata.

A brief introduction to ZoomEye and similar search engines, and how to perform subdomain collection.

rrrowan — Wed, 17 Sep 2025 07:06:32 +0000

I. ZoomEye

1. Introduction

2. Official Website

ZoomEye Official Website: https://www.zoomeye.ai/

3. Key Features

Device Search: Users can search for specific devices using criteria such as IP address, service type, and response content.
Vulnerability Detection: ZoomEye surfaces known security vulnerabilities, aiding users in identifying potential security risks.
Real-time Data Updates: The platform regularly scans the internet and updates its database to ensure data timeliness and accuracy.

II. Similar Search Engines

1. Shodan

Description: The first and most well-known cyberspace search engine, focusing on discovering internet-connected devices (IoT, servers, industrial control systems, etc.).
Features:
- Supports filtering by IP, port, service, operating system, and geographic location
- Provides API access and real-time data monitoring
Website: https://www.shodan.io/

2. Censys

Description: A platform specializing in internet asset discovery and security assessment, offering detailed protocol and certificate data analysis.
Features:
- Tracks TLS/SSL certificates
- Identifies exposed services
- Supports large-scale network reconnaissance
Website: https://censys.io/

3. BinaryEdge

Description: A global cybersecurity search engine that focuses on threat intelligence and attack surface monitoring.
Features:
- Provides data on exposed services, vulnerabilities, and sensitive data leaks
- Powerful API integration
Website: https://www.binaryedge.io/

4. Netlas

Description: A search engine for internet-connected devices and services, offering extensive filtering and data export capabilities.
Features:
- Supports real-time scanning
- Historical data querying
- Customized alert notifications
Website: https://www.netlas.io/

5. Greynoise

Description: A specialized platform focused on analyzing internet background noise and filtering out benign scanning activity.
Features:
- Helps security teams distinguish between targeted threats and mass scanning events
- Reduces alert fatigue
Website: https://www.greynoise.io/

III. Subdomain Enumeration

1. Introduction

Subdomain enumeration is a critical component of cybersecurity reconnaissance and intelligence gathering, particularly in penetration testing and vulnerability assessment workflows.

2. Methods for Subdomain Enumeration

Search Engine Syntax Queries:
Utilize cyberspace search engines (e.g., ZoomEye) with advanced syntax (e.g., site:example.com) to filter and extract subdomain data from search results.
Subdomain Query Websites:
Employ WHOIS lookup tools to retrieve domain registration details, which may reveal associated subdomains through DNS records or administrative metadata.