DEV Community: StarkMan

Use ZoomEye to find Jupyter servers without identity verification enabled

StarkMan — Fri, 26 Sep 2025 06:42:00 +0000

1. Abstract

In the process of using Jupyter Notebook and JupyterLab, some users lack security awareness and do not enable the authentication function, so that any user can directly access their own Jupyter server and view the code and documents on their server.

We use the ZoomEye cyberspace search engine to find those Jupyter servers on the Internet that do not enable authentication through specific search keywords. The leaked code and documents on these servers, if exploited by criminals, may cause data leakage and asset loss.

We recommend that all Jupyter users follow the official security recommendations when starting the Jupyter service, and set it to log in through token or password.

2. Overview

ZoomEye [1] is a cyberspace search engine. Through the global deployment of detection nodes, it conducts uninterrupted in-depth detection of global Internet exposed assets, builds Internet security basic situation mapping maps, and provides comprehensive asset basic data for security research.

Jupyter Notebook [2] is a program that opens in the form of a web page. You can directly write and run code on the web page, and the running result of the code will also be displayed directly under the code block. If you need to write an instruction document during the programming process, you can write it directly on the same page, which is convenient for explanation [3]. It is one of the most familiar and commonly used tool for data scientists.

JupyterLab [4] is an interactive development environment, which is the next generation of Jupyter Notebook. You can use it to write Notebook, operate terminal, edit MarkDown text, open interactive mode, view csv files and pictures, etc. It can be said that JupyterLab is a more mainstream development environment for developers in the next stage [5].

In this article, we describe how to use ZoomEye to find Jupyter servers without identity verification enabled, and access their code and documentation through a web browser.

3. Installation and startup of Jupyter

3.1 Jupyter Notebook

In this chapter, we introduce how to install, startup normally, startup Jupyter Notebook without authentication, and the effect of the corresponding web browsing access.

For the installation method of Jupyter Notebook, refer to its official website [6]. You only need to enter a sentence command on the command line, which is simple and convenient.

pip install notebook

The normal way to startup Jupyter Notebook is to enter a one-sentence command. By default, a web service is opened on port 8888 of localhost, and a token value for user authentication is generated.

jupyter notebook

At this point, when you enter http://localhost:8888 in your web browser to access Jupyter Notebook, the page will prompt you to enter a password or token.

We enter the token value obtained when the command line is started on the page to pass the authentication and use the product functions of Jupyter Notebook.

Some users need to access their Jupyter Notebook service through the Internet, and in order to avoid the trouble of entering a password or token, they will use the following command to expose the Jupyter Notebook service to the Internet IP without enabling authentication.

jupyter notebook --ip="*" --NotebookApp.token="" --NotebookApp.password=""

At this time, any user who knows the Internet IP of the Jupyter Notebook service can enter http://*.*.*.*:8888 in the web browser to access the Jupyter Notebook service without authentication. Review the code and files on the server. Note that in this case, the title of the page reads: "Home Page - Select or create a notebook".

3.2 JupyterLab

In this chapter, we introduce how to install, startup JupyterLab normally, startup JupyterLab without authentication, and the effect of the corresponding web browsing access.

For the installation method of JupyterLab, refer to its official website [7]. You only need to enter a sentence command on the command line, which is simple and convenient.

pip install jupyterlab

The normal way to startup JupyterLab is to enter a command. By default, a web service is opened on port 8888 of localhost, and a token value for user authentication is generated.

jupyter-lab

At this point, when you enter http://localhost:8888 in the web browser to access Jupyter Lab, the page will prompt you to enter a password or token.

We enter the token value obtained when the command line is started on the page to pass the authentication and use the product functions of JupyterLab.

Some users need to access their JupyterLab service through the Internet, and in order to avoid the trouble of entering a password or token, they will expose the JupyterLab service to the Internet IP through the following command, and do not enable authentication.

jupyter-lab --ip="*" --NotebookApp.token="" --NotebookApp.password=""

At this time, any user who knows the Internet IP of the JupyterLab service can enter http://...:8888 in the web browser to access the JupyterLab service without authentication, and can directly view the server code and documentation on. Note that the content of the page title in this case is: “JupyterLab”.

4. Find Jupyter servers without identity verification enabled

As mentioned in the previous section, the title content of the Jupyter Notebook service without authentication is “Home Page — Select or create a notebook”, and the title content of the JupyterLab service without authentication is “JupyterLab”.

We used the following keywords to search on ZoomEye, and found the Jupyter Notebook server IP address and port that can be directly viewed and used without authentication, with a total of 1362 results.

title="Home Page - Select or create a notebook"

We used the following keywords to search on ZoomEye, and found the JupyterLab server IP address and port that can be directly viewed and used without authentication, with a total of 2071 results.

title="JupyterLab"

5. Hazards of Jupyter Serving without identity verification enabled

When the user builds the Jupyter service, the identity verification is not enabled. Although it is convenient for daily use and does not need to enter a password; If sensitive information such as name/password, API key/secret is used by criminals, it may cause data leakage and asset loss.

Example 1:

As shown in the figure below, the code in the Jupyter server leaked: the key and secret of the user API of the bitFlyer cryptocurrency exchange, the username and password of the Gmail mailbox.

Criminals can use the key and secret of the bitFlyer cryptocurrency exchange API to create transactions and cancel transactions on the exchange, which may cause asset losses; use the username and password of Gmail mailboxes to log in to Gmail mailboxes, which may cause privacy Data leakage.

Leaked key and secret of bitFlyer cryptocurrency exchange API

Leaked Gmail username and password

Example 2:

As shown in the figure below, the code in the Jupyter server leaked: the ACCESS KEY ID and SECRET ACCESS KEY of the Amazon AWS account.

Criminals can use the ACCESS KEY ID and SECRET ACCESS KEY of the Amazon AWS account to obtain the account permissions of Amazon AWS, upload files to Amazon S3 cloud storage space, and even create new cloud servers on Amazon AWS.

Leaked ACCESS KEY ID of Amazon AWS account

Leaked SECRET ACCESS KEY of Amazon AWS account

6. Conclusion

When using Jupyter, try not to expose its web services on the Internet, but open them for use in the local area network to avoid being accessed by unrelated people.

If there is a need to expose Jupyter’s web services to the Internet, you must set up a token or password login instead of disabling authentication for convenience. For specific operations, please refer to Jupyter’s official security advice blog: Please don’t disable authentication in Jupyter servers [8].

7. Reference

[1] ZoomEye cyberspace search engine
https://www.zoomeye.ai

[2] Jupyter Notebook
https://jupyter.org

[3] Jupyter Notebook introduction, installation and usage tutorial
https://zhuanlan.zhihu.com/p/33105153

[4] JupyterLab
https://jupyter.org

[5] Introduction to JupyterLab and common operations
https://support.huaweicloud.com/engineers-modelarts/modelarts_23_0209.html

[6] Installation method of Jupyter Notebook
https://jupyter.org/install

[7] Istallation method of JupyterLab
https://jupyter.org/install

[8] Please dont disable authentication in Jupyter servers
https://blog.jupyter.org/please-dont-disable-authentication-in-jupyter-servers-dd197206e7f6

Best Practices for Enhancing Attack Surface Management and Accelerating Vulnerability Response

StarkMan — Tue, 23 Sep 2025 06:39:53 +0000

Attack Surface Management (ASM) has become a cornerstone of modern cybersecurity. As enterprises expand across on-premise systems, cloud services, and third-party platforms, their external attack surface grows continuously. The mission of ASM is to maintain visibility into exposed assets, reduce blind spots, and respond swiftly to newly discovered risks. Rapid vulnerability response is tightly aligned with ASM: knowing exactly which internet-facing systems are vulnerable allows teams to prioritize remediation and protect business operations.

This article introduces several best practices for ASM and rapid vulnerability response, using Shodan and ZoomEye as practical examples. These two platforms highlight how cybersecurity search engines can be applied effectively in real-world scenarios.

Cybersecurity search engine platforms are among the most powerful tools for this task. They continuously discover and analyze exposed assets across the Internet, offering organizations data support from tactical monitoring to strategic risk management. For security service providers, these platforms are critical to delivering higher-value protection and actionable insights.

Key Value These Platforms Deliver:

Strengthen Attack Surface Management: Detect and control exposed internet assets in real time, enabling proactive risk mitigation.
Accelerate Vulnerability Response: Rapidly quantify affected assets during emerging vulnerabilities, ensuring critical issues are prioritized and remediated.

ASM Scenarios

Monitoring exposed remote access services Example: Track RDP endpoints tied to Microsoft organization.

Shodan best practice: port:3389 org:"microsoft"
ZoomEye best practice: port="3389" && org="microsoft"

Monitoring exposed directory listings Example: Detect misconfigured servers where files and sensitive data may be browsed directly.

Shodan best practice: http.title:"Index of /" org:"microsoft"
ZoomEye best practice: title="Index of /" && org="microsoft"

Rapid Vulnerability Response Scenarios

Identifying assets exposed to CVE-2025-53770. Example: Discover Microsoft-related assets vulnerable to this CVE, enabling teams to quickly quantify risk, prioritize remediation, and contain potential exploitation.

Shodan best practice: "MicrosoftSharePointTeamServices" org:"microsoft"
ZoomEye best practice: vul.cve="CVE-2025-53770" && org="microsoft"

Identifying assets exposed to CVE-2025-47812. Example: Locate Microsoft-related assets vulnerable to this CVE.

Shodan best practice: "Wing FTP Server" org:"microsoft"
ZoomEye best practice: vul.cve="CVE-2025-47812" && org="microsoft"

Conclusion

Cybersecurity search engine platforms are indispensable for organizations seeking to strengthen Attack Surface Management and accelerate vulnerability response. Shodan excels in quick discovery and broad monitoring, while ZoomEye delivers richer and more granular filters—covering certificates, CVEs, hashes, bug bounty tags, and time-based queries.

By combining both platforms, security teams gain continuous visibility into their attack surface, respond faster to emerging vulnerabilities, and deliver greater value to stakeholders. This dual-platform approach reduces exposure, enhances resilience, and keeps defenses aligned with the ever-changing digital threat landscape.

Shodan vs ZoomEye Query Syntax Comparison

StarkMan — Tue, 23 Sep 2025 06:17:30 +0000

This article provides a side-by-side comparison of the most common query operators in Shodan vs the latest syntax in ZoomEye.

When it comes to cyberspace search engines, Shodan and ZoomEye are two of the most widely used platforms.

Shodan is often described as “the search engine for the Internet of Things,” indexing banners and metadata from connected devices worldwide.
ZoomEye, is another powerful search engine for internet-wide scanning, particularly popular in the security research community.

Both platforms allow analysts, penetration testers, and defenders to search for exposed services, vulnerable hosts, and network fingerprints.
However, their query syntax is different — and mixing them up can lead to zero results or misleading queries.

1. Comparison Table

2. Example Queries

Find exposed RDP (3389) assets

Shodan:     port:3389
ZoomEye:    port=3389

Find RDP servers in the US

Shodan:     port:3389 country:US
ZoomEye:    port=3389 && country="US"

Search for Log4Shell exposure

Shodan:     (no direct CVE filter, need to search service/version)
ZoomEye:    vul.cve="CVE-2021–44228"

3. Practical Use Cases

Find Internet-exposed webcams

Shodan:     title:"webcamXP" port:8080
ZoomEye:    title="webcamXP" && port=8080`

Discover SSL certificates issued to a company

Shodan:     (limited - search by org or hostname)
ZoomEye:    ssl.cert.issuer.cn="DigiCert Inc"

Locate vulnerable Apache servers

Shodan:     product:Apache version:2.4.49
ZoomEye:    app="Apache httpd" && version="2.4.49"

Find industrial control systems (ICS) devices

Shodan:     port:502 modbus
ZoomEye:    port=502 && service="modbus"

4. Key Takeaways

Shodan is simpler and effective for quick searches.
ZoomEye provides richer filters (certificates, CVEs, hashes, bug bounty tags, time filters).
Always use the correct syntax style: filter:value for Shodan vs. field=value for ZoomEye.
Mastering both platforms gives analysts a stronger toolkit for reconnaissance, attack surface monitoring, and threat hunting.

5. Further Reading

Shodan official documentation: Search Query Fundamentals
ZoomEye latest syntax guide: A Complete Guide to the Latest ZoomEye Search Syntax

A Complete Guide to the Latest ZoomEye Search Syntax

StarkMan — Tue, 23 Sep 2025 06:03:48 +0000

ZoomEye, a leading cyberspace search engine, has updated its query syntax to provide more precise and flexible search capabilities. This guide consolidates the latest syntax rules from the official documentation, offering cybersecurity professionals a ready reference for asset discovery, attack surface mapping, and threat hunting.

Description

Search scope covers devices (IPv4, IPv6) and websites (domain names)
When entering a search string, the system will match the keywords in “global” mode, covering content from various protocols such as HTTP, SSH, FTP, etc. (e.g., HTTP/HTTPS protocol headers, body, SSL, title, and other protocol banners)
The search string is case-insensitive and will be matched after segmentation (the search results page provides a “segmentation” test function). Use == for precise matching and strict restriction of search syntax case sensitivity.
Please use quotation marks for search strings.

e.g., "Cisco System" or 'Cisco System'

If there are quotation marks in the search string, use \ for escape, 
e.g., "a\"b"

If there are brackets in the search string, use \ for escape,
e.g., portinfo\(\)

1. Search Logic Operations

Searchlogic: =
Description: Search for assets containing keywords
Example: title=“knownsec”
Search for websites with titles containing Knowsec’s assets

Searchlogic: ==
Description: Accurate search, indicating a complete match of keywords (case sensitive), can search for data with empty values
Example: title==“knownsec”
Precise search, which means exact match of keywords (case sensitive), and can search for data with empty values Search for assets with the website title “Knownsec”

Searchlogic: ||
Description: Enter “||” in the search box to indicate the logical operation of “or”
Example: service=“ssh” || service=”http”
Search for SSH or HTTP data

Searchlogic: &&
Description: Enter “&&” in the search box to indicate the logical operation of “and”
Example: device=“router” && after=“2020–01–01”
Search for routers after Jan 1, 2020

Searchlogic: !=
Description: Enter “!=” in the search box to indicate the logical operation of “not”
Example: country=“US” && subdivisions!=“new york”
Search for data in united states excluding new york

Searchlogic: ()
Description: Enter “()” in the search box to indicate the logical operation of “priority processing”
Example: (country=“US” && port!=80) || (country=“US” && title!=“404 Not Found”)
Search excluding port 80 in US or “404 not found” in the US

Searchlogic: *
Description: Fuzzy search, use * for search
Example: title=“google*”
Fuzzy search, use * to search Search for assets containing google in the website title, and the title can end with any character

2. Geographical Search

Filter: country="CN"
Description: Search for country assets
Tips: Input country abbreviations or names, e.g. country=“china”

Filter: subdivisions="beijing"
Description: Search for assets in the specified administrative region
Tips: Input in English, e.g. subdivisions=“beijing”

Filter: city="changsha"
Description: Search for city assets
Tips: Input in English, e.g. city=“changsha”

3. Certificate Search

Filter: ssl="google"
Description: Search for assets with “google” string in ssl certificate
Tips: Often used to search for corresponding targets by product name and company name

> Filter: ssl.cert.fingerprint="F3C98F223D82CC41CF83D94671CCC6C69873FABF"
Description: Search for certificate-related fingerprint assets

Filter: ssl.cert.issuer.cn="pbx.wildix.com"
Description: Search for the common domain name of the user certificate issuer

Filter: ssl.cert.subject.cn="example.com"
Description: Search for the common domain name of the user certificate holder

Filter: ssl.jarm="29d29d15d29d29d00029d29d29d29dea0f89a2e5fb09e4d8e099befed92cfa"
Description: Search for assets related to Jarm Fingerprint content

Filter: ssl.ja3s=45094d08156d110d8ee97b204143db14
Description: Find assets related to specific JA3S fingerprints

4. IP or Domain Name Related Information Search

Filter: ip="8.8.8.8"
Description: Search for assets related to the specified IPv4 address

Filter: ip="2600:3c00::f03c:91ff:fefc:574a"
Description: Search for assets related to specified IPv6 address

Filter: cidr="52.2.254.36/24"
Description: Search for C-class assets of IP
Tips:

cidr=“52.2.254.36/16” is the B class of the IP
cidr=“52.2.254.36/8” is the A class of the IP

Filter: org="Stanford University"
Description: Search for assets of related organizations
Tips: Used to locate IP assets corresponding to universities, structures, and large Internet companies

Filter: isp="China Mobile"
Description: Search for assets of related network service providers
Tips: Can be supplemented with org data

Filter: asn=42893
Description: Search for IP assets related to corresponding ASN (Autonomous system number)

Filter: port=80
Description: Search for related port assets
Tips: Currently does not support simultaneous open multi-port target search

Filter: hostname="google.com"
Description: Search for assets of related IP “hostname”

Filter: domain="baidu.com"
Description: Search for domain-related assets
Tips: Used to search domain and subdomain data

Filter: banner="FTP"
Description: Search by protocol messages
Tips: Used for searching HTTP response header data

Filter: http.header="http"
Description: Search by HTTP response header
Tips: Used for searching HTTP response header data

Filter: http.header_hash="27f9973fe57298c3b63919259877a84d"
Description: Search by the hash values calculated from HTTP header.

Filter: http.header.server="Nginx"
Description: Search by server of the HTTP header
Tips: Used for searching the server data in HTTP response headers

Filter: http.header.version="1.2"
Description: Search by version number in the HTTP header

Filter: http.header.status_code="200"
Description: Search by HTTP response status code
Tips: Search for assets with HTTP response status code 200 or other status codes, such as 302, 404, etc.

Filter: http.body="document"
Description: Search by HTML body

Filter: http.body_hash="84a18166fde3ee7e7c974b8d1e7e21b4"
Description: Search by hash value calculated from HTML body

5. Fingerprint Search

Filter: app="Cisco ASA SSL VPN"
Description: Search for Cisco ASA-SSL-VPN devices
Tips: Entering keywords such as “Cisco” in the search box will display related app prompts

Filter: service="ssh"
Description: Search for assets related to the specified service protocol
Tips: Common service protocols include: http, ftp, ssh, telnet, etc. (other services can be found in the domain name sidebar aggregation display of search results)

Filter: device="router"
Description: Search for router-related device types
Tips: Common types include router, switch, storage-misc, etc. (other types can be found in the domain name sidebar aggregation display of search results)

Filter: os="RouterOS"
Description: Search for related operating systems
Tips: Common systems include Linux, Windows, RouterOS, IOS, JUNOS, etc. (other systems can be found in the domain name sidebar aggregation display of search results)

Filter: title="Cisco"
Description: Search for data with “Cisco” in the title of the HTML content

Filter: industry="government"
Description: Search for assets related to the specified industry type
Tips: Common industry types include technology, energy, finance, manufacturing, etc. (other types can be supplemented with org data)

Filter: product="Cisco"
Description: Search for assets with “Cisco” in the component information
Tips: Support mainstream asset component search

Filter: protocol="TCP"
Description: Search for assets with the transmission protocol as TCP
Tips: Common transmission protocols include TCP, UDP, TCP6, SCTP

Filter: is_honeypot="True"
Description: Filter for honeypot assets

6. Time-based Search

Filter: after="2020–01–01" && port="50050"
Description: Search for assets with an update time after Jan 1, 2020 and a port 50050
Tips: Time filters need to be combined with other filters

Filter: before="2020–01–01" && port="50050"
Description: Search for assets with an update time before Jan 1, 2020 and a port 50050
Tips: Time filters need to be combined with other filters

7. Dig Search

Filter: dig="baidu.com 220.181.38.148"
Description: Search for assets with related dig content

8. Vulnerability Search

Filter: vul.cve="CVE-2021–44228"
Description: Search for assets with cve related content

9. Iconhash Search

Filter: iconhash="f3418a443e7d841097c714d69ec4bcb8"
Description: Analyze the target data by MD5 and search for assets with related content based on the icon
Tips: Search for assets with the “google” icon

Filter: iconhash="1941681276"
Description: Analyze the target data by MMH3 and search for assets with related content based on the icon
Tips: Search for assets with the “amazon” icon

10. Filehash Search

Filter: filehash="0b5ce08db7fb8fffe4e14d05588d49d9"
Description: Search for assets with related content based on the parsed file data
Tips: Search for assets parsed with “Gitlab”

11. BugBounty Related

Filter: is_bugbounty=true
Description: Filter for bug bounty assets collected by ZoomEye

Filter: bugbounty.source=all
Description: Bugbounty Data sources
Tips: “hackerone”, “bugcrowd”, “intigriti”, “yeswehack”, “openbugbounty”, “all”

Filter: is_changed=true
Description: Asset changed within 7 days
Tips: Including both new and updated assets

Filter: is_new=true
Description: Asset newly discovered within the last 7 days

Conclusion

The new ZoomEye query syntax brings much more flexibility and precision compared to earlier versions. By mastering these filters — ranging from certificates, ports, banners, IP ranges, to CVEs and bug bounty assets — analysts can perform deep reconnaissance and attack surface monitoring more effectively.

ZoomEye continues to evolve, so staying updated with syntax changes is crucial for maximizing its potential in security research and threat intelligence operations.

Top 5 Domain and IP Intelligence Tools in OSINT

StarkMan — Tue, 23 Sep 2025 05:49:09 +0000

Open Source Intelligence (OSINT) has become a cornerstone for cybersecurity professionals, researchers, and investigative journalists. By collecting and analyzing publicly available information, OSINT tools enable deeper insights into threats, infrastructure, and digital footprints.

Within the wide landscape of OSINT tools, one critical category is Domain and IP Intelligence. These tools specialize in gathering data about domains, IP addresses, SSL certificates, and related digital assets. They are essential for uncovering suspicious infrastructure, tracking malicious activities, and monitoring organizational exposure.

Below are the Top 5 Domain/IP Intelligence tools worth highlighting.

WhoisXML API

Website: https://whoisxmlapi.com

Description: WhoisXML API provides one of the largest databases for domain and IP WHOIS information, along with DNS and threat intelligence feeds. It helps trace domain ownership, monitor registration changes, and correlate IP infrastructure.

Best for: Investigating domain ownership and history.

Who is it for: Cybersecurity teams, threat hunters, fraud investigators, and brand protection specialists.

Top features:

Comprehensive WHOIS and DNS data
Historical WHOIS records
Threat intelligence feeds with malicious domains/IPs
API integrations for automation

DomainTools

Website: https://www.domaintools.com

Description: DomainTools is a widely recognized platform for domain and IP profiling, offering advanced pivoting capabilities to map connections across infrastructure. It is especially strong in attribution and tracking adversary infrastructure.

Best for: Infrastructure mapping and threat attribution.

Who is it for: Threat intelligence analysts, SOC teams, law enforcement.

Top features:

Reverse WHOIS and IP lookups
Domain history and registration tracking
Risk scoring for domains
Iris Investigate platform for pivot analysis

SecurityTrails

Website: https://securitytrails.com

Description: SecurityTrails focuses on domain and IP data enrichment, offering a detailed view of DNS records, subdomains, and historical infrastructure data. It provides both web-based access and robust APIs.

Best for: Asset discovery and external attack surface management.

Who is it for: Red teams, penetration testers, ASM providers, enterprise security teams.

Top features:

Current and historical DNS records
Subdomain enumeration
Reverse IP and domain lookups
API-friendly integrations for automation

ThreatMiner

Website: https://www.threatminer.org

Description: ThreatMiner is a free OSINT resource designed for security researchers. It aggregates threat-related intelligence around domains, IPs, hashes, and reports, linking them together for context.

Best for: Quick, free enrichment of suspicious indicators.

Who is it for: Security researchers, independent analysts, malware hunters.

Top features:

Domain and IP reputation data
Links between domains, IPs, and malware reports
Searchable malware hashes and reports
Simple interface with free access

CIRCL Passive DNS (Ail framework / Passive DNS project)

Website: https://www.circl.lu/services/passive-dns/

Description: CIRCL’s Passive DNS is a community-driven intelligence project that stores DNS query/response pairs observed from large networks. It enables researchers to see domain-IP relationships over time.

Best for: Identifying malicious infrastructure and mapping related domains.

Who is it for: Threat hunters, academic researchers, incident response teams.

Top features:

Historical DNS resolutions
Domain-to-IP and IP-to-domain mapping
Community-driven, open-source ethos
Supports automated querying through API

Conclusion

Domain and IP Intelligence is a critical pillar of OSINT. The five tools above — WhoisXML API, DomainTools, SecurityTrails, ThreatMiner, and CIRCL Passive DNS — cover the spectrum from commercial-grade enterprise platforms to open and community-driven resources. Depending on your needs, whether for professional threat intelligence or independent security research, these tools provide the visibility necessary to uncover hidden relationships, track malicious infrastructure, and strengthen your overall intelligence capabilities.

The Hunter Behind the Hacker

StarkMan — Mon, 22 Sep 2025 10:12:17 +0000

0x01. Executive Summary

During cyberattacks, adversaries often rely on Command-and-Control (C2) servers, loader servers, or even their own "workstations" for staging and data transfer. In some cases, these systems inadvertently expose themselves by enabling web servers with directory browsing or file download functionality.

Our analysis revealed multiple Cobalt Strike controllers and attacker-operated machines that publicly exposed malicious binaries, exploitation scripts, payloads, and scan results. In certain instances, external actors had already traversed these directories and downloaded entire toolkits — indicating the presence of "hunters" actively targeting hacker workstations to steal their tools and intelligence.

0x02. Background

While hackers seek to compromise and exfiltrate data from their victims, they are equally vulnerable to counter-exploitation. For example, a hacker may unknowingly download a scanning tool laced with a backdoor, thereby falling under the control of a more sophisticated operator.

This report explores how publicly exposed web servers — commonly used by attackers for quick malware distribution and data transfer — can be discovered through cyberspace search engines like ZoomEye. We demonstrate how such exposure enables security researchers (or rival actors) to become “hunters behind the hackers,” intercepting the very tools meant for malicious campaigns.

Many attackers prefer lightweight methods for distributing malware, such as spinning up a temporary HTTP service and instructing compromised hosts to fetch files via curl or wget. Languages like Python make this trivial with a one-line command: python3 -m http.server

While efficient, this practice leaves attackers themselves exposed. Any party identifying the server can collect the tools, exploits, and even stolen data stored there.

0x03. Methodology: Using ZoomEye to Locate Hacker Workstations

To systematically discover attacker-operated machines, we leveraged ZoomEye to search for web servers exposing directory listings. By combining title fingerprints with keywords frequently associated with exploitation frameworks, we could identify attacker "workstations" with high confidence.

Example queries in ZoomEye:

Vulnerability exploits:

(title="Index of /" || title="Directory List" || title="Directory listing for /") && "exp"

log4j exploitation tools:

(title="Index of /" || title="Directory List" || title="Directory listing for /") && "log4j"

Cobalt Strike:

(title="Index of /" || title="Directory List" || title="Directory listing for /") && "cobaltstrike"

Metasploit:

(title="Index of /" || title="Directory List" || title="Directory listing for /") && "Metasploit"

Exploits with CVE identifiers:

(title="Index of /" || title="Directory List" || title="Directory listing for /") && "cve"

Payloads and test binaries:

(title="Index of /" || title="Directory List" || title="Directory listing for /") && "payload"
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "calc.exe"

One such exposed host revealed a toolkit containing:

Cobalt Strike payloads
Exploits for CVE-2019–7609
General-purpose payload code
Exploits for Apache James Server RCE
Multiple CVE-tagged exploitation tools
General-purpose exploit code

Such findings highlight how attacker workstations can unintentionally serve as open repositories of offensive tradecraft.

0x04. Evidence of Existing "Hunters"

Our investigation also uncovered indications that attackers themselves are being systematically targeted. For example, one workstation hosted at 83.136.*.*:8000 contained a nohup.out log file that recorded inbound requests.

Analysis of this log revealed multiple suspicious IP addresses, including 34.140.*.*, which performed recursive downloads across all directories. These were not search engine crawlers but deliberate actors — likely “hunters” — collecting every accessible file.

Three additional IP addresses exhibited identical behavior, strongly suggesting the existence of a broader ecosystem of hunters scanning the internet for attacker workstations and harvesting their contents.

0x05. Conclusion

Hackers may operate solo — limited by their own skills and blind spots — or within teams where narrowly defined roles leave critical gaps in security awareness. These structural weaknesses make their infrastructure vulnerable to discovery and exploitation.

By using tools like ZoomEye, defenders and rival threat actors alike can identify attacker workstations, capture their toolkits, and gain valuable insights into adversary tradecraft.

In short, not all hackers are skilled defenders. Many become prey to higher-level hunters. This dynamic illustrates the constant evolution of offense and defense in cyberspace — where the question is no longer just who gets hacked, but who hunts the hacker.

Top 5 Technical Asset Discovery Tools in OSINT

StarkMan — Tue, 16 Sep 2025 07:08:37 +0000

Open Source Intelligence (OSINT) is a vital component of cybersecurity research and threat hunting. It enables security professionals, investigators, and researchers to gather intelligence from publicly available sources. Within OSINT, there are several subcategories of tools, each designed to serve specific investigative needs.

One of the most important categories is Technical Asset Discovery, also known as Network Scanning and Fingerprinting. These tools focus on identifying exposed hosts, open ports, running services, and digital infrastructure across the internet. By mapping the “attack surface,” they provide the foundation for vulnerability analysis, red teaming, and defensive security strategies.

Below are the Top 5 tools in this category.

Shodan

Website:

https://www.shodan.io

Description:

Shodan is often called the “search engine for connected devices.” It continuously scans the internet, indexing banners, ports, and metadata from exposed hosts and services.

Best for:

Discovering exposed services and IoT devices.

Who is it for:

Security researchers, penetration testers, attack surface management teams.

Top features:

Searchable database of IPs, ports, and banners
Filters by organization, location, or technology
Alerts for newly exposed assets
API support for automation

Censys

Website:

https://censys.io

Description:

Censys provides in-depth internet-wide scanning and a structured database of services, certificates, and hosts. Known for its data quality and research focus, it allows detailed queries about protocols and SSL/TLS certificates.

Best for:

Infrastructure analysis and compliance monitoring.

Who is it for:

Academic researchers, enterprise security teams, digital forensics experts.

Top features:

Comprehensive SSL/TLS certificate data
Query-based search with structured filters
Internet-wide scanning results updated regularly
API and data exports for analysis

ZoomEye

Website:

https://www.zoomeye.ai

Description:

ZoomEye, developed in China, is a global cyberspace search engine. It indexes services and websites through port scanning and banner grabbing, with a large dataset useful for both attack and defense research.

Best for:

Threat hunting and adversary infrastructure discovery.

Who is it for:

Red teamers, OSINT analysts, security vendors in APAC.

Top features:

Search by IP, domain, port, service, or banner string
Geolocation filters for regional investigations
Dataset focused on both web and non-web services
API support with flexible query syntax

BinaryEdge

Website:

https://www.binaryedge.io

Description:

BinaryEdge focuses on internet-wide scanning for cyber risk management. It provides data feeds on exposed services, vulnerabilities, and cloud assets, often used by enterprises for monitoring their digital footprint.

Best for:

Attack surface monitoring and enterprise risk management.

Who is it for:

Enterprises, MSSPs, financial institutions.

Top features:

Exposure data for services and cloud assets
Customizable feeds for integration into SIEM/SOAR
Insights on vulnerable infrastructure
Subscription models for continuous monitoring

Netlas

Website:

https://netlas.io

Description:

Netlas is a modern network intelligence platform offering fast and customizable queries across internet assets. It combines banner data, certificates, and metadata to support both reconnaissance and defensive monitoring.

Best for:

Flexible asset discovery and OSINT investigations.

Who is it for:

Security analysts, penetration testers, threat hunters.

Top features:

Real-time search engine for internet-connected assets
SSL/TLS certificate and service metadata queries
JSON-based results for automation workflows
Strong focus on speed and modern interface

Conclusion

Technical Asset Discovery tools are the backbone of OSINT investigations into the digital attack surface. Platforms like Shodan, Censys, ZoomEye, BinaryEdge, and Netlas empower security teams to identify exposed infrastructure, monitor changes, and anticipate threats. Whether for academic research, enterprise defense, or offensive security testing, these tools are indispensable in modern cybersecurity practice.