In cybersecurity, identifying internet-facing infrastructure and rapidly building configuration profiles is fundamental to effective defense. There are multiple ways to capture this information, and ZoomEye provides a powerful capability that allows analysts to easily discover exposed services and configurations.
With a single well-crafted dork query, we can enumerate exposed architectures, technology stacks, operating systems, and service configurations.
This article introduces how to leverage ports, service banners, icon hashes (iconhash), and other metadata to quickly fingerprint infrastructure and help security teams gain visibility into exposure risks.
1. Exposure Surface & Configuration Profiling of Infrastructure
1.1 Core Indicators of Asset Exposure
When we perform searches on ZoomEye, we are not simply querying IPs or ports. Instead, we leverage service banners, icon hashes (iconhash), SSL/TLS certificate fields, and other metadata to accurately identify service implementations and system configurations. Common indicators include:
Port Numbers: Many services run on well-known ports—for example, HTTP on port 80, HTTPS on 443, SSH on 22, and so on. Exposed ports provide initial insight into the type of service running.
Service Banners: When a service starts, it typically returns a recognizable banner string that may include software version, operating system, hardware architecture, or framework information. These banners enable precise fingerprinting of the technology stack.
Icon Hash (iconhash): By hashing a site’s favicon or icon file, we can identify the CMS, framework, or platform it is built on. CMS platforms such as WordPress, Joomla, and Drupal exhibit distinct favicon fingerprints, making it possible to mass-enumerate sites with similar templates or deployment origins.
SSL/TLS Certificates: Certificate fields such as subject and issuer often reveal important attributes of the service or domain, including certificate owner, issuing CA, organization name, and other metadata relevant to configuration profiling.
1.2 ZoomEye Query Examples: Rapid Identification of Architecture & Technology Stack
With a single dork query, ZoomEye can quickly reveal publicly exposed services and their underlying technology stack. Below are several common query examples that demonstrate how to identify these components:
Query: Identify Exposed HTTP Services and Version Information
(port=80 || port=443) && banner="Apache"
Explanation:
This query enumerates HTTP services exposed on ports 80 or 443 where the service banner contains the string "Apache", indicating that the target is likely running Apache HTTP Server.
Query: Identify Exposed WordPress Sites
title="WordPress" || iconhash="000bf649cc8f6bf27cfb04d1bcdcd3c7"
Explanation:
- title="WordPress" identifies sites that explicitly return a WordPress page title.
- iconhash matches sites sharing the same favicon fingerprint, which often correlates with specific CMS platforms or themes.
- This method enables large-scale enumeration of exposed Content Management Systems (CMS).
Query: Identify Exposed Jenkins CI/CD Systems
title="Jenkins" || banner="Jenkins CI"
Explanation:
This query detects exposed Jenkins services either through the page title or the banner string. Jenkins is widely used for Continuous Integration / Continuous Delivery (CI/CD), and publicly exposed instances can introduce significant security risks.
Query: Find Exposed MySQL Databases
port=3306 && banner="MySQL"
Explanation:
This query identifies MySQL services exposed on the default port 3306, where the banner confirms a MySQL database instance. Exposing database interfaces directly to the internet represents a high-risk security issue.
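The indicators from section 1.1 and the dork syntax from the queries above can be assembled programmatically. The following is an added example written for this article, not ZoomEye's own tooling or API client. It assumes two things the article does not state: that iconhash is the hex MD5 digest of the raw favicon bytes (the sample iconhash above is 32 hex characters, which is MD5-sized), and that the dork grammar is exactly what the examples show (field=value terms, && for AND, || for OR, parentheses for grouping, with port and country written unquoted). The favicon bytes are a constructed stand-in, not a real site's icon.

```python
"""Favicon fingerprinting and dork assembly (added example, not ZoomEye code).

Assumptions not stated by the article:
  * iconhash is the hex MD5 of the raw favicon bytes; the article's sample
    value is 32 hex characters, which is MD5-sized.
  * The dork grammar is the one visible in the article's examples:
    field=value terms, && for AND, || for OR, parentheses for grouping,
    with port and country written without quotes.
"""
import hashlib
import re

# Fields the article writes with bare (unquoted) values.
BARE_FIELDS = {"port", "country"}

# Constructed stand-in for a downloaded favicon.ico; not a real site's icon.
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00" + b"CONSTRUCTED-ICON-PAYLOAD"


def iconhash(favicon_bytes: bytes) -> str:
    """Fingerprint an icon file the way the article uses iconhash (MD5 assumed)."""
    return hashlib.md5(favicon_bytes).hexdigest()


def term(field: str, value) -> str:
    """Render one field=value term, quoting and escaping string values."""
    if not re.fullmatch(r"[a-z_]+", field):
        raise ValueError(f"unexpected field name: {field!r}")
    if field in BARE_FIELDS:
        return f"{field}={value}"
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="{escaped}"'


def any_of(*terms: str) -> str:
    """OR-group; parenthesised so it can safely sit inside an AND."""
    return terms[0] if len(terms) == 1 else "(" + " || ".join(terms) + ")"


def all_of(*terms: str) -> str:
    """AND-join; && is assumed to bind tighter than ||, as in the article's first query."""
    return " && ".join(terms)


def exposed_apache_dork() -> str:
    """Reproduces the article's first query from its components."""
    return all_of(any_of(term("port", 80), term("port", 443)), term("banner", "Apache"))


def cms_dork(title: str, favicon_bytes: bytes) -> str:
    """Title-or-iconhash query for a CMS whose favicon you hold locally."""
    return any_of(term("title", title), term("iconhash", iconhash(favicon_bytes)))


def regional_dork(title: str, country: str) -> str:
    """Narrow a title match to one country, as in section 2.2."""
    return all_of(term("title", title), term("country", country))


if __name__ == "__main__":
    print(exposed_apache_dork())
    print(cms_dork("WordPress", SAMPLE_FAVICON))
    print(regional_dork("Jenkins", "CN"))
```

Quoting and escaping values in term() matters when banners or titles are taken from untrusted data: a stray double quote in a copied banner would otherwise change the meaning of the query. Hashing a favicon you already hold (for instance from your own deployment) lets you search for other instances sharing that template before an attacker does.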
2. Building an Infrastructure Exposure Profile
Using ZoomEye and other reconnaissance tools, we can rapidly construct a configuration profile of an organization’s public-facing infrastructure. This process typically involves the following steps:
2.1 Collecting Service Information
ZoomEye queries allow us to gather key details such as:
Service Types: By analyzing open ports and service banners, we can determine which services are running—such as web servers, databases, and development tools.
Version Information: Many banners expose software version numbers, enabling analysts to assess whether known vulnerabilities may be present.
Technology Stack Identification: Specific indicators—such as service banners and icon hashes—provide insight into the underlying technology stack (e.g., Nginx, Apache, Tomcat, MySQL).
2.2 Segmentation by Organization or Geographic Region
Assets can also be filtered by Autonomous System (AS) number or geographic attributes (e.g., country=CN) to analyze exposure for a specific country, network provider, or organization.
Example Query: Identify Exposed Jenkins Instances in China
title="Jenkins" && country=CN
This enumerates all publicly exposed Jenkins CI systems located in China, supporting targeted monitoring of a region’s attack surface.
2.3 Risk Assessment
Because exposed services may contain known vulnerabilities, risk assessment is a crucial part of configuration profiling. Several approaches include:
Version-to-CVE Mapping: By correlating exposed service versions with entries in the CVE (Common Vulnerabilities and Exposures) database, analysts can determine whether high-risk vulnerabilities are present.
Default Configuration Review: Many systems are deployed with insecure defaults, such as default credentials, unnecessary services enabled, or lack of SSL/TLS encryption.
Cross-Service Correlation: By combining multiple query conditions—e.g., exposed MySQL plus phpMyAdmin, or Jenkins plus GitLab—we can identify compounded attack surfaces and multi-vector risk scenarios.
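Sections 2.1 through 2.3 describe one procedure: collect service records, fingerprint service type and version, group by host, and then apply risk checks including cross-service correlation. The following is an added example that carries that procedure through in code; it is written for this article and is not ZoomEye's API or result format. The record layout (ip, port, title, banner, country) is a simplified stand-in for search results, and every value in SAMPLE_RESULTS is constructed (RFC 5737 documentation addresses, invented banners and version strings). Treating ports 80 and 8080 as cleartext HTTP for the default-configuration check is also an assumption.

```python
"""Exposure profile builder (added example; not ZoomEye's API or output format).

Constructed inputs: the record layout (ip, port, title, banner, country) is a
simplified stand-in for search results, and every value below is made up
(RFC 5737 documentation addresses, invented version strings).
"""
import re
from collections import defaultdict

SAMPLE_RESULTS = [
    {"ip": "203.0.113.10", "port": 80, "title": "Welcome",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n", "country": "CN"},
    {"ip": "203.0.113.10", "port": 3306, "title": "",
     "banner": "5.7.33-0ubuntu0.18.04.1 MySQL Community Server", "country": "CN"},
    {"ip": "203.0.113.10", "port": 8080, "title": "phpMyAdmin",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n", "country": "CN"},
    {"ip": "198.51.100.7", "port": 8080, "title": "Dashboard [Jenkins]",
     "banner": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.303.1\r\n", "country": "US"},
    {"ip": "198.51.100.7", "port": 443, "title": "GitLab",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n", "country": "US"},
]

# Fingerprint rules: (service, regex over banner + title). An optional
# named group "ver" captures the version when the banner exposes one.
SERVICE_RULES = [
    ("Apache HTTP Server", re.compile(r"Server: Apache(?:/(?P<ver>[\d.]+))?")),
    ("Nginx", re.compile(r"Server: nginx(?:/(?P<ver>[\d.]+))?")),
    ("MySQL", re.compile(r"(?P<ver>\d+\.\d+\.\d+)[^\n]*MySQL")),
    ("Jenkins", re.compile(r"X-Jenkins: (?P<ver>[\d.]+)|\[Jenkins\]")),
    ("phpMyAdmin", re.compile(r"phpMyAdmin")),
    ("GitLab", re.compile(r"GitLab")),
]

# Risk rules from section 2.3: exposed database interfaces, and service
# combinations that compound the attack surface when co-located on one host.
HIGH_RISK_SERVICES = {"MySQL": "database interface reachable from the internet"}
CORRELATED_PAIRS = [
    (frozenset({"MySQL", "phpMyAdmin"}), "database plus its web admin console on one host"),
    (frozenset({"Jenkins", "GitLab"}), "CI/CD plus source control on one host"),
]
CLEARTEXT_PORTS = {80, 8080}  # assumption: treated as plain HTTP for the default-config check


def fingerprint(record):
    """Return [(service, version_or_None)] for one result record."""
    # Banner first so a version header wins over a title-only match.
    text = f"{record.get('banner', '')}\n{record.get('title', '')}"
    found = []
    for name, rx in SERVICE_RULES:
        m = rx.search(text)
        if m:
            found.append((name, m.groupdict().get("ver")))
    return found


def build_profile(results):
    """Group fingerprints by host: {ip: {country, services: {name: {ports, version}}}}."""
    profile = defaultdict(lambda: {"country": None, "services": {}})
    for r in results:
        host = profile[r["ip"]]
        host["country"] = r.get("country")
        for name, ver in fingerprint(r):
            entry = host["services"].setdefault(name, {"ports": [], "version": None})
            entry["ports"].append(r["port"])
            if ver:
                entry["version"] = ver
    return dict(profile)


def assess(host):
    """Apply the section 2.3 checks to one host profile; returns finding strings."""
    names = set(host["services"])
    findings = []
    for svc, why in HIGH_RISK_SERVICES.items():
        if svc in names:
            findings.append(f"HIGH: {svc}: {why}")
    for pair, why in CORRELATED_PAIRS:
        if pair <= names:
            findings.append(f"HIGH: {'+'.join(sorted(pair))}: {why}")
    for svc, info in sorted(host["services"].items()):
        if info["version"]:
            findings.append(f"REVIEW: {svc} {info['version']}: map version to CVE entries")
        else:
            findings.append(f"INFO: {svc}: banner exposes no version; verify manually")
        if svc != "MySQL" and set(info["ports"]) & CLEARTEXT_PORTS:
            findings.append(f"MEDIUM: {svc}: served on a cleartext HTTP port")
    return findings


if __name__ == "__main__":
    for ip, host in build_profile(SAMPLE_RESULTS).items():
        print(ip, host["country"])
        for line in assess(host):
            print("  ", line)
```

The version-to-CVE step is deliberately left as a REVIEW finding rather than a lookup: a banner version is a hint, not proof, since distributions backport fixes without changing the advertised version string. Correlation is done per host because the compounded risk the section describes only exists when the services share an attack surface.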
3. Conclusion
ZoomEye enables analysts to efficiently discover internet-exposed services and identify their underlying technology stacks through indicators such as open ports, service banners, and icon hashes. Leveraging this information, security teams can construct an accurate exposure and configuration profile of their infrastructure, assess associated risks, and implement appropriate defensive measures.
Recommended Practices:
Regular Exposure Surface Monitoring: Periodically use ZoomEye or similar reconnaissance tools to review the current state of publicly exposed services and detect newly surfaced assets.
Vulnerability Identification & Hardening: Use version information, configuration metadata, and publicly available intelligence to quickly identify known vulnerabilities and apply timely security hardening measures.