Gibson> Download Garbage
  • Statement of purpose
  • Techniques
    • Intelligence Gathering
      • O365 Tenant ID
      • Internal domain enumeration
      • O365 email enumeration
      • Passive nmap (smap)
      • Large IP list handling
      • Host Enumeration
    • Initial Access
      • Mail scanning
      • VBA
    • Execution
      • DLL Hijacking
      • Windows LOLBINS
        • DLLs - LOLBIN Execution
        • Executables - LOLBIN Execution
        • Scripts - LOLBIN Execution
    • Privilege Escalation
      • Windows
        • Initial Enumeration
      • Linux
    • Defense Evasion
      • Clear windows event logs
      • Bypassing proxies and firewalls
      • Microsoft Windows Defender
    • Credential Access
      • Extract credentials from LSASS dump
      • Extract credentials from registry hives
      • LSA secrets extraction
      • Dumping LSASS.exe
      • Dumping registry hives
      • Dump the domain (Domain Controllers)
      • Browser cookies & passwords
      • Wi-Fi passwords
      • Clipboard
    • Infrastructure
    • Web application testing
      • XSS - Cross site scripting
        • Weaponising XSS
    • Other
      • Buffer Overflow resources
        • Buffer Overflow Python Template
        • Buffer Overflow Python Fuzzer
      • C Reverse Shell
      • Creating Tiered Storage in Windows 10
      • Default Credentials
    • Red Team Infrastructure
      • Cobalt Strike Team Server
      • Pre-redirector (free domains!)
      • HTTPS Redirector
      • Multi functional WebApp
      • Malleable C2 profiles
      • Gophish Docker reverse proxy
    • Malware
  • Tools
    • Tools
Powered by GitBook
On this page
  • SMAP
  • Filtering results to gain further insight

Was this helpful?

  1. Techniques
  2. Intelligence Gathering

Passive nmap (smap)

Port scanning without touching your target

PreviousO365 email enumerationNextLarge IP list handling

Last updated 2 years ago

Was this helpful?

SMAP

Smap is a useful tool that queries , a free API offered by Shodan. Its additional value is derived from the fact it can output data in nmap based formats, which can be ingested by other tools existing import options (E.g; Witnessme).

A slight issue exists in that every IP scanned is a separate GET request, so for scanning large ranges you quickly hit rate limiting resulting in unexpected output.

This can be bypassed by rotating your IPs. An easy way to do it is to set up an AWS API gateway pointing to the internetdb API, and patching out the URL within the smap binary.

  1. API Gateway

For this you can utilise fireprox, a handy tool for quickly spinning up API gateways.

python3 fire.py --command create --url https://internetdb.shodan.io/

2. Smap patching

Modify the smap binary to use your API gateway - this URL is within `shodan.go`.

shodan.go
func Query(ip string) []byte {
	url := "https://<randomstring>.execute-api.eu-west-2.amazonaws.com/fireprox/" + ip
	req, err := http.NewRequest("GET", url, nil)
	resp, err := client.Do(req)

3. Scan without rate limits

Filtering results to gain further insight

Often it can be challenging to filter useful information out of 1000s of IPs; one method I've found useful is categorising IPs into files based on the available ports. The following code will create a series of files for each open port filled with the IPs that have that port open.

I find it makes unusual ports stand out a little easier, as one method for flagging up interesting targets.

grep -Po '(\d*)(?=/open)' output.gnmap | sort -u > openport.list;
for PORT in $(cat openport.list); do  awk -v port="${PORT}" "/${PORT}\/open/ {print \$2}" output.gnmap >> Live_${PORT}; done;

Or as a oneliner:

cat ip-ranges.gnmap| grep -Po '(\d*)(?=/open)' | sort -u | while read PORT ; do cat ip-ranges.gnmap | awk -v port="${PORT}" "/${PORT}\/open/ {print \$2}" >> Live_${PORT}; done
https://internetdb.shodan.io/
LogoGitHub - s0md3v/Smap: a drop-in replacement for Nmap powered by shodan.ioGitHub