GitHub - aleprada/exposed-assets: A tool for gathering IT/OT exposed assets on the Internet and sending the results to a MISP instance for further Threat Intelligence analysis.

Exposed assets

This tool allows you to gather IT/OT exposed assets for Threat Intelligence analysis. The tool uses the official Python Shodan and ZoomEye libraries.

The usage of the tool is very simple. The tool needs a list of dorks (located at config ->config_files->dorks.txt) that will be used for searching in both search engines. In this case, the dorks provided are focused on ICS/SCADA and CCTV/IP-Cameras as well as other IT devices that might be used by adversaries at early stages of the kill-chain, such as RDPs or VNCs.

After gathering the results from the different search engines, the tool has the functionality of correlating(-a) the banner of each host with a list of keywords (config->config_files->alerts_keywords). In case of a match, the alerts can be shown on the screen (-v) and/or sent to a MISP instance(-m).

In order to avoid duplicated alerts on your MISP instance, the tool saves the alerts in a SQLite database for checking if the alerts was already sent to MISP.

Usage

Looking for IT/OT exposed assets.

python main.py -v

Output

[*] Gathering IT/OT exposed assets
	[*] Searching: hostname:rail
	[+] New device found.
		 IP: 158.XXX.XXX.XX port: 443
		 Device: None
		 City: Cambridge Country: United States ASN: AS46XXX
	[+] New device found.
		 IP: 157.XXX.XXX.XX port: 80
		 Device: None
		 City: London Country: United Kingdom ASN: AS21XXX
[*] Number of IT/OT exposed assets discovered: 2

Looking for relevant IT/OT exposed assets. This option correlates results with a keyword list.

python main.py -a

Output

[*] Gathering IT/OT exposed assets
	[*] Searching: hostname:rail
[*] Checking if IT/OT assets gathered contain any keyword of your list.
[*] Number of IT/OT exposed assets discovered: 5

Looking for relevant IT/OT exposed assets and showing the output. This option correlates results with a keyword list.

python main.py -a -v

Output

[*] Gathering IT/OT exposed assets
	[*] Searching: hostname:rail
[*] Checking if IT/OT assets gathered contain any keyword of your list.
	[+] New device found.
		 IP: 158.XXX.XXX.XX port: 443
		 Device: None
		 City: Cambridge Country: United States ASN: AS46XXX
[*] Number of IT/OT exposed assets discovered: 1

Looking for relevant IT/OT exposed assets and sending them to MISP. This option correlates results with a keyword list. Type also --proxy(-p) for using a proxy to send the alerts to MISP.

python main.py -a -m -v

Output

[*] Gathering IT/OT exposed assets
	[*] Searching: hostname:rail
[*] Checking if IT/OT assets gathered contain any keyword of your list.
	[+] New device found.
		 IP: 158.XXX.XXX.XX port: 443
		 Device: None
		 City: Cambridge Country: United States ASN: AS46XXX
[*] Sending alerts to MISP
	 [*] Event with ID 1654 has been successfully stored.
[*] Number of IT/OT exposed assets discovered: 1

ToDo List

Publish a list of Dorks related to ICS/SCADA Cameras.
Detect vulnerabilities (CVE) in ZoomEye.
Add other search engines (e.g. Censys)

Name		Name	Last commit message	Last commit date
Latest commit History 14 Commits
config		config
misp_alerts		misp_alerts
search_engines		search_engines
tests		tests
.gitignore		.gitignore
.travis.yml		.travis.yml
README.md		README.md
main.py		main.py
requirements.txt		requirements.txt
setup.py		setup.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

About

Releases

Packages

Languages

aleprada/exposed-assets

Folders and files

Latest commit

History

Repository files navigation

About

Topics

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages