Netlas.io is an essential tool (similar to Shodan and Cencys), whether you work in penetration testing or open-source intelligence. You can save time by not spending hours looking for vulnerabilities and important information.
Using netlas.io as an offensive security tool within the context of penetration testing will be the main topic of this tutorial.
The initial phases of a penetration test—reconnaissance
#1 Visit Netlas and go to “Try it!”
#2 Like many other search engines, you can build a search query with search fields and search phrases separated by a colon (:). You can search by IP address, host, whois and many other fields. In addition, you can search by sub-fields by using the field name followed by the sub-field name, separated by a period.
field.subfield:value
So, if you were looking for IIS web servers, you could enter:
tag.name:iis
We were able to identify 17 million servers using IIS, as you can see in the graph below.
There are tabs like response, Whois, contacts, and domains. The tab “Domains” shows all the domains hosted at that IP address when we click on it.
We can also search by host using the following syntax:
host:www.hackthebox.com
#3 Vulnerability search
The site’s capability to search for vulnerabilities and CVEs is one of its best features. For instance, we could do the search to find all the websites with CVSS base score greater than 9;
cve.base_score:>9
If we wanted to find all the sites that support SMB, we could type the following:
smb:*
Keep in mind that there is a subfield called “smbv1_support” in the response field. The sites that have SMBv1 enabled, which is vulnerable, could be found using SMBv1 enabled (true) parameter.
smb.smbv1_support:true
You can see that it detected over 170,000 sites with vulnerable SMBv1.
We can also use the search to find websites with a known public exploit.
cve.has_exploit:*
According to this search, more than 90 million websites are potentially exploited to a known public vulnerability. You can see on the right of the screen the detected CVEs. Then, by selecting the CVE tab, all known vulnerabilities will be listed.
Search by CVE ID
cve.name:CVE-2017-0145
Of course, we are able to search hosts via any logical operator, regular expressions and wildcards. 🙂