Netlas for Security Research

Vulnerable devices search using Netlas.io

Cybersecurity research goes global with Netlas.io
About 83% of data breaches involved external actors, with vulnerability exploitation as the top attack vector, as shown in the Verizon Data Breach Investigations Report 2023.

Passive vulnerability detection method

Netlas uses a passive vulnerability detection method. This means that Netlas assumes the presence of a vulnerability based on the software version only.
Penetration testers, bug bounty hunters, and other offensive cybersecurity professionals often use Netlas to identify vulnerable devices in the networks of interest. For this purpose, the Responses search tool includes a whole group of fields related to vulnerabilities in the mapping.

  • cve.base_score
  • cve.description
  • cve.exploit_links
  • cve.has_exploit
  • cve.name
  • cve.severity
You can use these fields to search for services based on a specific vulnerability, criticality, or even the presence of a published exploit. For example, the following search will return services hosted on Google networks that are likely susceptible to critical vulnerabilities:
However, this method has two significant limitations that should be understood:
  • Netlas labels vulnerabilities only when the product and its version are identified from the response content. Therefore, using filters from the "cve" group, you will be able to find vulnerabilities only for a limited number of products.
  • Netlas labels vulnerabilities during the Internet scanning process. The scanning frequency for each IP address is determined. Therefore, using filters from the "cve" group for the most recent vulnerabilities, you will find only those devices that have been scanned since the vulnerability was published. A much larger number of devices may be vulnerable, because not enough time has passed since disclosure for Netlas scanners to rescan them.
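
The two limitations above mean that a missing "cve" label is not evidence that a host is unaffected. The following added example (not Netlas code) triages exported records for an inventory you are responsible for; the record layout, the keys `host`, `product_version` and `scanned_at`, and the CVE id and date are assumptions constructed for illustration, and only the `cve.*` names come from the page.

```python
from datetime import date

CVE = "CVE-0000-0001"            # placeholder id, not a real CVE
PUBLISHED = date(2023, 3, 1)     # constructed publication date

# Constructed records. Only the cve.* names come from the page; "host",
# "product_version" and "scanned_at" are hypothetical keys for this example.
RECORDS = [
    {"host": "192.0.2.10", "product_version": "1.2.3", "scanned_at": "2023-03-20",
     "cve": [{"name": CVE, "severity": "critical", "has_exploit": True}]},
    {"host": "192.0.2.11", "product_version": "1.2.3", "scanned_at": "2023-01-05", "cve": []},
    {"host": "192.0.2.12", "product_version": None, "scanned_at": "2023-03-22", "cve": []},
    {"host": "192.0.2.13", "product_version": "1.3.0", "scanned_at": "2023-03-25", "cve": []},
]


def triage(records, cve_name, published):
    """Classify each record by what a cve.name filter can say about it."""
    verdicts = {}
    for rec in records:
        labelled = {c["name"] for c in (rec.get("cve") or [])}
        if cve_name in labelled:
            verdict = "labelled"          # the passive method flagged it
        elif not rec.get("product_version"):
            verdict = "no_version"        # limitation 1: nothing to match on
        elif date.fromisoformat(rec["scanned_at"]) <= published:
            verdict = "stale_scan"        # limitation 2: scanned before disclosure
        else:
            verdict = "not_labelled"      # version known, scanned after disclosure
        verdicts[rec["host"]] = verdict
    return verdicts


def needs_followup(records, cve_name, published):
    """Hosts where a missing label says nothing about exposure."""
    verdicts = triage(records, cve_name, published)
    return sorted(h for h, v in verdicts.items() if v in ("no_version", "stale_scan"))


if __name__ == "__main__":
    for host, verdict in triage(RECORDS, CVE, PUBLISHED).items():
        print(host, verdict)
```

Hosts returned by `needs_followup` are the ones to check directly against the vendor advisory, since the passive label could not have been applied to them.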

Searching for vulnerable devices

Considering the disadvantages of using "cve" filters described above, many of our users take a different approach to search for vulnerabilities using Netlas. Typically, the workflow looks as follows:
1. The researcher monitors various sources of vulnerability information. These sources may include developer bulletins, websites aggregating vulnerability data (such as NIST NVD), social networks, and more. Selection criteria vary depending on hacking specialization.
2. Upon discovering an interesting vulnerability, the researcher creates a search query for devices or software in Netlas, performs a search, and downloads the results along with contact information to be able to reach out to the system owner.
3. Depending on how the query is crafted, an additional step may be required. Often, it is necessary to identify specific software versions that are vulnerable. If the search query created in the previous step filters on a specific version, then the result is already achieved. However, sometimes it is impossible to determine the version from the information returned by the device. In such cases, the researcher needs to create an additional script to determine the software version. Netlas significantly helps narrow down the scope here: the researcher can run a verification script on the already-filtered list of IP addresses.
For example, let's consider CVE-2023-25135. The product affected by this vulnerability is vBulletin of certain versions. The Netlas search would look like this:
This search takes into account the version, so there is no need for the development of additional tools.
Below is an example of a search that does not consider the version:
Netlas tags MS Exchange servers but does not determine the software version. In this case, the researcher has to use third-party tools to detect versions. For MS Exchange, there are several scripts available on GitHub from different developers that address this issue in various ways.

Search queries for the most critical vulnerabilities

To assist our users, the Netlas team periodically publishes ready-made search queries for the most critical vulnerabilities on social networks. By joining us on one of your chosen social networks, you can significantly save time on developing a search query.