About 83% of data breaches involved external actors, with vulnerability exploit as the top attack vector, as shown in Verizon Data Breach Investigations Report 2023.
Passive vulnerability detection method
Netlas uses a passive vulnerability detection method. This means that Netlas infers the presence of a vulnerability from the detected software version alone, without probing the service for it.
Penetration testers, bug bounty hunters, and other offensive cybersecurity professionals often use Netlas to identify vulnerable devices in the networks of interest. For this purpose, the Responses search tool includes a whole group of vulnerability-related fields in its mapping.
You can use these fields to search for services based on a specific vulnerability, criticality, or even the presence of a published exploit. For example, the following search will return services hosted on Google networks that are likely susceptible to critical vulnerabilities:
However, this method has two significant limitations that should be understood:
Netlas labels vulnerabilities only when the product and its version are identified from the response content. Therefore, using filters from the "cve" group, you will be able to find vulnerabilities only for a limited number of products.
Netlas labels vulnerabilities during the Internet scanning process, and each IP address is scanned at a set interval. Therefore, using filters from the "cve" group for the most recent vulnerabilities, you will find only those devices that have been scanned since the vulnerability was published. A much larger number of devices may be vulnerable, because not enough time has passed since the disclosure for Netlas scanners to reach them.
Searching for vulnerable devices
Considering the disadvantages of the "cve" filters described above, many of our users take a different approach to searching for vulnerabilities with Netlas. Typically, the workflow looks as follows:
1. The researcher monitors various sources of vulnerability information. These sources may include developer bulletins, websites aggregating vulnerability data (such as NIST NVD), social networks, and more. Selection criteria vary depending on the researcher's specialization.
2. Upon discovering an interesting vulnerability, the researcher creates a search query for the affected devices or software in Netlas, performs the search, and downloads the results along with contact information in order to reach out to the system owners.
3. Depending on how the query is crafted, an additional step may be required. Often, it is necessary to identify the specific software versions that are vulnerable. If the search query created in the previous step already filters by a specific version, the result is achieved. However, sometimes the version cannot be determined from the information returned by the device. In such cases, the researcher needs to write an additional script to determine the software version. Netlas significantly narrows down the scope here: the verification script only has to run against the already-filtered list of IP addresses.
For example, let's consider CVE-2023-25135. The product affected by this vulnerability is vBulletin in certain versions. The Netlas search would look like this:
Netlas tags MS Exchange servers but does not determine the software version. In this case, the researcher has to use third-party tools to detect versions. For MS Exchange, there are several scripts available on GitHub from different developers that address this issue in various ways.
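As an added illustration of step 3 (this is example code, not part of the Netlas documentation or any Netlas tool), the script below takes an exported result list, pulls the product version out of the stored response body where the product advertises it, and sorts hosts into vulnerable, not vulnerable, and version-unknown, the last group being the one that still needs a separate verification script. The record layout, the sample hosts and the affected version range are constructed for the example; the real range for a given CVE comes from the vendor advisory or the NVD entry.

```python
import json
import re

# Constructed sample records in the shape of a JSON-lines export from a host
# search (only the fields this script needs). Not real Netlas output.
EXPORT_LINES = """
{"ip": "192.0.2.10", "port": 443, "body": "<meta name='generator' content='vBulletin 5.6.9'>"}
{"ip": "192.0.2.11", "port": 80, "body": "<meta name='generator' content='vBulletin 6.0.1'>"}
{"ip": "192.0.2.12", "port": 8080, "body": "<html><title>Forum</title></html>"}
""".strip()

# vBulletin advertises its version in a generator meta tag; other products
# need their own pattern (a Server header, a login-page string, ...).
VERSION_RE = re.compile(r"vBulletin\s+(\d+(?:\.\d+)*)", re.IGNORECASE)

def parse_version(text):
    """Turn '5.6.9' into (5, 6, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def version_in_range(version, low, high):
    """Inclusive check; pads shorter tuples with zeros so 5.6 == 5.6.0."""
    width = max(len(version), len(low), len(high))
    version, low, high = (v + (0,) * (width - len(v)) for v in (version, low, high))
    return low <= version <= high

def detect_version(record):
    """Extract the product version from the stored response body, or None."""
    match = VERSION_RE.search(record.get("body", ""))
    return match.group(1) if match else None

def triage(export_text, affected_low, affected_high):
    """Split hosts into vulnerable / not_vulnerable / unknown (unknown still needs a probe)."""
    low, high = parse_version(affected_low), parse_version(affected_high)
    result = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for line in export_text.splitlines():
        record = json.loads(line)
        host = f"{record['ip']}:{record['port']}"
        version = detect_version(record)
        if version is None:
            result["unknown"].append(host)
        elif version_in_range(parse_version(version), low, high):
            result["vulnerable"].append(host)
        else:
            result["not_vulnerable"].append(host)
    return result

if __name__ == "__main__":
    # Hypothetical affected range for illustration only; take the real range
    # from the vendor advisory or NVD entry for the CVE being checked.
    print(json.dumps(triage(EXPORT_LINES, "5.6.0", "5.6.9"), indent=2))
```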
Search queries for the most critical vulnerabilities
To assist our users, the Netlas team periodically publishes ready-made search queries for the most critical vulnerabilities on social networks. By following us on the social network of your choice, you can save significant time on developing a search query.