Modules
General Data Format
All events generated by our scanning platform, delivered via our Data Streams or API Queries, have the following outline:

```json
{
  "origin": {
    "client_id": "string",
    "job_id": "string",
    "country": "string",
    "type": "string",
    "module": "string",
    "ts": "int",
    "ip": "string",
    "port": "int"
  },
  "target": {
    "ip": "ip",
    "port": "int",
    "protocol": "string"
  },
  "result": {
    "data": {}
  }
}
```

Details of the fields:
- origin:
  - client_id: Your client ID. Optional, appears only on the client stream.
  - job_id: Job ID that the event is part of. Optional, appears only on the client stream.
  - country: ISO code of the country in which the scanner that originated this event is located.
  - type: Event type, i.e. the module that produced the event. Please refer to the next section for details on each module type.
  - module: Either 'portscan' or 'grabber'. Category of the event. Portscan events merely indicate that a port was found open. Grabber events will contain more extracted data, such as details of the ip/port/service.
  - ts: Unix timestamp in milliseconds.
  - ip: IP used by the scanner to perform the analysis.
  - port: Port used by the scanner to perform the analysis. Optional, only some modules provide this information.
- target:
  - ip: Target address used for connection.
  - port: Target port used for connection.
  - protocol: Target protocol used for connection.
- result:
  - data: Varies according to each different module. Please refer to the next section for details on each module type.
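As an added example (not code from the platform or its documentation), the following Python validates newline-delimited events against the outline above, rejects malformed ones with a reason, converts the millisecond `ts` to a UTC datetime, and flags whether a grabber event actually carries extracted data. The sample events, addresses and the `portscan` type value are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Fields the outline above always carries; client_id, job_id and origin.port are optional.
REQUIRED_ORIGIN = ("type", "module", "ts", "ip", "country")
REQUIRED_TARGET = ("ip", "port", "protocol")


def validate_event(event: dict) -> dict:
    """Check one event against the origin/target/result outline and normalise it."""
    for section in ("origin", "target", "result"):
        if not isinstance(event.get(section), dict):
            raise ValueError(f"missing or invalid '{section}' section")
    origin, target, result = event["origin"], event["target"], event["result"]
    missing = [f"origin.{f}" for f in REQUIRED_ORIGIN if f not in origin]
    missing += [f"target.{f}" for f in REQUIRED_TARGET if f not in target]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if origin["module"] not in ("portscan", "grabber"):
        raise ValueError(f"unknown event category {origin['module']!r}")
    if not isinstance(result.get("data"), dict):
        raise ValueError("result.data must be an object")
    return {
        "target": f"{target['ip']}:{target['port']}/{target['protocol']}",
        "type": origin["type"],
        "category": origin["module"],
        # ts is a Unix timestamp in milliseconds; keep it as an aware UTC datetime.
        "seen": datetime.fromtimestamp(origin["ts"] / 1000, tz=timezone.utc),
        # Only grabber events carry extracted data; portscan events just flag an open port.
        "has_data": origin["module"] == "grabber" and bool(result["data"]),
    }


def parse_stream(lines):
    """Parse newline-delimited JSON events, keeping rejects as (line number, reason)."""
    accepted, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        try:
            accepted.append(validate_event(json.loads(line)))
        except (ValueError, TypeError) as exc:  # JSONDecodeError is a ValueError
            rejected.append((lineno, str(exc)))
    return accepted, rejected


# Constructed sample events (not real platform output): a portscan hit, a grabber
# result with data, and a malformed event whose target lacks port and protocol.
SAMPLE_LINES = [
    '{"origin": {"type": "portscan", "module": "portscan", "ts": 1700000000000, "ip": "198.51.100.7", "country": "US"}, "target": {"ip": "203.0.113.5", "port": 22, "protocol": "tcp"}, "result": {"data": {}}}',
    '{"origin": {"type": "ssh", "module": "grabber", "ts": 1700000001000, "ip": "198.51.100.7", "country": "US", "port": 40001}, "target": {"ip": "203.0.113.5", "port": 22, "protocol": "tcp"}, "result": {"data": {"banner": "SSH-2.0-OpenSSH"}}}',
    '{"origin": {"type": "ssh", "module": "grabber", "ts": 1700000002000, "ip": "198.51.100.7", "country": "US"}, "target": {"ip": "203.0.113.5"}, "result": {"data": {}}}',
]
```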
Modules
Below are all the modules available for scanning on the platform. All modules support hostnames, IPv4 addresses and IPv6 addresses. These modules are the same modules that feed our Host database.
Service Identification
service-simple
The Service-Simple module attempts to connect to a remote server and identify service / product information by sending various payloads and analysing how the server responds. This module is much faster than the service module, since it doesn't perform any more actions than this. For more details, use the service module.
service
The Service module attempts to connect to a remote server and identify service / product information by sending various payloads and analysing how the server responds, as well as extract other available service information such as headers or hostnames, if available. For simple service identification, consider using the faster service-simple module.
malware-simple
The Malware-Simple module attempts to connect to a remote server and identify malware by sending various payloads and analysing how the server responds. It works similarly to the service-simple module except that it is entirely focused on identifying malware instead of general service/product information.
banner
The Banner module attempts to connect to a remote server, send a single payload and extract how the server responds. It works similarly to the service-simple module except that it only uses a single probe and does not do any analysis afterwards, returning the response as is. If no probe is configured, it just returns the banner.
Remote Desktop
rdp
The RDP module attempts to connect to an RDP server and take a screenshot of the display, as well as extract the security level used, if any.
rdpeudp
The RDP: UDP Transport Extension module attempts to connect to an RDP server over UDP.
vnc
The VNC module attempts to connect to a VNC server and take a screenshot of the display, as well as extract relevant information.
x11
The X11 module attempts to connect to an X11 server and take a screenshot of the display, as well as extract relevant information.
Databases
cassandra
The Cassandra module attempts to connect to a Cassandra server via a client driver connection and extract cluster metadata, as well as a list of keyspaces and their respective tables.
elasticsearch
The Elasticsearch module attempts to connect to an Elasticsearch server via its REST API and extract cluster metadata and stats, as well as a list of indices.
memcached
The Memcached module attempts to connect to a Memcached server via a client driver connection and extract server stats.
mongodb
The MongoDB module attempts to connect to a MongoDB server via a client driver connection and extract server metadata, as well as a list of databases and their respective collections.
redis
The Redis module attempts to connect to a Redis server via a client driver connection and extract server metadata.
Message Queues
amqp
The AMQP module attempts to connect to an AMQP server and extract server properties.
mqtt
The MQTT module attempts to connect to an MQTT server and capture a few seconds of passing messages to determine active topics.
mqttinfo
The MQTTInfo module attempts to connect to an MQTT server and run a series of commands to test its capabilities / enabled features.
HTTP / Web
webv2
The Webv2 module attempts to connect to an HTTP server and extract HTTP headers, redirects, page title, favicon, HTML source code and the web technologies being used, and take a screenshot of the web page.
web-enrich
The web-enrich module attempts to connect to an HTTP server and extract HTTP headers, redirects, HTML source code and the web technologies, and enrich data that the webv2 module couldn't find or doesn't look for.
Protocols
ssl-simple
The SSL-Simple module attempts to connect to an SSL-wrapped server and extract (and parse) certificate chains.
sslv2 (deprecated)
jarm
The JARM module attempts to actively fingerprint an SSL/TLS server via a series of TLS Client Hello packets to extract specific responses that can be used to quickly identify default applications or malware.
Services
ssh
The SSH module attempts to connect to an SSH server and extract all the algorithms supported by the server.
rsync
The RSYNC module attempts to connect to an RSYNC server anonymously and list the available modules (i.e. list the contents of the root directory).
ftp
The FTP module attempts to connect to an FTP server anonymously and recursively list the available directories.
smb
The SMB module attempts to connect to a server with SMB by opening a connection and extracting dialects and shares, if any.
snmp
The SNMP module attempts to connect to an SNMP server and extract the version and OIDs.
telnet
The Telnet module attempts to connect to a server by opening a connection and extracting the initial payload, if any.
socks
The Socks module attempts to connect to a static target via a Socks (v4/v5) proxy, extract the termination node address and check whether the node belongs to the Tor network.
websocket
The Websocket module attempts to connect to a Websocket server and extract a banner.
Containers
kubernetes
The Kubernetes module attempts to connect to a Kubernetes server via its REST API and extract a list of pods and their respective metadata.
Vulnerabilities
exchange-owa
The Exchange OWA module attempts to connect to an Exchange server, check whether it is vulnerable to exploitation, and retrieve metadata.
bluekeep
The Bluekeep module attempts to determine whether an RDP server is vulnerable to the Bluekeep vulnerability.
doublepulsar (deprecated)
vmware
The VMware module attempts to connect to a VMware server and retrieve and parse its metadata.