Modules
General Data Format
All events generated by our scanning platform, delivered via our Data Streams or API Queries, have the following outline:

{
  "origin": {
    "client_id": "string",
    "job_id": "string",
    "country": "string",
    "type": "string",
    "module": "string",
    "ts": "int",
    "ip": "string",
    "port": "int"
  },
  "target": {
    "ip": "ip",
    "port": "int",
    "protocol": "string"
  },
  "result": {
    "data": {}
  }
}

Details of the fields:
- origin:
  - client_id: Your client ID. Optional, appears only on the client stream.
  - job_id: Job ID that the event is part of. Optional, appears only on the client stream.
  - type: Event type, i.e. the module that produced the event. Please refer to the next section for details on each module type.
  - module: Either 'portscan' or 'grabber'. Category of the event. Portscan events merely indicate that a port was found open. Grabber events contain more extracted data, such as details of the ip/port/service.
  - ip: IP used by the scanner to perform the analysis.
  - port: Port used by the scanner to perform the analysis. Optional, only some modules provide this information.
  - ts: Unix timestamp in milliseconds.
  - country: ISO code of the country in which the scanner that originated this event is located.
- target:
  - ip: Target address used for the connection.
  - port: Target port used for the connection.
  - protocol: Target protocol used for the connection.
- result:
  - data: Varies according to each module. Please refer to the next section for details on each module type.
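The following is an added example, not part of the original documentation: a small consumer for the event envelope described above. It enforces the required fields, converts the millisecond timestamp, and routes 'portscan' and 'grabber' events into a per-target summary. The two sample events are constructed for illustration and are not real stream data.

```python
# Added example (not the platform's own code): consume events in the documented
# envelope, validate them, and build a per-target summary. Sample events below
# are constructed, not real stream data.
import json
from datetime import datetime, timezone

# Constructed sample stream: one portscan event and one grabber event for the
# same target. The grabber event carries the optional client-stream fields.
SAMPLE_STREAM = [
    '{"origin": {"country": "US", "type": "portscan", "module": "portscan", "ts": 1700000000000, "ip": "198.51.100.7"}, "target": {"ip": "203.0.113.10", "port": 22, "protocol": "tcp"}, "result": {"data": {"state": "open"}}}',
    '{"origin": {"client_id": "c1", "job_id": "j1", "country": "US", "type": "ssh", "module": "grabber", "ts": 1700000005000, "ip": "198.51.100.7", "port": 44321}, "target": {"ip": "203.0.113.10", "port": 22, "protocol": "tcp"}, "result": {"data": {"banner": "SSH-2.0-OpenSSH_8.9"}}}',
]

# Fields the documented outline always carries; client_id, job_id and
# origin.port are optional and therefore not listed here.
REQUIRED = {"origin": ("country", "type", "module", "ts", "ip"),
            "target": ("ip", "port", "protocol"),
            "result": ("data",)}

def parse_event(raw):
    """Decode one event and reject it if the required envelope is incomplete
    or the category is not one of the two documented values."""
    ev = json.loads(raw)
    for section, keys in REQUIRED.items():
        missing = [k for k in keys if k not in ev.get(section, {})]
        if missing:
            raise ValueError(f"{section} missing {missing}")
    origin = ev["origin"]
    if origin["module"] not in ("portscan", "grabber"):
        raise ValueError(f"unknown module category {origin['module']!r}")
    # ts is documented as a Unix timestamp in milliseconds, hence the / 1000.
    origin["time"] = datetime.fromtimestamp(origin["ts"] / 1000, tz=timezone.utc)
    return ev

def summarize(lines):
    """Group events by target (ip, port, protocol): portscan events only mark
    the port open, grabber events attach the module type and its result data."""
    summary = {}
    for raw in lines:
        ev = parse_event(raw)
        key = (ev["target"]["ip"], ev["target"]["port"], ev["target"]["protocol"])
        entry = summary.setdefault(key, {"open": False, "grabbers": {}})
        if ev["origin"]["module"] == "portscan":
            entry["open"] = True
        else:
            entry["grabbers"][ev["origin"]["type"]] = ev["result"]["data"]
    return summary

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_STREAM).items():
        print(key, entry)
```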
Modules
Below are all the modules available for scanning on the platform. All modules support hostnames, IPv4 addresses and IPv6 addresses. These modules are the same modules that feed our Host database.
Service Identification
service-simple
The Service-Simple module attempts to connect to a remote server and identify service / product information by sending various payloads and analysing how the server responds. This module is much faster than the service module, since it performs no further actions beyond this. For more details, use the service module.
service
The Service module attempts to connect to a remote server and identify service / product information by sending various payloads and analysing how the server responds as well as extract other available service information such as headers or hostnames if available. For simple service identification, consider using the faster service-simple module.
malware-simple
The Malware-Simple module attempts to connect to a remote server and identify malware by sending various payloads and analysing how the server responds. It works similarly to the service-simple module, except that it is focused entirely on identifying malware instead of general service/product information.
banner
The Banner module attempts to connect to a remote server, send a single payload and extract how the server responds. It works similarly to the service-simple module except it only uses a single probe, and does not do any analysis afterwards, returning the response as is. If no probe is configured, it just returns the banner.
Remote Desktop
rdp
The RDP module attempts to connect to an RDP server and take a screenshot of the display as well as extract the security level used, if any.
rdpeudp
The RDP: UDP Transport Extension module attempts to connect to an RDP server over UDP.
vnc
The VNC module attempts to connect to a VNC server and take a screenshot of the display as well as extract relevant information.
x11
The X11 module attempts to connect to an X11 server and take a screenshot of the display as well as extract relevant information.
Databases
cassandra
The Cassandra module attempts to connect to a Cassandra server via client driver connection and extract cluster metadata as well as a list of keyspaces and respective tables.
elasticsearch
The Elasticsearch module attempts to connect to an Elasticsearch server via REST API and extract cluster metadata and stats as well as a list of indices.
memcached
The Memcached module attempts to connect to a Memcached server via client driver connection and extract server stats.
mongodb
The MongoDB module attempts to connect to a MongoDB server via client driver connection and extract server metadata as well as a list of databases and respective collections.
redis
The Redis module attempts to connect to a Redis server via client driver connection and extract server metadata.
Message Queues
amqp
The AMQP module attempts to connect to an AMQP server and extract server properties.
mqtt
The MQTT module attempts to connect to an MQTT server and capture a few seconds of passing messages to determine the active topics.
mqttinfo
The MQTTInfo module attempts to connect to an MQTT server and run a series of commands to test its capabilities / enabled features.
HTTP / Web
webv2
The Webv2 module attempts to connect to an HTTP server and extract HTTP headers, redirects, page title, favicon, HTML source code and the web technologies being used, and take a screenshot of the web page. It combines and improves upon the functionality of the http, https and web modules.
web-enrich
The web-enrich module attempts to connect to an HTTP server and extract HTTP headers, redirects, HTML source code and the web technologies in use, and enrich the data with details that the webv2 module couldn't find or doesn't look for.
Protocols
ssl-simple
The SSL-Simple module attempts to connect to an SSL-wrapped server and extract (and parse) certificate chains. Recommended if you are only interested in certificates, since it is much faster than the sslv2 module as it doesn't need to do any additional testing.
sslv2
The SSLv2 module attempts to connect to an SSL-wrapped server and extract (and parse) certificate chains, ciphers and vulnerabilities. It is an upgraded version of the ssl module, and includes extra updates and features not available previously.
jarm
The JARM module attempts to actively fingerprint an SSL/TLS server via a series of TLS Client Hello packets to extract specific responses that can be used to quickly identify default applications or malware.
Services
ssh
The SSH module attempts to connect to an SSH server and extract all the algorithms supported by the server.
rsync
The rsync module attempts to connect to an rsync server anonymously and list the available modules (i.e. the contents of the root directory).
ftp
The FTP module attempts to connect to an FTP server anonymously and recursively list available directories.
smb
The SMB module attempts to connect to an SMB server by opening a connection and extracting the supported dialects and shares, if any.
snmp
The SNMP module attempts to connect to an SNMP server and extract the version and OIDs.
telnet
The Telnet module attempts to connect to a server by opening a connection and extracting the initial payload, if any.
socks
The Socks module attempts to connect to a static target via a Socks (v4/v5) proxy, extract the termination node address and check whether the node belongs to the Tor network.
websocket
The Websocket module attempts to connect to a WebSocket server and extract a banner.
Containers
kubernetes
The Kubernetes module attempts to connect to a Kubernetes server via REST API and extract a list of pods and their respective metadata.
Vulnerabilities
exchange-owa
The Exchange OWA module attempts to connect to an Exchange server and check whether it is vulnerable to exploitation (CVE-2021-26855).
bluekeep
The Bluekeep module attempts to determine if an RDP server is vulnerable to the BlueKeep vulnerability.
doublepulsar
The Doublepulsar module attempts to determine if an RDP or SMB server is vulnerable to the DoublePulsar vulnerability.