Modules

General Data Format

All events generated by our scanning platform, whether delivered via our Data Streams or API Queries, have the following outline:

{
  "origin": {
    "client_id": "string",
    "job_id": "string",
    "country": "string",
    "type": "string",
    "module": "string",
    "ts": "int",
    "ip": "string",
    "port": "int"
  },
  "target": {
    "ip": "ip",
    "port": "int",
    "protocol": "string"
  },
  "result": {
    "data": {}
  }
}

Details of the fields:

  • origin:
    • client_id:
      • Your client ID. Optional, appears only on the client stream.
    • job_id:
      • ID of the job that the event is part of. Optional, appears only on the client stream.
    • type:
      • Event type, i.e. the module that produced the event.
      • Please refer to the next section for details on each module type.
    • module:
      • Category of the event, either 'portscan' or 'grabber'. Portscan events merely indicate that a port was found open. Grabber events contain more extracted data, such as details of the ip/port/service.
    • ip:
      • IP used by the scanner to perform the analysis.
    • port:
      • Port used by the scanner to perform the analysis. Optional, only some modules will provide this information.
    • ts:
      • Unix timestamp in milliseconds.
    • country:
      • ISO code of the country in which the scanner that originated this event is located.
  • target:
    • ip:
      • Target address used for the connection.
    • port:
      • Target port used for the connection.
    • protocol:
      • Target protocol used for the connection.
  • result:
    • data:
      • Varies according to the module.
      • Please refer to the next section for details on each module type.
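
An added example, not code from the platform's documentation: a consumer that treats each event as untrusted input, validates it against the outline, converts origin.ts from milliseconds, and folds portscan and grabber events into one record per target. The function names and the sample events are constructed for illustration, and the type value on the portscan sample is an assumption.

```python
import ipaddress
import json
from datetime import datetime, timezone

MODULES = {"portscan", "grabber"}  # the two origin.module categories

def parse_event(line):
    """Validate one JSON event against the outline; raise ValueError on any mismatch."""
    try:
        ev = json.loads(line)
        origin, target, data = ev["origin"], ev["target"], ev["result"]["data"]
        port, proto, ts = target["port"], target["protocol"], origin["ts"]
        if origin["module"] not in MODULES or not isinstance(origin["type"], str):
            raise ValueError("bad origin.module or origin.type")
        if not (type(port) is int and 0 < port < 65536 and isinstance(proto, str)):
            raise ValueError("bad target.port or target.protocol")
        if type(ts) is not int or not isinstance(data, dict):
            raise ValueError("bad origin.ts or result.data")
        return {
            "module": origin["module"],
            "type": origin["type"],
            "seen": datetime.fromtimestamp(ts / 1000, tz=timezone.utc),  # ts is in ms
            "target": (str(ipaddress.ip_address(str(target["ip"]))), port, proto),
            "data": data,
        }
    except (KeyError, TypeError, OverflowError, OSError) as exc:
        raise ValueError("event does not match the outline: %r" % exc) from exc

def exposure(lines):
    """Return ({(ip, port, protocol): summary}, rejected_count) for a batch of events."""
    seen, rejected = {}, 0
    for line in lines:
        try:
            ev = parse_event(line)
        except ValueError:
            rejected += 1
            continue
        entry = seen.setdefault(ev["target"], {"last_seen": ev["seen"], "types": set()})
        entry["last_seen"] = max(entry["last_seen"], ev["seen"])
        if ev["module"] == "grabber":  # a portscan event only says the port was open
            entry["types"].add(ev["type"])
    return seen, rejected

_FMT = ('{"origin": {"country": "nl", "type": "%s", "module": "%s", "ts": %d, "ip": "192.0.2.10"}, '
        '"target": {"ip": "203.0.113.5", "port": 6379, "protocol": "tcp"}, "result": {"data": {}}}')
SAMPLE = [  # constructed events for illustration, not real platform output
    _FMT % ("service-simple", "portscan", 1700000000000),
    _FMT % ("redis", "grabber", 1700000060000),
    '{"origin": {"module": "grabber"}}']  # truncated event, must be rejected
```

Counting rejected lines instead of silently dropping them makes a schema change or a corrupted stream visible to whoever operates the consumer.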

Modules

Below are all the modules available for scanning on the platform. All modules support hostnames, IPv4 addresses and IPv6 addresses. These modules are the same modules that feed our Host database.

Service Identification

service-simple

The Service-Simple module attempts to connect to a remote server and identify service / product information by sending various payloads and analysing how the server responds. It is much faster than the service module because it does nothing beyond this identification. For more details, use the service module.

service

The Service module attempts to connect to a remote server and identify service / product information by sending various payloads and analysing how the server responds. It also extracts other service information, such as headers or hostnames, if available. For simple service identification, consider using the faster service-simple module.

malware-simple

The Malware-Simple module attempts to connect to a remote server and identify malware by sending various payloads and analysing how the server responds. It works similarly to the service-simple module, except that it is focused entirely on identifying malware instead of general service/product information.

The Banner module attempts to connect to a remote server, send a single payload and extract how the server responds. It works similarly to the service-simple module except it only uses a single probe, and does not do any analysis afterwards, returning the response as is. If no probe is configured, it just returns the banner.

Remote Desktop

rdp

The RDP module attempts to connect to an RDP server and take a screenshot of the display as well as extract the security level used, if any.

rdpeudp

The RDP: UDP Transport Extension module attempts to connect to an RDP server over UDP.

vnc

The VNC module attempts to connect to a VNC server and take a screenshot of the display as well as extract relevant information.

x11

The X11 module attempts to connect to an X11 server and take a screenshot of the display as well as extract relevant information.

Databases

cassandra

The Cassandra module attempts to connect to a Cassandra server via client driver connection and extract cluster metadata as well as a list of keyspaces and respective tables.

elasticsearch

The Elasticsearch module attempts to connect to an Elasticsearch server via REST API and extract cluster metadata and stats as well as a list of indices.

memcached

The Memcached module attempts to connect to a Memcached server via client driver connection and extract server stats.

mongodb

The MongoDB module attempts to connect to a MongoDB server via client driver connection and extract server metadata as well as a list of databases and respective collections.

redis

The Redis module attempts to connect to a Redis server via client driver connection and extract server metadata.

Message Queues

amqp

The AMQP module attempts to connect to an AMQP server and extract server properties.

mqtt

The MQTT module attempts to connect to an MQTT server and capture a few seconds of passing messages to determine active topics.

mqttinfo

The MQTTInfo module attempts to connect to an MQTT server and run a series of commands to test its capabilities / enabled features.

HTTP / Web

webv2

The Webv2 module attempts to connect to an HTTP server and extract HTTP headers, redirects, page title, favicon, HTML source code and the web technologies being used, and to take a screenshot of the web page. It combines and improves on the functionality of http, https and web.

web-enrich

The web-enrich module attempts to connect to an HTTP server and extract HTTP headers, redirects, HTML source code and the web technologies, enriching the result with data that the webv2 module couldn't find or doesn't look for.

Protocols

ssl-simple

The SSL-Simple module attempts to connect to an SSL-wrapped server and extract (and parse) certificate chains. Recommended if you are only interested in certificates, since it is much faster than the sslv2 module as it doesn't need to do any additional testing.

sslv2

The SSLv2 module attempts to connect to an SSL-wrapped server and extract (and parse) certificate chains, ciphers and vulnerabilities. It is an upgraded version of the ssl module, and includes extra updates and features not available previously.

jarm

The JARM module attempts to actively fingerprint an SSL/TLS server via a series of TLS Client Hello packets to extract specific responses that can be used to quickly identify default applications or malware.

Services

ssh

The SSH module attempts to connect to an SSH server and extract all the algorithms supported by the server.

rsync

The RSYNC module attempts to connect to an RSYNC server anonymously and list the available modules (that is, the contents of the root directory).

ftp

The FTP module attempts to connect to an FTP server anonymously and recursively list available directories.

smb

The SMB module attempts to connect to a server with SMB by opening a connection and extracting dialects and shares, if any.

snmp

The SNMP module attempts to connect to an SNMP server and extract version and OIDs.

telnet

The Telnet module attempts to connect to a server by opening a connection and extracting the initial payload, if any.

socks

The Socks module attempts to connect to a static target via a Socks (v4/v5) proxy, extract the termination node address and check whether the node belongs to the Tor network.

websocket

The Websocket module attempts to connect to a Websocket server and extract a banner.

Containers

kubernetes

The Kubernetes module attempts to connect to a Kubernetes server via REST API and extract a list of pods and their respective metadata.

Vulnerabilities

exchange-owa

The Exchange OWA module attempts to connect to an Exchange server and check whether it is vulnerable to exploitation (CVE-2021-26855).

bluekeep

The Bluekeep module attempts to determine if an RDP server is vulnerable to the Bluekeep vulnerability.

doublepulsar

The Doublepulsar module attempts to determine if an RDP or SMB server is vulnerable to the Doublepulsar vulnerability.
