# BinaryEdge Cheatsheet - [app.binaryedge.io](https://app.binaryedge.io)

Inspired by the cheatsheet of [Nate (@n0x08)](https://twitter.com/n0x08), here is a version for BinaryEdge.

- [Queries - Hosts tab](#queries---hosts-tab)
  * [Basics](#basics)
  * [Firewalls, VPNs, and other services](#firewalls-vpns-and-other-services)
  * [Databases and caches](#databases-and-caches)
  * [Web searches](#web-searches)
  * [SSL Searches](#ssl-searches)
  * [Misc](#misc)
- [Queries - Images tab](#queries---images-tab)

# Queries - Hosts tab

## Basics

**Port open** - BinaryEdge uses modules, which means that for RDP, for example, with

`port:3389` [⏩](https://app.binaryedge.io/services/query?query=port:3389&page=1)

you will get `type:rdp`, `type:service-simple` and `type:ssl` results, because those are the three modules we use in the world-wide scans.

**Product**

`product:"OpenSSH"` [⏩](https://app.binaryedge.io/services/query?query=product:%22OpenSSH%22&page=1)

**Search inside a banner**

`type:service-simple banner:"LANCOM Systems"` [⏩](https://app.binaryedge.io/services/query?query=type:service-simple%20banner:%22LANCOM%20Systems%22&page=1)

**Product version bigger than X AND smaller than Y (between X and Y)**

`product:"nginx" version:>1.10.3 version:<1.14.0` [⏩](https://app.binaryedge.io/services/query?query=product:%22nginx%22%20version:%3E1.10.3%20version:%3C1.14.0&page=1)

**Product version between X and Y, on a specific ASN**

`product:"nginx" version:>1.10.3 version:<1.14.0 asn:"16509"` [⏩](https://app.binaryedge.io/services/query?query=product:%22nginx%22%20version:%3E1.10.3%20version:%3C1.14.0%20asn:%2216509%22&page=1)

**Product version between X and Y, in a specific country**

`product:"nginx" version:>1.10.3 version:<1.14.0 country:"US"` [⏩](https://app.binaryedge.io/services/query?query=product:%22nginx%22%20version:%3E1.10.3%20version:%3C1.14.0%20country:%22US%22&page=1)

**Looking for ICS / SCADA in a specific country**

`tag:ics country:"US"` [⏩](https://app.binaryedge.io/services/query?query=tag:ics%20country:%22US%22&page=1)

## Firewalls, VPNs, and other services

**MobileIron**

`web.favicon.md5:c3ee66d45636052a69bab53600f2f878` [⏩](https://app.binaryedge.io/services/query?query=web.favicon.md5:c3ee66d45636052a69bab53600f2f878)

`web.favicon.md5:8a185957a6b153314bab3668b57f18f4` [⏩](https://app.binaryedge.io/services/query?query=web.favicon.md5:8a185957a6b153314bab3668b57f18f4)

`web.path.keyword: "/mifs/user/login.jsp"` [⏩](https://app.binaryedge.io/services/query?query=web.path.keyword:%20%22%2Fmifs%2Fuser%2Flogin.jsp%22)

**Citrix**

`web.title:"Citrix"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Citrix%22&page=1)

`web.title:"Netscaler"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Netscaler%22&page=1)

`web.title:"Endpoint Management - Console - Logon"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Endpoint%20Management%20-%20Console%20-%20Logon%22&page=1)

`"Citrix-TransactionId"` [⏩](https://app.binaryedge.io/services/query?query=%22Citrix-TransactionId%22&page=1)

**Pulse VPN**

`product:"Pulse Secure VPN gateway http config"` [⏩](https://app.binaryedge.io/services/query?query=product:%22Pulse%20Secure%20VPN%20gateway%20http%20config%22&page=1)

**Palo Alto**

`product:"Palo Alto GlobalProtect Gateway httpd"` [⏩](https://app.binaryedge.io/services/query?query=product:%22Palo%20Alto%20GlobalProtect%20Gateway%20httpd%22&page=1)

**Juniper**

`web.title:"Juniper"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Juniper%22&page=1)

**Cyberoam SSL VPN**

`type:ssl cyberoam` [⏩](https://app.binaryedge.io/services/query?query=type:ssl%20cyberoam&page=1)

**Cisco**

`product:"Cisco"` [⏩](https://app.binaryedge.io/services/query?query=product:%22Cisco%22&page=1)

`web.title:"cisco"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22cisco%22&page=1)

**F5**

`web.title:"BIG-IP®- Redirect"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22BIG-IP%C2%AE-%20Redirect%22&page=1)

`web.favicon.mmh3:1996866236` [⏩](https://app.binaryedge.io/services/query?query=web.favicon.mmh3:1996866236&page=1)

`web.body.content:"BIG-IP logout"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22BIG-IP%20logout%22&page=1)

`product:"BigIP"` [⏩](https://app.binaryedge.io/services/query?query=product:%22BigIP%22&page=1)

`type:service-simple BIGipServerPool` [⏩](https://app.binaryedge.io/services/query?query=type:service-simple%20BIGipServerPool&page=1)

`web.body.content:"LastMRH_Session"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22LastMRH_Session%22&page=1)

`web.body.content:"MRHSession"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22MRHSession%22&page=1)

**Gradle Enterprise Server**

`web.body.content:"Gradle Enterprise Server"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22Gradle%20Enterprise%20Server%22&page=1)

`web.body.content:"Gradle Enterprise"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22Gradle%20Enterprise%22&page=1)

`web.body.content:"Gradle"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22Gradle%22&page=1)

**RDP Gateway**

`web.body.content:"tdDomainUserNameLabel"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22tdDomainUserNameLabel%22&page=1)

`web.path:"/RDWeb/"` [⏩](https://app.binaryedge.io/services/query?query=web.path:%22%2FRDWeb%2F%22&page=1)

`TSWAFeatureCheckCookie` [⏩](https://app.binaryedge.io/services/query?query=TSWAFeatureCheckCookie&page=1)

**Oracle E-Business Suite**

`web.title:"E-Business Suite Home Page Redirect"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22E-Business%20Suite%20Home%20Page%20Redirect%22&page=1)

`web.path:"/OA_HTML/"` [⏩](https://app.binaryedge.io/services/query?query=web.path:%22%2FOA_HTML%2F%22&page=1)

**Polycom Phones**

`type:ssl polycom` [⏩](https://app.binaryedge.io/services/query?query=type:ssl%20polycom&page=1)

**Webmin**

`web.title:"Webmin"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Webmin%22&page=1)

**TeamCity**

`web.title:"Log in to TeamCity"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Log%20in%20to%20TeamCity%22&page=1)

`"TeamCity-Node-Id"` [⏩](https://app.binaryedge.io/services/query?query=%22TeamCity-Node-Id%22&page=1)

**Barix Radio Encoder systems**

`web.favicon.mmh3:2575496402` [⏩](https://app.binaryedge.io/services/query?query=web.favicon.mmh3:2575496402&page=1)

**Sonos**

`product:"Sonos"` [⏩](https://app.binaryedge.io/services/query?query=product:%22Sonos%22&page=1)

**TP-Link Gigabit**

`TP-LINK Gigabit` [⏩](https://app.binaryedge.io/services/query?query=TP-LINK%20Gigabit&page=1)

`product:"Router Webserver"` [⏩](https://app.binaryedge.io/services/query?query=product:%22Router%20Webserver%22&page=1)

**TP-Link**

`product:"TP-Link"` [⏩](https://app.binaryedge.io/services/query?query=product:%22TP-Link%22&page=1)

**Keenetic Smart Home**

`web.title:"Keenetic Web"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Keenetic%20Web%22&page=1)

**Home Assistant Smart Home**

`web.title:"Home Assistant"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Home%20Assistant%22&page=1)

**FRITZ!Box SOHO Router**

`web.title:"FRITZ!Box"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22FRITZ!Box%22&page=1)

**CoSHIP SOHO**

`web.title:"EMTA"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22EMTA%22&page=1)

**Broadband Routers**

`web.body.content:"Broadband Router"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22Broadband%20Router%22&page=1)

**Movistar FIOS Router**

`web.title:"movistar"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22movistar%22&page=1)

**Blue Iris Video surveillance**

`web.title:"Blue Iris Login"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Blue%20Iris%20Login%22&page=1)

**Cambium Networks**

`web.title:"ePMP"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22ePMP%22&page=1)

**VMware ESXi**

`product:"VMware ESXi"` [⏩](https://app.binaryedge.io/services/query?query=product:%22VMware%20ESXi%22&page=1)

**Exposed Kubernetes (k8s)**

`type:kubernetes kubernetes.auth_required:false` [⏩](https://app.binaryedge.io/services/query?query=type:kubernetes%20kubernetes.auth_required:false&page=1)

**Server Backup Manager**

`web.title:"Server Backup Manager"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Server%20Backup%20Manager%22&page=1)

**DrayTek Vigor router**

`web.title:"Vigor Login Page"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Vigor%20Login%20Page%22&page=1)

**APC Power (UPS)**

`web.title:"APC | Log On"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22APC%20%7C%20Log%20On%22&page=1)

**Metasploit**

`web.title:"metasploit"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22metasploit%22&page=1)

**HP iLO3**

`type:ssl ssl.cert.issuer.common_name:ilo3` [⏩](https://app.binaryedge.io/services/query?query=type:ssl%20ssl.cert.issuer.common_name:ilo3&page=1)

**Zyxel**

`type:ssl ssl.cert.issuer.common_name:zyxel` [⏩](https://app.binaryedge.io/services/query?query=type:ssl%20ssl.cert.issuer.common_name:zyxel&page=1)

**ZTE**

`web.title:"F660"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22F660%22&page=1)

**SonicWall**

`web.title:"Policy Jump"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Policy%20Jump%22&page=1)

**Tilgin SOHO Router**

`web.title:myhome` [⏩](https://app.binaryedge.io/services/query?query=web.title:myhome&page=1)

**ActionTec**

`web.title:"Advanced Setup - Security - Admin User Name"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Advanced%20Setup%20-%20Security%20-%20Admin%20User%20Name%22&page=1)

**GPON**

`web.title:"GPON"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22GPON%22&page=1)

**MikroTik**

`web.title:"RouterOS"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22RouterOS%22&page=1)

`product:"mikrotik"` [⏩](https://app.binaryedge.io/services/query?query=product:%22mikrotik%22&page=1)

**Xiongmai NetSurveillance**

`web.title:"NETSurveillance WEB"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22NETSurveillance%20WEB%22&page=1)

**WatchGuard**

`type:ssl ssl.cert.issuer.common_name:"Fireware web CA"` [⏩](https://app.binaryedge.io/services/query?query=type:ssl%20ssl.cert.issuer.common_name:%22Fireware%20web%20CA%22&page=1)

**Foscam IP Cameras**

`web.title:"IPCam Client"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22IPCam%20Client%22&page=1)

**3CX VoIP**

`web.title:"3CX Phone System Management Console"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%223CX%20Phone%20System%20Management%20Console%22&page=1)

## Databases and caches

The `<` and `>` operators work on anything numeric (for example on version numbers, see the Redis query below).

To check whether the latest data leak in the news is visible in BinaryEdge, replace `leak` with a keyword (a company name tends to work well):

`tag:database leak` [⏩](https://app.binaryedge.io/services/query?query=tag:database%20leak&page=1)

**MongoDB - looking for non-empty MongoDB instances**

`type:mongodb mongodb.totalSize:>1` [⏩](https://app.binaryedge.io/services/query?query=type:mongodb%20mongodb.totalSize:%3E1&page=1)

**MongoDB - searching for hacked MongoDB instances**

`type:mongodb mongodb.names:hack` [⏩](https://app.binaryedge.io/services/query?query=type:mongodb%20mongodb.names:hack&page=1)

`type:mongodb mongodb.names:READ_ME_TO_RECOVER_YOUR_DATA` [⏩](https://app.binaryedge.io/services/query?query=type:mongodb%20mongodb.names:READ_ME_TO_RECOVER_YOUR_DATA&page=1)

**Redis - look for a version below X**

`type:redis redis.redis_version:<5.0.5` [⏩](https://app.binaryedge.io/services/query?query=type:redis%20redis.redis_version:%3C5.0.5&page=1)

**Elasticsearch - searching for hacked Elasticsearch instances**

`type:elasticsearch elasticsearch.indices:contact_us_or_your_data_will_be_leaked` [⏩](https://app.binaryedge.io/services/query?query=type:elasticsearch%20elasticsearch.indices:contact_us_or_your_data_will_be_leaked&page=1)

**Elasticsearch - searching for instances with an index named customer, potentially leaking PII**

`type:elasticsearch elasticsearch.indices:customer` [⏩](https://app.binaryedge.io/services/query?query=type:elasticsearch%20elasticsearch.indices:customer&page=1)

**Elasticsearch - only big ones**

`type:elasticsearch elasticsearch.docs:>100000` [⏩](https://app.binaryedge.io/services/query?query=type:elasticsearch%20elasticsearch.docs:%3E100000&page=1)

**Cassandra - search for specific table names**

`type:cassandra cassandra.table_names:user` [⏩](https://app.binaryedge.io/services/query?query=type:cassandra%20cassandra.table_names:user&page=1)

**Cassandra - search for a specific keyspace name**

`type:cassandra cassandra.keyspace_names:user` [⏩](https://app.binaryedge.io/services/query?query=type:cassandra%20cassandra.keyspace_names:user&page=1)

**RethinkDB - search table names for users**

`type:rethinkdb rethinkdb.table_names:users` [⏩](https://app.binaryedge.io/services/query?query=type:rethinkdb%20rethinkdb.table_names:users&page=1)

**memcached exposed**

`type:memcached` [⏩](https://app.binaryedge.io/services/query?query=type:memcached&page=1)

**MQTT brokers exposed to the internet with no auth and exposing topics**

`type:mqtt mqtt.auth:false mqtt.num_topics:>0` [⏩](https://app.binaryedge.io/services/query?query=type:mqtt%20mqtt.auth:false%20mqtt.num_topics:%3E0&page=1)

## Web searches

**Web - searching for a specific header (option 1: this works for a set of pre-extracted headers, full list at https://docs.binaryedge.io/search-web-headers/; if it doesn't work, use option 2)**

`_exists_:web.headers.x_runtime` [⏩](https://app.binaryedge.io/services/query?query=_exists_:web.headers.x_runtime&page=1)

**Web - searching for a specific header (option 2) or body content**

`web.body.content:"Index of"` [⏩](https://app.binaryedge.io/services/query?query=web.body.content:%22Index%20of%22&page=1)

**Web - searching for a specific HTTP title**

`web.title:"Admin"` [⏩](https://app.binaryedge.io/services/query?query=web.title:%22Admin%22&page=1)

**Web - once you have found something with the searches above, pivot on its favicon or body hash to find how many more exist**

`web.favicon.mmh3:2294504639` [⏩](https://app.binaryedge.io/services/query?query=web.favicon.mmh3:2294504639&page=1)

`web.favicon.md5:5b6aae267f5115817162d44721d17b49` [⏩](https://app.binaryedge.io/services/query?query=web.favicon.md5:5b6aae267f5115817162d44721d17b49&page=1)

`web.body.sha256:c980258c50bc0b5137ddea75bc41eb3c0634153d3fbe05b0fd3aeab9673944da` [⏩](https://app.binaryedge.io/services/query?query=web.body.sha256:c980258c50bc0b5137ddea75bc41eb3c0634153d3fbe05b0fd3aeab9673944da&page=1)

## SSL Searches

**Find self-signed SSL certificates**

`ssl.cert.self_signed:true` [⏩](https://app.binaryedge.io/services/query?query=ssl.cert.self_signed:true&page=1)

**Look for a specific SSL cert using its SHA-1 fingerprint**

`ssl.cert.sha1_fingerprint:"e4:62:89:cc:d2:d7:08:ec:37:dc:1c:2e:a8:9b:7f:e5:5d:26:0d:c7"` [⏩](https://app.binaryedge.io/services/query?query=ssl.cert.sha1_fingerprint:%22e4:62:89:cc:d2:d7:08:ec:37:dc:1c:2e:a8:9b:7f:e5:5d:26:0d:c7%22&page=1)

**Look for a specific JA3 digest of the TLS server**

`ssl.server_info.ja3_digest:e35df3e00ca4ef31d42b34bebaa2f86e` [⏩](https://app.binaryedge.io/services/query?query=ssl.server_info.ja3_digest:e35df3e00ca4ef31d42b34bebaa2f86e&page=1)

## Misc

**RDP only with screenshot**

`type:rdp has_screenshot:true` [⏩](https://app.binaryedge.io/services/query?query=type:rdp%20has_screenshot:true&page=1)

**BlueKeep** - machines vulnerable to BlueKeep

`type:bluekeep` [⏩](https://app.binaryedge.io/services/query?query=type:bluekeep&page=1)

**FTP** - look for the word `games` in the listing of FTP servers open to the anonymous user

`type:ftp ftp.user:anonymous ftp.names:"games"` [⏩](https://app.binaryedge.io/services/query?query=type:ftp%20ftp.user:anonymous%20ftp.names:%22games%22&page=1)

**rsync** - look for the word `linux` in the banner of open rsync servers

`type:rsync rsync.banner:linux` [⏩](https://app.binaryedge.io/services/query?query=type:rsync%20rsync.banner:linux&page=1)

# Queries - Images tab

Looking for a reverse DNS parent domain

`rdns_parent:verizon.com` [⏩](https://app.binaryedge.io/services/images?query=rdns_parent:verizon.com&page=1)

Looking for VNC in the United States

`tags:"vnc" country:US` [⏩](https://app.binaryedge.io/services/images?query=tags:%22vnc%22%20country:US&page=1)

Looking for hacked machines - this uses our OCR system

`hacked` [⏩](https://app.binaryedge.io/services/images?query=hacked&page=1)

Looking for RDP in a specific ASN

`asn:"16276" tags:"rdp"` [⏩](https://app.binaryedge.io/services/images?query=asn:%2216276%22%20tags:%22rdp%22&page=1)
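The queries above all follow one small grammar: `field:value` terms ANDed by spaces, double-quoted values when the value has spaces or punctuation, `>` / `<` on numeric and version fields (Basics, Databases), the `_exists_:` pseudo-field (Web searches) and bare keywords such as `"Citrix-TransactionId"`, with each ⏩ button being the query URL-encoded into an `app.binaryedge.io/services/query` (Hosts tab) or `/services/images` (Images tab) link. The following is an added example, not part of the cheatsheet and not BinaryEdge's own tooling: a small Python module that composes such queries, scopes any of the fingerprint queries above to your own ASN or country (the defender's use of a cheatsheet like this: checking what of yours is exposed), tokenises a query back into its terms, and reproduces the page's links byte for byte. The function names (`q`, `raw`, `between`, `exists`, `scoped`, `hosts_link`, `images_link`, `parse_query`) and the `LINK_SAFE` character set are this example's own choices; every field name used appears on the page.

```python
"""Compose, scope, parse and link BinaryEdge Hosts/Images-tab queries.

Added example, not the cheatsheet's or BinaryEdge's own code. It only
reproduces the query grammar shown on the page and the link format behind
the page's arrow buttons; the field names are the ones the page uses.
"""
import re
from urllib.parse import quote

APP = "https://app.binaryedge.io/services"

# Besides the RFC 3986 unreserved set, the page's links leave ':' (between
# field and value) and '!' (see the FRITZ!Box query) unencoded; everything
# else, including '/', is percent-encoded.
LINK_SAFE = ":!"


def q(field, value):
    """Term with a double-quoted value: product:"nginx", web.title:"Admin"."""
    return f'{field}:"{value}"'


def raw(field, value):
    """Term with an unquoted token: type:mongodb, mqtt.auth:false."""
    return f"{field}:{value}"


def between(field, lower, upper):
    """Exclusive range on a numeric or version field, as the page writes it."""
    return f"{field}:>{lower} {field}:<{upper}"


def exists(field):
    """Match hosts that have the field at all (option 1 for web headers)."""
    return f"_exists_:{field}"


def build(*terms):
    """Join terms with spaces; BinaryEdge ANDs them."""
    return " ".join(terms)


def scoped(query, asn=None, country=None):
    """Restrict any catalogue query to your own ASN and/or country so the
    result set is 'our exposed X' rather than 'all exposed X'."""
    terms = [query]
    if asn is not None:
        terms.append(q("asn", asn))
    if country is not None:
        terms.append(q("country", country))
    return build(*terms)


def _link(tab, query, page):
    return f"{APP}/{tab}?query={quote(query, safe=LINK_SAFE)}&page={page}"


def hosts_link(query, page=1):
    """Link into the Hosts tab, identical to the page's arrow links."""
    return _link("query", query, page)


def images_link(query, page=1):
    """Link into the Images tab (screenshots, OCR text, rdns_parent)."""
    return _link("images", query, page)


# One term: optional field (a space after the colon is tolerated, the page
# has one such query), optional < or > operator, quoted or bare value.
TERM_RE = re.compile(
    r'(?:(?P<field>[A-Za-z0-9_.]+):\s*)?(?P<op>[<>]?)(?P<value>"[^"]*"|\S+)'
)


def parse_query(query):
    """Split a query into (field, op, value) tuples. field is None for a
    bare keyword, op is '' / '>' / '<', surrounding quotes are stripped."""
    terms = []
    for m in TERM_RE.finditer(query):
        value = m.group("value")
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        terms.append((m.group("field"), m.group("op"), value))
    return terms


if __name__ == "__main__":
    # Constructed usage: the nginx range query from Basics, scoped to the
    # ASN the page uses in its own example, then the page-identical link.
    nginx = build(q("product", "nginx"), between("version", "1.10.3", "1.14.0"))
    print(hosts_link(scoped(nginx, asn="16509")))
    print(parse_query('web.path.keyword: "/mifs/user/login.jsp"'))
```

`scoped()` is the piece worth keeping around: run every vendor query from the Firewalls section through it with your own `asn` and you get an inventory of what the scanner can attribute to you, which is the list to compare against your asset register.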