# ODH - Open Database Hunting
Where do most data breaches originate? From an open web server somewhere, hosting an unauthenticated database. How do people find them? They use services like Censys, Shodan, and more.

Here's how to find all types of databases through each service.
- **[Databases](#databases)**
  - [ElasticSearch](#elasticsearch)
    - [Exfiltration](#exfiltration)
    - [Ports](#ports)
    - [Identifiers](#identifiers)
  - [Redis](#redis)
    - [Exfiltration](#exfiltration-1)
    - [Ports](#ports-1)
  - [Amazon S3](#amazon-s3)
    - [Exfiltration](#exfiltration-2)
    - [Ports](#ports-2)
    - [Identifiers](#identifiers-1)
  - ~~[MongoDB](#mongodb)~~
- **[Services](#services)**
  - [Censys.io](#censysio)
    - [Queries](#queries)
  - ~~[BinaryEdge](#binaryedge)~~
  - ~~[Shodan](#shodan)~~

# Databases
Here are all the different types of databases you can find using the services I have mentioned. Note that some of these will require authentication or third-party software to access; there is no 100% success rate.

## ElasticSearch
ElasticSearch is a search database that does not enable authentication by default. This is great for us, as most of these will be unsecured and easy to access.

### Exfiltration
There is a very nice Chrome extension called ElasticVue. It lets you browse an ElasticSearch database without making raw requests, through a GUI that I find very informative.
[https://elasticvue.com/](https://elasticvue.com/)

### Ports
```
Default: 9200/9201
Alternative: Any port that serves HTTP content
```

### Identifiers

**JSON Raw**:
```
tagline: "You know, for search."
```

**HTTP Title**:
```
none
```

**Favicon**:

![](icons/elasticsearch/favicon.ico "ElasticSearch Favicon")

## Redis
Redis is commonly used as a caching service, database, and data storage server. It's quite complicated, and most of the time you will only find data for websites. However, you can usually edit files in the cache right from the start.
So even if you don't find sensitive information, you can edit stored HTML or data used in the website and elevate to stored XSS.

### Exfiltration
You can use a few common CLIs, or my favourite program: Redis Desktop Manager.
This program is fantastic, as it simplifies the entirety of an extremely complicated application. It's open source, but you can also buy Microsoft Store versions to support the developers. You can find out more about it here:
[https://github.com/uglide/RedisDesktopManager](https://github.com/uglide/RedisDesktopManager)

### Ports
```
Default: 6379
Alternative: unknown
```

## Amazon S3
You've probably heard of Amazon S3. This service is mainly a static file host, with files stored in containers called buckets. However, many buckets store sensitive files, and sometimes credentials are leaked that allow you to modify the contents of a bucket.

### Exfiltration
There is a command line application you can use called `aws-cli`. It allows you to run various operations against these servers, such as listing, uploading, and modifying files.
[https://aws.amazon.com/cli/](https://aws.amazon.com/cli/)

### Ports
```
Default: 80/443/8080
Alternative: Any port that serves HTTP content
```

### Identifiers
**CNAME**:
```
[bucketname].s3.[region].amazonaws.com
```
**HTML Raw**:
```

```
**HTTP Title**:
```
bucket_name/none
```

# Services
## Censys.io
Censys is a very similar service to Shodan; however, it gives us a major benefit over Shodan. Censys does have a paid license, but it does not limit search results the way Shodan does: Censys allows you to view every page of results, no matter what. You only get 250 searches per month, though I think that is more than enough.
https://censys.io

### Queries
With Censys you have interesting options for querying and searching.
They offer quite advanced search options; however, in my experience they often give inaccurate results.

I am quite a fan of these search options:
```
443.https.tls.certificate.parsed.names:google.com
```
This filters to hosts whose TLS certificate on port 443 names the domain `google.com`, which narrows the results to IPs belonging to that organization.
```
ports:9200 AND NOT 443.https.tls.certificate.parsed.names:*
```
This query filters for ElasticSearch instances (port 9200 open) that do not have a domain tied to them, i.e. no certificate names on 443. This helps find hidden VPSes or networks hosting databases, though sometimes you will come across personal results.

## BinaryEdge
\[TODO\]
## Shodan
\[TODO\]
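The identifiers listed under Databases above can also be used by an administrator to audit their own hosts. The following is an added example, not code from the ODH repository: it classifies a captured response to `GET /` on a suspected ElasticSearch port using the README's tagline identifier, reports whether the banner came back without credentials, and parses the S3 CNAME pattern into bucket and region. The sample responses are constructed, and the function names are my own.

```python
# Audit helper for the identifiers in this README (added example, not part of ODH).
import json
import re
from dataclasses import dataclass
from typing import Optional

ES_TAGLINE = "You know, for search."  # the JSON Raw identifier quoted above

# [bucketname].s3.[region].amazonaws.com, the CNAME identifier listed for Amazon S3
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3\.(?P<region>[a-z]{2}-[a-z]+-\d)\.amazonaws\.com$"
)

@dataclass
class EsFinding:
    is_elasticsearch: Optional[bool]  # None: an auth challenge hid the banner, so unknown
    unauthenticated: bool             # True only when the banner was served without credentials
    version: Optional[str] = None
    cluster_name: Optional[str] = None

def classify_es_root(status: int, headers: dict, body: str) -> EsFinding:
    """Classify the response to GET / on a suspected ElasticSearch HTTP port (9200/9201)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in hdrs:
        # Security is enforced: no banner was disclosed, so the product cannot be confirmed.
        return EsFinding(is_elasticsearch=None, unauthenticated=False)
    try:
        doc = json.loads(body)
    except ValueError:
        return EsFinding(is_elasticsearch=False, unauthenticated=False)
    if not isinstance(doc, dict) or doc.get("tagline") != ES_TAGLINE:
        return EsFinding(is_elasticsearch=False, unauthenticated=False)
    ver = doc.get("version")
    version = ver.get("number") if isinstance(ver, dict) else None
    return EsFinding(True, status == 200, version, doc.get("cluster_name"))

def parse_s3_host(hostname: str) -> Optional[tuple]:
    """Return (bucket, region) when hostname matches the S3 CNAME pattern, else None."""
    m = S3_HOST_RE.match(hostname.strip().lower())
    return (m.group("bucket"), m.group("region")) if m else None

# Constructed sample responses (not captured from any real host).
SAMPLE_OPEN_ES = (200, {"Content-Type": "application/json"},
                  json.dumps({"name": "node-1", "cluster_name": "lab-cluster",
                              "version": {"number": "7.10.2"}, "tagline": ES_TAGLINE}))
SAMPLE_LOCKED_ES = (401, {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'},
                    '{"error":{"type":"security_exception"}}')

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN_ES, SAMPLE_LOCKED_ES):
        print(classify_es_root(*sample))
    print(parse_s3_host("team-backups.s3.eu-west-1.amazonaws.com"))
```

A host that returns the tagline with status 200 is serving its banner to anyone, which is the condition the README describes as "unsecured"; a 401 challenge means security is enabled and the banner alone no longer identifies the product.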