When John Matherly released SHODAN, search engine which could collect data on web servers like HTTP port 80, FTP etc. It was considered a success, in the hackers point of view. And now there’s censys.


Censys was created by a group of scientists from the University of Michigan as an instrument to make Internet more secure. In fact, both Shodan and Censys are meant for security researches, but as the duo gains more and more attention, there certainly can be a lot of people who would try to use it for more nefarious purposes.
Censys is just like shodan but, more user friendly and works in a better and broader way. Censys is like a time saving buddy for the system lovers or the so called hackers.






Millions of devices like the home routers, ip cameras, mobile phones use same set of cryptographic keys for SSH secure shells or https. Which makes them vulnerable to hijacking. The vendors build and deploy their products. Typically, the vendors build their device’s firmware based on software development kits (SDKs) received from chip makers. They are too lazy to change the codes.


Censys conducts a daily scan on whole internet database almost everything. It scans all the IPv4 addresses which controls the majority internet traffic. It makes sure that it checks all the possible vulnerabilities. When researcher conducted the mass scan of 4 billion ip addresses the result was shocking.


“We have found everything from ATMs and bank safes to industrial control systems for power plants. It’s kind of scary,” said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan and inventor of ZMap. Censys uses mainly two tools.








The first step of collecting data is Zmap(20) it performs single packet host discovery and scans all the Ipv4 address space. Hosts found by ZMap seed pluggable application scanners, which perform a followup application layer handshake and produce structured JSON data describing a certain aspect of how a host is configured. Typically, application scanners only perform a single handshake and measure one aspect of how a service is configured. For example, they perform separate horizontal scans and use different pluggable scanners to measure how HTTPS hosts respond to a typical TLS handshake, whether hosts support SSLv3, and whether a host is vulnerable to the heart bleed attack. Since collecting all the data from a single scan may cause load on the host., it instead uses scheduled scans thereby aggregating the data collected from each scheduled scans.





It is a fast and more extensible application scanner. At this time, ZGrab supports application handshakes for HTTP, HTTP Proxy, HTTPS, SMTP(S), IMAP(S), POP3(S), FTP, CWMP, SSH, and Modbus, as well as StartTLS, Heartbleed, SSLv3, and specific cipher suite checks. On a dual-Xeon E5-2640 (6-cores at 2.5 GHz) system with an Intel X520 ethernet adapter, ZGrab can complete HTTPS handshakes with the full IPv4 address space in 6h20m, and a banner grab and StartTLS connection with all publicly accessible SMTP hosts in 3h9m, 1.86k and 1.32k hosts/second respectively. In simple words ZMap quickly identifies hosts and ZGrab produces structured data about each of those hosts. Zgrab can be used independently. It does on even on one host from simply reading and writing a data to initiating a handshake.


Censys exposes data back to the community, which ranges from researchers who need to quickly perform a simple query to those who want to perform in-depth analysis on raw data. In order to meet these disparate needs, they are exposing the data to researchers through several interfaces, which offer varying degrees of flexibility.


1) a web-based query and reporting interface,

2) a programmatic REST API,

3) Public Google BigQuery tables,

4) Raw downloadable scan results. They are planning to publish pre-defined dashboards that are accessible to users outside of the research community.

Neither Shodan nor Censys are likely to be used by some serious cyber criminals — the real big bad guys have had botnets for a while, which can serve the very same purpose yet yield more power. It took Shodan’s creator John Matherly only 5 hours to ping and map all the devices on the whole Internet, and a botnet utilising hundreds of computers would probably do that even faster.


But there are a lot of other people who already have tried to misuse Shodan and Censys to play bad tricks and pranks on other people. And while the problem with the IoT security is mostly for the manufacturers to solve, there are a few things that you can do about it to secure those connected things that actually belong to you.



August 25, 2016

iOS 9.3.5 is now out. Update like you’ve never updated before. #Trident

August 24, 2016

This translation toolset is a very neat asset to any penetration tester and especially useful for exploit development and Web Application Pen Testing.


Easy SMTP Mail Relay Test

Author: Martin Voelk,
August 23, 2016

This is a neat tool to test for open relays. Whilst most true open relays are not out there these days, internal relay is as dangerous? Why? Imagine Mr Tom Smith is the boss of Mr Jack Miller. Now Jack Miller sends an insulting email to Tom Smith which could terminate his work contract. Likewise a fake Smith to Miller mail could create serious disturbance. We come across those internal relay problems in many of our audits. Disable internal mail relaying!


Dangerous FTP dork

Author: Martin Voelk,
August 22, 2016

The following Google dork reveals open FTP directories spidered and indexed by Google. Shocking! As always, use responsibly but test for your own web site by adding the site operator

inurl:ftp -inurl:(http|https) inure:ftp -inurl:(http|https)




An unknown hacker or a group of hackers just claimed to have hacked into “Equation Group” — a cyber-attack group allegedly associated with the United States intelligence organization NSA — and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools) online.


In what security experts say is either a one-of-a-kind breach or an elaborate hoax, an anonymous group has published what it claims are sophisticated software tools belonging to an elite team of hackers tied to the US National Security Agency.


Screenshot from 2016-08-17 10:08:23



In a recently published blog post, the group calling itself Shadow Brokers claims the leaked set of exploits were obtained after members hacked Equation Group (the post has since been removed from Tumblr, but a cached version here was still available as this post was going live). Last year, Kaspersky Lab researchers described Equation Group as one of the world’s most advanced hacking groups, with ties to both the Stuxnet and Flame espionage malware platforms. The compressed data accompanying the Shadow Broker post is slightly bigger than 256 megabytes and purports to contain a series of hacking tools dating back to 2010. While it wasn’t immediately possible for outsiders to prove the posted data—mostly batch scripts and poorly coded python scripts—belonged to Equation Group, there was little doubt the data have origins with some advanced hacking group.

The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including, Cisco, Juniper, and Fortinet.


According to the leaked files, Chinese company ‘Topsec’ was also an Equation Group target.


The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like “BANANAGLEE” and “EPICBANANA.”


Screenshot from 2016-08-17 10:08:40 Screenshot from 2016-08-17 10:08:56 Screenshot from 2016-08-17 10:09:24


It is yet not confirmed whether the leaked documents are legitimate or not, but some security experts agree that it likely is. “I haven’t tested the exploits, but they definitely look like legitimate exploits,” Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.


While some are saying that the leak could be a very well-researched hoax, and the Bitcoin auction could be nothing but a distraction in an attempt to gain media attention.
At the same time, the Risk Based Security post cautioned that so-called false-flag operations—in which attackers manufacture evidence that falsely implicates others—is a regular occurrence in hacking campaigns, particularly those sponsored by nations. If the claims in the Shadow Brokers’ post are true, this may be one of the only publicly known times the NSA has been compromised. But even if the claims turn out to be exaggerated, the Shadow Brokers’ post is significant, if only for the amount of work and planning that went into the fabricating evidence to provoke one of the world’s most advanced hacking operations.




Help an abused puppy

Author: Martin Voelk,
July 16, 2016

Squid proxy server

Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.

The vulnerability allows attackers to compromise connections using a maliciously-crafted packet. A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.
Chen says the attack can be executed against versions 3.5.12 and below using malicious Flash advertisements.

“The attack enables cache poisoning of ANY unencrypted HTTP website,”.


Cache Poisoning issue in HTTP Request handling


Incorrect input validation of HTTP Request messages lets clients use an absolute-URI on port 80 to bypass the protection previously added to Squid for CVE-2009-0801 and other related attack vectors. This can lead to cache poisoning of the Squid and browser caches, bypass of same-origin and sandbox protections in browsers.


“The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache controlled by the attacker” before hitting a victim site. It’s not hard to stage the attack as “… attackers can readily obtain the necessary vantage point using techniques such as web ads.”

“For successful exploitation, an attacker must be able to send requests to some website (like through the proxy server. Under this scenario, the attacker first establishes a TCP connection with the web server. As far as Squid works in transparent proxy mode, these requests are intercepted and transmitted further. At the next stage, the attacker initiates the following HTTP request:


GET HTTP/1.1 Host:
The cache module uses the host address from the request string ( to create the key; however, the verification module uses the Host header ( to check the communication between the host and the IP address. This is what makes the attack possible.





The vulnerability was already fixed but there is still no CVE for the issue or patched version of Squid available. The bug fix is included only in the daily builds for 4 and 3.5 versions.


C51 Security researchers recommend enabling the host_verify_strict option which is disabled by default, and considering the Suricata intrusion detection system rules to detect exploitation attempts.





Researchers have discovered several vulnerabilities in the popular image processing suite ImageMagick, including a serious remote code execution flaw that has been exploited in the wild.

ImageMagick is a free and open-source software package that allows users to display, convert and edit image files. The ImageMagick library is used by many image-processing plugins, which means that the software is present in a large number of web applications.


The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.


While analyzing a flaw found by a researcher who uses the online moniker “Stewie,” Nikolay Ermishkin from the Mail.Ru security team discovered a remote code execution vulnerability (CVE-2016-3714) related to insuficient filtering of shell characters.

The vulnerability, dubbed “ImageTragick,” can be exploited by uploading a specially crafted file to a website that processes images using ImageMagick.


An attacker can create an exploit file and assign it an image extension, such as .png, in order to bypass the targeted site’s file type checks. ImageMagick determines the file type based on so-called “magic bytes,” the first few bytes of a file that are specific to each file type. Once it detects that it’s not an actual .png, ImageMagick converts the file and the malicious code is executed in the process, allowing the attacker to gain access to the targeted server.


An exploit for this vulnerability is publicly available and experts say it has already been leveraged in the wild.

ImageMagick developers attempted to patch the vulnerability with the release of versions 6.9.3-9 and 7.0.1-0 on April 30, but researchers say the fix is incomplete. Another patch will be included in ImageMagick 7.0.1-1 and 6.9.3-10, which are expected to become available by this weekend.

In the meantime, users have been advised to disable vulnerable coders by modifying their policy files. Another mitigation involves verifying that magic bytes correspond to image file types before sending the file to ImageMagick for processing.


Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in ‘/etc/ImageMagick’.
Other vulnerabilities found in ImageMagick can be exploited to move, read or delete files (CVE-2016-3716, CVE-2016-3717 and CVE-2016-3715), and for server-side request forgery, or SSRF, attacks (CVE-2016-3718).


Map Real Time Cyber Attacks

Author: Satish Arthar,
May 4, 2016

It seems nearly every day we’re reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it’s often difficult to visualize this type of activity. In this post, we’ll take a look at multiple ways of tracking online attacks and attackers around the globe and in real-time.


A couple of notes about these graphics. Much of the data that powers these live maps is drawn from a mix of actual targets and “honeypots,” decoy systems that security firms deploy to gather data about the sources, methods and frequency of online attacks. Also, the organizations referenced in some of these maps as “attackers” typically are compromised systems within those organizations that are being used to relay attacks launched from someplace else.

The main method is by getting reports back from Intrusion Detection Systems. So each attack that hits an IDS is reported back you have the source of the attack – which may not be the instigator – just the ip registered as attacking you. and of course the target is known to the IDS as the IDS IS the target.The IDS could be software or hardware based.


FireEye Cyber Threat Map, While the FireEye Cyber Threat Map doesn’t technically operate in real time, it does generate a very interesting picture of how surreptitiously installed malware communicates with the server systems that are remotely controlling the malicious software.






My favorite – and perhaps the easiest way to lose track of half your workday (and bandwidth) comes from the folks at Norse Corp. Their map – IPViking – includes a wealth of data about each attack, such as the attacking organization name and Internet address, the target’s city and service being attacked, as well as the most popular target countries and origin countries.



Screenshot from 2016-05-04 14:45:27


Another live service with oodles of information about each attack comes from Arbor Networks’ Digital Attack map. Arbor says the map is powered by data fed from 270+ ISP customers worldwide who have agreed to share anonymous network traffic and attack statistics.



Screenshot from 2016-05-04 14:13:50



Kaspersky’s Cyberthreat Real-time Map is a lot of fun to play with, and probably looks the most like an interactive video game. Beneath the 3-D eye candy and kaleidoscopic map is anonymized data from Kaspersky’s various scanning services. As such, this fairly interactive map lets you customize its layout by filtering certain types of malicious threats, such as email malware, Web site attacks, vulnerability scans, etc.



Screenshot from 2016-05-04 21:12:33



The Cyberfeed, from Anubis Networks, takes the visitor on an automated tour of the world, using something akin to Google Earth and map data based on infections from the top known malware families. It’s a neat idea, but more of a malware infection map than an attack map, and not terribly interactive either. In this respect, it’s a lot like the threat map from Finnish security firm F-Secure, the Global Botnet Threat Activity Map from Trend Micro, and Team Cymru’s Internet Malicious Activity Map.



The Honeynet Project’s Honey Map is not super sexy but it does include a fair amount of useful information about real-time threats on honeypot systems, including links to malware analysis from Virustotal for each threat or attack.



Additionally, the guys at OpenDNS Labs have a decent attack tracker that includes some nifty data and graphics.


Speaking of attacks, some of you may have noticed that this site was unreachable for several hours over the last few days. That’s because it has been under fairly constant assault by the same criminals who attacked Sony and Microsoft’s gaming networks on Christmas Day. We are moving a few things around to prevent further such disruptions, so you may notice that some of the site’s features are a tad flaky or slow for a few days.


We made ths post becoz, we Cyber51 decided to build one of our own. When we started more focused on user experience and information accessibility. We were able to create a close to real time cyber attack monitoring system that is engaging, interactive, and insightful. Soon it may suprise you all with nice some functions.