Tuesday, August 6, 2013

Discovering vulnerable hosts through SHODAN's API


So one of the many ways of discovering and enumerating hosts on the Internet is through the well-known SHODAN search engine. Shodan's distinguishing feature is that it lets you search service banners for specific keywords. One can add granularity to searches through various filters, allowing you to specify countries, cities, hostname, subnet, operating system, ports, etc.

Some of these search filters aren't public, so you'll need an API key to use them, which you get after payment. In fact, there's a nice anniversary promotion right now for $19. A full account gives full access to the API, including SSL search filters (cipher type, key length, CA, ...), searching Metasploit modules and exploit-db, exporting results, and some more stuff.

Whatever the reason you have to search for vulnerable hosts on the Internet, this is the appropriate kind of service for you. I've written a Python script around Shodan's API. It lets you fetch results from the command line, which is always handy when dealing with a great deal of data (treat yourself to http://blog.commandlinekungfu.com/). If it's of use to you, there's a copy at:

https://github.com/salcho/shodan_code

You'll need the Python shodan library, which can be installed through easy_install. You'll also need to paste your API key into the SHODAN_KEY variable.

Of course, Shodan is widely used to find default admin passwords on network devices, applications and services in all sorts of equipment: IP cameras, routers, smartphones, tablets and whatnot. Similarly, many vulnerabilities can be fingerprinted through this kind of search. As the Metasploit guys say: good exploits never die. One such exploit is the GlassFish authentication bypass through the Verb Tampering vulnerability.

Found in 2011 by Core Security, many, many hosts are still vulnerable today. One can find such hosts with the shodan_code script, for example by narrowing the search to specific countries or cities:



Output is written as JSON objects to a log file, which can then be parsed in a variety of ways: command line, scripting, sqlite, etc. I'm currently using some awk, sort and uniq combinations, but a parser script should arrive soon enough. Logged objects include hostnames, raw banners, IP addresses, ports, geolocation, OS, ISP and registered organization, among others.
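Since the log is one JSON object per line, a small parser is enough to replace the awk/sort/uniq combinations. The script below is an added example written for this post, not the shodan_code script or any Shodan-provided code. It assumes the field names Shodan returns for a banner (ip_str, port, data, hostnames, org, isp, os, location); the sample records are constructed and point at documentation-only addresses. It tolerates malformed lines (an interrupted run leaves half-written objects), pulls the Server header out of each raw banner, counts matches for a product by organization and country, and, from the defender's side, filters the log down to a single organization so an admin can see what their own network exposes.

```python
import json
from collections import Counter

# Constructed sample log (not real hosts). Field names follow the banner
# format the Shodan API returns; all values are made up, and the last line
# stands in for a half-written record from an interrupted run.
SAMPLE_LOG = r'''
{"ip_str": "203.0.113.10", "port": 4848, "data": "HTTP/1.1 200 OK\r\nServer: GlassFish Server Open Source Edition 3.1.2\r\n", "hostnames": ["app1.example.net"], "org": "Example Hosting", "isp": "Example ISP", "os": null, "location": {"country_name": "Spain", "city": "Madrid"}}
{"ip_str": "203.0.113.11", "port": 8080, "data": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n", "hostnames": [], "org": "Example Hosting", "isp": "Example ISP", "os": "Linux", "location": {"country_name": "Spain", "city": "Madrid"}}
{"ip_str": "198.51.100.7", "port": 4848, "data": "HTTP/1.1 200 OK\r\nServer: GlassFish Server Open Source Edition 3.0.1\r\n", "hostnames": ["admin.example.org"], "org": "Example University", "isp": "Example ISP", "os": null, "location": {"country_name": "Colombia", "city": "Bogota"}}
{"ip_str": "198.51.100.8", "port": 80, "data": "HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\n", "hostnames": [], "org": "Example University", "isp": "Example ISP", "os": "Linux", "location": {"country_name": "Colombia", "city": "Bogota"}}
{"ip_str": "198.51.100.9", "port": 443, "data": "HTTP/1.1 200 OK\r\nSer
'''


def parse_log(text):
    """Return one dict per well-formed JSON line; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or garbage line: skip rather than abort the whole run
        if isinstance(rec, dict) and "ip_str" in rec:
            records.append(rec)
    return records


def server_header(banner):
    """Extract the value of the Server: header from a raw HTTP banner, or None."""
    for header in banner.splitlines():
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def summarize(records, product):
    """Collect records whose Server header names `product`, counted by org and country."""
    by_org = Counter()
    by_country = Counter()
    matches = []
    for rec in records:
        srv = server_header(rec.get("data", "")) or ""
        if product.lower() not in srv.lower():
            continue
        matches.append((rec["ip_str"], rec.get("port"), srv))
        by_org[rec.get("org") or "unknown"] += 1
        country = (rec.get("location") or {}).get("country_name") or "unknown"
        by_country[country] += 1
    return matches, by_org, by_country


def own_exposure(records, product, org_name):
    """Defender's view: which of my own organization's hosts advertise `product`?"""
    mine = [r for r in records if (r.get("org") or "") == org_name]
    matches, _, _ = summarize(mine, product)
    return matches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    matches, by_org, by_country = summarize(recs, "GlassFish")
    print("parsed %d records, %d matching banners" % (len(recs), len(matches)))
    for ip, port, srv in matches:
        print("  %s:%s  %s" % (ip, port, srv))
    print("by org:", dict(by_org))
    print("by country:", dict(by_country))
    print("Example University exposes:", own_exposure(recs, "GlassFish", "Example University"))
```

Run it against a real log by reading the file into the text passed to parse_log; matching on the Server header rather than the whole banner keeps unrelated hits (a page body that merely mentions the product) out of the counts.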

Once that info is parsed, point missiles:


And that's it... Just another day at the office.