bug bounty hunting

SecurityTrails Blog · Apr 08 · by Esteban Borges

How to Query Massive Port Scan Data with the SecurityTrails API™

Reading time: 6 minutes

The most important part of both bug bounty hunting and security research is the ability to find vulnerabilities quickly, before an attacker can take advantage of them.

A Linux-based server has around 65,535 ports available. While some ports are reserved for system-level services, most of the other ports can run a service running off of it, for example, an SSH server, FTP server, web server and so on. These services form a large part of your attack surface and are accessible to and from the public internet.

In most cases, databases and other critical services are bound to ports which are available only on localhost / 127.0.0.1, but in certain cases when data has to be accessed remotely these ports are made to bind onto publicly-accessible IP addresses.

Once it’s on the public internet, an open port is like a door—it can be opened or closed. The opening and closing of the port is often controlled by a firewall which allows whitelisted IP addresses to access the port, and denies non-whitelisted IP addresses from accessing the port.

If a firewall isn’t in place or misconfigured, the port simply remains open to anyone trying to access it and allows anyone to connect to it. Unfortunately, this leads to a risk of multiple security threats. For example, if you’re running an older version of a database software with a known authentication vulnerability, the lack or misconfiguration of a firewall allows attackers to exploit said vulnerability and steal data from your database.

Therefore, scanning for open ports on your own networks, or on third-party networks as part of any bug bounty programs becomes essential.

How to get massive port scan data for Bug Bounty Hunting

There are a lot of options when it comes to finding the best port scanners available. One of the most traditional ways is to use software like Nmap, but this comes with certain disadvantages, such as:

  • Scanning IP ranges can take a long time as 65k ports need to be probed for each IP in the range. For larger ranges like /24 and beyond it can take hours, if not days, at times.
  • Certain systems use automated firewall systems and applications like fail2ban which automatically ban port-scanning IP addresses, often leading to incomplete or incorrect results.
  • To speed up the scan and avoid blocks, the scan can be distributed across systems or different networks, while there are proper ways to do this, most of the people will increase the cost of performing the scan at the end.

To avoid all of the above issues and reduce cost, the easiest way to find any open ports is by fetching the data using the DSLv1 query language, which will give you results almost immediately.

To get this information using the DSLv1 query language, we first need the following information:

  • Your SecurityTrails API™ key”
    This can be found under your account at https://securitytrails.com/app/account/credentials
  • START_PORT and END_PORT
    The START_PORT and END_PORT values are used to signify the starting port number and ending port number you are targeting, for example, between 80 and 443
  • IP_RANGE/HERE
    This is the IP range with netmask you wish to target your port scan against, for example 34.102.136.1/24, 8.8.8.8/29, etc

In our example below, we fetched port scan data between the ports 1000 and 4000 and looked up the range 34.102.136.1/29:

curl --request POST \
   --url https://api.securitytrails.com/v1/ips/list \
   --header 'APIKEY: api_key_here' \
   --header 'Content-Type: application/json' \
   --data '{"query":"port between 1000 and 4000 AND ip = '\''34.102.136.1/29'\''"}'

Which then returned to us the results, including the PTR record of each IP address mentioned in the range in the query, the open ports, and a timestamp of when the last check was run:

Ports scan results

The result is provided in JSON format, which can be parsed easily to transfer the information into any application or workflow you have for the scanned results.

Other bug bounty hunting tricks to perform with our DSLv1

The DSLv1 feature also offers multiple powerful features allowing you to find PTR records and filter by keywords, for example, finding information with a substring of a hostname (e.g., “oracle”).

Searching for PTR Records with DSLv1

The next curl command searches the IP range 34.102.136.1/29 for IPs with PTR records containing the keyword “googleusercontent.com”:

curl --request POST \
   --url https://api.securitytrails.com/v1/ips/list \
   --header 'APIKEY: api_key_here' \
   --header 'Content-Type: application/json' \
   --data '{"query":"ptr_part = '\''googleusercontent.com'\'' AND ip = '\''34.102.136.1/29'\''"}'

And then lists them:

Searching for PTR Records

As you can see, this is another good way to use the DSLv1 query language, this time looking into PTR records that contain certain keywords.

Find all the open ports for IP addresses belonging to a certain ASN/network

Now let’s consider a slightly more advanced search, where we want to search for all the open ports seen on IPs which belong to 1, 2 or multiple networks or ASNs.

For this we combine the BGPView API with the SecurityTrails API™ PHP Wrapper.

Replace the following:

  • YOUR_API_KEY_HERE = Add your SecurityTrails API Key here
  • ASN_1, ASN_2, ASN_3 = With the AS-Numbers you wish to port scan
  • START_PORT_HERE = The start port you are looking at, for example 80
  • END_PORT_HERE = The end port you are looking at, for example 443
<?php

require 'securitytrails.php';
$securitytrails = new SecurityTrails("YOUR_API_KEY_HERE");
$asn = array("ASN_1", "ASN_2", "ASN_3");
$start_port = "START_PORT_HERE";
$end_port = "END_PORT_HERE";

for($i = 0; $i < sizeof($asn); $i++) {
   $url = "https://api.bgpview.io/asn/$asn[$i]/prefixes";
   $ch = curl_init();
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
   curl_setopt($ch, CURLOPT_URL,$url);
   $result = curl_exec($ch);
   curl_close($ch);

   $result = json_decode($result, true);

   if($result['status'] == "ok") {
      for($j = 0; $j < sizeof($result['data']['ipv4_prefixes']); $j++) {
         $ip_prefix = $result['data']['ipv4_prefixes'][$j]['prefix'];
         $query = "port between $start_port and $end_port AND ip = '$ip_prefix'";
         $output = (json_decode($securitytrails->searchWithDSL($query), true));
         var_dump($output);
       }
    }
}
?>

The above output will return the ports open between the START_PORT and END_PORT for every single IPv4 range present in the AS-numbers mentioned.

Going further with DSLv1

As seen in our examples, a lot is possible with DSLv1, and combining multiple APIs to feed into DSLv1 can make your workflows much simpler and as well as automate them. Check out more possibilities with DSLv1 query language at the following links:

Summary

Quite simply, finding massive port scan data has never been easier—because the DSLv1 feature now makes port data inspection possible, and nearly instant. Results provided in JSON add a significant advantage when you need to transfer them into another application in your workflow.

Also, combining tools such as BGPView into the DSLv1 feature provides unmatched benefits in speed and accuracy when looking into complete networks/ASNs port data.

Don’t miss this opportunity, grab our Bug Bounty Hunting Toolkit now.

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.