
SecurityTrails Blog · Jul 12 · SecurityTrails team

New Features: Endpoints for Reverse DNS and Open Ports

We have added two new endpoints that are available in the SecurityTrails Professional Plan or higher. The endpoints allow you to get information on Reverse DNS PTR records and Open TCP ports.

To be able to provide this data, we are using scans from Rapid7 Labs Open Data. A big thanks to Derek Abdine and his team for gathering these scans. We are supplementing it with our own data and loading it into our API to make it fast and easy for you to run queries.

You can buy SecurityTrails API access directly from the pricing page or upgrade from your console.

Here are descriptions and examples of the new API endpoints:

Search IPs

documentation

With this endpoint, you can search for open ports by a single IP address like 13.248.22.1 or a block of IPs like 52.94.38.0/24, or search partial reverse DNS PTR records.

An example of the latter would be querying all IPs that have the last part of the PTR set to “amazon.com”:

curl --request POST \
  --url https://api.securitytrails.com/v1/ips/list \
  --header 'apikey: **your_api_key**' \
  --header 'content-type: application/json' \
  --data '{
    "query": "ptr_part = '\''amazon.com'\''"
}'

The result includes the IP, reverse DNS record for every IP and all open ports found on each individual IP:

{
    "ptr": "pdx-b-orca.amazon.com",
    "ports": [
        443
    ],
    "ip": "52.94.120.58"
},
{
    "ptr": "pdx-c-orca.amazon.com",
    "ports": [
        443
    ],
    "ip": "52.94.120.70"
},

For open ports, we are currently checking the following popular ports: FTP 21, FTPS 990, HTTP 80, HTTPS 443, Redis 6379, SSH 22, CouchDB 5984, ElasticSearch 9200, Memcached 11211. The data is updated every couple of weeks right now. We will be working to make that more frequent and cover more ports.

We are currently covering about 1.2 billion PTR records.
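
A defender-side use of the record shape shown above, as an added example that is not SecurityTrails code: it triages Search IPs records for your own domain, flags data stores from the checked-port list that answer on a public IP, and tallies open ports. The `owned` and `triage` helpers, the example.com records and the "data stores must not be exposed" policy are assumptions made for illustration.

```python
import json
from collections import Counter

# Service names for the ports the post lists as currently checked.
SERVICES = {21: "FTP", 990: "FTPS", 80: "HTTP", 443: "HTTPS", 22: "SSH",
            6379: "Redis", 5984: "CouchDB", 9200: "ElasticSearch",
            11211: "Memcached"}
# Assumption (a policy chosen for this example): data stores and caches
# should never answer on a public IP.
DATA_STORE_PORTS = {6379, 5984, 9200, 11211}

# Constructed sample records in the {"ptr", "ports", "ip"} shape shown above.
SAMPLE = json.loads("""[
  {"ptr": "www.example.com", "ports": [80, 443], "ip": "192.0.2.10"},
  {"ptr": "cache1.example.com", "ports": [22, 6379], "ip": "192.0.2.21"},
  {"ptr": "search.example.com", "ports": [443, 9200], "ip": "198.51.100.7"},
  {"ptr": "host.notexample.com", "ports": [11211], "ip": "203.0.113.5"},
  {"ptr": "example.com.other.test", "ports": [5984], "ip": "203.0.113.9"}
]""")


def owned(ptr, domain):
    """True if the PTR name is the domain itself or a subdomain of it."""
    ptr, domain = ptr.lower().rstrip("."), domain.lower().rstrip(".")
    return ptr == domain or ptr.endswith("." + domain)


def triage(records, domain):
    """Return (findings, port_counts) for records whose PTR is under domain."""
    # A PTR is set by whoever controls the IP block, so a match is a lead
    # to verify against your asset inventory, not proof of ownership.
    findings, counts = [], Counter()
    for rec in records:
        if not owned(rec.get("ptr") or "", domain):
            continue  # skips look-alikes such as notexample.com
        ports = sorted(set(rec.get("ports") or []))
        counts.update(ports)
        for port in ports:
            if port in DATA_STORE_PORTS:
                findings.append((rec["ip"], rec["ptr"], port, SERVICES[port]))
    return sorted(findings), dict(counts)


if __name__ == "__main__":
    findings, counts = triage(SAMPLE, "example.com")
    for ip, ptr, port, svc in findings:
        print(f"EXPOSED {svc:<13} {ip}:{port}  ({ptr})")
    for port, n in sorted(counts.items()):
        print(f"{SERVICES.get(port, 'unknown'):<13} {port:>5}  {n} host(s)")
```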

IP Statistics

documentation

For summary analysis of larger IP or PTR queries, we are also offering a statistics endpoint (similar to our Domain Statistics endpoint). Our engineers developed an algorithm to group similar repetitive reverse DNS records, which allows a quick analysis of large groups of PTRs. Included in the response is the count of open ports by port number. This is a great way to do large-scale reconnaissance or to determine what services are open across a large number of IPs.

"top_ptr_patterns": [
    {
        "key": "x-x.amazon.com",
        "count": 6787
    },
    {
        "key": "x-x-x-x.amazon.com",
        "count": 3254
    },
    {
        "key": "smtp-out-x-x.amazon.com",
        "count": 662
    },
    {
        "key": "freeip.amazon.com",
        "count": 220
    },
    {
        "key": "ns-x.amazon.com",
        "count": 47
    },
],
"ports": [
    {
        "key": 22,
        "count": 5
    },
    {
        "key": 21,
        "count": 2
    }
],

Thanks to all customers for submitting their feedback - we are listening and will continue to implement features that allow you to easily access large-scale security data.

