Tool on Untrusted Network

TriOp update - version 1.5

Jan Kopriva — Wed, 11 Jan 2023 11:50:00 +0100

I’ve published version 1.5 of TriOp today. Besides the addition of several CVEs into the internal list of vulnerabilities, a new feature was also introduced, which enables automatic generation of Shodan queries for the current list of vulnerabilities from the CISA Known Exploited Vulnerabilities (KEV) Catalog.

As alway, you may download the latest version of TriOp from my GitHub.

TriOp update - version 1.4 (and Shodan Trends)

Jan Kopriva — Thu, 28 Oct 2021 14:00:00 +0200

I’ve published version 1.4 of TriOp today. The only change in this version is the addition of CVE-2021-31206 (vulnerability used in the ProxyShell attack) to the relevant search list.

One additional point that deserves a mention is that Shodan has recently opened access to a new service called Shodan Trends, which enables users to generate trend charts for (probably) arbitrary Shodan queries. Although these charts are based on monthly averages and are therefore not as precise as charts generated from data collected on a daily basis using TriOp, they can certainly provide one with an interesting look at long-term trends. If you therefore only require general information about trends related to one or more Shodan queries and don’t need a detailed view at how things change on a day-to-day basis, then this service might be a viable alternative to TriOp for you…

As alway, you may download the latest version of TriOp from my GitHub.

TriOp update - version 1.3

Jan Kopriva — Thu, 12 Aug 2021 17:25:00 +0200

I’ve published version 1.3 of TriOp today. The only change in this version is the addition of vulnerabilities used in the ProxyShell attack (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) to the relevant search list.

Chaining of the vulnerabilities in question may lead to an unauthenticated RCE, so one would hope that given the recent media attention that was given to them, most organizations would patch them quickly. However, so far, the daily increases in number of their detections on Shodan seem to paint a slightly less optimistic picture…

As alway, you may download the latest version of TriOp from my GitHub.

TriOp update - version 1.2

Jan Kopriva — Sun, 14 Mar 2021 14:00:00 +0100

I’ve published version 1.2 of TriOp today. A bug was present in the “add” mode in version 1.1, which resulted in incorrect behavior when parameterized queries were present in search files, and this update fixes it.
When using the “add” mode, it is now possible to specify a filter (–filter), which determines what parameter from the original search file will be added to every new query. If filter is ommited, no parameter will be appended to newly added queries.

As alway, you may download the latest version of TriOp from my GitHub.

TriOp update - version 1.1

Jan Kopriva — Mon, 08 Mar 2021 11:00:00 +0100

I’ve published version 1.1 of TriOp today. I’ve added CVEs for the recent Exchange vulnerabilities to the vulnerability search list, since Shodan is now capable of detecting systems affected by them. In response to a request from the CSIRT community, I’ve also added the option for use of arbitrary filter along with a list of parameters.
In version 1.0, it was only possible to generate composite searches based on list of countries, however in version 1.1, one may specify any filter (i.e. not just “country”) for use with the list of parameters.
Previously, one could specify a list of searches (-s/-S) and a list of countries (-c/-C) and TriOp would run each search for each specified country and even potentially output results for each country into a specific file (–country_names).
In the updated version, one may specify an arbitrary filter (–filter) and a list of parameters for that filter (-p/-P) along with a list of searches (-s/-S) and the result will be the same. The “one output file per parameter” option is available as well (–filter_names).
What I assume will be of most useful when it comes to this feature, will be the filter “net” – the following example shows how a command using it might look:

triop.py -s "port:80,port:443" --filter net -p "200.0.0.0/16,200.1.0.0/16"

in which case, the output might look similar to:

Current IP count for query port:80 net:"200.0.0.0/16" is 1643
Current IP count for query port:443 net:"200.0.0.0/16" is 1474
Current IP count for query port:80 net:"200.1.0.0/16" is 819
Current IP count for query port:443 net:"200.1.0.0/16" is 798

A country search could be done in the following manner:

triop.py -s "port:22,port:23" --filter country -p "CZ,DE"

and the output would be the same as with the use of the -c option:

Current IP count for query port:22 country:"CZ" is 83007
Current IP count for query port:23 country:"CZ" is 21143
Current IP count for query port:22 country:"DE" is 1467418
Current IP count for query port:23 country:"DE" is 31595

The original “country” options are still present but will be removed in future versions.

You may download the latest version of TriOp from my GitHub.

TriOp - Tool for quickly gathering statistical information from Shodan.io

Jan Kopriva — Tue, 26 Jan 2021 07:30:00 +0100

TriOp is a tool for quickly gathering information from Shodan.io about the number of IPs which satisfy large number of different queries. Generally, it may be useful to security researchers who wish to use data gathered from Shodan over time as a part of their research (e.g. to show how number of systems exposing remote access protocols to the internet changed as a reaction to new movement restrictions connected to the Covid-19 pandemic) and to CSIRTs, especially national ones, that wish to monitor their constituencies for changes and/or vulnerabilities, but lack the technical tooling that would enable them to periodically scan all of their external IP ranges.

In its most basic mode of operation, TriOp takes a list of searches as an input and displays number of systems, which Shodan sees, which satisfy the search. The outputs may be saved in a CSV, which enables you to monitor “counts” for the same set of searches over time.

TriOp also enables you to quickly generate list(s) of searches from parameters, which are relevant for you (e.g. if you provide a list of searches and a list of countries, the tool will generate a relevant search list for each of the countries).

All that is necessary to use TriOp is a valid API key, which comes with every Shodan.io account (even a free one), and to have Python 3 with the Shodan Python library installed.

The tool may be downloaded from my GitHub page and bellow you may find a short tutorial showing its use in greater detail.

Direct URL: https://www.youtube.com/watch?v=pp9lD58Dc-w