What is Netlas
The Netlas.io website is a powerful OSINT and research search engine for all hardware connected to the internet. While Google and Bing target websites, Netlas targets all the other hardware and software out there. Want to find an FTP server running in North Korea or a GlassFish server in Ireland? Follow along with my write-up and see if Netlas can take the mighty Shodan off its perch.
Let’s get started.
Netlas Account
The first thing you need to do with Netlas is create an account. They are running in Alpha at the moment and they allow almost full access during the Alpha period. Be aware that software in its Alpha period can be a lot different from the final version when it is released. They also have some rewards for researchers utilizing achievements. Go on over to the site and make the most of this level of access; it won’t be like this for long.
NetlasCoin
Netlas uses something called NetlasCoin to place a value on searches. As a user you have a fixed amount of NetlasCoins, and one coin is used up for each search result. “Ha!” you say. “What happens if I search for something like ‘FTP’ and there are millions of results?” Well, luckily the devs have thought about that. They limit each search page to 20 results, so you use 20 NetlasCoins for each search page. I guess this is how they will eventually monetize the service. You can also download your search results in either JSON or CSV. When you choose to download, you get an option to select the number of results you want in the download file. Each result will consume 1 NetlasCoin. When I tried, CSV was not working but JSON was fine.
Searching
Netlas is a search tool, but not like most others. You have to build on your queries to get the exact results you want. Let’s take a look at a few searches.
You want to find all ftp servers
port:21
You want to find all ftp servers in Ireland
port:21 AND geo.country:"IE"
A quick look at the excellent looking Dark Mode interface and we can see we get 16,000 results for port 21 in Ireland.
If you take a look at the response field, it also contains some useful data. To focus our search a bit more, we can search in this field as well. In this case we can see that the banner returns some information about the software. Let’s expand our search to look for a particular FTP server.
port:21 AND geo.country:"IE" AND ftp.banner:"vsftpd"
Now we have a much more manageable number. We can continue to narrow this down as we can use the Banner query again and again to narrow our search even further.
Advanced Searching
Netlas also makes use of wildcards. For example, if we want to find all Logitech Media Servers in the UK, we can input:
(http.headers.server:"Logitech Media Server" ) AND geo.country:("GB")
However, this means we have to know exactly which protocol is used for “Logitech Media Server”. Instead, we can use wildcards to find it for us. The query below has the same results as the one above.
(*.headers.server:"Logitech Media Server" ) AND geo.country:("GB")
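The query patterns from the Searching and Advanced Searching sections, composed programmatically. This is an added example, not code from Netlas or from the original write-up; the helper names are hypothetical, and it assumes the Lucene-style quoting and backslash escaping seen in the queries above.

```python
# Added example: hypothetical helpers, not part of any Netlas tooling.
# Assumes the Lucene-style syntax of the queries above: field:"value",
# terms joined with AND, backslash escaping inside quoted values.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"'}


def term(field, value):
    """Return field:value; strings are quoted and escaped, ints are bare."""
    if isinstance(value, int):
        return f"{field}:{value}"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def all_of(*terms):
    """Join non-empty terms with AND."""
    return " AND ".join(t for t in terms if t)


def any_protocol(suffix, value):
    """Wildcard the protocol prefix, as in *.headers.server above."""
    return term(f"*.{suffix}", value)


def clean_pasted(query):
    """Straighten typographic quotes, then check quotes/parens balance."""
    for curly, straight in SMART_QUOTES.items():
        query = query.replace(curly, straight)
    depth, in_quotes, escaped = 0, False, False
    for ch in query:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                raise ValueError("unmatched ')' in query")
    if in_quotes or depth:
        raise ValueError("unbalanced quotes or parentheses in query")
    return query.strip()


if __name__ == "__main__":
    print(all_of(term("port", 21), term("geo.country", "IE"),
                 term("ftp.banner", "vsftpd")))
    print(all_of(any_protocol("headers.server", "Logitech Media Server"),
                 term("geo.country", "GB")))
```

Queries copied from web pages often carry typographic quotes, which is why `clean_pasted` straightens them before the balance check.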
Searching with tags
When searching software or entries in the banner field we can also use tags. For example our above search for “Logitech Media Server” can also be done with a tag.
(tag.name.keyword:("logitech_media_server") AND geo.country:("GB"))
However, the tags section of the documentation does not seem to be written yet (at least not that I could find). I hope this can be done soon, as it seems a valuable feature.
Custom Search Filter
When searching for IPs or ports in Netlas, a lot of results can be found. On the right-hand side of the search results you can select checkboxes to apply filters and narrow your search. This is a very useful way of quickly visualizing the data and narrowing the focus. Tags seem to have limited use when there is a high number of results, but as you narrow it down they become much more useful.
The options are endless here. I would advise taking a look at the help section and starting to learn the search syntax.
Searching Netlas for a CVE
The interface also gives you a great way to search all those devices out there for a particular CVE you may be interested in.
cve.name.keyword:("CVE-2018-5225")
You can even search by CVE rating.
(cve.base_score:>9.8)
Interface
I really like the interface. It seems to default to a “dark mode”, which looks great. The dev team manages to fit so much useful information onto the screen that relevant information can be read at a glance. At the moment the page seems to be developed for PC screens, and optimization for phones/tablets has yet to come.
Conclusion
I really like this service and I like the interface. I like the speed and most of all I like the way the queries are done. As it’s in Alpha stage I would expect some bugs, and I found a few which I gave some feedback on. However, that shouldn’t put you off creating an account and getting started with searching.