GreyNoise for Situational Awareness, Threat Intel, Vulnerability Awareness and Exploit Research

by Ken Nevers

Threat intel on an IP can be a bit cumbersome at times, but an awesome tool like GreyNoise, founded by Andrew Morris, can help you get a better idea of what type of host you are dealing with, what it might be doing and where it is located. According to their website, the primary use-cases for GreyNoise are:

  • Distinguish between targeted and opportunistic/wide-spread attacks in your SIEM, reducing false positives and pointless alerts

  • Identify compromised devices in your network or in someone else’s network

  • Find whether or not attackers are scanning the Internet for a given set of ports/services

  • Filter known-good scanners (like Shodan) from your logs

  • Identify emerging opportunistic threats

GreyNoise is a supercool service that lurks behind the scenes of the web with a ton of listeners just gobbling up data. It indexes and catalogs data when devices scan the internet for ports, services, HTTP requests and such. The service grabs all of this stuff and gives us as researchers an easy way to filter it all out (you will need to register for an API key first).

ProTip: They are researcher/school/conference friendly, so email them at [email protected] and ask for access.

e.g. GreyNoise from the command line, FTW

Pop a list of IPs into a txt file | bash loop for automation = lazy win
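One way to build that loop, as an added example rather than the author's own script. It assumes the API key is exported as GREYNOISE_API_KEY and that GN_URL (a variable introduced here) points at GreyNoise's v2 context endpoint, so check the path against the current API docs. The helper names are hypothetical, and lines that are not valid public IPv4 addresses are dropped before anything is sent to the API.

```bash
#!/bin/sh
# Added example, not the author's script: bulk GreyNoise lookups from a text file.
# Assumptions: the API key is in $GREYNOISE_API_KEY, and $GN_URL defaults to the
# v2 "context" endpoint; confirm the path against the current GreyNoise API docs.
GN_URL="${GN_URL:-https://api.greynoise.io/v2/noise/context}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
}

# Succeed for RFC 1918, loopback and link-local addresses (internal hosts, not internet scanners).
is_internal() {
  case $1 in
    10.*|127.*|169.254.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Print the unique, valid, public IPs from a file (one per line, # comments allowed).
clean_ip_list() {
  sed -e 's/#.*//' "$1" | tr -d ' \t\r' | while IFS= read -r _ip || [ -n "$_ip" ]; do
    [ -n "$_ip" ] || continue
    if ! valid_ipv4 "$_ip"; then printf 'skipped, not IPv4: %s\n' "$_ip" >&2; continue; fi
    is_internal "$_ip" || printf '%s\n' "$_ip"
  done | LC_ALL=C sort -u
}

# Query one IP. The key is handed to curl on stdin so it never shows up in `ps` output.
gn_lookup() {
  : "${GREYNOISE_API_KEY:?export GREYNOISE_API_KEY first}"
  printf 'header = "key: %s"\n' "$GREYNOISE_API_KEY" |
    curl -sS --max-time 15 --config - "$GN_URL/$1"
}

# Look up every cleaned IP, one JSON document per line, pausing between requests.
gn_bulk() {
  clean_ip_list "$1" | while IFS= read -r _ip; do
    gn_lookup "$_ip"; echo
    sleep "${GN_DELAY:-1}"
  done
}

# Usage (with GREYNOISE_API_KEY exported): sh gn_bulk.sh ips.txt > results.jsonl
if [ $# -ge 1 ]; then gn_bulk "$1"; fi
```

Validating each line first matters when the list comes straight out of firewall or web logs, since those fields can carry attacker-controlled strings that would otherwise end up in the request URL.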

If your comfort zone isn’t terminal based, and you aren’t a Linux person (which is so wrong on many levels but I digress…), then the website interface is pretty slick too and allows for all sorts of queries. The web interface is beautiful, responsive and comes with a handy query cheatsheet page to help you get started. Here is the main landing page, which updates and looks like a hacker’s stock ticker or something.

Say you want to know all compromised devices that include .gov in their reverse DNS records, because…yeah.

So a simple query such as the following will do this for you:

classification:malicious metadata.rdns:*.gov*

Let’s see if that tiny company from Redmond, CA has any potentially compromised devices with:

metadata.organization:Microsoft classification:malicious

uh oh….

And searching for potential low-hanging fruit will return this (you can figure out this query yourself)… looks like they might be Mongolia’s first AND last E-commerce and TriplePlay service soon.

One of my personal favorites is the interesting query; it populates the results with tons of current and aptly named ‘interesting’ results.

I often use these query results to find more info about newer vulnerabilities that I might have missed and that are being used at this very moment. Let’s see what that pesky little Russian XP box is up to… wow, a ton of mischief!

An awesome feature here is that all of the “References” link to external sites for further information.  For example, I didn’t know what this Grandstream exploit was but through the magic of GreyNoise I now not only do, but have a direct link to the exploit PoC… 🙂

GreyNoise is an awesome subscription-based service that I urge you to check out for yourself.

Take care, stay safe and stay curious,


Please email me at [email protected] with any questions and/or post a comment here.

The post has been originally published at:

June 26, 2020

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013