GreyNoise for Situational Awareness, Threat Intel, Vulnerability Awareness and Exploit Research
by Ken Nevers
Threat intel on an IP can be a bit cumbersome at times, but an awesome tool like GreyNoise, founded by Andrew Morris can help you get a better idea of what type of host you are dealing with, what it might be doing and where it is located. According to their website the primary use-cases for GreyNoise are:
Distinguish between targeted and opportunistic/wide-spread attacks in your SIEM, reducing false positives and pointless alerts
Identify compromised devices in your network or in someone else’s network
Find whether or not attackers are scanning the Internet for a given set of ports/services
Filter known-good scanners (like Shodan) from your logs
Identify emerging opportunistic threats
GreyNoise.io is a supercool service that lurks behind the scenes of the web with a ton of listeners just gobbling up data. It indexes and catalogs data when devices scan the internet for ports, services, HTTP requests and such. The service grabs all of this stuff and gives us as researcher an easy way to filter it all out.(you will need to register for an API key first).
Pop a list of IPs into a txt file | bash loop for automation = lazy win
If your comfort zone isn’t terminal based, and you aren’t a linux person (which is so wrong on many levels but I digress…) then the website interface is pretty slick too and allows for all sorts of queries. The web interface is beautiful, responsive and comes with a handy query cheatsheet page to help you to get started. Here is the main landing page which updates and looks like a hacker’s stock ticker or something.
Say you want to know all compromised devices that include .gov in their reverse DNS records, because…yeah.
So a simple query such as the following will do this for you:
Lets see if that tiny company from Redmond,CA has any potentially compromised devices with:
and searching for potential low-hanging fruit will return this (you can figure out this query yourself)….looks like they might be Mongolia’s first AND last E-commerce and TriplePlay service soon.
One of my personal favorites is the interesting query, this will populate the results with tons of current and aptly named ‘interesting’ results.
I often use these query results to find more info about newer vulnerabilities that I might have missed which are being used at this very moment. Lets see what that pesky little Russian XP box is up to…wow a ton of mischief!
An awesome feature here is that all of the “References” link to external sites for further information. For example, I didn’t know what this Grandstream exploit was but through the magic of GreyNoise I now not only do, but have a direct link to the exploit PoC…
GreyNoise is an awesome subscription based service that I urge you do check out for yourself.
Take care, stay safe and stay curious,
Please email me at [email protected] with any questions and/or post a comment here.
The post has been originally published at: