Show HN: Osint tool that finds exposed files on domains

(search.cerast-intelligence.com)

40 points | by PatchRequest 13 hours ago ago

14 comments

  • technion 10 hours ago ago

    There's an astounding amount of .DS_Store showing up - I hadn't realised how common it apparently is for people to accidentally upload this.

    • stingraycharles 10 hours ago ago

      It’s a terrible design from Apple to expose this metadata like this, it’s one of my biggest pet peeves.

  • Elliott-Diy 4 hours ago ago

    Is this just re-skinned leakix.net? One of my honeypots for them is showing the same results.

    • PatchRequest 4 hours ago ago

      Nope, i crawl everything myself.

  • sandeepkd 11 hours ago ago

    Its interesting and not interesting at the same time based on some of the search results

    Almost all of them seem like home projects being deployed with ease in mind than security. The common thread seems to be the fact that most of them are phishing website, not sure if thats a business model to target here?

  • keepamovin 8 hours ago ago

    In the early days of the web you could do a search on google like

      path:/etc/passwd
    
    Sometimes there were even shadow passwd files with the hashes exposed on the web. Crazy days.
  • Avery29 8 hours ago ago

    Nice tool. I’d like to understand what kinds of businesses the customers using this website are in.

  • phoronixrly 9 hours ago ago

    So is this the crawler that has been constantly hammering all my applications searching for these files from the very second I first issue a TLS cert for them? Thanks to you I've had to put fail2ban on all my public-facing web servers...

    How about you be a good netizen and make it so people can request to be scanned and don't proactively do it, let alone constantly keep hammering them with requests?

    • bblb 6 hours ago ago

      I need to protect against the malicious good guys, the shodans of the world. Peeping inside your windows and trying your front door handles. Querying every string imaginable and port pinging all 65536 of them.

      And I need to protect against the actual criminals already inside my house looking for something to steal. Scouting out the easy target to setup their ransomwares.

  • cvadict 11 hours ago ago

    searching for .gov reveals 0 matches... doubt

    • PatchRequest 4 hours ago ago

      I manually blacklisted .gov from being crawled on my side. felt like it wasn't worth the potential trouble

    • sandeepkd 11 hours ago ago

      My guess is that they ran selective search on the domains which get registered with any registrar, thats the trigger to start the search. .gov domains are not managed by your typical registrar which is selling the domain registration information to all these downstream partners/scavengers (for lack of better word)

      • jadamson 11 hours ago ago

        The OP says it's using CT logs, not new domain registrations. The approach you have in mind would not include subdomains and would be less likely to coincide with a new server being configured.

        • sandeepkd 10 hours ago ago

          Yes CT is explicitly stated source which is why I qualified it with "Guess" for domain registration. There were couple reasons for that -

          1. Quite a few websites in the search results where just on HTTP

          2. The .gov sites do use public certificate authorities like digicert, verisign, amazon & letencrypt so they would have been captured unless they are removed explicitly

          And yes the domain registration would not include subdomains