From the vulnerability reports to ZoomEye dork

heige
Oct 5, 2018

About ZoomEye

ZoomEye is a cyberspace search engine that records information about devices, websites, services, components, etc. It was first released in 2013 and is developed by the Knownsec 404 Team.

Website: https://www.zoomeye.org

When you get a vulnerability report, you may want to know how many devices are affected by the vulnerability, or you may need to find some devices to research and test it. For that you can use ZoomEye.

ZoomEye Search Operators

ZoomEye is a search engine like Google, so it also has its own search operators. The fingerprints of most devices (also known as dorks) are based on unique keywords. Combining keywords with the logical operators is very helpful for finding device fingerprints.

The ZoomEye keyword logical operators:

+ → and
Space symbol → or
- → not

You can use single or double quotes to delimit a keyword, and a backslash as the escape character, for example: "a=\"b"

Demo:

The vulnerability report is “[R2] Multiple NUUO NVRMini2 Vulnerabilities” by Tenable: https://www.tenable.com/security/research/tra-2018-25 or http://www.seebug.org/vuldb/ssvid-97538

First, we use the keyword “NUUO”, based on the brand name.

https://www.zoomeye.org/searchResult?q=%22NUUO%22

From “Product” we can get NUUO device fingerprints such as “NUUO IP Surveillance rtpsd”, and use the dork: app:"NUUO IP Surveillance rtpsd"

https://www.zoomeye.org/searchResult?q=%22NUUO%22%20%2Bapp:%22NUUO%20IP%20Surveillance%20rtpsd%22&t=all

This returns the NUUO rtpsd server devices.

But the vulnerabilities are in the web server, not in rtpsd, so from “Service” we choose “http”:

https://www.zoomeye.org/searchResult?q=%20%22NUUO%22%20%2Bservice:%22http%22&t=all

[PS: "NUUO" +service:"http" uses the logical "and" operator.]

Now we should pay attention to the HTTP banner information. The title is usually one of the pieces of information worth focusing on. Looking at just a few banners, we get two different titles:

<title>NUUO Web Remote Client</title>
<title>Network Video Recorder Login</title>

After visiting and testing the IP:port, we confirm that “<title>Network Video Recorder Login</title>” is the “NUUO NVRMini2” device and “<title>NUUO Web Remote Client</title>” is not.

Then use the logical "not" operator:

"NUUO" +service:"http" -"<title>NUUO Web Remote Client</title>" -"<title>Network Video Recorder Login</title>"

https://www.zoomeye.org/searchResult?q=%22NUUO%22%20%2Bservice%3A%22http%22%20-%22%3Ctitle%3ENUUO%20Web%20Remote%20Client%3C%2Ftitle%3E%22%20-%22%3Ctitle%3ENetwork%20Video%20Recorder%20Login%3C%2Ftitle%3E%22%20-%22%3Ctitle%3ENUUO%20Network%20Video%20Recorder%20Login%3C%2Ftitle%3E%22

This turns up another, different title:

<title>NUUO Network Video Recorder Login</title>

These are also “NUUO NVRMini2” devices. Now we have two different titles:

<title>Network Video Recorder Login</title>
<title>NUUO Network Video Recorder Login</title>

Test the logical "not" operator again to make sure there are no other new titles:

"NUUO" +service:"http" -"<title>NUUO Web Remote Client</title>" -"<title>Network Video Recorder Login</title>" -"<title>NUUO Network Video Recorder Login</title>"

https://www.zoomeye.org/searchResult?q=%22NUUO%22%20%2Bservice%3A%22http%22%20-%22%3Ctitle%3ENUUO%20Web%20Remote%20Client%3C%2Ftitle%3E%22%20-%22%3Ctitle%3ENetwork%20Video%20Recorder%20Login%3C%2Ftitle%3E%22%20-%22%3Ctitle%3ENUUO%20Network%20Video%20Recorder%20Login%3C%2Ftitle%3E%22

So we finally found two titles, both of which belong to “NUUO NVRMini2” devices:

<title>Network Video Recorder Login</title>
<title>NUUO Network Video Recorder Login</title>

So we use the logical "or" operator:

"<title>Network Video Recorder Login</title>" "<title>NUUO Network Video Recorder Login</title>"

hxxps://www.zoomeye.org/searchResult?q=%22%3Ctitle%3ENetwork%20Video%20Recorder%20Login%3C%2Ftitle%3E%22%20%20%22%3Ctitle%3ENUUO%20Network%20Video%20Recorder%20Login%3C%2Ftitle%3E%22

Of course, we can combine these two keywords into one:

"Network Video Recorder Login</title>"

https://www.zoomeye.org/searchResult?q=%22Network%20Video%20Recorder%20Login%3C%2Ftitle%3E%22

So this is the final ZoomEye dork for the vulnerability report “[R2] Multiple NUUO NVRMini2 Vulnerabilities”.
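The operator rules and the exclude-then-combine workflow above, as an added Python example (not code from the original post or from ZoomEye): it builds dork strings and search URLs in the form the article shows, lists banner titles that have not been classified yet, and derives the combined keyword while checking that it does not match the other product. The function names and the banner bodies are constructed for illustration; only the titles and the URL form come from the article.

```python
import os
import re
from urllib.parse import quote

SEARCH_URL = "https://www.zoomeye.org/searchResult?q="  # URL form used in the article

def kw(text):
    """Quote a keyword, backslash-escaping embedded double quotes."""
    return '"' + text.replace('"', '\\"') + '"'

def term(t):
    """A bare keyword, or a (filter, value) pair such as ("service", "http")."""
    return f"{t[0]}:{kw(t[1])}" if isinstance(t, tuple) else kw(t)

def dork(any_of=(), all_of=(), none_of=()):
    """Join terms with the article's operators: space = or, + = and, - = not."""
    parts = [term(t) for t in any_of]
    parts += ["+" + term(t) for t in all_of]
    parts += ["-" + term(t) for t in none_of]
    return " ".join(parts)

def search_url(query):
    return SEARCH_URL + quote(query, safe="")

def unseen_titles(banners, classified):
    """Titles present in the banners that have not been classified yet."""
    found = {m.group(0) for b in banners for m in re.finditer(r"<title>.*?</title>", b)}
    return sorted(found - set(classified))

def combined_keyword(targets, others):
    """Longest suffix shared by all target titles that matches no other title."""
    suffix = os.path.commonprefix([t[::-1] for t in targets])[::-1]
    if any(suffix in o for o in others):
        raise ValueError("combined keyword also matches an excluded title")
    return suffix

# Titles from the article; the banner bodies below are constructed samples.
OTHER = "<title>NUUO Web Remote Client</title>"
NVRMINI2 = ["<title>Network Video Recorder Login</title>",
            "<title>NUUO Network Video Recorder Login</title>"]
BANNERS = [f"HTTP/1.1 200 OK\r\n\r\n<html><head>{t}</head></html>"
           for t in [OTHER, *NVRMINI2]]

if __name__ == "__main__":
    print(unseen_titles(BANNERS, [OTHER, NVRMINI2[0]]))  # titles still to check
    print(search_url(dork(["NUUO"], [("service", "http")], [OTHER, *NVRMINI2])))
    print(search_url(kw(combined_keyword(NVRMINI2, [OTHER]))))
```

An empty shared suffix is rejected as well, because the empty string is contained in every title.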
