Author: Heige(a.k.a Superhei) of KnownSec 404 Team 12/10/2020
As the world’s leading search engine for cyberspace mapping, ZoomEye has been working hard! I would like to thank all the friends who support ZoomEye.
ZoomEye has always been committed to being more friendly and open to developers. For example, in August of this year, we announced the removal of API data output restrictions. Another example is the API-KEY authentication mode introduced to you today. Developers and users do not need to directly expose user names and The clear text password can be used to call the ZoomEye API interface more securely. Of course, we also provide one-click reset API-KEY function.
I am honored that more and more new excellent project developers are beginning to integrate and call the ZoomEye API, such as:
Of course, the ZoomEye API SDK project (https://github.com/knownsec/ZoomEye ) has been updated accordingly.
The installation command is as follows:
sudo pip3 install git+https://github.com/knownsec/ZoomEye.git
The calling example is as follows:
Python 3.7.5 (default, Nov 1 2019, 02:16:23)
[Clang 11.0.0 (clang-122.214.171.124)] on darwin
Type “help”, “copyright”, “credits” or “license” for more information.
>>> import zoomeye
>>> zm = zoomeye.ZoomEye(api_key=”664***130-****-1E6fe-****-4FC03****d3")
>>> data = zm.dork_search(‘apache +country:cn’)
Just as we expect, we hope to join many excellent project developers to give full play to the capabilities of ZoomEye.
Visual graphical input query
I must admit that a lot of search syntax is hard to remember for many newcomers,So we designed a way to describe the search logic using select boxes, input boxes and smart association prompts to make it easier for newcomers to search.
We believe that cyberspace surveying and mapping needs to pay attention to dynamic data changes, and the time dimension of data is a very important core indicator. Before, we developed an API interface for historical data, and through historical data we showed some interesting cases of tracking APT attacks: https://paper.seebug.org/1220/ . Now we pay attention to the daily new data of ZoomEye, and continue to focus on target monitoring.
This function can continuously monitor data changes for the specified IP (including IP segment) and the target of the device dork, and provide data change trend graphs, new data downloads, email reminders, etc.
Continuously improve data acquisition capabilities
First of all, ZoomEye integrates and correlates the threat intelligence data of our own company (KnownSec) cloud security. The malicious attacking IP captured by KnownSec CDN defense will be marked on ZoomEye.
Then, we focused on optimizing the recognition of URL redirects in the HTTP protocol.Accurately obtaining the banner data in the redirect URL page is essential for us to identify device fingerprints, extract page titile and other information,So we have introduced the browser engine to dynamically recognize URL redirects including http 302 headers, html/js, etc.
In addition, we began to transform the WMAP engine scanned by our website, which will grab the complete html code data for display instead of obtaining the http response header information before.
Of course, this time we also continue to update our port protocol data support:
* Added CobaltStrike Beacon configuration information acquisition,
ZoomEye Dork : “CobaltStrike Beacon configurations”
* Added 264/tcp port scanning and support checkpoint related protocol detection
ZoomEye Dork : port:”264" +service:”checkpoint”
* Added 4899/tcp port scanning and support radmin related protocol detection
ZoomEye Dork : port:”4899" +service:”radmin”
Support bracket first logical operation
Previously, the logical operations supported by ZoomEye:
— — — — — — — — —
Space is actually interpreted as the logical OR operator, + means the logical AND operator, — means the logical NOT operator;
— — — — — — — — —
Now, we start to support () priority operation, which can satisfy more complex logical searches.
Finally, we secretly fixed a lot of bugs :)