Slide 1

(Shallow) Dive Into Network Entities @ninoseki

Slide 2

Slide 3

Entities in VTI

Slide 4

Entities in VTI

Slide 5

SSL Certificate

Slide 6

SSL Certificate

Slide 7

SSL Certificate

Slide 8

SSL Certificate - Shodan & Censys

Slide 9

SSL Certificate - VT

Slide 10

SSL Certificate - VT

Slide 11

SSL Certificate - VT

Slide 12

SSL Certificate - Tips

SSL search modifiers:
- ssl_issuer: Focus on IPs that contain a given string or fulltext pattern within their SSL certificate issuer field.
- ssl_serial: Focus on IPs that share a given SSL certificate serial field.
- ssl_subject: Focus on IPs that contain a given string or fulltext pattern within their SSL certificate subject field.
- ssl_thumbprint: Focus on IPs sharing a given SSL certificate thumbprint field.

These modifiers can be used with the domain entity too.

Slide 13

Domain Name

Slide 14

Domain Name - DomainTools (https://www.domaintools.com/resources/user-guides/an-introductory-guide-to-flexible-search-with-dnsdb-scout/)

Slide 15

Domain Name - VT

Slide 16

Domain Name - Tips

- Anchors ("^" and "$") cannot be used with the domain_regex modifier.
- fuzzy_domain is an alternative modifier to use.

Slide 17

HTTP Header

Slide 18

HTTP Header - Havoc C2 (https://twitter.com/MichalKoczwara/status/1655994079526649861)

Slide 19

HTTP Header - Censys

Slide 20

HTTP Header - VT

Slide 21

HTTP Header - Tips

- header: search modifier to search HTTP header keys.
- header_value: search modifier to search HTTP header values.

Slide 22

How to Dive Deep Into VT

Slide 23

Read The Official Docs

- URL search modifiers: https://support.virustotal.com/hc/en-us/articles/360002832977-URL-search-modifiers
- Domain search modifiers: https://support.virustotal.com/hc/en-us/articles/360005830378-Domain-search-modifiers
- IP address search modifiers: https://support.virustotal.com/hc/en-us/articles/360005866297-IP-address-search-modifiers
- Etc.

Slide 24

Dig The Official Docs

I also recommend reading the official API docs, because they contain hidden gem(s):
- URLs: https://developers.virustotal.com/reference/url-object
- Domains: https://developers.virustotal.com/reference/domains-1
- IP addresses: https://developers.virustotal.com/reference/ip-object

Slide 25

Dig The Official Docs

Slide 26

Dig The Official Docs

Slide 27

Wrap-Up

Slide 28

Wrap-Up

- VT has almost equivalent search capabilities to Shodan/Censys/DomainTools.
- I’d not say they have 100% compatibility but.

Slide 29

Wrap-Up

- Read the docs & dig them deeper.