montysecurity / C2-Tracker

Live Feed of C2 servers, tools, and botnets
545 stars 57 forks

Add Scarab Botnet to Tracking #9

Closed corumir closed 5 months ago

corumir commented 5 months ago

While I did not find any current Scarab Botnet hits in Shodan, I did cross-match hits in Censys to see if it was still active and "out there".

Scarab Botnet https://www.shodan.io/search?query=http.favicon.hash%3A-1309140882

Scarab Botnet http.favicon.hash:-1309140882

The Scarab Botnet Panels I could observe had identical Etag values, e.g., "65534a4e-1efc", and some interesting header data that can also be used as an additional check.

Access-Control-Allow-Headers: X-Requested-With,X-Token-Auth,Cache-Control,Content-Type,Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Etag: "65aa4c41-1efc"

montysecurity commented 5 months ago

Same thing here as with RisePro. Happy to add it, just trying to understand how you came up with the Shodan search for the favicon hash.

corumir commented 5 months ago

Sorry about that. Same problem as the other suggestion.

My sample set here for Scarab has the following headers (examples):

HTTP/1.1 200 OK
Connection: close
Content-Length: 7932
Accept-Ranges: bytes
Access-Control-Allow-Headers: X-Requested-With,X-Token-Auth,Cache-Control,Content-Type,Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:
Content-Type: text/html
Date: Wed, 17 Apr 2024 23:47:00 GMT
Etag: "661fab25-1efc"
Last-Modified: Wed, 17 Apr 2024 10:57:41 GMT
Server: nginx/1.25.4
Vary: Accept-Encoding

HTTP/1.1 200 OK
Connection: close
Content-Length: 7932
Accept-Ranges: bytes
Access-Control-Allow-Headers: X-Requested-With,X-Token-Auth,Cache-Control,Content-Type,Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:
Content-Type: text/html
Date: Wed, 21 Feb 2024 13:20:55 GMT
Etag: "65d2f090-1efc"
Last-Modified: Mon, 19 Feb 2024 06:09:20 GMT
Server: nginx/1.25.4
Vary: Accept-Encoding

HTTP/1.1 200 OK
Connection: close
Content-Length: 7932
Accept-Ranges: bytes
Access-Control-Allow-Headers: X-Requested-With,X-Token-Auth,Cache-Control,Content-Type,Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:
Content-Type: text/html
Date: Fri, 19 Jan 2024 21:41:39 GMT
Etag: "65aa4c41-1efc"
Last-Modified: Fri, 19 Jan 2024 10:17:37 GMT
Server: nginx/1.25.3
Vary: Accept-Encoding

HTTP/1.1 200 OK
Connection: close
Content-Length: 7932
Accept-Ranges: bytes
Access-Control-Allow-Headers: X-Requested-With,X-Token-Auth,Cache-Control,Content-Type,Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:
Content-Type: text/html
Date: Mon, 25 Dec 2023 12:00:07 GMT
Etag: "65880fe0-1efc"
Last-Modified: Sun, 24 Dec 2023 11:02:56 GMT
Server: nginx/1.25.3
Vary: Accept-Encoding

The pages I have observed universally have "Scarab Botnet PANEL", so that could be used as a parameter, though I get no hits in Shodan currently. Content length was consistently 7932. The Etag looks like a variation of a weak hashing algorithm followed by ("-") a version number or modification timestamp. It's the only static part of the Etag, and each request I found had a slightly different content output, signaling that the first part might be a custom hash of the content or something similar. The favicon hash I derived from Fofa, but while consistent in their system I did not see that universally in other scanners I reviewed. Perhaps the following are the best to consider a match, though I'm sure we could work the Etag values to find something else over time:

title:"Scarab Botnet PANEL" "Content-Length: 7932"
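Added example (not code from this thread or from C2-Tracker): a small Python checker that applies the header indicators quoted above to a captured response head and decodes the Etag as nginx's default format, the Last-Modified time in hex followed by the Content-Length in hex, which is why "-1efc" (0x1efc = 7932) stays constant while the first part changes with each Last-Modified. The sample response is reconstructed from one of the header sets posted above; header names and indicator names are this example's own choices.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the relevant headers from one response set posted in this thread.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Length: 7932
Access-Control-Allow-Headers: X-Requested-With,X-Token-Auth,Cache-Control,Content-Type,Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Etag: "65aa4c41-1efc"
Last-Modified: Fri, 19 Jan 2024 10:17:37 GMT
Server: nginx/1.25.3
"""

# Header values quoted in the thread; the Etag suffix is checked separately.
SCARAB_INDICATORS = {
    "content-length": "7932",
    "access-control-allow-headers": "X-Requested-With,X-Token-Auth,Cache-Control,Content-Type,Authorization",
    "access-control-allow-methods": "GET, POST, PUT, DELETE, OPTIONS",
}

def parse_headers(raw):
    """Map a raw HTTP response head to a lower-cased {name: value} dict (status line dropped)."""
    lines = raw.strip().splitlines()[1:]
    return {n.strip().lower(): v.strip() for n, _, v in (line.partition(":") for line in lines)}

def decode_nginx_etag(etag):
    """nginx's default strong ETag is '<Last-Modified epoch in hex>-<Content-Length in hex>'."""
    m = re.fullmatch(r'"?([0-9a-f]+)-([0-9a-f]+)"?', etag)
    if not m:
        return None  # weak (W/...) or non-nginx ETag
    return datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc), int(m.group(2), 16)

def etag_consistent(raw):
    """True if the Etag decodes exactly to the Last-Modified and Content-Length headers."""
    h = parse_headers(raw)
    decoded = decode_nginx_etag(h.get("etag", ""))
    if decoded is None:
        return False
    mtime, length = decoded
    return mtime == parsedate_to_datetime(h["last-modified"]) and length == int(h["content-length"])

def match_scarab_panel(raw):
    """Return the names of the thread's indicators that this response satisfies."""
    h = parse_headers(raw)
    hits = [k for k, v in SCARAB_INDICATORS.items() if h.get(k) == v]
    if h.get("etag", "").strip('"').endswith("-1efc"):  # 0x1efc == 7932 bytes
        hits.append("etag-suffix")
    return hits
```

Because the suffix is just the content length in hex, "Content-Length: 7932" and the "-1efc" suffix are one indicator, not two; the Access-Control headers and page title carry the independent signal.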

montysecurity commented 5 months ago

Sorry for the back and forth on this. I am working on adding Censys support. Can you supply the Censys queries too please?

corumir commented 5 months ago

No worries.
For censys: services.software.product:Scarab

montysecurity commented 5 months ago

Added these. Thank you!