- 14 Jul 2024
Lampyre OSINT and Data Analysis
Hi THT members, today we learn about a threat intelligence tool called Lampyre, and we will conduct different kinds of operations with it,
such as gathering intel about a target's network infrastructure and mass hunting for exposed and vulnerable databases.
Lampyre is a tool aimed at helping in fields like Cyber Threat Intelligence and Open Source Intelligence gathering (OSINT).
It lets us obtain data without any authentication from services like Shodan, VirusTotal (vt), Netlas, etc., and for all the information obtained in the process of
an investigation or a hunt, it gives us the ability to visualize and analyze it in a graphical UI (User Interface).
In fact, we should keep in mind that the main process of gathering intelligence about targets and mass hunting does not depend on
using a single tool and waiting for a significant result. It depends on combining various kinds of techniques, strategies, tools and
methodologies, which the threat intelligence analyst chooses according to their experience and the goal.
Process of Gathering Intel:
1. After registering an account on the Lampyre website (https://lampyre.io/) and downloading the Lampyre desktop client, we can start our testing process: from here we choose Online mode.
2. Next we click on "Quick start (Standard mode)".
3. Now we can start the data analysis and investigation process. We choose the tesla and mit domains as an example, so we can see different results.
As noted, our starting point can be either the company name or its domain name. First we search for subdomains, using crt.sh, vt and threatcrowd as examples.
4. After the data has been obtained, we can visualize it using the Schema option:
we select the ThreatCrowd search result ---> Schema ---> Threatcrowd report ---> Run.
For the other results (crt.sh, vt) we do the same as we did for threatcrowd and click the "Run" option.
Furthermore, we searched with "shodan infrastructure" and "shodan organisations" using some of the IP addresses we obtained through the nslookup search.
You can select an IP --> right-click --> To requests, and choose the necessary search engines as mentioned above.
As in the example above, we can keep obtaining more data about the target as we search with different requests.
On the right side of the window we can filter the results and run analysis on either a single network or several of them.
We can further analyze the organization's email addresses, domains, etc.
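The subdomain step above relies on certificate transparency data from crt.sh, which Lampyre fetches and charts for us. As an added example (not the post's or Lampyre's code), this parser takes a crt.sh JSON response, normalizes the SAN list into in-scope hostnames, and diffs them against an asset inventory so a defender can spot hosts nobody registered; the sample response is constructed.

```python
"""Turn a crt.sh JSON response into a clean, in-scope subdomain list and diff it
against the asset inventory. Added example; the sample below is constructed, not
a real crt.sh query result."""
import json

# Constructed sample shaped like https://crt.sh/?q=%25.example.com&output=json
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "MAIL.Example.com", "name_value": "MAIL.Example.com"},
    # Lookalike that merely contains the string: must be filtered out
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])

def extract_subdomains(raw_json: str, domain: str) -> list:
    """Return sorted unique hostnames under `domain` found in a crt.sh response.
    name_value holds newline-separated SANs; a wildcard is reduced to the label
    it covers; names are lower-cased; out-of-scope names are dropped."""
    domain = domain.lower().strip(".")
    found = set()
    for entry in json.loads(raw_json):
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)

def unknown_assets(found: list, inventory: set) -> list:
    """Hosts that certificate transparency knows about but the inventory does not:
    forgotten dev hosts, shadow IT, or a certificate issued outside the process."""
    return sorted(set(found) - {h.lower() for h in inventory})

if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("in scope:", hosts)
    print("not in inventory:", unknown_assets(hosts, {"www.example.com", "example.com"}))
```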
Exposed & Vulnerable DB Analysis
Now we will proceed with the analysis of databases that are either exposed or vulnerable.
Exposed databases are often the result of default configurations that have not been changed, and this can cause critical damage to organizations.
Here I used MySQL as an example, but we can search for other databases like MongoDB, Elasticsearch, Cassandra, etc. It is important to note that the
Explore DB option is available only for these three databases; Explore DB helps identify exposed databases. For the other databases we can continue with other options, like identifying vulnerabilities, etc.
If you ask why only these three databases are available for Explore DB: MongoDB, Elasticsearch and Cassandra are not configured with authorization enabled by default.
This means a publicly exposed database can be accessed by anyone, without being asked for a login or password.
Furthermore, we can use Infrastructure + CVE, which enables us to identify and analyze databases that are vulnerable.
From here we can select options like Infrastructure, Network and Infrastructure + CVE in order to visualize the different kinds of MySQL databases
for the period from 20.12.2024 to 10.01.2025.
When we run the visualization above we see the following results:
As you can see in the result of our analysis, 0 exposed databases but several kinds of vulnerable databases have been identified.
How can we secure databases in order to avoid the different kinds of critical damage that may happen to them? The main rules are:
- Apply network segmentation and configure a firewall that blocks all IP addresses except those on the trusted list
- Authentication: enable authentication and use strong passwords (not generated and not default passwords)
- Change default unsafe configurations
- Restricted privileges: only the specified and necessary privileges should be granted to users
- Make necessary updates and apply patches
- Monitor logs and suspicious activity in order to detect any kind of malicious activity before it goes further
- Perform regular checks
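The "default configuration left unchanged" case from the Explore DB discussion and the first two hardening rules above (restrict the listening address, enable authentication) can be checked on your own servers before a scanner finds them. As an added example (not the post's or Lampyre's code), this audits a MongoDB mongod.conf for the combination that makes a database open to the internet; both configs are constructed, and it assumes that access control is off whenever security.authorization is absent.

```python
"""Audit a mongod.conf for the exposed-and-unauthenticated pattern described above.
Added example, not the post's or Lampyre's code; both configs are constructed.
Assumed: access control is off when security.authorization is absent."""
WEAK_CONF = """\
# stock config, only the bind address was changed to reach it remotely
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the app-subnet interface only
security:
  authorization: enabled        # every client must log in
"""
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_mongod_conf(text: str) -> dict:
    """Minimal two-level YAML reader for mongod.conf: {'net.bindIp': '0.0.0.0', ...}.
    Comments and blank lines are ignored; deeper nesting is not needed here."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if line == line.lstrip():          # unindented key opens a section
            section = key
            if value.strip():
                conf[key] = value.strip()
        else:
            conf[f"{section}.{key}"] = value.strip()
    return conf

def audit_mongod(conf: dict) -> dict:
    """Flag the two settings that together make a database open to anyone."""
    bind = conf.get("net.bindIp", "127.0.0.1")        # localhost-only since 3.6
    reachable = any(ip.strip() not in LOOPBACK for ip in bind.split(","))
    authz = conf.get("security.authorization", "disabled")   # absent => off
    return {
        "network_reachable": reachable,                # acceptable only behind a firewall allowlist
        "auth_enabled": authz == "enabled",
        "critical": reachable and authz != "enabled",  # what Explore DB would surface
    }

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(parse_mongod_conf(text)))
```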