Use-cases
1 External tenants
Enrolled organizations can utilize the SNER service to expand the visibility of their respective infrastructure's Internet attack surface. External users can access available data through the API.
1.1 Setup shell
Get an API token in the web interface on the user profile page (user > profile > apikey generate). Set up the shell environment for calling the API:
export APIKEY=""
export URL="https://sner-hub.flab.cesnet.cz"
alias snerapi='curl -s -H "X-API-KEY: $APIKEY"'
1.2 Get information about single host
Core IdP or directory controllers SHOULD NOT expose any service to the public Internet.
{
"address": "203.0.113.50",
"hostname": "dc1.example.org",
"services": [
{
"info": "extrainfo: Anonymous bind OK",
"notes": [
{
"data": "[\"cpe:/a:openldap:openldap\"]",
"xtype": "cpe"
},
{
"data": "{\"product\": \"OpenLDAP\", \"version\": \"2.2.X - 2.3.X\"}",
"xtype": "nmap.banner_dict"
}
],
"port": 636,
"proto": "tcp",
"state": "open:syn-ack"
}
]
}
1.3 Get information about range of addresses
Check the services exposed on a department network segment.
[
{
"address": "203.0.113.3",
"hostname": "dhcp-wk1.dept.example.org",
"services": [
{
"info": "product: OpenSSH version: 8.4p1 Debian 5+deb11u1 extrainfo: protocol 2.0 ostype: Linux",
"port": 443,
"proto": "tcp",
"state": "open:syn-ack"
},
{
"port": 22,
"proto": "tcp",
"state": "open:syn-ack"
}
]
},
{
"address": "203.0.113.1",
"hostname": "gw.dept.example.org",
"services": [
{
"port": 179,
"proto": "tcp",
"state": "open:syn-ack"
}
]
}
]
1.4 Get information about specific services
Backup infrastructure SHOULD NOT be accessible from the public Internet. For detailed information about the filter syntax, see the full specification.
snerapi -XPOST \
"$URL/api/v2/public/storage/servicelist" \
--json '{"filter": "Service.port==\"445\" AND Service.state ilike \"open:%\""}' | jq
[
{
"address": "2001:db8::71",
"info": "product: Samba smbd version: 3.X - 4.X extrainfo: workgroup: UCN hostname: BACKUP-EXAMPLE",
"port": 445,
"proto": "tcp",
"state": "open:syn-ack"
}
]
1.5 Search for endpoints exposing specific product
List popular database engines exposed to the public Internet.
[
{
"host_address": "203.0.113.30",
"host_hostname": "serverx.example.org",
"service_port": 3306,
"service_proto": "tcp",
"product": "mariadb",
"version": "10.3.38",
"extra": {
"full_version": "5.5.5-10.3.38-MariaDB-1:10.3.38+maria~ubu2004-log"
}
}
]
1.6 Breakdown of exposed products on respective hosts
snerapi -XPOST \
"$URL/api/v2/public/storage/versioninfo" | jq -s \
'.[] | map({product,host_address}) | group_by(.product) | map({product: .[0].product, host_address: map(.host_address)})'
[
{
"product": "mariadb",
"host_address": [
"203.0.113.30"
]
},
{
"product": "zookeeper",
"host_address": [
"203.0.113.30",
"2001:db8::30"
]
}
]
1.7 Get detected vulnerabilities with filtering
snerapi -XPOST \
"$URL/api/v2/public/storage/vulnlist" \
--json '{"filter": "Vuln.severity not_in [\"info\", \"low\"]"}' | jq
[
{
"address": "203.0.113.30",
"data": "{\"template-id\": \"ftp-anonymous-login\", ... }",
"descr": "## Description\n\nAnonymous FTP access allows anyone to ...",
"hostname": "example.scanned.test",
"name": "FTP Anonymous Login",
"port": 21,
"proto": "tcp",
"refs": [
"URL-https://tools.ietf.org/html/rfc2577"
],
"severity": "medium",
"xtype": "nuclei.ftp-anonymous-login"
}
]
2 CESNET SOC
SOC team members can use the following systems to obtain information useful for their missions.
- SNER
  - Database of IP services running in the monitored realm.
- Cvesearch
  - Local instance for searching known vulnerabilities.
2.1 Vulnerability scanning
Use the Sner UI Storage Vuln view (or the corresponding API) to find vulnerabilities with the filter Vuln.severity not_in ["info", "low"].
- General vulnerability scan (nuclei)
- SSL/TLS scanning with testssl (experimental; note.xtype testssl)
- Source port scanning (experimental; note.xtype sportmap)
2.2 Service version detection
Use Sner UI Storage Versioninfo view (or corresponding API).
2.3 CPE-CVE correlation
- Remotely exploitable vulnerabilities
  - Vulnsearch > Filter: Vulnsearch.attack_vector ilike "%NETWORK%"
- Vulnerabilities with public exploits
  - Vulnsearch > Filter: Vulnsearch.data astext_ilike "%exploit-db%"
2.4 Host view
Analyze data for a specific host in the Sner web UI (menu: sner > storage > hosts).
2.5 Hosts with extensive number of services
Analyze data in the hosts list view, sorted by number of services (menu: sner > storage > hosts, sort by cnt_s).
2.6 Specific services or combinations
Search for and analyze hosts with specific services or combinations of services.
- webserver + database
  - properly configured web servers don't typically expose their internal database
- hostname + database
  - the purpose of a server/service can be inferred from its hostname; high-profile targets should expose only a minimal set of services (e.g. an authentication service)
- debugging or management interfaces
  - any service used for debugging (e.g. JDWP, JMX) or remote management (iDRAC, BMC) should not be exposed to public access
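The following is an added example, not SNER's own client code: it wraps the servicelist call from use-case 1.4 in Python and then runs the exposure checks from use-cases 1.2, 1.4, 1.5 and 2.6 over the response. The policy port table, the web/database port sets and the sample response are constructed for illustration; the endpoint, header and filter string are the ones shown above.

```python
# Added example, not SNER's own client: query servicelist and flag exposures.
import json
import urllib.request
from collections import defaultdict

API_URL = "https://sner-hub.flab.cesnet.cz"  # same as URL in the shell setup
# Constructed policy table drawn from use-cases 1.2, 1.4, 1.5 and 2.6.
POLICY_PORTS = {445: "SMB exposed (backup infrastructure)",
                636: "LDAPS exposed (IdP/directory controller)",
                3306: "MariaDB/MySQL exposed"}
WEB_PORTS = {80, 443, 8080, 8443}
DB_PORTS = {3306, 5432, 1433, 27017}

def servicelist(api_key, filter_expr='Service.state ilike "open:%"', url=API_URL):
    """POST the filter to /api/v2/public/storage/servicelist (needs network)."""
    req = urllib.request.Request(
        f"{url}/api/v2/public/storage/servicelist",
        data=json.dumps({"filter": filter_expr}).encode(),
        headers={"X-API-KEY": api_key, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def exposure_findings(services):
    """Return (address, port, reason) tuples for open services that hit the
    policy table, allow LDAP anonymous bind, or combine web + database."""
    findings, ports_by_host = [], defaultdict(set)
    for svc in services:
        if not svc.get("state", "").startswith("open:"):
            continue  # only confirmed open services count
        addr, port = svc["address"], svc["port"]
        ports_by_host[addr].add(port)
        if port in POLICY_PORTS:
            findings.append((addr, port, POLICY_PORTS[port]))
        if "Anonymous bind OK" in svc.get("info", ""):
            findings.append((addr, port, "LDAP anonymous bind allowed"))
    for addr, ports in ports_by_host.items():  # use-case 2.6 combination
        if ports & WEB_PORTS and ports & DB_PORTS:
            findings.append((addr, None, "web server and database on same host"))
    return findings
# Constructed sample in the servicelist response shape shown above.
SAMPLE = [
    {"address": "203.0.113.30", "port": 443, "proto": "tcp", "state": "open:syn-ack"},
    {"address": "203.0.113.30", "port": 3306, "proto": "tcp", "state": "open:syn-ack"},
    {"address": "2001:db8::71", "port": 445, "proto": "tcp", "state": "open:syn-ack"},
    {"address": "203.0.113.50", "port": 636, "proto": "tcp", "state": "open:syn-ack",
     "info": "extrainfo: Anonymous bind OK"},
    {"address": "203.0.113.1", "port": 179, "proto": "tcp", "state": "filtered:no-response"},
]
```

Run `exposure_findings(servicelist(api_key))` against the live API, or `exposure_findings(SAMPLE)` offline; the filtered BGP service on the gateway is skipped, while the MariaDB host is reported twice (once for the database port, once for the web + database combination).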
2.7 External linking
The storage host lookup route can be used for linking from external sites (NERD).