Search websites by keyword in title (Hi there Citrix!)
20 January 2020
With all the Citrix and Pulse Secure troubles lately, we all want to be able to find them quickly. It turns out that most of these VPN servers explicitly state what they are in the website title. In the past weeks you might have seen several Censys or Shodan search queries to find Citrix or Pulse Secure boxes on the internet.
Of course we immediately implemented this handy trick on ShadowTrackr and by now all websites we track have their title indexed. You can easily list all your Citrix servers with this query:
website.title:*netscaler*
After that, just click export and either download the list or email it directly to security operations and have them checked.
In beta: automated CVE checks on your software
05 January 2020
Have you seen the software report on your assets? Well, it’s about to become more interesting.
The software report shows you a list of all software that ShadowTrackr has detected on your systems. Such a list is useful to check if you’re running vulnerable or exploitable software.
But why check manually if automated vulnerability checks could be done? That’s in beta now. We’re tracking all registered CVEs and matching these against your software report. If CVEs are found they’re shown in the report and you can click them for more information.
The match is done based on information found in regular checks we run on your assets. We would never actively run a penetration test against your systems without a specific request and explicit prior approval.
Beta in this case means that we’re still figuring out the best way to do this. We don’t want to bury you in false positives. So, nothing is shown on your timeline, no alerts are sent and no mentions appear in the weekly (for now).
New search syntax with autocomplete
31 December 2019
The last update of this year contains a bunch of bug fixes, server upgrades, better cloud tracking and renewed search and export options. Those last two are definitely worth discussing in more detail.
The search options have grown organically over time and ended up being messy. In the early days you could use grade:B to search for all TLS certificates with that grade (based on SSL Labs scores). Then came website security grades (based on Mozilla observatory scores) and grade: became ambiguous. The quick fix was splitting it in the rather ugly certgrade: and webgrade:. Since you could only search a few entities (certificates, hosts and websites) and fields, collisions were rare. It only happened with grade.
Now, as more entities and fields become searchable, collisions are more likely. To fix that, the search syntax is now redesigned based on Lucene search syntax. So, to search for all websites running on apache having a website security grade B you use:
website.grade:B AND website.software:apache
To search for all certificates with grade A that were issued by Comodo, you do:
certificate.grade:A AND certificate.issuer:Comodo
Much better, right? And the search bar on every page now has autocomplete. It shows you which entities are searchable (currently: certificate, website, host, whois and dns) and which fields are available. It also autocompletes your known URLs and IP addresses. You can use either the mouse or the up/down arrow keys and tab to complete your search text. Have a look at these search examples.
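To show why the entity prefix removes the grade collision, here is a small evaluator for the entity.field:value AND ... form run over a constructed inventory. It is an added example, not ShadowTrackr's code; the records, the function names, and the case-insensitive and whole-word matching rules are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed inventory records (hypothetical hosts and values).
ASSETS = [
    {"entity": "website", "url": "vpn.example.com", "title": "NetScaler Gateway",
     "grade": "B", "software": "Apache"},
    {"entity": "website", "url": "www.example.com", "title": "Example Corp",
     "grade": "B", "software": "nginx"},
    {"entity": "website", "url": "shop.example.com", "title": "Shop",
     "grade": "B", "software": "Apache 2.4"},
    {"entity": "certificate", "url": "vpn.example.com", "grade": "A",
     "issuer": "Comodo"},
    {"entity": "certificate", "url": "www.example.com", "grade": "B",
     "issuer": "Comodo"},
]

TERM = re.compile(r"^(\w+)\.(\w+):(\S+)$")

def parse(query):
    """Split 'entity.field:value AND ...' into (entity, field, pattern) terms."""
    terms = []
    for part in re.split(r"\s+AND\s+", query.strip()):
        m = TERM.match(part)
        if not m:
            # An unqualified term such as 'grade:B' is ambiguous, so reject it.
            raise ValueError(f"expected entity.field:value, got {part!r}")
        terms.append(m.groups())
    return terms

def matches(record, term):
    entity, field, pattern = term
    if record["entity"] != entity or field not in record:
        return False
    value, pattern = str(record[field]).lower(), pattern.lower()
    # Assumption: wildcard terms match the whole value, plain terms match one word.
    if "*" in pattern or "?" in pattern:
        return fnmatchcase(value, pattern)
    return pattern in re.findall(r"\w+", value)

def search(query, assets=ASSETS):
    """Return the urls of records that satisfy every term of the query."""
    terms = parse(query)
    return [a["url"] for a in assets if all(matches(a, t) for t in terms)]

if __name__ == "__main__":
    print(search("website.title:*netscaler*"))
    print(search("website.grade:B AND website.software:apache"))
```
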
The other big change is in how we track things in the cloud. We see that more and more of our customers’ assets end up at big cloud providers and CDNs. So far, we’d just list the name of the cloud instead of the IP. That was a bit incomplete to say the least, and now we track both the cloud and the current IP. This allows for better scanning and better graphs, and opens up the way to new functionality.
Note that you might find some rediscovered cloud assets on your timeline. This is all part of the automatic migration and doesn’t cause any trouble. It can clutter your timeline though, so we’ll do our best to clean it up as much as possible. Still finding trouble? Please let us know and we’ll fix it for you.