Show HN: Osint tool that finds exposed files on domains (search.cerast-intelligence.com)

1 points by PatchRequest ↗ HN
hey guys, wanted to show one of my side projects i just made public.

the idea is basically another osint tool for pentesters and bug bounty hunters. it watches certificate transparency logs and checks newly-seen domains for exposed stuff like .env files, open .git dirs, config files, db dumps and so on, and puts whatever it finds into a searchable db. you just search a domain (or part of one) and see what's exposed.

it's read-only and free. one thing i've been thinking about adding is a way to register for certain keywords and get notified when something new shows up for that search.

would love to hear if you have other ideas for useful features, and also ideas for how to reduce abuse of the data, since that's the part i'm least sure about.

https://search.cerast-intelligence.com/

24 comments

[ 1.1 ms ] story [ 35.5 ms ] thread
searching for .gov reveals 0 matches... doubt
I manually blacklisted .gov from being crawled on my side. felt like it wasn't worth the potential trouble
Meanwhile you crawl anybody else?

.gov isn't magically any more able to take you to court than a private org

Its interesting and not interesting at the same time based on some of the search results

Almost all of them seem like home projects being deployed with ease in mind than security. The common thread seems to be the fact that most of them are phishing website, not sure if thats a business model to target here?

There's an astounding amount of .DS_Store showing up - I hadn't realised how common it apparently is for people to accidentally upload this.
It’s a terrible design from Apple to expose this metadata like this, it’s one of my biggest pet peeves.
KDE does something similar (but not as bad?) with .directory files.
So is this the crawler that has been constantly hammering all my applications searching for these files from the very second I first issue a TLS cert for them? Thanks to you I've had to put fail2ban on all my public-facing web servers...

How about you be a good netizen and make it so people can request to be scanned and don't proactively do it, let alone constantly keep hammering them with requests?

I need to protect against the malicious good guys, the shodans of the world. Peeping inside your windows and trying your front door handles. Querying every string imaginable and port pinging all 65536 of them.

And I need to protect against the actual criminals already inside my house looking for something to steal. Scouting out the easy target to setup their ransomwares.

Lots of crawlers do this. I have never seen a webserver that does not get a variety of these from obviously different sources. Even just an ssh port will get a lot of malicious login attempts.
In the early days of the web you could do a search on google like

  path:/etc/passwd
Sometimes there were even shadow passwd files with the hashes exposed on the web. Crazy days.
I remember seeing examples like this in security courses.

It was always surprising how many servers accidentally exposed sensitive files.

i thought it was still possible!

Luckily security has come a long way, but as shown by the project of OP, we are not quite there yet.

Nice tool. I’d like to understand what kinds of businesses the customers using this website are in.
Is this just re-skinned leakix.net? One of my honeypots for them is showing the same results.
Awesome tool, fast and right to the point!
CT logs are funny, not enough people know about them. Whenever I speak to people they're shocked to know that "internal" subdomains get exposed through them.
Wildcard certs were somewhat useful for hiding this. Not sure that's still true.