The mysterious EASM and where they live. How are you? / Hebrew

The mysterious EASM and where they live. How are you? / Hebrew

The full text of the study has been published here.

In the first part, we reviewed EASM’s main capabilities and their geographic coverage. Next, we will compare the information search and analysis functions provided by different systems.

1.4 Definition of products

An important functionality of ASM-class systems is the ability to precisely define the different software and the technology stack that that software uses. To compare systems according to this criterion, the following was performed:

  • several types of software are selected;

  • several representatives of each type of software were chosen (the selection was based on the fact that the software is widespread on the territory of the Russian Federation, the list of critical software vulnerabilities is regularly updated, and these vulnerabilities are quite often successfully exploited by attackers);

  • for each selected software, queries were generated that allow you to find this software using several search methods. The text of the requests can be viewed in the extended table.

1.4.1 Simple search

The simplest search method for obtaining information about the studied systems is a full-text search for all data contained in the database with scan results. The most frequent implementation of this search method is the search for the occurrence of the requested text in the saved banners of responses of network services and in the body of HTML pages. Such a search does not differ in particular accuracy and is only suitable for determining the order of the number of network services that use the searched software and familiarization with the structure of the collected data.

Table 6 presents the products, as well as the number of unique entries in the database that each of the services found. Search requests in each of the ASM services are in the extended table.


  • In, you cannot search without specifying fields, so the search was performed using the “web.body” field.

  • In the results obtained from Censys and, the number of unique nodes is shown in parentheses.

1.4.2 Search using tags

For the convenience of users, ASM services can mark some scanned resources with certain labels/tags. The algorithm by which services identify products is often unknown, but a search using such code words can show more relevant results.

Table 7 presents the products, as well as the number of unique entries in the database found by each of the services. Queries made using the appropriate tags for searching in each of the ASM services can be viewed in the extended table.

1.4.3 Advanced search

The most accurate search method is the search by unique features of the software. To obtain these indications, it is necessary to analyze several results for different resources. In the case of web applications, such indications can be the hash code of the favicon.ico file or the specific content of the HTTP header. The results of such a search are the most accurate and, most often, more complete.

Table 8 presents the products, as well as the number of unique entries in the database found by each of the services. Requests made using some specific features of their search in each of the ASM services can be viewed in the extended table.

1.5 Handling Vulnerabilities

In addition to identifying open ports and software on the node under investigation, it is possible to obtain specific versions of software, as well as versions of operating systems. In addition, the collection of used technologies and meta-information is possible. In turn, a set of certain signs can be a reason to believe that the service under investigation is prone to vulnerability. Thus, the ability of the ASM system to correctly identify vulnerabilities is an undeniable advantage of this system over others.

1.5.1 General information

Table 9 presents information about the format of vulnerability processing by various ASM systems.

Figure 2. Shodan system infographic for vuln field

Figure 3. Shodan system infographic for the vuln.verified field

Figure 4. Netlas system infographic for field

1.5.2 How much ASMs “lie”.

Obviously, when assessing the level of security of a node, quality is much more important than quantity. A study was conducted that shows how accurate the identification of vulnerabilities in ASM systems is.

From all vulnerabilities marked by the Shodan system as vuln_verified=True, critical ones that have been actively exploited in the last few years and identified on nodes in the Russian Federation were selected.

The CISA (Cybersecurity & Infrastructure Security Agency) “Known Exploited Vulnerabilities Catalog” resource was chosen as the source of such vulnerabilities. In order to check whether a node is really vulnerable, active network checks were used, which are not harmful, but at the same time identify the vulnerability with a high degree of confidence.

For each such Shodan vulnerability, queries like “country:RUvuln:{CVE-….-….} vuln_verified=True” were performed. For the results returned by the service, a corresponding active check was launched. After that, the number of results before and after its launch was counted. The results are presented in Table 10.

A similar experiment was conducted for Netlas.

In Criminal IP, information about the vulnerability of a network service is reflected in the vulnerability field. At the time of the research, no vulnerability from the list prepared by us for this experiment was detected in the vulnerability field.

Thus, it can be concluded that the quality of vulnerability detection in modern ASMs leaves much to be desired. A large number of false positives does not allow to focus on the elimination of the most pressing problems.

See you soon in the final part 3! Subscribe to our Habr so you don’t miss an update.

Author: Maksym Pushkin, specialist in CyberOK expertise development.


  1. on product-,versions,-according to the


If you look events in Mykolaiv –

Related posts