The "Forgotten Server" Problem
Every developer has been there. You spin up a temporary staging instance to test a deployment script, or you launch a quick Redis container to debug a caching issue. You intend to tear it down in an hour, but then a Slack notification hits, a meeting starts, and that instance stays live.
Six months later, that "temporary" server is an unpatched entry point into your infrastructure.
You can't secure what you don't know exists. While internal asset trackers are great, they often miss what the outside world can actually see. This is where internet-wide search engines come in.
In this guide, we’ll look at how to use ScanSearch to programmatically audit your public-facing infrastructure and identify services you might have forgotten were exposed.
What is ScanSearch?
ScanSearch is an internet-wide search engine designed to index network devices, services, and vulnerabilities across the entire IPv4 space. Think of it as a specialized crawler that doesn't look for web content, but for open ports, SSL certificates, service banners, and misconfigurations.
For a developer or DevOps engineer, it’s a tool for External Attack Surface Management (EASM). Instead of manually running nmap against your IP ranges (which is slow and can be blocked), you query a pre-indexed database of the entire internet.
The Goal: Finding Exposed Databases
Let’s build a practical Python script. We want to find any instances associated with a specific organization or IP range that are running services they shouldn't be—specifically, we'll look for exposed database ports (like MongoDB on 27017 or Redis on 6379) that might be leaking data.
Prerequisites
To follow along, you'll need:
- Python 3.x installed.
- The requests library.
- Access to the ScanSearch platform to retrieve your API credentials.
Writing the Audit Script
We’ll write a script that queries the ScanSearch API for a specific network range and flags any service that isn't on our "allowlist" (like 80 or 443).
```python
import requests

# Configuration
API_KEY = "YOUR_SCANSEARCH_API_KEY"
BASE_URL = "https://scansearch.net/api/v1"  # Hypothetical API endpoint
TARGET_NET = "192.168.1.0/24"  # Replace with your actual public CIDR
ALLOWED_PORTS = [80, 443]


def fetch_exposed_services(net_range):
    """
    Queries ScanSearch for all indexed services in a specific CIDR.
    """
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
    }
    # We search for the net range using the 'net' filter
    query = f"net:{net_range}"
    try:
        response = requests.get(
            f"{BASE_URL}/search",
            params={"q": query},
            headers=headers,
            timeout=30  # Don't let a stalled connection hang the audit
        )
        response.raise_for_status()
        return response.json().get('results', [])
    except (requests.RequestException, ValueError) as e:
        # Network/HTTP failures, or a response body that is not valid JSON
        print(f"Error fetching data: {e}")
        return []


def audit_infrastructure():
    print(f"--- Starting Audit for {TARGET_NET} ---")
    results = fetch_exposed_services(TARGET_NET)
    flagged_count = 0
    for entry in results:
        ip = entry.get('ip')
        port = entry.get('port')
        service = entry.get('service', 'Unknown')
        # A banner may be missing or null for some services
        banner = entry.get('banner') or 'N/A'
        if port not in ALLOWED_PORTS:
            print("[!] ALERT: Unexpected service found!")
            print(f"    IP: {ip}")
            print(f"    Port: {port}")
            print(f"    Service: {service}")
            print(f"    Banner: {banner[:50]}...")
            flagged_count += 1
    if flagged_count == 0:
        print("No unexpected services found. Infrastructure looks clean.")
    else:
        print(f"Audit complete. {flagged_count} issues found.")


if __name__ == "__main__":
    audit_infrastructure()
```
Why This Matters
When you run the script above, ScanSearch doesn't just tell you a port is open; it gives you the banner data. If you have an Nginx server running, it will tell you the version. If you have an expired SSL certificate, it will flag it.
Common things to look for in your results:
- Old Headers: Are you still running X-Powered-By: PHP/5.4? That’s a signal to attackers.
- Dev Endpoints: Finding /swagger-ui.html or /_ast (Airflow) exposed to the public internet is a major risk.
- Vulnerabilities: ScanSearch indexes known vulnerabilities associated with specific service versions. You can refine your search to net:1.2.3.4/24 has_vulnerability:true to prioritize your patching schedule.
Beyond Simple Port Scanning
One of the most powerful ways to use ScanSearch is to find "shadow" assets that aren't even in your known IP range. You can search by organization name or SSL certificate common names.
For example, searching for ssl.cert.subject.cn:"*.yourcompany.com" might reveal a marketing microsite hosted on a random VPS that your security team never knew existed. These are often the weakest links because they fall outside your standard patch management cycle.
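A certificate search is only useful once its hits are compared against the ranges you already track. The following is an added example, not code from ScanSearch or the original script: it filters constructed search results down to hosts outside your known CIDRs. The "cn" field name and all sample records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: the CIDRs your team already tracks.
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]

# Constructed hits for a certificate-CN search; "cn" is an assumed field name.
CERT_HITS = [
    {"ip": "203.0.113.20", "port": 443, "cn": "www.yourcompany.com"},
    {"ip": "198.51.100.7", "port": 443, "cn": "promo.yourcompany.com"},
    {"ip": "198.51.100.7", "port": 8443, "cn": "promo.yourcompany.com"},
    {"ip": "not-an-ip", "port": 443, "cn": "broken.yourcompany.com"},
]

def is_known(ip):
    """True when the address falls inside any tracked network."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in KNOWN_NETS)

def shadow_assets(results):
    """Group hits outside every known CIDR by IP, with their ports and names."""
    found = defaultdict(lambda: {"ports": set(), "names": set()})
    for r in results:
        try:
            if is_known(r["ip"]):
                continue
        except (KeyError, ValueError):
            continue  # skip records without a parseable IP
        if r.get("port") is not None:
            found[r["ip"]]["ports"].add(r["port"])
        found[r["ip"]]["names"].add(r.get("cn", "unknown"))
    return {ip: {"ports": sorted(v["ports"]), "names": sorted(v["names"])}
            for ip, v in found.items()}

if __name__ == "__main__":
    for ip, info in shadow_assets(CERT_HITS).items():
        print(f"[?] Untracked host {ip} ports={info['ports']} names={info['names']}")
```

Each host it returns is a candidate for the asset inventory, pending confirmation of who owns it.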
Integrating into your Workflow
Security shouldn't be a one-time event. You can take the script above and:
- Run it as a Cron Job: Get a weekly report of any new ports that appeared on your infrastructure.
- CI/CD Integration: Add a step in your deployment pipeline to verify that a newly deployed service is visible (or invisible) as expected.
- Slack Alerts: Instead of printing to the console, send a webhook to your team's security channel whenever a high-risk port (like 3389 for RDP or 22 for SSH) is detected on a production IP.
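The cron and Slack ideas above both depend on comparing this week's results with last week's. The following is an added example, not part of the original script: it diffs two snapshots of result records and builds a Slack incoming-webhook body for new high-risk ports. The snapshot records, port policy and state file are assumptions.

```python
import json
from pathlib import Path

# Assumed policy values: ports the article names as sensitive.
ALLOWED_PORTS = {80, 443}
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 6379: "Redis", 27017: "MongoDB"}

# Constructed sample snapshots (documentation address range).
LAST_WEEK = [
    {"ip": "203.0.113.10", "port": 443, "service": "https"},
    {"ip": "203.0.113.11", "port": 22, "service": "ssh"},
]
THIS_WEEK = [
    {"ip": "203.0.113.10", "port": 443, "service": "https"},
    {"ip": "203.0.113.10", "port": 8080, "service": "http"},
    {"ip": "203.0.113.12", "port": 6379, "service": "redis"},
    {"ip": "203.0.113.13", "port": 80, "service": "http"},
]

def exposure_set(results):
    """Reduce result records to a set of (ip, port) pairs."""
    return {(r["ip"], r["port"]) for r in results if r.get("ip") and r.get("port")}

def diff_exposures(previous, current):
    """Return (new, closed): new off-allowlist exposures and ones that disappeared."""
    prev, cur = exposure_set(previous), exposure_set(current)
    new = sorted(p for p in cur - prev if p[1] not in ALLOWED_PORTS)
    return new, sorted(prev - cur)

def slack_payload(new):
    """Build a Slack incoming-webhook body, or None when nothing is high-risk."""
    lines = [f"{ip}:{port} ({HIGH_RISK_PORTS[port]})"
             for ip, port in new if port in HIGH_RISK_PORTS]
    if not lines:
        return None
    return {"text": "New high-risk exposure detected:\n" + "\n".join(lines)}

def run_audit(current, state_file):
    """One scheduled run: diff against the stored snapshot, then replace it."""
    path = Path(state_file)
    previous = json.loads(path.read_text()) if path.exists() else []
    new, closed = diff_exposures(previous, current)
    path.write_text(json.dumps(current))
    return new, closed

if __name__ == "__main__":
    new, closed = diff_exposures(LAST_WEEK, THIS_WEEK)
    # To alert: requests.post(WEBHOOK_URL, json=slack_payload(new), timeout=10)
    print("new:", new, "closed:", closed, "alert:", slack_payload(new))
```

On the first run there is no stored snapshot, so every exposure outside the allowlist is reported as new.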
Conclusion
Visibility is the foundation of security. Tools like ScanSearch provide a "hacker's eye view" of your infrastructure, allowing you to find and fix holes before someone else does. By automating these checks, you move from reactive firefighting to a proactive security posture.
Next time you spin up a "temporary" instance, you'll know exactly when you've forgotten to turn it off.













