Get Opendir Listing Stats

Get Opendir Listing Stats allows users to query and gather statistics from the Hunt database of tracked open directories.

These statistics can be useful for analyzing the current state of exposed open directories, or for crafting additional queries that target specific types of open directories within Hunt.

How To Make a Request

Opendir listing stats can be obtained by performing a GET request to the following API.

https://api.hunt.io/v1/attackcapture/listing/stats

Requests can be made using any tool capable of performing GET requests and specifying an authorization token.

Examples are provided below for both curl and Python.

Curl

curl --request GET \
     --url https://api.hunt.io/v1/attackcapture/listing/stats \
     --header 'accept: application/json' \
     --header 'token: <your-token>'

Python

import requests

url = "https://api.hunt.io/v1/attackcapture/listing/stats"

headers = {
    "accept": "application/json",
    "token": "<your-token>"
}

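# Set a timeout so a stalled connection cannot hang the script,
# and raise on HTTP error responses instead of printing an error body.
response = requests.get(url, headers=headers, timeout=30)
response.raise_for_status()

print(response.text)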

Default Lookback and Timeframes

Requests will default to 90 days of lookback time when no days parameter is specified.

Users can include the days parameter to expand or reduce the lookback period.

For example, the request below sets the days parameter to 180, which provides 6 months of lookback time.

curl --request GET \
     --url 'https://api.hunt.io/v1/attackcapture/listing/stats?days=180' \
     --header 'accept: application/json' \
     --header 'token: <your-token>'

Specific Lookback Periods and Exact Timeframes

The start_date and end_date parameters can be used to obtain open directory stats for a specific timeframe.

Dates are specified using a YYYY-MM-DD format.

For example, we can obtain open directory stats for the date range of 2024-11-01 to 2024-11-22 using a curl request.

curl --request GET \
     --url 'https://api.hunt.io/v1/attackcapture/listing/stats?start_date=2024-11-01&end_date=2024-11-22' \
     --header 'accept: application/json' \
     --header 'token: <your-token>'

Returned Data

Returned data will contain the following fields as a JSON object.

| Field | Description |
| --- | --- |
| hostnames | Array of hostnames where open directories were seen |
| ports | Array of ports and the number of times each port has been observed |
| tags | Tags used to classify files observed in open directories |
| mitre_tags | MITRE tactics of files observed in open directories |
| github_tags | GitHub tags, where an open directory file has been taken from GitHub |

Returned Data Example

A subset of a successful request is provided below for reference. Note that this example has been snipped and typical responses will contain significantly more data.


{
  "hostnames": [
    "http://1.12.233.124:11111",
    "http://1.14.7.84:88",
    "http://1.83.169.103:9999",
    "http://154.44.26.68:8868",
    "http://154.64.60.137:80"
  ],
  "ports": [
    {
      "port": 80,
      "count": 582
    },
    {
      "port": 443,
      "count": 203
    },
    {
      "port": 8000,
      "count": 127
    },
    {
      "port": 8080,
      "count": 85
    }
  ],
  "tags": [
    {
      "name": "pentesting",
      "count": 124
    },
    {
      "name": "red-team",
      "count": 113
    },
    {
      "name": "adversarial-attacks",
      "count": 86
    },
    {
      "name": "C2",
      "count": 86
    }
  ],
  "mitre_tags": [
    {
      "name": "t1614.001",
      "description": "System Language Discovery",
      "count": 590
    },
    {
      "name": "t1082",
      "description": "System Information Discovery",
      "count": 551
    },
    {
      "name": "t1012",
      "description": "Query Registry",
      "count": 419
    }
  ],
  "github_tags": [
    {
      "name": "SharpCollection",
      "count": 35
    },
    {
      "name": "VNCDLL",
      "count": 20
    },
    {
      "name": "sqlmap",
      "count": 7
    }
  ]
}
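
The following is an added example, not code from Hunt: it builds the request URL from the days, start_date and end_date parameters described above (rejecting dates that are not YYYY-MM-DD) and ranks the count-bearing fields of a returned object. The names build_url, summarize and SAMPLE, and the non_default_port_share metric, are assumptions of this example and not part of the API.

```python
from datetime import date
from urllib.parse import urlencode

BASE_URL = "https://api.hunt.io/v1/attackcapture/listing/stats"

def build_url(days=None, start_date=None, end_date=None):
    """Build the stats URL; dates must parse as YYYY-MM-DD or ValueError is raised."""
    params = {}
    if days is not None:
        params["days"] = int(days)
    for key, value in (("start_date", start_date), ("end_date", end_date)):
        if value is not None:
            params[key] = date.fromisoformat(value).isoformat()
    if "start_date" in params and "end_date" in params:
        if params["start_date"] > params["end_date"]:
            raise ValueError("start_date is after end_date")
    # urlencode joins parameters with "&", so the URL is assembled in one piece
    return BASE_URL + ("?" + urlencode(params) if params else "")

def summarize(stats, top=3):
    """Rank each count-bearing field and measure exposure on non-default web ports."""
    out = {"hostname_count": len(stats.get("hostnames", []))}
    for field, key in (("ports", "port"), ("tags", "name"),
                       ("mitre_tags", "name"), ("github_tags", "name")):
        rows = sorted(stats.get(field, []), key=lambda r: r["count"], reverse=True)
        out[field] = [(r[key], r["count"]) for r in rows[:top]]
    ports = stats.get("ports", [])
    total = sum(p["count"] for p in ports)
    other = sum(p["count"] for p in ports if p["port"] not in (80, 443))
    # Metric defined by this example (not an API field): share of sightings off 80/443
    out["non_default_port_share"] = round(other / total, 3) if total else 0.0
    return out

# Constructed sample: same shape as the snipped response on this page, values taken from it
SAMPLE = {
    "hostnames": ["http://1.12.233.124:11111", "http://1.14.7.84:88"],
    "ports": [{"port": 80, "count": 582}, {"port": 443, "count": 203},
              {"port": 8000, "count": 127}, {"port": 8080, "count": 85}],
    "tags": [{"name": "pentesting", "count": 124}, {"name": "red-team", "count": 113}],
    "mitre_tags": [{"name": "t1082", "description": "System Information Discovery", "count": 551},
                   {"name": "t1614.001", "description": "System Language Discovery", "count": 590}],
    "github_tags": [{"name": "SharpCollection", "count": 35}],
}

if __name__ == "__main__":
    print(build_url(start_date="2024-11-01", end_date="2024-11-22"))
    print(summarize(SAMPLE))
```

The URL returned by build_url can be passed to requests.get with the same headers as the Python example above, and summarize can then be applied to response.json().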