IP Enrichment Documentation
This page will help you get started with IP Enrichment.
The IP enrichment API allows users to submit an IP address and enrich it with detailed information about observed activity. Enrichment covers certificates, malware command and control (C2), JARM signatures, HTTP data and any observed open directories.
The enrichment API can be accessed via GET requests to https://api.hunt.io/v1/enrich/ip/{ip}
Details on submitting to the IP enrichment API can be found here.
Enrichment Databases
IP Enrichment will enrich a submitted IP address with the following Hunt databases.
Feature | Description |
---|---|
certificates | SSL certificate fields and their related hashes |
malware | Malware details from Hunt signature hits |
jarm | JARM hashes |
protocol | Protocol payloads detected on the IP |
http | Details about any HTTP data returned |
opendir | Open Directories detected on IP (any port, http protocol) |
Sample IPs
IP | Highlights |
---|---|
13.212.254.64 | Protocols/SSL/JARM |
18.117.190.112 | Honeypot |
172.66.45.33 | Phishing |
8.131.50.94 | Malware |
1.15.175.83 | Open Directory |
Certificate Enrichment
Certificate enrichment data contains information about SSL and TLS certificates observed on the enriched IP.
This includes detailed information regarding subjects, issuers, JA4X and other hashes.
An example of certificate enrichment via the IP enrichment API can be seen below. The example uses a Cobalt Strike IP of 120.24.23[.]212, which is linked to a certificate with common Cobalt Strike values.
Example
[
{
"HashHexedSha256": "56A06A233BD30F693DE25EF12CC19E8B2C92D3EB97DD969A2578DF084C376478",
"UUIDHexed": "4CAD2CD861FC27659F3F2D0B3D900F1746EA56BC443C3A83E200B5269CBFE45B",
"HashHexedSha1": "FE1416BA041BAFB4D9BA736089253AF2C71A9C5F",
"HashHexedMd5": "C93DF8087725EC694FB59E7A77947161",
"JA4X": "2166164053c1_2166164053c1_30d204a01551",
"SeenFirst": "2022-09-14T08:04:33",
"SeenLast": "2024-09-08T23:14:58",
"Serial": "659754494",
"NotBefore": "2022-08-30T14:15:08",
"NotAfter": "2022-11-28T14:15:08",
"SubjectCommonName": "Major Cobalt Strike",
"SubjectCountry": [
"Earth"
],
"SubjectOrganization": [
"cobaltstrike"
],
"SubjectOrganizationalUnit": [
"AdvancedPenTesting"
],
"SubjectLocality": [
"Somewhere"
],
"SubjectProvince": [
"Cyberspace"
],
"SubjectStreetAddress": [],
"SubjectPostalCode": [],
"SubjectSubjectSerialNumber": "",
"IssuerCommonName": "Major Cobalt Strike",
"IssuerCountry": [
"Earth"
],
"IssuerOrganization": [
"cobaltstrike"
],
"IssuerOrganizationalUnit": [
"AdvancedPenTesting"
],
"IssuerLocality": [
"Somewhere"
],
"IssuerProvince": [
"Cyberspace"
],
"IssuerStreetAddress": [],
"IssuerPostalCode": [],
"IssuerSubjectSerialNumber": "",
"PolicyIdentifiers": "",
"SignatureAlgorithm": "SHA256-RSA",
"PrivateKey_BitLength": "256",
"PrivateKey_Type": "RSA",
"KeyUsage": "0",
"ExtKeyUsage": "[]",
"DNSNames": [],
"EmailAddresses": [],
"IPAddresses": [],
"URIs": [],
"IssuingCertificateURL": [],
"IsCA": "0",
"MaxPathLen": "0",
"MaxPathLenZero": "0",
"OCSPServer": [],
"Hostnames": ""
}
]
Fields
The following fields are available in the Certificate component of IP enrichment.
Field | Description |
---|---|
HashHexedSha256 | SHA256 Hash of Certificate Content |
UUIDHexed | Certificate UUID in Hex Format |
HashHexedSha1 | SHA1 Hash of Certificate Content |
HashHexedMd5 | MD5 Hash of Certificate Content |
JA4X | JA4X Fingerprint of the Certificate (e.g. 2166164053c1_2166164053c1_30d204a01551) |
SeenFirst | Timestamp When Certificate was First Observed |
SeenLast | Timestamp When Certificate was Last Observed |
Serial | Serial Number of The Certificate |
NotBefore | Start of the Certificate Validity Period (e.g. 2024-03-11T08:16:35) |
NotAfter | End of the Certificate Validity Period (e.g. 2024-06-09T08:16:35) |
SubjectCommonName | Common Name of Certificate Subject |
SubjectCountry | Country of Certificate Subject |
SubjectOrganization | Organization of Certificate Subject |
SubjectOrganizationalUnit | Organizational Unit of Certificate Subject |
SubjectLocality | Locality of Certificate Subject |
SubjectProvince | Province of Certificate Subject |
SubjectStreetAddress | Street Address of Certificate Subject |
SubjectPostalCode | Postal Code of Certificate Subject |
SubjectSerialNumber | Serial Number of Certificate Subject |
IssuerCommonName | Common Name of Certificate Issuer |
IssuerCountry | Country of Issuer |
IssuerOrganization | Organization of Issuer |
IssuerOrganizationalUnit | Organizational Unit of Issuer |
IssuerLocality | Locality of Issuer |
IssuerProvince | Province of Issuer |
IssuerStreetAddress | Street Address of Issuer |
IssuerPostalCode | Postal Code of Issuer |
IssuerSerialNumber | Serial Number of Issuer |
PolicyIdentifiers |
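The checks an analyst usually runs over a certificate record once it comes back from the API, as an added example that is not code from the Hunt.io documentation or platform. It assumes only the field names shown above; SAMPLE_CERT is the page's Cobalt Strike certificate record, embedded so the checks run offline, and the TOOLKIT_MARKERS watchlist is an illustrative assumption drawn from that sample.

```python
"""Triage checks over one record of the certificate enrichment component."""
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
DN_PARTS = ("CommonName", "Country", "Organization",
            "OrganizationalUnit", "Locality", "Province")
# Illustrative watchlist (assumption): strings the page's sample shows in the
# subject/issuer fields of a Cobalt Strike certificate.
TOOLKIT_MARKERS = ("cobalt strike", "cobaltstrike")

# Page's sample record, trimmed to the fields the checks use.
SAMPLE_CERT = {
    "HashHexedSha256": "56A06A233BD30F693DE25EF12CC19E8B2C92D3EB97DD969A2578DF084C376478",
    "JA4X": "2166164053c1_2166164053c1_30d204a01551",
    "SeenFirst": "2022-09-14T08:04:33",
    "SeenLast": "2024-09-08T23:14:58",
    "NotBefore": "2022-08-30T14:15:08",
    "NotAfter": "2022-11-28T14:15:08",
    "SubjectCommonName": "Major Cobalt Strike",
    "SubjectCountry": ["Earth"],
    "SubjectOrganization": ["cobaltstrike"],
    "SubjectOrganizationalUnit": ["AdvancedPenTesting"],
    "SubjectLocality": ["Somewhere"],
    "SubjectProvince": ["Cyberspace"],
    "IssuerCommonName": "Major Cobalt Strike",
    "IssuerCountry": ["Earth"],
    "IssuerOrganization": ["cobaltstrike"],
    "IssuerOrganizationalUnit": ["AdvancedPenTesting"],
    "IssuerLocality": ["Somewhere"],
    "IssuerProvince": ["Cyberspace"],
    "DNSNames": [],
    "IPAddresses": [],
    "IsCA": "0",
}


def parse_ts(value):
    """Parse the page's timestamp format (no timezone) into a datetime."""
    return datetime.strptime(value, TS_FORMAT)


def is_self_signed(cert):
    """Every subject DN part equals the matching issuer part: self-signed."""
    return all(cert.get("Subject" + p) == cert.get("Issuer" + p) for p in DN_PARTS)


def validity_days(cert):
    """Length of the certificate's validity window in whole days."""
    return (parse_ts(cert["NotAfter"]) - parse_ts(cert["NotBefore"])).days


def served_after_expiry(cert):
    """True when the certificate was still observed after NotAfter."""
    return parse_ts(cert["SeenLast"]) > parse_ts(cert["NotAfter"])


def dn_text(cert):
    """Flatten every subject/issuer part into one lowercase string for matching."""
    parts = []
    for side in ("Subject", "Issuer"):
        for p in DN_PARTS:
            v = cert.get(side + p, "")
            parts.extend(v if isinstance(v, list) else [v])
    return " ".join(parts).lower()


def triage(cert):
    """Return the findings a reviewer would want to see first, in a fixed order."""
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed")
    if served_after_expiry(cert):
        findings.append("observed after NotAfter")
    if not cert.get("DNSNames") and not cert.get("IPAddresses"):
        findings.append("no subject alternative names")
    text = dn_text(cert)
    for marker in TOOLKIT_MARKERS:
        if marker in text:
            findings.append(f"toolkit marker: {marker}")
    return findings


if __name__ == "__main__":
    print(SAMPLE_CERT["HashHexedSha256"][:16], validity_days(SAMPLE_CERT), "day window")
    for finding in triage(SAMPLE_CERT):
        print(" -", finding)
```

None of the individual findings is proof of malice on its own (self-signed certificates and empty SAN lists are common on test hosts), so the function reports all of them and leaves scoring to the caller, who can weight them together with the malware and protocol components.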
Malware Enrichment
IP Enrichment returns Command and Control (C2) servers associated with the submitted IP address.
The output returns the name, port, dates and confidence of the associated malware C2.
Example
[
{
"MalwareName": "Cobalt Strike",
"IP": "120.24.23.212",
"Port": 80,
"Confidence": 100,
"MalwareSubsystem": "C2",
"SeenFirst": "2024-08-28T09:03:55",
"SeenLast": "2024-09-02T05:29:27"
},
{
"MalwareName": "Cobalt Strike",
"IP": "120.24.23.212",
"Port": 50050,
"Confidence": 80,
"MalwareSubsystem": "Team Server",
"SeenFirst": "2024-08-11T08:20:31",
"SeenLast": "2024-09-02T05:10:21"
},
{
"MalwareName": "Cobalt Strike",
"IP": "120.24.23.212",
"Port": 81,
"Confidence": 100,
"MalwareSubsystem": "C2",
"SeenFirst": "2024-09-03T21:01:11",
"SeenLast": "2024-09-04T01:28:14"
}
]
Fields
The following fields are available in the Malware component of IP enrichment.
Field | Description |
---|---|
MalwareName | Name of the Associated Malware Family |
IP | IP of the Command and Control Server |
Port | Port where Malware C2 was Observed |
Confidence | Hunt Confidence Level |
MalwareSubsystem | Subcategory of the Malware Type |
SeenFirst | Time that the C2 was first seen |
SeenLast | Time that the C2 was last seen |
Protocol Enrichment
IP Enrichment returns information about ports and protocols observed on the requested IP address.
This includes information on the running service, port and dates when the protocol was first and last observed on the submitted IP.
Below is a subset of the returned protocol data for 120.24.23[.]212. The data shows protocol information for observed ports 22 and 50050.
[
{
"IP": "120.24.23.212",
"Port": 22,
"Fingerprint": [
"ssh"
],
"SeenFirst": "2024-07-08T12:33:53",
"SeenLast": "2024-08-21T12:31:44",
"AllFingerprints": [
"ssh"
]
},
{
"IP": "120.24.23.212",
"Port": 50050,
"Fingerprint": [
"tls"
],
"SeenFirst": "2024-08-05T09:07:28",
"SeenLast": "2024-08-15T09:02:09",
"AllFingerprints": [
"unknown",
"tls"
]
}
]
Fields
The following fields are available in the Protocol component of IP enrichment.
Field | Description |
---|---|
IP | IP where protocol was observed |
Port | Port where protocol was observed |
Fingerprint | Primary Protocol observed on the port |
SeenFirst | Time that the protocol was first seen |
SeenLast | Time that the protocol was last seen |
AllFingerprints | Other matching protocols and fingerprints |
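The Malware and Protocol components are most useful read together: a C2 record tells you which port is claimed, and the protocol record for that port tells you what the scanner actually saw there. The join below is an added example covering both sections; it is not code from the Hunt.io documentation or platform and assumes only the field names shown on this page. MALWARE and PROTOCOL are the page's 120.24.23[.]212 sample records, embedded so the join runs offline.

```python
"""Correlate the malware and protocol components of one enrichment response."""
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Page's sample malware records.
MALWARE = [
    {"MalwareName": "Cobalt Strike", "IP": "120.24.23.212", "Port": 80,
     "Confidence": 100, "MalwareSubsystem": "C2",
     "SeenFirst": "2024-08-28T09:03:55", "SeenLast": "2024-09-02T05:29:27"},
    {"MalwareName": "Cobalt Strike", "IP": "120.24.23.212", "Port": 50050,
     "Confidence": 80, "MalwareSubsystem": "Team Server",
     "SeenFirst": "2024-08-11T08:20:31", "SeenLast": "2024-09-02T05:10:21"},
    {"MalwareName": "Cobalt Strike", "IP": "120.24.23.212", "Port": 81,
     "Confidence": 100, "MalwareSubsystem": "C2",
     "SeenFirst": "2024-09-03T21:01:11", "SeenLast": "2024-09-04T01:28:14"},
]

# Page's sample protocol records.
PROTOCOL = [
    {"IP": "120.24.23.212", "Port": 22, "Fingerprint": ["ssh"],
     "SeenFirst": "2024-07-08T12:33:53", "SeenLast": "2024-08-21T12:31:44",
     "AllFingerprints": ["ssh"]},
    {"IP": "120.24.23.212", "Port": 50050, "Fingerprint": ["tls"],
     "SeenFirst": "2024-08-05T09:07:28", "SeenLast": "2024-08-15T09:02:09",
     "AllFingerprints": ["unknown", "tls"]},
]


def fingerprints_by_port(protocol_records):
    """Map port -> every fingerprint seen there (primary plus AllFingerprints)."""
    by_port = defaultdict(set)
    for rec in protocol_records:
        by_port[rec["Port"]].update(rec["Fingerprint"])
        by_port[rec["Port"]].update(rec["AllFingerprints"])
    return by_port


def correlate(malware_records, protocol_records, min_confidence=0):
    """One row per malware observation at or above min_confidence, joined to
    protocol fingerprints by port and ordered newest SeenLast first."""
    by_port = fingerprints_by_port(protocol_records)
    rows = []
    for rec in malware_records:
        if rec["Confidence"] < min_confidence:
            continue
        rows.append({
            "port": rec["Port"],
            "family": rec["MalwareName"],
            "subsystem": rec["MalwareSubsystem"],
            "confidence": rec["Confidence"],
            "fingerprints": sorted(by_port.get(rec["Port"], ())),
            "seen_last": datetime.strptime(rec["SeenLast"], TS_FORMAT),
        })
    rows.sort(key=lambda r: r["seen_last"], reverse=True)
    return rows


def unfingerprinted_ports(rows):
    """Malware ports with no protocol record: no protocol payload was detected
    there, so the C2 claim rests on the malware signature alone."""
    return sorted({r["port"] for r in rows if not r["fingerprints"]})


def format_rows(rows):
    """Render rows as one-line summaries for a ticket or report."""
    return [
        "port {port:>5} {family}/{subsystem} confidence={confidence} "
        "proto={proto} last_seen={seen}".format(
            proto=",".join(r["fingerprints"]) or "-",
            seen=r["seen_last"].strftime(TS_FORMAT), **r)
        for r in rows
    ]


if __name__ == "__main__":
    summary = correlate(MALWARE, PROTOCOL)
    print("\n".join(format_rows(summary)))
    print("ports without protocol data:", unfingerprinted_ports(summary))
```

With the page's sample data the Team Server port 50050 is backed by a TLS fingerprint while the two C2 ports (80 and 81) have no protocol record at all; the min_confidence threshold lets a pipeline keep only the Confidence 100 hits when feeding a blocklist and retain the rest for manual review.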
SSH Enrichment
If an SSH service was observed on the submitted IP, associated information will be returned in the SSH component of the returned JSON data.
[
{
"IP": "120.24.23.212",
"Port": 22,
"SeenFirst": "2024-07-08T12:16:26",
"SeenLast": "2024-09-09T06:13:31",
"Keys": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,C91B37580192204F6403219C45BBAB57E8C8A7C82EC38806CA6E248C8B34FC1E,B7BAEEB13B6375CF66E57C1FF8E8137AF54671D32E6F454B0DB63B0A9098AAAF"
}
]
Fields
The following fields are available in the SSH component of IP enrichment.
Field | Description |
---|---|
IP | IP where SSH was observed |
Port | Port where SSH was observed |
SeenFirst | Time that SSH was first seen |
SeenLast | Time that SSH was last seen |
Keys | SSH keys of the SSH service |
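The Keys field above arrives as one comma-separated string of hex hashes, and its main analytical use is pivoting: the same SSH host key showing up on different addresses often indicates a cloned image or the same infrastructure. The helper below splits and validates the field and finds such overlaps; it is an added example, not code from the Hunt.io documentation or platform, and assumes only the field shape shown on this page. PAGE_RECORD is the page's 120.24.23[.]212 record; CONSTRUCTED_RECORD is a made-up second host on the documentation address 192.0.2.10 that reuses one of the hashes so the overlap check has something to find.

```python
"""Split the SSH component's Keys field and pivot on shared host key hashes."""
from itertools import combinations

# Page's sample SSH record.
PAGE_RECORD = {
    "IP": "120.24.23.212", "Port": 22,
    "SeenFirst": "2024-07-08T12:16:26", "SeenLast": "2024-09-09T06:13:31",
    "Keys": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,"
            "C91B37580192204F6403219C45BBAB57E8C8A7C82EC38806CA6E248C8B34FC1E,"
            "B7BAEEB13B6375CF66E57C1FF8E8137AF54671D32E6F454B0DB63B0A9098AAAF",
}

# Constructed record (assumption): a second host sharing one key hash, with
# deliberately messy spacing and case to exercise the normalisation.
CONSTRUCTED_RECORD = {
    "IP": "192.0.2.10", "Port": 2222,
    "SeenFirst": "2024-08-01T00:00:00", "SeenLast": "2024-08-02T00:00:00",
    "Keys": " c91b37580192204f6403219c45bbab57e8c8a7c82ec38806ca6e248c8b34fc1e, "
            "0000000000000000000000000000000000000000000000000000000000000000",
}

HEX_DIGITS = set("0123456789abcdef")


def split_keys(record):
    """Normalise Keys into a set of lowercase 64-hex-char hashes; skip blanks,
    reject anything that is not a hash so bad input fails loudly."""
    keys = set()
    for raw in record.get("Keys", "").split(","):
        token = raw.strip().lower()
        if not token:
            continue
        if len(token) != 64 or not set(token) <= HEX_DIGITS:
            raise ValueError(f"unexpected key hash format: {raw!r}")
        keys.add(token)
    return keys


def endpoint(record):
    """ip:port label used for every record."""
    return f'{record["IP"]}:{record["Port"]}'


def shared_keys(records):
    """Pairs of endpoints that present at least one identical host key hash,
    mapped to the sorted list of hashes they share."""
    keyed = {endpoint(r): split_keys(r) for r in records}
    overlaps = {}
    for a, b in combinations(sorted(keyed), 2):
        common = keyed[a] & keyed[b]
        if common:
            overlaps[(a, b)] = sorted(common)
    return overlaps


def key_index(records):
    """Reverse index: key hash -> sorted list of endpoints presenting it."""
    index = {}
    for r in records:
        for k in split_keys(r):
            index.setdefault(k, []).append(endpoint(r))
    return {k: sorted(v) for k, v in index.items()}


if __name__ == "__main__":
    records = [PAGE_RECORD, CONSTRUCTED_RECORD]
    for pair, keys in shared_keys(records).items():
        print(pair, "share", keys)
```

Run over every IP an investigation has enriched, key_index gives the cluster of endpoints behind each host key, which is the pivot an analyst follows before widening a block to neighbouring addresses.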
HTTP Enrichment
IP enrichment returns data on HTTP services observed on a submitted IP.
This will show information regarding the associated HTTP service, including ports, body hashes and header values.
Fields
The following fields are available in the HTTP component of IP enrichment.
Field | Description |
---|---|
IP | IP where HTTP was observed |
Port | Port where HTTP was observed |
SeenFirst | Time that HTTP was first seen |
SeenLast | Time that HTTP was last seen |
BodySHA256 | SHA256 of HTTP body |
HeaderRaw | Raw Header of HTTP response |
OpenDir Enrichment
If an open directory has been observed on the submitted IP, then this will be displayed in the opendir component of the returned data.
This contains information about the port where the open directory was observed, and dates when the open directory was first or last seen.
Example
[
{
"IP": "13.212.254.64",
"Hostname": "http://13.212.254.64:8000",
"SeenFirst": "2024-04-27T11:42:09",
"SeenLast": "2024-05-07T09:40:19"
}
]
Fields
The following fields are available in the opendir component of IP enrichment.
Field | Description |
---|---|
IP | IP Address of The Open Directory |
Hostname | Hostname and Port Number of the Open Directory |
SeenFirst | Time that Open Directory was First Seen |
SeenLast | Time that Open Directory was Last Seen |
HoneyPot Enrichment
If a submitted IP has been observed scanning the Hunt honeypots, then this information will be displayed in the honeypots component of the returned data.
The data shows ports where the activity occurred, the types of scanning that took place, and also links any associated threat actors and timeframes via the SeenFirst and SeenLast fields.
Example
[
{
"Ports": [
37215
],
"Tags": [
"HTTP crawler",
"Port scanner",
"CVE-2017-17215 exploit"
],
"Actor": "0",
"SeenFirst": "2023-11-02T01:01:54",
"SeenLast": "2023-12-06T09:03:45"
}
]
Fields
The following fields are available in the honeypot component of IP enrichment.
Field | Description |
---|---|
Ports | Port Where Honeypot was Observed |
Tags | Associated Scanning Activity |
Actor | Associated Threat Actor ID |
SeenFirst | Date that Honeypot was First Seen |
SeenLast | Date that Honeypot was Last Seen |
Phishing Enrichment
IPs linked to phishing activity are displayed in the phishing component of the IP enrichment output.
This returns data where an IP has been associated with phishing pages: URL data, HTTP titles and matched signatures are returned.
[
{
"URL": "http://linkedln-c3de3165fd-aead92fdea-ba798b.pages.dev/",
"SeenFirst": "2024-08-27T05:10:47",
"SeenLast": "2024-08-27T05:10:47",
"Status": "200",
"Title": "LinkedIn 로그인 | LinkedIn",
"MatchedSignatures": [
"new-injection",
"url-email-getting",
"LinkedIn"
]
},
{
"URL": "https://july-13th.pages.dev/?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36",
"SeenFirst": "2024-06-25T06:08:20",
"SeenLast": "2024-06-25T06:08:20",
"Status": "200",
"Title": "Webmail Portal Login",
"MatchedSignatures": [
"new-injection",
"js-dot-download"
]
}
]
Fields
The following fields are available in the phishing component of IP enrichment.
Field | Description |
---|---|
URL | URL of Phishing Page |
SeenFirst | Time that Phishing Page was First Seen |
SeenLast | Time that Phishing Page was Last Seen |
Status | HTTP Status Code of Phishing page |
Title | HTTP Title of Phishing Page |
MatchedSignatures | Signatures that matched on Phishing Page |