Listen to this Post

Introduction:
The efficacy of a security scan often depends on where it originates. Netlas.io v1.8, the internet intelligence and attack surface management platform, has introduced a game-changing update: distributed scanner locations for the Private Scanner feature. This development allows cybersecurity professionals to run on-demand, non-intrusive scans of any digital asset from multiple geographic vantage points, providing an unparalleled view of how an organization’s infrastructure appears to different regions of the world.
Learning Objectives:
- Analyze Geo-Distributed Exposure: Learn how to configure and execute scans from different countries to identify region-specific open ports, services, and vulnerabilities.
- Master the Netlas CLI & API: Gain hands-on skills using the `netlas` command-line tool, Python SDK, and REST API for automated attack surface discovery and monitoring.
- Implement Continuous ASM: Build automated workflows to integrate geo-varied scanning into a continuous, proactive external attack surface management (EASM) program.
- Distributed Scanner Locations: Why Geography Matters in Reconnaissance
When an organization hosts content globally, its digital footprint can look drastically different from a scanner based in the US versus one in Singapore. Attackers leverage this discrepancy, and now defenders can too. The “Distributed Scanner Locations” feature in Netlas v1.8 enables you to select the geographic source of your scan. This allows you to test geo-fencing rules, verify CDN configurations, and uncover assets that may be exposed only to specific countries. The results are now included directly in your scan reports and accessible via the API, providing crucial context for threat intelligence and incident response.
Step‑by‑step guide: Performing a Geo-Distributed Scan via the Web UI
This guide walks you through conducting a scan from a specific country using the Netlas web interface to verify how your assets appear globally.
- Navigate to the Private Scanner section by clicking the “Scan” menu item in your Netlas.io dashboard.
- Click the “New Scan” button. In the targets field, paste a list of your assets. Netlas supports IP addresses, domains, and CIDR blocks (one per line). For example:
203.0.113.0/24 mail.yourcompany.com
- In the scan configuration, locate the new “Scanner Location” dropdown. Select a specific country from which to launch the scan.
- Choose your scan depth: “Scan top ports only” for a rapid assessment of common services, or “Scan all ports” for a comprehensive audit of all 65,536 TCP ports (Business tier and above).
- Initiate the scan by clicking the “Start Scan” button. Once complete, the report will contain a new “Location” field, specifying the geographic origin of that specific data point. You can then share these results read-only with team members for collaborative analysis.
-
Automating Reconnaissance: The Netlas CLI and API Workflow
For integration into security automation pipelines, Netlas offers a robust CLI tool and a REST API. All scan data, including location metadata, is fully accessible programmatically.
Step‑by‑step guide: Automating Queries and Scanning with the Netlas CLI
This guide provides essential commands to install, configure, and query the Netlas API using its command-line interface on both Linux and Windows systems.
- Installation: Use
pip, the Python package installer, to get the Netlas SDK and CLI tool.
– Linux/macOS:
pip install netlas
– Windows (as administrator):
py -m pip install netlas
The CLI tool is included in the SDK and becomes available immediately after installation.
- Authentication: Save your unique API key, found in your Netlas profile settings. This key is required for all CLI and API interactions.
netlas savekey "YOUR_API_KEY"
The tool will then automatically use this key for subsequent commands.
-
Basic Data Query: Execute a search query against the Netlas dataset. This example finds all responses where the HTTP status code is 200 and the server is nginx.
netlas query 'http.status_code:200 AND http.server:nginx' -d response
The `-d response` flag specifies the data type to query. Results are printed to stdout in YAML format by default.
-
Automate a Workflow with API: For advanced automation, use a script to query for exposed databases. Save the following as
netlas_scan.py:import netlas api_key = netlas.helpers.get_api_key() netlas_conn = netlas.Netlas(api_key=api_key) Query for MongoDB services exposed to the internet query = netlas_conn.query(query="service.name:mongodb AND geo.country:US") for response in query['items']: data = response['data'] print(f"Found MongoDB at {data['ip']}:{data['port']} [{data['geo']['country']}]")
Run the script: `python netlas_scan.py`.
- Building a Geo-Specific Attack Surface Map Using the Discovery Tool
Combining Netlas’s Discovery Tool with the new distributed scanner locations creates a powerful workflow for mapping an organization’s true global attack surface.
Step‑by‑step guide: Creating and Scanning a Geo-Specific Attack Surface
- Go to the Discovery Tool in Netlas to build an inventory of all assets associated with your organization, such as domain names, subdomains, IP addresses, and CIDR ranges. The Discovery Tool can use OSINT and DNS enumeration to build this inventory.
- Once your asset inventory is created, click the “Scan” button in the bottom-left corner of the Discovery Tool interface.
- This action will prompt you to configure a new Private Scanner job. A critical part of this configuration is selecting the Scanner Location.
- Initiate the scan. The scanner will then check every asset in your discovered inventory from the chosen geographic location.
- After the scan is complete, you can use the Datastore API to pull all results for offline analysis, or use filters to identify assets that are only visible from that specific country.
-
Mastering Netlas Search Query Language for Advanced Threat Hunting
To get the most value from the data collected by your distributed scans, you must master the Netlas search query language, which is based on Apache Lucene syntax.
Step‑by‑step guide: Key Search Queries for Geo-Specific Intelligence
This guide provides verified search queries you can run via the Netlas CLI or web UI to uncover region-specific risks.
- Find all assets with an open RDP port (3389) located in Germany:
port:3389 AND geo.country:DE
This query helps hunt for exposed remote desktop services within a specific nation.
-
Discover databases that are potentially exposed only to a specific region:
service.name:mysql AND geo.country:SG
This is crucial for identifying misconfigured databases that might not be visible from scans originating elsewhere.
-
Find all IP addresses from a specific cloud provider in a specific city:
host:.amazonaws.com AND geo.city:"Singapore"
Use exact match (
:) or CIDR notation (ip:"52.74.0.0/16") to pinpoint cloud assets in a geographic area. -
Discover all hosts that have a specific favicon hash, which is a technique often used to identify a specific application across different IP addresses:
http.favicon.hash:-1651738090
The `http.favicon.hash` field is a powerful fingerprinting tool.
- Hardening Global Web Applications Based on Scan Findings
The primary use case for geographically-distributed scanning is identifying and mitigating region-specific exposure. Based on Netlas v1.8 scans, security teams can take targeted action.
Step‑by‑step guide: Hardening Windows Server & Linux Web App Exposures
- On a Windows Server (when an exposed RDP port is found only from scans originating in a specific country):
1. Log into the server as an administrator.
2. Open Windows Defender Firewall with Advanced Security.
- Create a new inbound rule for Port 3389 (RDP) .
- Under the Scope tab, specify the allowed IP addresses or ranges. Deny the rule for the country identified in your Netlas scan.
- Apply the rule and ensure it is enforced.
- On a Linux Server (e.g., Ubuntu) running Nginx (when an admin panel is exposed only regionally):
- Edit your Nginx configuration file for the vulnerable site, typically located at
/etc/nginx/sites-available/your-site. - Add a `location` block with an
allow/denydirective based on the country identified in your Netlas scan. For complex geo-blocking, you can use thegeoip_module.
3. Restart Nginx to apply changes:
sudo nginx -t Test the configuration sudo systemctl restart nginx
4. Re-run a Netlas scan from the same location to verify that the resource is no longer visible.
What Undercode Say:
- Key Takeaway 1: The move to distributed scanner locations in Netlas v1.8 represents a strategic evolution in ASM. It acknowledges that the internet is not a monolith and that a global view is a prerequisite for global defense.
- Key Takeaway 2: By integrating this feature into automated workflows via the CLI and API, security teams can shift from periodic, point-in-time scanning to continuous, geography-aware monitoring, making their exposure management as dynamic as the threats they face.
Expected Output:
This analysis predicts that by 2027, geo-distributed scanning will become a baseline feature for all major ASM platforms. Organizations will be required to maintain a “geo-exposure score” as a key metric in their security posture, and regulatory frameworks may begin to mandate region-specific scanning for compliance in sectors like finance and healthcare. The ability to see your network as others see it, from anywhere they might be, will no longer be a feature—it will be a necessity for due diligence.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Netlas V18 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


