Hunting Cobalt Strike C2 with Shodan
2 min readSep 7, 2021
Four techniques:
- Default certificate.
- Hash + 50050 port (FP filtering is required).
- JARM (FP filtering is required).
- ASN/ISP scanning (this one is handy for subnet pivoting).
You can read my Twitter thread where I explained the logic behind each technique.
Short summary and results:
Default certificate
ssl.cert.serial:146473198
725 hits
Hash + 50050 port
hash:-2007783223 port:”50050"
