Hunting Cobalt Strike C2 with Shodan

Michael Koczwara
Sep 7, 2021
Cobalt Strike C2 Hunting

Four techniques:

  • Default certificate.
  • Hash + 50050 port (FP filtering is required).
  • JARM (FP filtering is required).
  • ASN/ISP scanning (this one is handy for subnet pivoting).

You can read my Twitter thread where I explained the logic behind each technique.

Short summary and results:

Default certificate

ssl.cert.serial:146473198

725 hits

Hash + 50050 port

hash:-2007783223 port:"50050"

1357 hits

JARM (TLS fingerprinting)

I used this one for the demo:

ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2

1519 hits
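
One way to do the FP filtering that the hash and JARM techniques call for, as an added example that is not from the original post: merge Shodan-style banner records per IP and grade each host by how many of the three indicators agree. The record layout (`ip_str`, `port`, `hash`, `ssl.cert.serial`, `ssl.jarm`) is assumed to mirror Shodan's banner JSON, the grading thresholds are an assumption, and the sample records are constructed.

```python
from collections import defaultdict

# Indicator values taken from the three queries on this page.
CERT_SERIAL = 146473198
BANNER_HASH = -2007783223
TEAMSERVER_PORT = 50050
JARM = "07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2"

def indicators(banner):
    """Return the set of page indicators that a single banner record matches."""
    ssl = banner.get("ssl") or {}
    hits = set()
    if (ssl.get("cert") or {}).get("serial") == CERT_SERIAL:
        hits.add("default_cert")
    # The hash query on the page is only meaningful together with port 50050.
    if banner.get("hash") == BANNER_HASH and banner.get("port") == TEAMSERVER_PORT:
        hits.add("hash_50050")
    if ssl.get("jarm") == JARM:
        hits.add("jarm")
    return hits

def triage(banners):
    """Merge banners per IP and grade each host by how many indicators agree."""
    per_host = defaultdict(set)
    for b in banners:
        per_host[b["ip_str"]] |= indicators(b)
    result = {}
    for ip, hits in per_host.items():
        if not hits:
            continue
        # Assumption: the default certificate has no FP caveat on the page, so it
        # grades "high" alone; hash and JARM need a second indicator to get there.
        grade = "high" if "default_cert" in hits or len(hits) >= 2 else "review"
        result[ip] = (grade, sorted(hits))
    return result

# Constructed sample records (documentation IP ranges), not real scan data.
SAMPLE = [
    {"ip_str": "192.0.2.10", "port": 443, "hash": 1,
     "ssl": {"jarm": JARM, "cert": {"serial": CERT_SERIAL}}},
    {"ip_str": "192.0.2.10", "port": 50050, "hash": BANNER_HASH,
     "ssl": {"jarm": JARM, "cert": {"serial": 99}}},
    {"ip_str": "198.51.100.7", "port": 8443, "hash": 5,
     "ssl": {"jarm": JARM, "cert": {"serial": 12345}}},
    {"ip_str": "203.0.113.5", "port": 50050, "hash": BANNER_HASH},
    {"ip_str": "203.0.113.9", "port": 80, "hash": 42},
]

if __name__ == "__main__":
    for ip, (grade, hits) in sorted(triage(SAMPLE).items()):
        print(ip, grade, ",".join(hits))
```

Hosts graded "review" matched only one of the two techniques the list marks as needing FP filtering, so they are the ones to check by hand before being treated as team servers.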
