Rainy Day Scan deep dive!

What is a Rainy Day Scan?

A Rainy Day Scan is what I like to call a specific Nmap scan listed on nmap.org: "If you find yourself really bored one rainy afternoon, try the command `nmap -Pn -sS -p 80 -iR 0 --open` to locate random web servers for browsing."

What this command does is:

nmap -- Start an Nmap instance.
-Pn -- Skip host discovery and treat every target as online.
-sS -- Run a TCP SYN scan.
-p 80 -- Specify a port number, in this case port 80, which is the HTTP port number (can be swapped for 443 for HTTPS, which is safer and more likely to not give a blank page, but turns up less interesting stuff).
-iR 0 -- Chooses random targets (that aren't in multicast, private or unallocated ranges). An argument of 0 means the scan is endless. If 100 is entered, it scans only 100 addresses and ends the scan.
--open -- Only shows hosts with an open port, and only for the ports specified (in our case 80).

TLDR, it basically scans random IPv4 addresses and sees if there is a webpage hosted on them. Then I copypasta the number into the search bar and see what I get. It's often unconfigured NGINX pages, login screens, 404s, forbiddens, and other letdowns, but the real reward is finding obscure stuff. It's like finding an artefact lost to the ages.

Isn't this illegal?

Not at all! A standard HTTP request basically does the same thing by pinging a server and asking if there's an open port 80/443; this is just an automated random process. Web crawlers do this with an even larger net every second.

Would you recommend doing one?

Sure! But there are some precautions/considerations you need to know:

* Do this on a virtual machine or computer you don't necessarily care about
* Hide behind a VPN or proxy
* Do NOT attempt to break into login screens
* Walk in with an open mind and know not everything you find is going to be interesting

===========================================================
Sep 27 2023
-----------------------------------------------------------
121.37.229.88 -- "Graphene and composites research center of Shenzhen University", graphics are cool and kinda silly.
74.114.249.166 -- A retailer for "stampers". Say 'hi' to the Stamp Wizard, he's been stuck there since 2008 with nobody to talk to.
95.167.191.194 -- KLOT35, website for a Russian cable/internet company located in Cherepovets
195.231.20.193 -- Some Italian control page to view quarry traffic data. Locked behind a login screen.
89.161.253.157 -- Some weird Polish website; if I had to guess I'd say it's like Polish Yahoo! or something. I have no idea why the homepage is like that.
173.230.150.50 -- Your average friendly corporate site that wants you to synergize, that's all but washed into the undertow
(I swear I didn't target Asian ranges, this was all random)
82.157.46.182 -- Chinese social media app?
52.68.203.32 -- Some Japanese knockoff of Redbubble
121.199.63.35 -- Some weird Chinese trucking site with a mascot
160.124.158.179 -- Gambling ad page, probably iframed into ad services in Japan
===========================================================
Aug 31 2023
-----------------------------------------------------------
http://188.165.234.86/ -- Some French smart wallet service
http://8.219.56.240/ -- An unconfigured NPS server, with a link to its documentation
http://14.49.181.4/cgi-bin/luci/ -- The login page for the "TwerkingMachine"
77.68.32.39 -- Data23 login page, kinda creepy
-----------------------------------------------------------
Aug 30 2023
-----------------------------------------------------------
202.28.52.20 -- Thai education site
https://193.84.86.52/ -- Some Bulgarian SIM registration site
http://159.65.205.209/ -- Hi!
http://125.206.176.235/index.html -- What appears to be the old/defunct site of Shoko Co. LTD, which has a domain name, so this is probably still spinning on a rack somewhere without a domain.
http://156.224.226.27/ -- Chinese soccer club??
http://217.19.54.51/ -- French(?) car insurance website, I think they forgot the CSS
Got a 410 error on this, but the name resolution did show: Nmap scan report for clinched.11childbearing-barbie.198.hypnook.com (139.190.11.198)
http://143.125.236.55/ -- Another defunct site without a domain name, wagara.org has a U2D site (Is it a common practice for Japanese companies to keep the old site live but without a name?)
67.7.132.139 -- Stanford free wifi
http://13.75.119.98/ -- The saddest goddamn page I've ever seen ;-;
https://toritos.us/Wandering_Bull/Welcome.html -- A 10+ year old blog about a trailer named "Myrtle"... protect this man at all costs
https://web.archive.org/web/*/https://evencrown.com//* -- Page today is blank but looks like some sort of music group that probably disbanded