ZeroTrace OSINT
Exposed Services
Public services, ports, banners, software versions, and CVEs for any internet-facing IP — without scanning it yourself.
The exposed-services tool tells you what services an IP is exposing to the public internet — open ports, software banners, software versions, and known CVEs against those versions — by querying public scan databases that have already crawled the internet.
You do not generate any traffic to the target. The tool reads existing public scan data.
What you get
For any IPv4:
| Field | What it tells you |
|---|---|
| Open ports | Ports the IP has been observed listening on |
| Hostnames | Hostnames associated with the IP across the scan history |
| Software / banner | What service is running on each port (Apache 2.4.57, OpenSSH 9.0p1, etc.) |
| CPE | Common Platform Enumeration string for each detected product |
| Tags | Public scan-database tags (cdn, proxy, cloud, vpn, database, etc.) |
| CVEs | Known vulnerabilities for the detected software versions |
| First seen / last seen | When the scan database first and last observed each port |
Ports grouped by service
The tool groups ports by service so you do not have to map port-numbers in your head:
- Web stack — 80, 443, 8080, 8443, etc.
- Mail — 25, 465, 587, 993, 995, 110, 143.
- Database — 3306, 5432, 1433, 6379, 27017, etc.
- Remote access — 22, 3389, 5900, 23, 21.
- DNS — 53.
- Other — anything outside the canonical list.
A pivot from any port lets you cross-reference the port reference utility for the canonical service mapping.
CVE enrichment
For each detected software version, the tool looks up known CVEs from the public NVD feed. Each CVE shows:
- CVE ID (
CVE-YYYY-NNNN). - CVSS score.
- Severity tier (low / medium / high / critical).
- Brief description.
- Publication date.
CVEs are signal for further investigation, not proof of exploitability — the tool does not test exploitation. A box running a vulnerable version may have been mitigated at the network layer, may not expose the vulnerable component to the internet, or may have been patched without the version string updating.
The CVE list is informational. Do not interpret it as a vulnerability scan of the target. Verify exploitability separately, with permission, before claiming a finding is exploitable.
Why "exposed" not "open"
The data comes from public scan databases. They scan continuously, but they do not scan everything every day. A port shown as "open" may have been closed since the last scan; a port not shown may be open but recently changed. The "first seen / last seen" timestamps tell you how fresh the data is.
For the most current view, combine with a controlled active scan via the Nmap command builder.
Pivots
| Click on... | Pivot to |
|---|---|
| The IP | IP geolocation, WHOIS, ASN lookup, reverse DNS, IP reputation |
| Hostname | DNS lookup, WHOIS, certificate transparency |
| CVE ID | (no pivot — copy and search externally) |
| Software / banner | (no pivot — informational) |
| "Open in Shodan" / "Open in Censys" | External browser link, rendered in the result for one-click cross-referencing |
Bulk exposed-services
Bulk paste runs the same lookup across many IPs. Aggregate table shows IP, port count, top services, CVE count — fast triage of an external-attack-surface inventory.
Sources
- Shodan public scan data (free tier, no API key required).
- NVD CVE feed for vulnerability enrichment.
- The "Open in Shodan / Censys" links go to the respective browsers — no scraping involved.
Every source is named on the result. Note that the tool deliberately does not scan the target itself — all data is read from the named public scan databases.