HoneyLabs
Lookup
Explore
CVEsPayloadsCampaignsAEI IndexPortsUser-agents
Integrations
OverviewMCPFeedsAPI / Enrich
DocsBlog
Dashboard
iAnonymous lookups: 10/min, 60/hr per source IP. Sign in (free) to lift the limit, run heavier queries, and get an API key for MCP / HTTP.

Threat lookup.

Search by IP, CIDR, ASN, or domain (partial OK). Free, no account. Or skim the live data below and click into any value to drill in.

tryport:445proto:rdpport:102 AND NOT proto:httpcountry:NL AND NOT tag:scannerua:zgrab
query syntax

field:value pairs combined with AND, OR, NOT and parentheses. Case-insensitive keywords.

port:445 · country:NL · asn:14061 · cidr:80.82.77.0/24 · proto:rdp · cve:CVE-2017-0144 · ja4:… · ja4h:… · ja3:… · hassh:… · domain:example.com · path:/wp-login.php · ua:zgrab · tag:scanner · header:x-forwarded-for · banner:SSH-2.0 · has:cert

Anonymous visitors can run single-field pivots; boolean and text queries need a free account. The examples above are pre-authorized for everyone.

your IP
216.73.216.101 not observed

Or explore candidate campaign clusters, fingerprints carried by many IPs across only a handful of networks.

21.0M
events total
160.3K
24h
6.0K
last hour
8.1K
unique IPs / 24h
31.9K
ports targeted / 24h
93
countries / 24h
๐Ÿ‡บ๐Ÿ‡ธ US
top country
22 / SSH
top port
last event 13s ago ยท cached 5 min

Most active right now

top 10, last 7 days ยท click for full report
34.145.99.7373.99.145.34.bc.googleusercontent.com ๐Ÿ‡บ๐Ÿ‡ธUS Google LLC 34567 3001 83.5K 35.240.178.5656.178.240.35.bc.googleusercontent.com ๐Ÿ‡ธ๐Ÿ‡ฌSG Google LLC 27017/MongoDB 82.9K 34.65.98.115115.98.65.34.bc.googleusercontent.com ๐Ÿ‡จ๐Ÿ‡ญCH Google LLC 83 67.8K 34.130.62.231231.62.130.34.bc.googleusercontent.com ๐Ÿ‡จ๐Ÿ‡ฆCA Google LLC 9042/Cassandra 66.4K 34.131.191.159159.191.131.34.bc.googleusercontent.com ๐Ÿ‡ฎ๐Ÿ‡ณIN Google LLC 8300 55.1K 34.162.180.107107.180.162.34.bc.googleusercontent.com ๐Ÿ‡บ๐Ÿ‡ธUS Google LLC 9003 53.6K 34.100.199.11.199.100.34.bc.googleusercontent.com ๐Ÿ‡ฎ๐Ÿ‡ณIN Google LLC 2000 53.6K 34.21.154.212212.154.21.34.bc.googleusercontent.com ๐Ÿ‡ธ๐Ÿ‡ฌSG Google LLC 8230 48.2K 103.158.206.141 ๐Ÿ‡ง๐Ÿ‡ฉBD MS Bhola Dot Net 30 34 39 38 33 48.1K 35.234.81.6666.81.234.35.bc.googleusercontent.com ๐Ÿ‡ฉ๐Ÿ‡ชDE Google LLC 8091 47.1K

CVEs being scanned right now

24h ยท top 8 of 42 ยท 6 actively exploited ยท KEV = on CISA actively-exploited list
medium
CVE-2019-12461find peers โ†’

WebPort 1.19.1 - Cross-Site Scripting

9.6K
429 src IPs
medium
CVE-2015-1880find peers โ†’

Fortinet FortiOS <=5.2.3 - Cross-Site Scripting

2.3K
182 src IPs
medium
CVE-2018-10141find peers โ†’

Palo Alto Networks PAN-OS GlobalProtect <8.1.4 - Cross-Site Scripting

2.1K
4 src IPs
medium
CVE-2021-40868find peers โ†’

Cloudron 6.2 Cross-Site Scripting

490
149 src IPs
medium
CVE-2021-28169find peers โ†’

Eclipse Jetty ConcatServlet - Information Disclosure

354
162 src IPs
critical
CVE-2017-5983find peers โ†’

JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)

280
147 src IPs
critical
CVE-2018-1207find peers โ†’

Dell iDRAC7/8 Devices - Remote Code Injection

279
154 src IPs
critical
CVE-2020-35476find peers โ†’

OpenTSDB <=2.4.0 - Remote Code Execution

118
56 src IPs
Show all 42 CVEs being probed in the last 7 days โ†’

Most-seen fingerprints

copy any to your detection rules

SSH HASSH

24h ยท click to find peers
16443846184eafde36765c9bab2f43971.2K / 14 IPs98ddc5604ef6a1006a2b49a58759fbe6634 / 5 IPs5bd26477da5440a6187bd3f1b39a429c406 / 6 IPs3edaecae621ce5af73296bd4484a532d241 / 1 IPs3356ae6145fa86124298066e281ea2d9234 / 4 IPs

TLS JA4

24h ยท click to find peers
t13i251000_b78ed14e2fd0_ab7e3b40a67714.1K / 8 IPst13i190800_9dc949149365_97f8aa674fd913.1K / 704 IPst13i131000_f57a46bbacb6_ab7e3b40a67710.1K / 2.2K IPst13i140900_cbb2034c60b8_e7c2852226514.8K / 208 IPst13i190900_9dc949149365_e7c2852226514.3K / 475 IPs

HTTP JA4H

24h ยท click to find peers
ge11nn0400_88d30a62b7ad34.1K / 1.6K IPsge11nn06en_e4773a62bf4c14.1K / 7 IPsge11nn0200_3ed38b250d3d11.3K / 331 IPsge10nn0200_5594a17e7e7e11.1K / 1.4K IPsge11nn0300_0db47b7d240d9.0K / 1.8K IPs

Live leaderboards

aggregated 24h

Top countries

24h
๐Ÿ‡บ๐Ÿ‡ธUSUnited States
59.1K
๐Ÿ‡ฎ๐Ÿ‡ทIRIran
13.9K
๐Ÿ‡ซ๐Ÿ‡ทFRFrance
12.5K
๐Ÿ‡ฌ๐Ÿ‡งGBUnited Kingdom
12.1K
๐Ÿ‡ท๐Ÿ‡ดRORomania
11.2K

Top ASNs

24h
AS396982Google LLC
37.4K
AS209334Modat B.V.
16.7K
AS213790Limited Network LTD
13.8K
AS204428SS-Net
10.8K
AS213438ColocaTel Inc.
9.6K

Top ports

24h
22 SSH 161 src IPs
4.0K
445 SMB 290 src IPs
2.5K
80 HTTP 207 src IPs
2.1K
135 MSRPC 29 src IPs
2.1K
443 HTTPS 219 src IPs
1.3K

Top scanner hosts

24h, rDNS
๐Ÿ‡บ๐Ÿ‡ธscan.visionheight.com
3.0K
๐Ÿ‡บ๐Ÿ‡ธinternettl.org
1.9K
๐Ÿ‡ณ๐Ÿ‡ฑrnd.group-ib.com
1.8K
๐Ÿ‡ซ๐Ÿ‡ทo350.scanner.modat.io
794
๐Ÿ‡ซ๐Ÿ‡ทo303.scanner.modat.io
786

Query it

free ยท no auth

Browser or curl

curl https://honeylabs.net/lookup/<ip>

Browser returns HTML, curl/wget returns JSON. Append ?format=json to force.

AI agents ยท MCP

Claude, Cursor, anything

claude mcp add honeylabs \
  --transport http \
  https://mcp.honeylabs.net/mcp \
  --header "Authorization: Bearer <key>"

Free tier 100 q/day. Get a key โ†’

HTTP ยท JSON-RPC

Your own code

POST https://mcp.honeylabs.net/mcp
Authorization: Bearer <key>
Accept: application/json, text/event-stream

{"jsonrpc":"2.0","id":1,"method":"tools/list"}

Standard MCP wire format. SSE response.

Free lookups rate-limited to 10/min, 60/hr per source IP. Results cached 10 min per IP. Public dataset strips honeypot identity, full payload bytes, and credentials at the database layer. More about the dataset โ†’