As I said in Claude Studies Taurine, that is the first and last time I’m going to post anything involving using AI where I do not also have the expertise to evaluate the results.
I started going through the list of hundreds of MCP servers and I discovered one that provides an MCP interface to Shodan. As an OG Shodan user with that $20 lifetime membership they offered back when they started, I was immediately intrigued.
And what better to do with it than inspect my favorite digital cesspool, Kiwi Farms.
Attention Conservation Notice:
Double checking an infrastructure analysis report from Claude/Shodan using Maltego. If you’re not doing deep technical attribution this will seem like a foreign language.
=== This Is What Claude Wrote ===
Kiwifarms.net Infrastructure Analysis Report
Report Generated: June 29, 2025
Analysis Scope: DNS infrastructure, hosting providers, geographic distribution, and security configuration
Executive Summary
Kiwifarms.net employs a distributed, redundant hosting architecture spanning multiple countries and providers. The infrastructure demonstrates sophisticated anti-censorship measures with geographic diversity, multiple IP addresses, and domain aliasing strategies designed for resilience against takedown attempts.
DNS Configuration Analysis
Primary Domain: kiwifarms.net
Shodan Analysis: https://www.shodan.io/domain/kiwifarms.net
Core Infrastructure
Name Servers: DNSPod (ult01.dnspod.com, ult02.dnspod.com)
Email Services: mail.kiwifarms.net, integrated with MXRoute
IPv6 Support: Full dual-stack implementation
SPF Policy: Configured with MXRoute integration
Primary A Records (IPv4)
The domain resolves to 8 primary IPv4 addresses across multiple hosting providers:
179.43.172.163 (Private Layer Inc, Switzerland)
185.225.114.106 (Location TBD)
185.231.102.62 (Location TBD)
198.98.49.253 (Location TBD)
205.185.114.106 (FranTech Solutions, Las Vegas, NV)
207.5.194.234 (Location TBD)
212.23.222.98 (Location TBD)
45.61.186.103 (Location TBD)
IPv6 Records (AAAA)
6 IPv6 addresses providing redundant connectivity:
2605:6400:10:31c::
2605:6400:20:c8c::
2605:6400:40:fef0::
2a02:29b8:dc01:3750::bea
2a03:cfc0:8000:27::c303:df62
2a0c:5700:3133:650:8a3a:d5ff:fe51:67d6
Domain Aliasing Strategy
kiwifarms.net subdomains redirect to kiwifarms.st:
(Claude error, should have included URL https://www.shodan.io/domain/kiwifarms.st )
www.kiwifarms.net → kiwifarms.st
no-cookie.kiwifarms.net → kiwifarms.st
uploads.kiwifarms.net → kiwifarms.st
kiwifarms.st serves as the operational domain with identical IP infrastructure plus additional hosting at:
198.251.83.239
209.141.39.89 (extensive service portfolio)
Geographic Distribution
Confirmed Locations
Switzerland: Lugano (Private Layer Inc)
United States: Las Vegas, Nevada (FranTech Solutions)
Additional locations pending verification
Strategic Implications
The multi-jurisdictional hosting approach provides:
Regulatory arbitrage - difficulties for coordinated takedowns
Service continuity - redundancy against individual hosting provider actions
Performance optimization - geographic load distribution
Technical Infrastructure Analysis
Examined Servers
205.185.114.106 (Las Vegas, NV - FranTech Solutions)
Shodan Report: https://www.shodan.io/host/205.185.114.106
Active Services:
Port 80: HTTP redirect to HTTPS
Port 443/9443: OpenResty 1.25.3.1 (Nginx-based)
Port 8888: CORS-enabled API endpoint
Port 9999: HAProxy statistics interface
Security Configuration:
TLS 1.3 with 256-bit AES encryption
Self-signed certificates (expired November 2023)
Heartbleed vulnerability testing: SAFE
179.43.172.163 (Lugano, Switzerland - Private Layer Inc)
Shodan Report: https://www.shodan.io/host/179.43.172.163
Active Services:
Port 22: OpenSSH 8.4p1 (Debian)
Port 80: HTTP redirect to HTTPS
Port 443/9443: OpenResty 1.25.3.1
Port 8888: CORS-enabled service
Security Configuration:
SSH key fingerprint: 18:64:a7:75:27:17:b1:46:25:11:10:bc:c9:47:12:3d
Modern encryption algorithms (ChaCha20, AES-GCM)
TLS 1.3 implementation
Comprehensive SSH security features
Security Assessment
Strengths
Encryption: Modern TLS 1.3 implementation across servers
SSH Security: Strong cryptographic algorithms and key exchange methods
Redundancy: Multiple hosting providers and geographic locations
Anti-fingerprinting: Consistent OpenResty configuration across servers
Concerns
Certificate Management: Use of self-signed, expired certificates
Attack Surface: Multiple open ports including management interfaces
Coordination Risks: Centralized DNS management through DNSPod
Vulnerability Status
Heartbleed: All tested servers show SAFE status
SSH: Modern, hardened configuration
Web Services: Standard OpenResty/Nginx security profile
Hosting Provider Analysis
Primary Providers
FranTech Solutions (AS53667) - Las Vegas-based VPS provider
Private Layer Inc (AS51852) - Swiss hosting with privacy focus
Additional providers across diverse ASNs for maximum resilience
Provider Risk Assessment
Reputation: Mix of mainstream and privacy-focused providers
Jurisdiction: Strategic distribution across legal frameworks
Stability: Established providers with varying policies
Operational Patterns
Load Balancing Strategy
Round-robin DNS across multiple A records
Geographic distribution for performance and resilience
Failover capabilities through redundant infrastructure
Anti-Censorship Architecture
Domain redundancy: .net and .st TLD usage
Provider diversity: Multiple hosting companies and jurisdictions
Geographic spread: Reduces single-point-of-failure risks
Recommendations
For Network Monitoring
Monitor all 8+ IPv4 addresses for service availability
Track certificate updates and security patches
Assess new IP additions/removals for infrastructure changes
For Security Analysis
Regular vulnerability scanning across all endpoints
Certificate lifecycle monitoring
SSH key rotation tracking
DNS change monitoring for infrastructure modifications
Technical Appendix
DNS Query Examples
kiwifarms.net A records: 8 IPv4 addresses
kiwifarms.net AAAA records: 6 IPv6 addresses
kiwifarms.st A records: 10 IPv4 addresses (superset)
Port Scan Summary
22 (SSH): Available on select servers
80 (HTTP): Redirects to HTTPS
443 (HTTPS): Primary web service
8888: API/service endpoint
9443: Secondary HTTPS port
9999: Management interface
Certificate Information
Issuer: Self-signed (Internet Widgits Pty Ltd)
Status: Expired (November 2023)
Encryption: TLS 1.3, 256-bit AES-GCM
This analysis is based on public infrastructure data available through Shodan and DNS queries as of June 29, 2025. Infrastructure may change without notice.
=== End Claude Reporting ===
This is a “white hat” report, Claude presumes that the request is based on protecting the domain, not that an opponent asked.
I learned about a gap in my process thanks to reviewing this - look at this clue. Claude just reported this: 209.141.39.89 (extensive service portfolio)
But what I see in Shodan is that this system is running cPanel, a commercial hosting environment, or perhaps the free clone of this service, CPW.
And Maltego did not pick up that 209.141.39.89 IP, so even after I prompted it to use Shodan ports, this important clue was missing. Hrm …
Modifications:
The only time I will serve as a free security assessment for Josh Moon is when he can read it in a court filing after the damage has been done. That being said, my former methods for analysis generally involved:
Maltego - overall pentester framework
RiskIQ - both Maltego transforms and web
BuiltWith - both Maltego transforms and web
Shodan - both Maltego transforms and web
Open Threat Exchange - Maltego transforms
urlscan.io - web interface
I have been feeling painfully constrained since Microsoft shut down RiskIQ at the end of 2024. I’ve had the €2,500 IntelX Researcher account for a few months and some additional API access, and it’s done some good with the data from MIOS: Iran’s PressTV. But it’s hard for me to go deep on something that may or may not be around.
While working on this article I noticed there’s also a BuiltWith MCP server. I’ve found one issue with it already, but knowing that company they’ll resolve it pretty quickly.
The other thing I saw on that list that intrigued me was Burp Suite integration. I would self describe as a profiler rather than penetration tester, so I have only a little stick time with Burp Suite. I do make extensive use of OWASP’s Zed Attack Proxy and I just found that they have a ZAP MCP server available, too, it’s just not on that list.. So that’s a whole other evaluation to do, in an area that I have never mentioned previously.
Conclusion:
The Shodan integration alone just earned Claude a seat beside Maltego when I’m doing infrastructure attribution work. The presence of BuiltWith, once it’s debugged, will sweeten the deal. I got curious about what else is already available and not on the big list - here’s an option for AlienVault’s Open Threat Exchange.
This is a trend and one that makes perfect sense. I know that Maltego is already at work on MCP integration, too. But Claude just has a different purpose and I suspect I’m going to be running them side by side for the foreseeable future.
Previous AI use has given me incremental improvements. This feels like the first enormous leap.