As I said in Claude Studies Taurine, that is the first and last time I’m going to post anything involving using AI where I do not also have the expertise to evaluate the results.

I started going through the list of hundreds of MCP servers and I discovered one that provides an MCP interface to Shodan. As an OG Shodan user with that $20 lifetime membership they offered back when they started, I was immediately intrigued.

And what better to do with it than inspect my favorite digital cesspool, Kiwi Farms.

Attention Conservation Notice:

Double checking an infrastructure analysis report from Claude/Shodan using Maltego. If you’re not doing deep technical attribution this will seem like a foreign language.

=== This Is What Claude Wrote ===

Kiwifarms.net Infrastructure Analysis Report

Report Generated: June 29, 2025
Analysis Scope: DNS infrastructure, hosting providers, geographic distribution, and security configuration

Executive Summary

Kiwifarms.net employs a distributed, redundant hosting architecture spanning multiple countries and providers. The infrastructure demonstrates sophisticated anti-censorship measures with geographic diversity, multiple IP addresses, and domain aliasing strategies designed for resilience against takedown attempts.

DNS Configuration Analysis

Primary Domain: kiwifarms.net
Shodan Analysis: https://www.shodan.io/domain/kiwifarms.net

Core Infrastructure

• Name Servers: DNSPod (ult01.dnspod.com, ult02.dnspod.com)

• Email Services: mail.kiwifarms.net, integrated with MXRoute

• IPv6 Support: Full dual-stack implementation

• SPF Policy: Configured with MXRoute integration

Primary A Records (IPv4)

The domain resolves to 8 primary IPv4 addresses across multiple hosting providers:

1. 179.43.172.163 (Private Layer Inc, Switzerland)

2. 185.225.114.106 (Location TBD)

3. 185.231.102.62 (Location TBD)

4. 198.98.49.253 (Location TBD)

5. 205.185.114.106 (FranTech Solutions, Las Vegas, NV)

6. 207.5.194.234 (Location TBD)

7. 212.23.222.98 (Location TBD)

8. 45.61.186.103 (Location TBD)

IPv6 Records (AAAA)

6 IPv6 addresses providing redundant connectivity:

• 2605:6400:10:31c::

• 2605:6400:20:c8c::

• 2605:6400:40:fef0::

• 2a02:29b8:dc01:3750::bea

• 2a03:cfc0:8000:27::c303:df62

• 2a0c:5700:3133:650:8a3a:d5ff:fe51:67d6

Domain Aliasing Strategy

kiwifarms.net subdomains redirect to kiwifarms.st:

(Claude error, should have included URL https://www.shodan.io/domain/kiwifarms.st )

• www.kiwifarms.net → kiwifarms.st

• no-cookie.kiwifarms.net → kiwifarms.st

• uploads.kiwifarms.net → kiwifarms.st

kiwifarms.st serves as the operational domain with identical IP infrastructure plus additional hosting at:

• 198.251.83.239

• 209.141.39.89 (extensive service portfolio)

Geographic Distribution

Confirmed Locations

• Switzerland: Lugano (Private Layer Inc)

• United States: Las Vegas, Nevada (FranTech Solutions)

• Additional locations pending verification

Strategic Implications

The multi-jurisdictional hosting approach provides:

• Regulatory arbitrage - difficulties for coordinated takedowns

• Service continuity - redundancy against individual hosting provider actions

• Performance optimization - geographic load distribution

Technical Infrastructure Analysis

Examined Servers

205.185.114.106 (Las Vegas, NV - FranTech Solutions)

Shodan Report: https://www.shodan.io/host/205.185.114.106

Active Services:

• Port 80: HTTP redirect to HTTPS

• Port 443/9443: OpenResty 1.25.3.1 (Nginx-based)

• Port 8888: CORS-enabled API endpoint

• Port 9999: HAProxy statistics interface

Security Configuration:

• TLS 1.3 with 256-bit AES encryption

• Self-signed certificates (expired November 2023)

• Heartbleed vulnerability testing: SAFE

179.43.172.163 (Lugano, Switzerland - Private Layer Inc)

Shodan Report: https://www.shodan.io/host/179.43.172.163

Active Services:

• Port 22: OpenSSH 8.4p1 (Debian)

• Port 80: HTTP redirect to HTTPS

• Port 443/9443: OpenResty 1.25.3.1

• Port 8888: CORS-enabled service

Security Configuration:

• SSH key fingerprint: 18:64:a7:75:27:17:b1:46:25:11:10:bc:c9:47:12:3d

• Modern encryption algorithms (ChaCha20, AES-GCM)

• TLS 1.3 implementation

• Comprehensive SSH security features

Security Assessment

Strengths

• Encryption: Modern TLS 1.3 implementation across servers

• SSH Security: Strong cryptographic algorithms and key exchange methods

• Redundancy: Multiple hosting providers and geographic locations

• Anti-fingerprinting: Consistent OpenResty configuration across servers

Concerns

• Certificate Management: Use of self-signed, expired certificates

• Attack Surface: Multiple open ports including management interfaces

• Coordination Risks: Centralized DNS management through DNSPod

Vulnerability Status

• Heartbleed: All tested servers show SAFE status

• SSH: Modern, hardened configuration

• Web Services: Standard OpenResty/Nginx security profile

Hosting Provider Analysis

Primary Providers

1. FranTech Solutions (AS53667) - Las Vegas-based VPS provider

2. Private Layer Inc (AS51852) - Swiss hosting with privacy focus

3. Additional providers across diverse ASNs for maximum resilience

Provider Risk Assessment

• Reputation: Mix of mainstream and privacy-focused providers

• Jurisdiction: Strategic distribution across legal frameworks

• Stability: Established providers with varying policies

Operational Patterns

Load Balancing Strategy

• Round-robin DNS across multiple A records

• Geographic distribution for performance and resilience

• Failover capabilities through redundant infrastructure

Anti-Censorship Architecture

• Domain redundancy: .net and .st TLD usage

• Provider diversity: Multiple hosting companies and jurisdictions

• Geographic spread: Reduces single-point-of-failure risks

Recommendations

For Network Monitoring

1. Monitor all 8+ IPv4 addresses for service availability

2. Track certificate updates and security patches

3. Assess new IP additions/removals for infrastructure changes

For Security Analysis

1. Regular vulnerability scanning across all endpoints

2. Certificate lifecycle monitoring

3. SSH key rotation tracking

4. DNS change monitoring for infrastructure modifications

Technical Appendix

DNS Query Examples

kiwifarms.net A records: 8 IPv4 addresses
kiwifarms.net AAAA records: 6 IPv6 addresses  
kiwifarms.st A records: 10 IPv4 addresses (superset)

Port Scan Summary

• 22 (SSH): Available on select servers

• 80 (HTTP): Redirects to HTTPS

• 443 (HTTPS): Primary web service

• 8888: API/service endpoint

• 9443: Secondary HTTPS port

• 9999: Management interface

Certificate Information

• Issuer: Self-signed (Internet Widgits Pty Ltd)

• Status: Expired (November 2023)

• Encryption: TLS 1.3, 256-bit AES-GCM

This analysis is based on public infrastructure data available through Shodan and DNS queries as of June 29, 2025. Infrastructure may change without notice.

=== End Claude Reporting ===

This is a “white hat” report, Claude presumes that the request is based on protecting the domain, not that an opponent asked.

I learned about a gap in my process thanks to reviewing this - look at this clue. Claude just reported this: 209.141.39.89 (extensive service portfolio)

But what I see in Shodan is that this system is running cPanel, a commercial hosting environment, or perhaps the free clone of this service, CPW.

And Maltego did not pick up that 209.141.39.89 IP, so even after I prompted it to use Shodan ports, this important clue was missing. Hrm …

Modifications:

The only time I will serve as a free security assessment for Josh Moon is when he can read it in a court filing after the damage has been done. That being said, my former methods for analysis generally involved:

• Maltego - overall pentester framework

• RiskIQ - both Maltego transforms and web

• BuiltWith - both Maltego transforms and web

• Shodan - both Maltego transforms and web

• Open Threat Exchange - Maltego transforms

• urlscan.io - web interface

I have been feeling painfully constrained since Microsoft shut down RiskIQ at the end of 2024. I’ve had the €2,500 IntelX Researcher account for a few months and some additional API access, and it’s done some good with the data from MIOS: Iran’s PressTV. But it’s hard for me to go deep on something that may or may not be around.

While working on this article I noticed there’s also a BuiltWith MCP server. I’ve found one issue with it already, but knowing that company they’ll resolve it pretty quickly.

The other thing I saw on that list that intrigued me was Burp Suite integration. I would self describe as a profiler rather than penetration tester, so I have only a little stick time with Burp Suite. I do make extensive use of OWASP’s Zed Attack Proxy and I just found that they have a ZAP MCP server available, too, it’s just not on that list.. So that’s a whole other evaluation to do, in an area that I have never mentioned previously.

Conclusion:

The Shodan integration alone just earned Claude a seat beside Maltego when I’m doing infrastructure attribution work. The presence of BuiltWith, once it’s debugged, will sweeten the deal. I got curious about what else is already available and not on the big list - here’s an option for AlienVault’s Open Threat Exchange.

This is a trend and one that makes perfect sense. I know that Maltego is already at work on MCP integration, too. But Claude just has a different purpose and I suspect I’m going to be running them side by side for the foreseeable future.

Previous AI use has given me incremental improvements. This feels like the first enormous leap.