Thursday, July 15, 2010
Adam is one of the organisers of Kiwicon, and has presented on this topic in Singapore.

Using tools to capture / probe network traffic.

If you compare to app/data recon tools like Maltego, network recon tools aren't as start of the art.

But... if you own the networks under this new fangled cloud stuff, then you own the whole environment.

It's hard to map out, search and investigate >= Class A

At the moment, only big countries can do that sort of investigation. Apparently countries are gearing up for 'Cyber Wars'.

But, individuals and corporates can get involved in the same activities of cyber-war or cyber-terrorism.

Scanning, pinging and trying exploits doesn't scale well - you have to do a lot of work and get lots of false hits.

You might get owned randomly - it's cheap to own more targets, and then figure out what to do with it later.


It's hard to target large numbers of IP addresses. The current tools can't scale to those kinds of numbers (and the pay services will get really expensive).

So he built a geo-targeted network recon data acquisition system with a web interface, and scanned all of NZ and Singapore for conferences.

An interface to search over data.

"This is a highly secure router, stay away" - the open telnet port tells us so.

Cool things it does:
  • Searches over certificates
  • Screen captures remote desktop screens
  • Good for targeting: finding particular applications / devices / protocols
  • Good at finding other assets owned by a company outside of their own netblock
  • Helps us understand how many vulnerable things are sitting out there
The internals of the tool:

Version 1 was just to see how plausible it was to scan large chunks of the internet. Used lots of glued together tools like nmap etc.

Version 2 is now a simple python script that has been optimised for acquiring the data by scanning a whole country block over certain ports.

A few billion rows of data - use MongoDB to store data. Erlang, RabbitMQ, Python, Celery MQ, Python / Django frontend, GridFS distributed filestore.

Target selection:

How do you define what a country is? Is it domain names ending in .nz? Netblocks announced at peering exchanges? Address registry allocations? GeoIP?

He chose GeoIP as it simplified things - but misses out on .nz stuff hosted overseas.

Acquiring data:

Custom-tuned protocols to limit rates, fire up application to capture details for different protocols.

About 1.4B rows per complete scan of NZ and Singapore.

Need to optimise for search / retrieval as that's the primary use once the data is acquired.

Data mining:

Look for old boxes, boxes with self-signed certs, certain switches, domains etc.

Singapore: 377k boxes that talk HTTP - more than the number of live systems. 14k cisco boxes. 12k open RDP (one with background of Commonwealth Bank of Australia :))

IDS Avoidance:

He's not actually carrying out any intrusions. Only collecting banners, and complying with what they say.

IDSs don't necessarily detect them - only 7 complaints to ISP in NZ, and one funny one in Singapore.

People are watching - DNS PTR backscatter gives an idea of people watching and resolving domain names for IP address.

Portscans aren't very interesting these days. People notice, but don't do anything.

But not good for:

If you notice mis-configured systems, it's hard to do anything about it.

Giving it as public / bad guy access would be difficult and cause problems.

What about Shodan?

Scan whole world for 4 ports (21, 22, 23, 80), but not as many hosts or depth of coverage in NZ.

Sells commercial access to exported data.

What does it mean?

A search engine over this data makes it very powerful.

It's not that hard to do this sort of thing. It's probably already being done by military or crime industries. Cheap compared to a drug submarine :)


What did the abuse mails say?

One from a Uni, two or three from an ISP and they noticed scanning of the SIP voice customers. A few of ZoneAlarm type people noticing.

Scanning boxes: Where were they hosted? Bandwidth out?

Domestically peered, gigabit to APE. It's not really bandwidth constrained, it's constrained by politeness. Turned off state tracking for outbound connections. Could probably do the whole country in 2 hours if you cranked it up, but would cause problems for people.

Comments are closed.