Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DerbyCon 2013: Scanning Darkly

HD Moore
September 27, 2013

DerbyCon 2013: Scanning Darkly

This presentation dives into the evolution of large-scale internet scanning and the launch of Project Sonar. The video is also available online at http://www.irongeek.com/i.php?page=videos/derbycon3/1102-scanning-darkly-hd-moore-keynote

HD Moore

September 27, 2013
Tweet

More Decks by HD Moore

Other Decks in Research

Transcript

  1. Hello Derbycon HD Moore Metasploit founder and chief architect Chief

    research officer for Rapid7 Head of Rapid7 Labs Twitter: @hdmoore Email: [email protected]
  2. Mass scanning is starting to mature ► Major improvements to

    scanning tools ► Numerous large-scale scanning efforts ► Scary and not-so-scary precedents Derbycon 3.0
  3. U. Michigan team released Zmap ► Send a single probe

    across IPv4 in 45 minutes ► Detailed research paper with examples ► Development continues at GitHub ► Epic forge-socket support ► http://zmap.io ZMap $ zmap -p 80 -o results.txt
  4. Over 110 internet-wide SSL scans in 12 mos ► Created

    a detailed view of the SSL ecosystem ► Realtime monitoring of Sandy outages ► Obtained 43 million unique certs ZMap: Data Collection
  5. Errata Security released Masscan ► Scan all of IPv4 for

    a single TCP port in 3 minutes* ► Leverages 10GbE NICs and PF_RING sockets ► Development continues at GitHub MASSCAN $ masscan 0.0.0.0/0 -p 80
  6. Nmap 6.40 makes scanning mo-better! ► Performance improvements all around

    ► Tons of new scripts and fingerprints ► XML + NSE output improvements ► Swiss army knife of scanning Nmap
  7. Nmap is competitive with the right options ► Combine –sS

    with –PS for one-pass SYN scans ► Set --min-rate and --min-rtt-timeouts ► Limit retries with –-min-retries Nmap
  8. Benign botnet used to scan the internet ► Used over

    420,000 devices to scan over 730 ports ► Excellent writeup and a whopping 9Tb of data Internet Census 2012
  9. Internet scanning has barriers to entry ► Legal concerns vary

    by region and attitude ► Scans lead to abuse complaints to ISPs ► Computing and time costs Challenges
  10. Internet scanning is a niche field ► Challenges prevent widespread

    adoption ► Value is centered around research ► Businesses can see it as a threat Status Quo
  11. Internet scan data is incredibly useful ► Identify and quantify

    widespread vulnerabilities ► Provide due diligence for vendors & partners ► Market share information for products ► Locate unmanaged corporate assets ► Get a handle on shadow IT Internet Scan Data
  12. Hard to find any measurable improvement ► Exposures are getting

    worse each time we look ► VxWorks WDBRPC exposure is increasing ► UPnP has shown minimal improvements ► DDNS DDoS is bad enough ► SNMP is worse Security is Getting Worse
  13. This is a rock the community can move ► Demonstrate

    value to IT, security, and the business ► Drive research based on quantified exposure ► Build awareness around public networks ► Hold vendors and ISPs accountable ► Provide ammo for legal reform Time for a Change
  14. Community project for internet scans ► Open source tools to

    simplify scanning ► Open datasets for everyone ► Practical applications http://miniurl.org/sonar Project Sonar
  15. Integration with existing tools ► UDP probes and processing tools

    for Zmap ► NSE scripts for running with Nmap ► SSL certificate grabbers ► Fast DNS lookup tools Sonar: Scanning #ScanAllTheThings
  16. Critical.IO Archive ► Parsed banners across 18 services over 10

    months ► Current dataset is in compressed JSON ► Historical view of your networks ► Segmented for easy lookups Sonar: Dataset 1 #ScanAllTheThings
  17. ► 2.4 TB of service fingerprints (355 GB bz2 compressed)

    ► 1.57 billion records Sonar: Dataset 1 #ScanAllTheThings
  18. SSL Certificates ► All SSL certs on IPv4 port 443

    as of September 10th ► Available as raw certs and parsed IP -> Name pairs ► ~33 million records @ 50 GB ( 16 GB compressed ) ► ~8.6 million unique IP->Name pairs ( 270 MB ) Sonar: Dataset 2 #ScanAllTheThings
  19. Reverse DNS ► Full reverse DNS for IPv4, regularly updated

    ► ~1.13 billion records @ 50 GB ( 3 GB compressed ) ► Similar use cases to DeepMagic’s PTR search Sonar: Dataset 3 #ScanAllTheThings
  20. ZMap & Rapid7 teams are collaborating ► Launching a shared

    internet scan data portal ► Accepting data from third-parties (you!) ► Includes all datasets already mentioned ► Also 18 months of SSL scans! http://scans.io Data Portals & Downloads #GrepAllTheThings?
  21. You can find zero-day with public datasets ► Easy to

    identify common vulnerabilities ► Look for min/max and anomalies ► Unix pipelines are all you need Examples: Research #ScanAllTheThings
  22. Random things that aren’t random ► Any duplicate SSL key

    is probably a vulnerability ► Tens of thousands of systems with duplicates ► We need eyes to actually classify these ► Identify vendors and report Duplicate SSL Certificates #ScanAllTheThings
  23. SSL certificates make good fingerprints ► Identify all occurrences of

    an embedded device ► Locate otherwise hard to identify systems ► Enterprise appliances galore SSL Fingerprinting #ScanAllTheThings
  24. Improving your company’s security ► Identify external assets you may

    have missed ► Quickly scan massive networks easily ► Historical data helps with response ► Practical data mining Examples: Infosec #ScanAllTheThings
  25. SSL certificates are ubiquitous ► Every important site has a

    SSL certificate ► SSL certificates map to domains Cloud services often use customer certificates ► Identify undocumented third-party services ► May find 10%+ more than your IT knows about Asset Discovery (SSL) #ScanAllTheThings
  26. Reverse DNS provides an interesting view ► Forward DNS may

    not match, but reverse is still set ► Find routers, modems, old ISP connections ► Find VPS services, rogue partners, and VARs ► Accidentally the whole intel agency Asset Discovery (DNS) #ScanAllTheThings
  27. Classify 100,000 nodes in 5 minutes ► Quickly scan a

    small subset of ports ► Send UDP probes for dangerous services ► Analyze, sort, and prioritize assessment Quick Risk Assessment #ScanAllTheThings