Slides from PyConCZ 2018 by @JirkaV

1. @JirkaV, PyCon CZ 2018
Portscan all the things!
(fast, distributed and effective)

2. @JirkaV, PyCon CZ 2018
About (TL;DR)
“Senior Red Team Analyst” (read: hacker)
13 years of hacking $BIGCORPs*
Python user since Python 2.4
*at their request

3. @JirkaV, PyCon CZ 2018
Portscan? Why?
“Our perimeter is secure”

4. @JirkaV, PyCon CZ 2018
Portscan? Why?
“Our perimeter is secure”
“No, we don’t know what it looks like exactly”

5. @JirkaV, PyCon CZ 2018
Portscan? Why?
“Our perimeter is secure”
“No, we don’t know what it looks like exactly”
Trust, but verify

6. @JirkaV, PyCon CZ 2018
“Port” ?
8.8.8.8
8.8.4.4
9.9.9.9
1.1.1.1
http://www.python.org
https://www.python.org

7. @JirkaV, PyCon CZ 2018
“Port” ?
8.8.8.8:53
8.8.4.4:53
9.9.9.9:53
1.1.1.1:53
http://www.python.org:80
https://www.python.org:443
Ports range from 1 to 65535

8. @JirkaV, PyCon CZ 2018
Port Facts
Each open port is being serviced by a program

9. @JirkaV, PyCon CZ 2018
Port Facts
Each open port is being serviced by a program
Which might be misconfigured or vulnerable

10. @JirkaV, PyCon CZ 2018
Port Facts
Each open port is being serviced by a program
Which might be misconfigured or vulnerable
It might leak data or provide access to inner
network

11. @JirkaV, PyCon CZ 2018
Port Facts
Each open port is being serviced by a program
It might be misconfigured or vulnerable
It might leak data or provide access to inner
network
We need to find it and check it

12. @JirkaV, PyCon CZ 2018
Closed Port

13. @JirkaV, PyCon CZ 2018
Open Port

14. @JirkaV, PyCon CZ 2018
Open Port

15. @JirkaV, PyCon CZ 2018
The “handshake”
Hey!

16. @JirkaV, PyCon CZ 2018
The “handshake”
Go away!
Hey!

17. @JirkaV, PyCon CZ 2018
The “handshake”
Hey, you!
You!
Hey!

18. @JirkaV, PyCon CZ 2018
The Bad
A lot of ports to check (16 million for a “small”
perimeter)

19. @JirkaV, PyCon CZ 2018
The Bad
A lot of ports to check (16 million for a “small”
perimeter)
Tools / HW appliances for detecting scans

20. @JirkaV, PyCon CZ 2018
The Bad
A lot of ports to check (16 million for a “small”
perimeter)
Tools / HW appliances for detecting scans
No clear indication if ports are closed or we’re
being blocked

21. @JirkaV, PyCon CZ 2018
The Good

22. @JirkaV, PyCon CZ 2018
The Good
>>> import antigravity *
*not realy

23. @JirkaV, PyCon CZ 2018
The Good
>>> import socket
>>> import multiprocessing
>>> import queue

24. @JirkaV, PyCon CZ 2018
Distributed Port Scanner
127.0.0.14:8723
127.0.0.61:11319
127.0.0.113:12121
127.0.0.109:4138
...
127.0.0.14:8723-CLOSED
127.0.0.61:11319-CLOSED
127.0.0.113:12121-OPEN
127.0.0.109:4138-CLOSED
...

25. @JirkaV, PyCon CZ 2018
The Worker
def probe(ip, port):
s = socket.socket()
s.settimeout(3)
try:
s.connect( (ip, port) )
s.close()
return True
except (ConnectionError, OSError, socket.timeout):
pass
return False

26. @JirkaV, PyCon CZ 2018
The Worker
manager = QueueManager(address=(SERVER_IP, PORT))
manager.connect()
input_q = manager.targets_queue()
results_q = manager.results_queue()
while True:
ip, port = input_q.get()
result = probe(ip, port)
results_q.put( (ip, port, result) )

27. @JirkaV, PyCon CZ 2018
Real World Scanner
~0.5 million checks per day by a single machine
(30 scanner processes)

28. @JirkaV, PyCon CZ 2018
Questions?
https://github.com/JirkaV/PyConCZ_2017