WHOIS the master – an introduction to Sho'Nuff
jason ross
about me
• job: break stuff for the intrepidus group
• play: with malware
• poorly manage defcon group 585
• refuse to use caps in slide decks (acronyms excluded)
agenda
• 2^32 addresses ought to be enough for anybody
• alphabet soup, iron fists, and ipv6
• whois: awesomely full of crap
• shonuff – the whois master
a (very) brief history of 'the internet'
• lots of separate networks hooked up, some confusion ensued
• InterNIC stepped out, ICANN stepped in
• ICANN manages global addressing under contract to US Dept. of Commerce as IANA
• (not for) profit!
ipv4 network allocation
• large blocks of addresses are allocated to global geographic regions
• large blocks may be allocated to national geographic regions
• blocks are divided up and allocated to local ISPs
• individual addresses or small blocks are assigned to ISP customers
early allocation methods
• there's so much space!
• large chunks of network space allocated to single organizations
• justification requirements fairly lax
zomg! this thing works!
• demand increased
• address assignments got smaller
• requirements to prove need of requested space got tighter
what's a RIR?
• Regional Internet Registry
• in charge of large geographic regions
– AfriNIC : Africa
– APNIC : Asia / Pacific
– ARIN : North America
– LACNIC : Latin America & some Caribbean
– RIPE NCC : Europe, Middle East, Central Asia
what's a NIR?
• National Internet Registry
• in charge of small geographic regions
• act as an agent of the RIR
• not commonly used, but there's a few
what's a LIR?
• Local Internet Registry
• usually an ISP
why the push for ipv6?
• ipv4 was not designed for security
• "available address space is running low"
security
• many con talks and whitepapers by folks lots smarter than i have already covered this
• so i won't
scarcity
• there have been comments and discussion around the fact that IPv4 space is 'running out' for years.
• IEEE-USA published a report on this in 8/1999
the sky is falling! (aka: how low can you go?)
image taken from arstechnica: http://is.gd/dCnMM
if ipv4 is running out, where did it go?
• nobody that knows is telling ('freely')
• nobody else knows
• leading to much debate
how to find out
• ask IANA!
• when that fails, ask the RIRs
• then ask the LIRs
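The "ask IANA first" step above can be automated. The following is an added example in Ruby (not part of the talk and not shonuff's own code): it parses IANA's ipv4-address-space registry (the CSV form of the XML file the notes link to), finds the /8 an address falls in, and reads off which RIR whois server to ask next, or that there is nobody below IANA to ask (reserved space). The registry rows are a constructed sample in IANA's column layout, not a copy of the live file.

```ruby
require 'csv'
require 'ipaddr'

# Constructed sample rows in the column layout of IANA's published CSV
# (https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv).
# Values are illustrative for this example, not a copy of the live registry.
IANA_V4_SAMPLE = <<~TEXT
  Prefix,Designation,Date,Whois,RDAP,Status [1],Note
  001/8,APNIC,2010-01,whois.apnic.net,https://rdap.apnic.net/,ALLOCATED,
  002/8,RIPE NCC,2009-09,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
  003/8,Administered by ARIN,1994-05,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
  010/8,IANA - Private Use,1995-06,,,RESERVED,Reserved for Private-Use Networks [RFC1918]
  041/8,AfriNIC,2005-04,whois.afrinic.net,https://rdap.afrinic.net/rdap/,ALLOCATED,
  200/8,LACNIC,2002-11,whois.lacnic.net,https://rdap.lacnic.net/rdap/,ALLOCATED,
  240/8,Future use,1981-09,,,RESERVED,Reserved for future use [RFC1112]
TEXT

IanaBlock = Struct.new(:first_octet, :designation, :whois, :status, :note)

# Turn the registry text into one record per /8.
def parse_iana_v4(csv_text)
  CSV.parse(csv_text, headers: true).map do |row|
    # "010/8" -> 10; base 10 is explicit so the leading zero is not read as octal
    first_octet = Integer(row['Prefix'].split('/').first, 10)
    IanaBlock.new(first_octet, row['Designation'], row['Whois'].to_s,
                  row['Status [1]'], row['Note'].to_s)
  end
end

# Find the /8 record covering an IPv4 address (nil if the registry has no row for it).
def iana_lookup(blocks, ip)
  addr = IPAddr.new(ip)
  raise ArgumentError, "IPv4 address expected: #{ip}" unless addr.ipv4?
  first_octet = addr.to_i >> 24
  blocks.find { |b| b.first_octet == first_octet }
end

# Which registry to ask next. IANA's list names the RIR whois server for
# allocated and legacy /8s; reserved space has no registry below IANA.
def next_whois_server(blocks, ip)
  block = iana_lookup(blocks, ip)
  return nil if block.nil? || block.whois.empty?
  block.whois
end

if __FILE__ == $PROGRAM_NAME
  blocks = parse_iana_v4(IANA_V4_SAMPLE)
  %w[1.2.3.4 10.0.0.1 8.8.8.8].each do |ip|
    block = iana_lookup(blocks, ip)
    where = block ? "#{block.designation} (#{block.status})" : 'not in sample'
    puts "#{ip}: #{where} -> ask #{next_whois_server(blocks, ip) || 'nobody'}"
  end
end
```

The lookup only tells you which RIR holds the /8; as the notes say, most entries are RIRs, so the real answer about who uses the space needs a second query to the server this function returns.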
overview of whois tools
• *nix: whois
• web: http://lmgtfy.com/?q=web+whois
• www.robtex.com/whois
what's missing?
• no standardized output
• can't perform true wildcard queries
– whois -h whois.arin.net " o . bank*"
• query options vary by RIR
• information is not centralized
– chasing referrals sucks
how accurate is whois data?
• contact data is required by law in most countries to be legit
• ARIN is working on a policy to validate WHOIS POC info
theoretical challenges
• most efficient way to scan
• how to handle referrals
• should i throttle queries
• parsing the results
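The referral, throttling and parsing questions above, worked through in Ruby as an added example (not shonuff's own code): a key/value parser for ARIN-style WHOIS output, an extractor for the `ReferralServer:` field, and a chaser that follows referrals hop by hop with a visited set as loop guard, a hop limit and a caller-supplied throttle. The responses, hostnames and netblocks are constructed for the example; `whois_fetch` shows what a real TCP/43 query looks like but the run below uses the in-memory table instead of the network.

```ruby
require 'socket'

# Constructed WHOIS responses keyed by server name. The hostnames, netblocks
# and organisations are made up; the second response refers back to itself to
# exercise the loop guard.
FAKE_SERVERS = {
  'whois.arin.net' => <<~TXT,
    # ARIN-style comment line that the parser must skip
    NetRange:       203.0.113.0 - 203.0.113.255
    CIDR:           203.0.113.0/24
    NetName:        EXAMPLE-ISP-NET
    OrgName:        Example ISP
    ReferralServer: rwhois://rwhois.example-isp.net:4321
  TXT
  'rwhois.example-isp.net' => <<~TXT,
    NetRange:       203.0.113.64 - 203.0.113.127
    CIDR:           203.0.113.64/26
    NetName:        EXAMPLE-CUSTOMER
    OrgName:        Example Customer Ltd
    ReferralServer: rwhois://rwhois.example-isp.net:4321
  TXT
}.freeze

# Stand-in for the network: look the server up in the constructed table.
FAKE_FETCH = lambda do |server, _port, _query|
  FAKE_SERVERS.fetch(server) { "% no response from #{server}\n" }
end

# Real query: one line to TCP/43 (or the port named in the referral), read to EOF.
def whois_fetch(server, port, query)
  Socket.tcp(server, port, connect_timeout: 5) do |sock|
    sock.write("#{query}\r\n")
    sock.read
  end
end

# Parse "Key: value" lines into a hash. Lines starting with '#' (ARIN) or
# '%' (RIPE) are comments. A repeated key keeps its last value.
def parse_whois(text)
  text.each_line.with_object({}) do |line, fields|
    line = line.strip
    next if line.empty? || line.start_with?('#', '%')
    key, value = line.split(':', 2)
    next if value.nil?
    fields[key.strip] = value.strip
  end
end

# Pull host and port out of a ReferralServer value such as
# "rwhois://rwhois.example-isp.net:4321" or "whois://whois.ripe.net".
def referral_target(fields)
  ref = fields['ReferralServer']
  return nil if ref.nil?
  m = ref.match(%r{\A(?:r?whois://)?([^/:\s]+)(?::(\d+))?})
  return nil if m.nil?
  [m[1], (m[2] || 43).to_i]
end

# Follow referrals from the RIR down to the LIR. Each hop records the server
# asked and the parsed fields; the visited set stops referral loops and
# max_hops bounds the walk even when every hop points somewhere new.
def chase_referrals(query, fetch:, start: 'whois.arin.net', max_hops: 5, throttle: ->(_server) {})
  hops = []
  visited = {}
  server, port = start, 43
  max_hops.times do
    key = "#{server}:#{port}"
    break if visited[key]
    visited[key] = true
    throttle.call(key)            # e.g. ->(_) { sleep 1 } to pace queries per server
    fields = parse_whois(fetch.call(server, port, query))
    hops << { server: server, port: port, fields: fields }
    target = referral_target(fields)
    break if target.nil?
    server, port = target
  end
  hops
end

if __FILE__ == $PROGRAM_NAME
  chase_referrals('203.0.113.70', fetch: FAKE_FETCH).each do |hop|
    puts "#{hop[:server]}:#{hop[:port]} -> #{hop[:fields]['OrgName']} (#{hop[:fields]['CIDR']})"
  end
end
```

Passing the fetcher and throttle in as lambdas keeps the chasing logic testable offline and lets the throttle be tuned per registry without touching the parser.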
shonuff – the WHOIS master!
• started as PHP/MySQL
• then i got mocked (gently)
• so i ported it to JSP/Postgres
– to prove it can always get worse
• is now written in ruby!
what’s new?
• better integration with shodan
• privacy policy
• more query types supported
linking results to shodan
• shodan has an API!
• so i just make calls to it for you
– many thanks to achillean, for letting this work!
interesting reports
• organizational breakdown
– who has the most allocations
– who has the most network space
• geographic breakdown
– what countries have ip space
– which countries have the most space
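An added example in Ruby (not from the talk) of how the organizational and geographic breakdowns above can be computed once netblock records have been parsed out of WHOIS: count allocations and sum address space per organisation or per country. It also shows why the two reports are worth keeping apart: "most allocations" and "most network space" rank differently. The records are a constructed sample and the field names are assumptions, not shonuff's schema.

```ruby
require 'ipaddr'

# Constructed netblock records, roughly what a WHOIS parser leaves behind.
# Organisations, countries and prefixes are made up for this example.
SAMPLE_NETBLOCKS = [
  { cidr: '203.0.113.0/24',  org: 'Example ISP',      country: 'US' },
  { cidr: '198.51.100.0/24', org: 'Example ISP',      country: 'US' },
  { cidr: '192.0.2.0/25',    org: 'Example Customer', country: 'US' },
  { cidr: '192.0.2.128/25',  org: 'Example Customer', country: 'DE' },
  { cidr: '100.64.0.0/22',   org: 'Big Hoster',       country: 'NL' },
].freeze

# Number of IPv4 addresses in a CIDR block; rejects IPv6 and malformed input.
def address_count(cidr)
  addr = IPAddr.new(cidr)                 # raises on malformed input
  raise ArgumentError, "IPv4 block expected: #{cidr}" unless addr.ipv4?
  prefix_len = Integer(cidr.split('/', 2).fetch(1, '32'), 10)
  2**(32 - prefix_len)
end

# Group records by a field (:org or :country) and total allocations and addresses.
def breakdown(records, by:)
  totals = Hash.new { |h, k| h[k] = { allocations: 0, addresses: 0 } }
  records.each do |rec|
    entry = totals[rec.fetch(by)]
    entry[:allocations] += 1
    entry[:addresses] += address_count(rec.fetch(:cidr))
  end
  totals
end

# Rank groups by one metric (:allocations or :addresses); ties keep input
# order so the report is stable between runs.
def top(records, by:, metric:, limit: 3)
  breakdown(records, by: by)
    .sort_by.with_index { |(_key, v), i| [-v[metric], i] }
    .first(limit)
    .map { |key, v| [key, v[metric]] }
end

if __FILE__ == $PROGRAM_NAME
  puts 'most allocations:   ' + top(SAMPLE_NETBLOCKS, by: :org, metric: :allocations).inspect
  puts 'most network space: ' + top(SAMPLE_NETBLOCKS, by: :org, metric: :addresses).inspect
  puts 'space by country:   ' + top(SAMPLE_NETBLOCKS, by: :country, metric: :addresses).inspect
end
```

In the sample, Example ISP leads by allocation count while Big Hoster, with a single /22, leads by address space; a report that only counts records would miss that.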
Demo!
future plans
• add in WHOIS contact data
• malware IP to WHOIS correlation
– allows easy tie-back of malicious content to "real world" network & hosting businesses
• integrate DNS records for netblocks
• Maltego transform?
• Tie-in for Fierce?
• Metasploit fun?
where is it?
http://whoisthemaster.org
the end
@rossja
algorythm@gmail.com
cruft.blogspot.com

Editor's notes

  1. Because IP is 32 bit, there are about 4.2 billion potential IP addresses (2^32 = 4,294,967,296). Early thought was that we'd never run out. Now there are claims that we are running out (and there have been since late 1999 / early 2000). The address space is managed by a conglomeration of organizations, each with fun acronyms for names. Information about who the space has been assigned to is viewed as proprietary, and confidential, information – despite the fact that it is publicly available in the form of WHOIS. WHOIS is useful, but has some shortcomings. Most specifically, it's difficult to query based on descriptive text, or obtain a list of "all networks that are associated with entity X". So… I wrote a tool to allow those things.
  2. The history of "the internet" as we know it today is a very convoluted (and in many cases disputed) tale. Accordingly, i'm ignoring it entirely, and simply summarizing it as "lots of private networks came together using a suite of protocols tested by the US DOD research arm known as ARPA. Things got crazy for a bit, but everyone saw it was useful, so eventually a non-profit organization was created to help things out and manage the address and name space of the network going forward." That organization is ICANN (Internet Corporation for Assigned Names and Numbers), and they oversee the global address and namespace by managing a subsidiary organization called the Internet Assigned Numbers Authority (IANA) under contract to the US Dept. of Commerce. In addition to global IP space assignment, IANA controls the Autonomous System (AS) Number assignments, and documents IP port number assignments made by the IETF.
  3. In general, IANA doesn't provide IP addresses to the public. It provides large blocks of space to various NICs (Network Information Centers) so that they can then be parceled out and given to ISPs in smaller chunks in a hierarchical manner. The typical process is:
     * IANA assigns large blocks of addresses to Regional Internet Registries (RIR)
     * The RIR assigns blocks of addresses from their IANA assigned pool to National Internet Registries (NIR) or Local Internet Registries (LIR).
     * The RIR then assigns addresses to specific ISPs, which are then further divided into small pools for specific end user needs.
  4. As the use of the internet increased, address assignments got more specific to address concerns about scarcity. Additionally, requirements for obtaining blocks of network space from RIRs grew more stringent. The current ARIN guidelines for IP address allocation for private organizations (end users, i.e. not an ISP) are:
     * minimum allocation: /20 (4,096 addresses)
     * a 25% immediate utilization rate, and
     * a 50% utilization rate within one year.
     https://www.arin.net/policy/nrpm.html#four
  5. A RIR assigns network space to LIRs or NIRs, not to end users directly.
  6. NIRs operate as agents of the RIR which oversees them. They allocate the network space assigned to the RIR and assign it to LIRs within their geographic region of responsibility. The NIR is not directly assigned network addresses as a RIR is; it simply manages the assignment of addresses for a specific area.
  7. LIRs are assigned small blocks of network space, which they further divide as needed to meet the operational needs of their end users.
  8. IEEE paper on this subject can be found at: http://www.ieeeusa.org/volunteers/committees/ccp/documents/IPv6FinalwhitepaperFinalAugust2009.pdf
  9. Image taken from an article on ars technica about the scarcity of ipv4 space.
  10. ARIN does provide a bulk database download option, "to support the work of bona fide academic researchers, and to operators and researchers who are using the data to provide a clear benefit to the broader networking community. ARIN does not provide bulk copies of Whois data to operators who wish to incorporate this data into products, services, or internal systems with no clear benefit to the broader community." To qualify:
     Step 1: Complete Request Form
     Step 2: Review Process. "Upon receipt of your signed AUP, ARIN staff will begin a thorough review of your request by contacting you via e-mail using the e-mail address specified in the signature section of the Bulk Whois Request Form. ARIN will ask you a set of questions aimed at understanding why you require access to a bulk copy of the data."
     More information on that can be found at https://www.arin.net/resources/request/bulkwhois.html
  11. IANA maintains a list of top level block assignments at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml This file is useful for gaining a very general overview of where IP space has been assigned. Most of the entries on the list are RIRs however, making it useless for telling where the address space is actually being used. So, to get more meaningful information, there's a need to go down at least one level, and ask the RIRs.
  12. On most unix based systems, there's a utility called whois which can be used to perform queries of domain names and/or IP addresses. In addition, robtex.com maintains a web based interface to whois, and a lot of other useful networking tools.
  13. The whois syntax above comes close to performing a wildcard query, but ARIN only supports a wildcard at the end of the string.
  14. Because of how network space is allocated and assigned, often the WHOIS data obtained from the RIR points to an NSP, which places a referral to the WHOIS server run by the LIR that space has been allocated to. If you then query the server in the referral, you can obtain more specific data about the customer the NSP has assigned the particular block to. I decided to break parsing down into multiple stages:
     * obtain all top level WHOIS information
     * parse for referrals, then process them in a second stage
     * continue until all referrals have been processed