
WHOIS the Master


Presents a WHOIS database search engine tool I wrote to allow pentesters to access network information for specified targets. First presented at BSidesDE 2010

Published in: Technology

WHOIS the Master

  1. WHOIS the master
     an introduction to Sho'Nuff
     jason ross
  2. about me
     • job: break stuff for the intrepidus group
     • play: with malware
     • poorly manage defcon group 585
     • refuse to use caps in slide decks (acronyms excluded)
  3. agenda
     • 2^32 addresses ought to be enough for anybody
     • alphabet soup, iron fists, and ipv6
     • whois: awesomely full of crap
     • shonuff – the whois master
  4. a (very) brief history of 'the internet'
     • lots of separate networks hooked up, some confusion ensued
     • InterNIC stepped out, ICANN stepped in
     • ICANN manages global addressing under contract to US Dept. of Commerce as IANA
     • (not for) profit!
  5. ipv4 network allocation
     • large blocks of addresses are allocated to global geographic regions
     • large blocks may be allocated to national geographic regions
     • blocks are divided up and allocated to local ISPs
     • individual addresses or small blocks are assigned to ISP customers
  6. early allocation methods
     • there's so much space!
     • large chunks of network space allocated to single organizations
     • justification requirements fairly lax
  7. zomg! this thing works!
     • demand increased
     • address assignments got smaller
     • requirements to prove need of requested space got tighter
  8. what's a RIR?
     • Regional Internet Registry
     • in charge of large geographic regions
       – AfriNIC : Africa
       – APNIC : Asia / Pacific
       – ARIN : North America
       – LACNIC : Latin America & some Caribbean
       – RIPE NCC : Europe, Middle East, Central Asia
  9. what's a NIR?
     • National Internet Registry
     • in charge of small geographic regions
     • act as an agent of the RIR
     • not commonly used, but there's a few
  10. what's a LIR?
     • Local Internet Registry
     • usually an ISP
  11. why the push for ipv6?
     • ipv4 was not designed for security
     • "available address space is running low"
  12. security
     • many con talks and whitepapers by folks lots smarter than i have already covered this
     • so i won't
  13. scarcity
     • there have been comments and discussion around the fact that IPv4 space is 'running out' for years.
     • IEEE-USA published a report on this in 8/1999
  14. the sky is falling! (aka: how low can you go?)
     image taken from arstechnica: http://is.gd/dCnMM
  15. if ipv4 is running out, where did it go?
     • nobody that knows is telling ('freely')
     • nobody else knows
     • leading to much debate
  16. how to find out
     • ask IANA!
     • when that fails, ask the RIRs
     • then ask the LIRs
  17. overview of whois tools
     • *nix: whois
     • web: http://lmgtfy.com/?q=web+whois
     • www.robtex.com/whois
  18. what's missing?
     • no standardized output
     • can't perform true wildcard queries
       – whois -h whois.arin.net " o . bank*"
     • query options vary by RIR
     • information is not centralized
       – chasing referrals sucks
  19. how accurate is whois data?
     • contact data is required by law in most countries to be legit
     • ARIN is working on a policy to validate WHOIS POC info
  20. theoretical challenges
     • most efficient way to scan
     • how to handle referrals
     • should i throttle queries
     • parsing the results
  21. shonuff – the WHOIS master!
     • started as PHP/MySQL
     • then i got mocked (gently)
     • so i ported it to JSP/Postgres
       – to prove it can always get worse
     • is now written in ruby!
  22. what’s new?
     • better integration with shodan
     • privacy policy
     • more query types supported
  23. linking results to shodan
     • shodan has an API!
     • so i just make calls to it for you
       – many thanks to achillean, for letting this work!
  24. interesting reports
     • organizational breakdown
       – who has the most allocations
       – who has the most network space
     • geographic breakdown
       – what countries have ip space
       – which countries have the most space
  25. Demo!
  26. future plans
     • add in WHOIS contact data
     • malware IP to WHOIS correlation
       – allows easy tie-back of malicious content to "real world" network & hosting businesses
     • integrate DNS records for netblocks
     • Maltego transform?
     • Tie-in for Fierce?
     • Metasploit fun?
  27. where is it?
     http://whoisthemaster.org
  28. the end
     @rossja
     algorythm@gmail.com
     cruft.blogspot.com
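
Slides 18 and 20 name non-standardized output, referral chasing and result parsing as the hard parts of working with WHOIS. The Ruby below is an added example, not code from Sho'Nuff: it normalizes two registry layouts into one record and pulls the next server out of a referral line. The field map, the function names and both sample responses are constructed for illustration.

```ruby
require 'ipaddr'
# Field names differ per registry; map each layout's key to one normalized key (assumed mapping).
FIELD_MAP = {
  'netrange' => :range, 'inetnum' => :range, 'netname' => :netname,
  'orgname' => :org, 'org-name' => :org, 'descr' => :org,
  'country' => :country, 'referralserver' => :referral
}.freeze

# Parse one raw WHOIS response into a normalized hash.
def parse_whois(raw)
  rec = {}
  raw.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', '%') # ARIN-style / RIPE-style comments
    key, value = line.split(':', 2)
    next if value.nil?
    field = FIELD_MAP[key.strip.downcase]
    next if field.nil? || rec.key?(field)             # first value seen wins
    rec[field] = value.strip
  end
  if rec[:range]
    first, last = rec[:range].split('-').map { |s| IPAddr.new(s.strip) }
    rec[:addresses] = last.to_i - first.to_i + 1      # size of the block
  end
  rec
end

# Host of the next WHOIS server to ask, or nil when this answer is final.
def referral_host(rec)
  return nil unless rec[:referral]
  m = rec[:referral].match(%r{\A(r?whois)://([^:/\s]+)(?::(\d+))?})
  m && m[1] == 'whois' ? m[2] : nil # rwhois is a different protocol; not followed
end

# Constructed samples on documentation address ranges (not real registry data).
ARIN_SAMPLE = <<~TXT
  # constructed sample, ARIN-style layout
  NetRange:       198.51.100.0 - 198.51.100.255
  OrgName:        Example Org
  Country:        US
  ReferralServer:  whois://whois.ripe.net
TXT
RIPE_SAMPLE = <<~TXT
  % constructed sample, RIPE-style layout
  inetnum:        192.0.2.0 - 192.0.2.127
  netname:        EXAMPLE-EU
  descr:          Example Hosting
  country:        NL
TXT
```

Throttling, which slide 20 also raises, is left out here; it belongs in the code that opens the connections, not in the parser.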
