This talk introduces a new security tool called ShoNuff. With all the talk about IPv4 address scarcity, and the resulting migration to IPv6, I thought it would be interesting to see how the IP space was chopped up. Additionally, I figured it would be interesting to see what organizations were responsible for various network blocks. So, I've started enumerating the whois space for the entire Internet, normalizing that information and making it available to the public. Additionally, I'm tying the allocated network blocks to SHODAN, so that one can query an organization's name and return a complete list of netblocks associated with that entity, then discover what service banners SHODAN has for that particular netblock.
Jason Ross
Jason has been working in the IT industry for about 12 years, and specifically doing InfoSec for the past 9. Jason provides security consulting services, and, after hours, he performs malware research with a number of international organizations and runs the Rochester DefCon Group (DC585). Despite all that, Jason is most proud to be a husband, and a father to 4 wonderful sons.
2. about me
• break stuff for a living
• play with malware for fun
• poorly manage defcon group 585
• refuse to use caps in slide decks (acronyms excluded)
3. agenda
• 2^32 addresses ought to be enough for anybody
• alphabet soup, iron fists, and ipv6
• whois: awesomely full of crap
• shonuff – the whois master
4. a (very) brief history of 'the internet'
• lots of separate networks hooked up, some confusion ensued
• InterNIC stepped out, ICANN stepped in
• ICANN manages global addressing under contract to US Dept. of Commerce as IANA
• (not for) profit!
5. ipv4 network allocation
• large blocks of addresses are allocated to global geographic regions
• large blocks may be allocated to national geographic regions
• blocks are divided up and allocated to local ISPs
• individual addresses or small blocks are assigned to ISP customers
6. early allocation methods
• there's so much space!
• large chunks of network space allocated to single organizations
• justification requirements fairly lax
7. zomg! this thing works!
• demand increased
• address assignments got smaller
• requirements to prove need of requested space got tighter
8. what's a RIR?
• Regional Internet Registry
• in charge of large geographic regions
– AfriNIC : Africa
– APNIC : Asia / Pacific
– ARIN : North America
– LACNIC : Latin America & some Caribbean
– RIPE NCC : Europe, Middle East, Central Asia
9. what's a NIR?
• National Internet Registry
• in charge of small geographic regions
• act as an agent of the RIR
• not commonly used, but there's a few
11. why the push for ipv6?
• ipv4 was not designed for security
• "available address space is running low"
12. security
• many con talks and whitepapers by folks lots smarter than i have already covered this
• so i won't
13. scarcity
• there have been comments and discussion around the fact that IPv4 space is 'running out' for years
• IEEE-USA published a report on this in 8/1999
14. the sky is falling! (aka: how low can you go?)
image taken from arstechnica: http://is.gd/dCnMM
15. if ipv4 is running out, where did it go?
• nobody that knows is telling ('freely')
• nobody else knows
• leading to much debate
16. how to find out
• ask IANA!
• when that fails, ask the RIRs
• then ask the LIRs
18. what's missing?
• no standardized output
• can't perform true wildcard queries
– whois -h whois.arin.net " o . bank*"
• query options vary by RIR
• information is not centralized
– chasing referrals sucks
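The two previous slides ("ask IANA, then the RIRs, then the LIRs" and "chasing referrals sucks / no standardized output") describe what a whois normalizer has to do. The following is an added example in Ruby (the language the tool ended up in), not ShoNuff's own code: it follows `refer:` / `ReferralServer:` lines from IANA down to an RIR and on to an LIR's rwhois server, then folds ARIN's "Key: value", RPSL "key: value" and rwhois "network:Attribute:value" output onto one record shape. The sample responses, the documentation address space in them and the `rwhois.example.net` server are constructed; the query function is injectable so the chain runs offline.

```ruby
# Added example (not ShoNuff's code): chase WHOIS referrals from IANA down to
# the RIR and, where ARIN hands off, to the LIR's rwhois server, then map the
# differing output formats onto one record shape. Sample responses below are
# constructed; the LIR server they point at is illustrative.
require 'socket'

# Minimal RFC 3912 WHOIS client: one query per TCP connection, read to EOF.
def whois_query(server, query, port = 43)
  sock = TCPSocket.new(server, port)
  sock.write("#{query}\r\n")
  sock.read
ensure
  sock&.close
end

# IANA answers "refer: whois.arin.net"; ARIN answers "ReferralServer:
# whois://..." or "rwhois://host:port" when an LIR runs its own server.
REFERRAL_RE = /^\s*(?:refer|ReferralServer):\s*(?:r?whois:\/\/)?([\w.-]+)(?::(\d+))?/i

def referral_from(text)
  m = text.match(REFERRAL_RE)
  m && [m[1].downcase, (m[2] || 43).to_i]
end

# ARIN uses "Key: value", RIPE/APNIC use RPSL "key: value", rwhois uses
# "network:Attribute:value"; all three are folded onto the same symbols.
FIELD_MAP = {
  'netrange' => :range, 'inetnum' => :range,
  'cidr' => :cidr, 'ip-network' => :cidr,
  'netname' => :netname, 'descr' => :descr,
  'orgname' => :org, 'org-name' => :org, 'org' => :org_handle,
  'country' => :country, 'source' => :source
}.freeze

def normalize_record(text)
  rec = {}
  text.each_line do |line|
    next if line.start_with?('#', '%')          # comment lines in every style
    key, _, value = line.sub(/\Anetwork:/i, '').partition(':')
    field = FIELD_MAP[key.strip.downcase]
    rec[field] ||= value.strip if field && !value.strip.empty?  # first value wins
  end
  rec[:org] ||= rec[:descr]                      # RPSL inetnums often only carry descr
  rec
end

# Start at IANA and follow referrals until a server answers without one.
# query_fn is injectable so the chain can be exercised offline.
def lookup(ip, query_fn = method(:whois_query), max_hops: 5)
  server, port = 'whois.iana.org', 43
  chain = []
  text = ''
  max_hops.times do
    text = query_fn.call(server, ip, port)
    chain << server
    nxt = referral_from(text)
    break if nxt.nil? || chain.include?(nxt[0])   # stop on no referral or a loop
    server, port = nxt
  end
  { chain: chain, record: normalize_record(text) }
end

# --- constructed sample responses (documentation address space) ---
IANA_SAMPLE = <<~WHOIS
  % IANA WHOIS server (constructed sample)
  refer:        whois.arin.net
  status:       ALLOCATED
WHOIS
ARIN_SAMPLE = <<~WHOIS
  # ARIN WHOIS data and services are subject to the Terms of Use (constructed sample)
  NetRange:       203.0.113.0 - 203.0.113.255
  CIDR:           203.0.113.0/24
  NetName:        EXAMPLE-TRANSIT
  OrgName:        Example Transit, Inc.
  Country:        US
  ReferralServer: rwhois://rwhois.example.net:4321
WHOIS
RWHOIS_SAMPLE = <<~WHOIS
  %rwhois V-1.5:003fff:00 rwhois.example.net (constructed sample)
  network:Class-Name:network
  network:IP-Network:203.0.113.0/24
  network:Org-Name:Example Hosting LLC
WHOIS
RIPE_SAMPLE = <<~WHOIS
  % This is the RIPE Database query service (constructed sample).
  inetnum:        192.0.2.0 - 192.0.2.255
  netname:        EXAMPLE-NL
  descr:          Example Research BV
  country:        NL
  org:            ORG-EX1-RIPE
  source:         RIPE
WHOIS

# Offline stand-in for whois_query: answer by server name.
SAMPLES = { 'whois.iana.org' => IANA_SAMPLE, 'whois.arin.net' => ARIN_SAMPLE,
            'rwhois.example.net' => RWHOIS_SAMPLE }.freeze
OFFLINE = ->(server, _query, _port) { SAMPLES.fetch(server) }
```

`lookup('203.0.113.7', OFFLINE)` walks whois.iana.org, whois.arin.net and rwhois.example.net and returns the last hop's record with `:cidr` and `:org` filled in; drop the second argument to go to the real servers. The loop guard matters in practice: RIRs occasionally refer to each other for legacy space, and without it a bad referral pair would spin until `max_hops`.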
19. how accurate is whois data?
• contact data is required by law in most countries to be legit
• ARIN is working on a policy to validate WHOIS POC info
21. interesting reports
• organizational breakdown
– who has the most allocations
– who has the most network space
• geographic breakdown
– what countries have ip space
– which countries have the most space
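Both report types on this slide reduce to the same computation over a normalized WHOIS store: count allocations and sum address space per organization or per country. The block below is an added example, not ShoNuff's code; the records are constructed samples in the shape a normalizer would produce (each block carries either a `:cidr` or a "first - last" `:range`), it is IPv4 only, and the 10.0.0.0/8 record simply stands in for a legacy /8 holder of the kind the earlier slides describe.

```ruby
# Added example (not ShoNuff's code): "who has the most allocations / most
# space" and "which countries have the most space" over normalized records.
# Records below are constructed; IPv4 only.
require 'ipaddr'

# Number of addresses in a block: 2^(32 - prefixlen) for CIDR, or the
# inclusive span for an ARIN/RPSL "first - last" range.
def address_count(rec)
  if rec[:cidr]
    _, prefix = rec[:cidr].split('/')
    2**(32 - (prefix || 32).to_i)
  elsif rec[:range]
    first, last = rec[:range].split('-').map { |s| IPAddr.new(s.strip).to_i }
    last - first + 1
  else
    0
  end
end

# Percentage of the whole IPv4 space (2^32 addresses).
def share_of_v4(addresses)
  addresses * 100.0 / 2**32
end

# Group by :org or :country; returns [key, allocations, addresses] rows,
# most address space first, ties broken by allocation count.
def report_by(records, field, top: 10)
  totals = Hash.new { |h, k| h[k] = { allocations: 0, addresses: 0 } }
  records.each do |rec|
    key = rec[field] || 'unknown'
    totals[key][:allocations] += 1
    totals[key][:addresses] += address_count(rec)
  end
  totals.map { |k, v| [k, v[:allocations], v[:addresses]] }
        .sort_by { |_, allocs, addrs| [-addrs, -allocs] }
        .first(top)
end

# Constructed store; 10.0.0.0/8 stands in for a legacy /8 held by one org.
RECORDS = [
  { org: 'Example Transit, Inc.', country: 'US', cidr: '203.0.113.0/24' },
  { org: 'Example Transit, Inc.', country: 'US', range: '198.51.100.0 - 198.51.100.127' },
  { org: 'Example Research BV',   country: 'NL', cidr: '192.0.2.0/24' },
  { org: 'Legacy Holdings Corp',  country: 'US', cidr: '10.0.0.0/8' }
].freeze

def print_report(title, rows)
  puts title
  rows.each do |key, allocs, addrs|
    printf("  %-24s %3d allocations %12d addresses (%.4f%% of v4)\n",
           key, allocs, addrs, share_of_v4(addrs))
  end
end

print_report('by organization', report_by(RECORDS, :org))
print_report('by country', report_by(RECORDS, :country))
```

Sorting by address space rather than allocation count is what surfaces the early /8 holders from slide 6: one legacy /8 outweighs thousands of /24 assignments. The range branch is needed because ARIN's `NetRange:` and RPSL's `inetnum:` give first and last address, and not every range is a single CIDR prefix.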
22. linking results to shodan
• shodan has ~~no API~~ an API!
• so i just ~~link to the search results~~ make calls to it for you
• you need to have an account
• and you need to be logged in
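The org-to-banners path the abstract describes (organization name, its netblocks, then whatever SHODAN holds for each block) as an added example, not ShoNuff's code. Assumptions: the call goes to Shodan's current REST host-search endpoint on api.shodan.io with an account's API key, using the `net:` search filter (the 2010 API the talk was written against was different); the netblock store and the Shodan reply used here are constructed, and the HTTP call is injectable so the example runs offline.

```ruby
# Added example (not ShoNuff's code): organization -> netblocks -> Shodan
# banners per block, summarized by port. Endpoint is an assumption (current
# Shodan REST API); store and replies below are constructed.
require 'json'
require 'net/http'
require 'uri'

SHODAN_SEARCH = 'https://api.shodan.io/shodan/host/search'.freeze

# Live call: one query per netblock, using Shodan's "net:" search filter.
# Needs an account's API key, which is the "logged in" requirement.
def shodan_search(query, api_key)
  uri = URI(SHODAN_SEARCH)
  uri.query = URI.encode_www_form(key: api_key, query: query)
  JSON.parse(Net::HTTP.get(uri))
end

# Constructed store in the shape a WHOIS normalizer would produce.
NETBLOCKS = [
  { org: 'Example Transit, Inc.', cidr: '203.0.113.0/24' },
  { org: 'Example Transit, Inc.', cidr: '198.51.100.0/25' },
  { org: 'Example Research BV',   cidr: '192.0.2.0/24' }
].freeze

def netblocks_for(org, records = NETBLOCKS)
  records.select { |r| r[:org].downcase == org.downcase }.map { |r| r[:cidr] }
end

# Banners grouped by port; each entry keeps the host, the block it came from
# and the banner's first line (the protocol greeting or HTTP status line).
def banners_for(org, api_key, records: NETBLOCKS, search: method(:shodan_search))
  by_port = Hash.new { |h, k| h[k] = [] }
  netblocks_for(org, records).each do |cidr|
    reply = search.call("net:#{cidr}", api_key)
    reply.fetch('matches', []).each do |m|
      by_port[m['port']] << { ip: m['ip_str'], cidr: cidr,
                              banner: m['data'].to_s.lines.first.to_s.strip }
    end
  end
  by_port
end

# Constructed Shodan replies, keyed by query, standing in for the live call.
FAKE_REPLIES = {
  'net:203.0.113.0/24' => { 'total' => 2, 'matches' => [
    { 'ip_str' => '203.0.113.10', 'port' => 22, 'data' => "SSH-2.0-OpenSSH_5.3\r\n" },
    { 'ip_str' => '203.0.113.20', 'port' => 80,
      'data' => "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n" }
  ] },
  'net:198.51.100.0/25' => { 'total' => 1, 'matches' => [
    { 'ip_str' => '198.51.100.5', 'port' => 22, 'data' => "SSH-2.0-dropbear_0.52\r\n" }
  ] }
}.freeze
OFFLINE_SEARCH = ->(query, _key) { FAKE_REPLIES.fetch(query, { 'total' => 0, 'matches' => [] }) }

if $PROGRAM_NAME == __FILE__
  banners_for('Example Transit, Inc.', 'APIKEY', search: OFFLINE_SEARCH).sort.each do |port, hits|
    puts "port #{port}:"
    hits.each { |h| puts "  #{h[:ip]} (#{h[:cidr]}) #{h[:banner]}" }
  end
end
```

Keying the summary by port keeps the output readable across many blocks, and carrying the source `cidr` on each hit is what ties a banner back to the WHOIS record it came from. One query per netblock is deliberate: Shodan's `net:` filter takes a single prefix, and a large organization can hold hundreds of blocks, so the live version needs rate limiting around `shodan_search`.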
23. shonuff – the WHOIS master!
• started as PHP/MySQL
• then i got mocked (gently)
• so i ported it to JSP/Postgres 5 days ago
– to prove it can always get worse
• ~~will probably end up as something else~~ is now written in ruby!
24. future plans
• add in WHOIS contact data
• malware IP to WHOIS correlation
– allows easy tieback of malicious content to "real world" network & hosting businesses
• integrate DNS PTR records for netblocks
• Maltego transform?
• Tie-in for Fierce?
• Metasploit fun?