WHOIS the Master - An Introduction to ShoNuff


This talk introduces a new security tool called ShoNuff. With all the talk about IPv4 address scarcity, and the resulting migration to IPv6, I thought it would be interesting to see how the IP space was chopped up. Additionally, I figured it would be interesting to see what organizations were responsible for various network blocks. So, I've started enumerating the whois space for the entire Internet, normalizing that information and making it available to the public. Additionally, I'm tying the allocated network blocks to SHODAN, so that one can query an organization's name and return a complete list of netblocks associated with that entity, then discover what service banners SHODAN has for that particular netblock.

Jason Ross

Jason has been working in the IT industry for about 12 years, and specifically doing InfoSec for the past 9. Jason provides security consulting services, and, after hours, he performs malware research with a number of international organizations and runs the Rochester DefCon Group (DC585). Despite all that, Jason is most proud to be a husband, and a father to 4 wonderful sons.

Presentation Transcript

  • WHOIS the master - an introduction to Sho'Nuff - jason ross
  • about me
    • break stuff for a living
    • play with malware for fun
    • poorly manage defcon group 585
    • refuse to use caps in slide decks (acronyms excluded)
  • agenda
    • 2^32 addresses ought to be enough for anybody
    • alphabet soup, iron fists, and ipv6
    • whois: awesomely full of crap
    • shonuff – the whois master
  • a (very) brief history of 'the internet'
    • lots of separate networks hooked up, some confusion ensued
    • InterNIC stepped out, ICANN stepped in
    • ICANN manages global addressing under contract to US Dept. of Commerce as IANA
    • (not for) profit!
  • ipv4 network allocation
    • large blocks of addresses are allocated to global geographic regions
    • large blocks may be allocated to national geographic regions
    • blocks are divided up and allocated to local ISPs
    • individual addresses or small blocks are assigned to ISP customers
  • early allocation methods
    • there's so much space!
    • large chunks of network space allocated to single organizations
    • justification requirements fairly lax
  • zomg! this thing works!
    • demand increased
    • address assignments got smaller
    • requirements to prove need of requested space got tighter
  • what's a RIR?
    • Regional Internet Registry
    • in charge of large geographic regions
      • AfriNIC : Africa
      • APNIC : Asia / Pacific
      • ARIN : North America
      • LACNIC : Latin America & some Caribbean
      • RIPE NCC : Europe, Middle East, Central Asia
  • what's a NIR?
    • National Internet Registry
    • in charge of small geographic regions
    • act as an agent of the RIR
    • not commonly used, but there's a few
  • what's a LIR?
    • Local Internet Registry
    • usually an ISP
  • why the push for ipv6?
    • ipv4 was not designed for security
    • "available address space is running low"
  • security
    • many con talks and whitepapers by folks lots smarter than i have already covered this
    • so i won't
  • scarcity
    • there have been comments and discussion around the fact that IPv4 space is 'running out' for years.
    • IEEE-USA published a report on this in 8/1999
  • the sky is falling! (aka: how low can you go?)
    • image taken from arstechnica: http://is.gd/dCnMM
  • if ipv4 is running out, where did it go?
    • nobody that knows is telling ('freely')
    • nobody else knows
    • leading to much debate
  • how to find out
    • ask IANA!
    • when that fails, ask the RIRs
    • then ask the LIRs
  • overview of whois tools
    • *nix: whois
    • web: http://lmgtfy.com/?q=web+whois
    • www.robtex.com/whois
  • what's missing?
    • no standardized output
    • can't perform true wildcard queries
      • whois -h whois.arin.net " o . bank*"
    • query options vary by RIR
    • information is not centralized
      • chasing referrals sucks
  • how accurate is whois data?
    • contact data is required by law in most countries to be legit
    • ARIN is working on a policy to validate WHOIS POC info
  • theoretical challenges
    • how to handle referrals
    • should i throttle queries
    • parsing the results
  • interesting reports
    • organizational breakdown
      • who has the most allocations
      • who has the most network space
    • geographic breakdown
      • what countries have ip space
      • which countries have the most space
  • linking results to shodan
    • shodan has [struck: no API] an API!
    • so i [struck: just link to the search results] make calls to it for you
    • you need to have an account
    • and you need to be logged in
  • shonuff – the WHOIS master!
    • started as PHP/MySQL
    • then i got mocked (gently)
    • so i ported it to JSP/Postgres 5 days ago
      • to prove it can always get worse
    • [struck: will probably end up as something else] is now written in ruby!
  • future plans
    • add in WHOIS contact data
    • malware IP to WHOIS correlation
      • allows easy tieback of malicious content to "real world" network & hosting businesses
    • integrate DNS PTR records for netblocks
    • Maltego transform?
    • Tie-in for Fierce?
    • Metasploit fun?
  • the end
    • @rossja
    • algorythm@gmail.com
    • cruft.blogspot.com
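
The "what's missing?" and "theoretical challenges" slides name two problems: no standardized output, and referrals that have to be chased. The Ruby sketch below is an added example, not ShoNuff's own code; it normalizes ARIN-style and RIPE-style records into one shape and follows a referral with loop protection. `FIELD_MAP`, `normalize_whois`, `resolve` and the sample records are assumptions constructed for illustration.

```ruby
require 'ipaddr'

# Registries label the same fields differently (ARIN- and RIPE-style here).
FIELD_MAP = { 'netrange' => :range, 'inetnum' => :range, 'orgname' => :org,
              'descr' => :org, 'country' => :country,
              'referralserver' => :referral }.freeze

# Parse one raw WHOIS response into a normalized hash.
def normalize_whois(raw)
  rec = {}
  raw.each_line do |line|
    next if line.strip.empty? || line.start_with?('#', '%') # comments
    key, value = line.split(':', 2)
    field = FIELD_MAP[key.strip.downcase]
    next if value.nil? || field.nil? || rec.key?(field)     # first value wins
    rec[field] = value.strip
  end
  if rec[:range].to_s.include?('-')
    first, last = rec[:range].split('-').map { |ip| IPAddr.new(ip.strip) }
    rec[:size] = last.to_i - first.to_i + 1                 # addresses in block
  end
  rec[:country] = rec[:country].upcase if rec[:country]
  # "whois://host[:port]" -> next host to ask; stays nil when the answer is final
  rec[:referral] = rec[:referral][%r{\Awhois://([^:/\s]+)}, 1] if rec[:referral]
  rec
end

# Chase referrals; `fetch` is any callable host -> raw text (hop limit + seen-list stop loops).
def resolve(host, fetch, max_hops: 5)
  seen = []
  max_hops.times do
    return nil if seen.include?(host)
    seen << host
    rec = normalize_whois(fetch.call(host))
    return rec.merge(source: host, hops: seen.length) unless rec[:referral]
    host = rec[:referral]
  end
  nil
end

# Constructed sample responses (documentation range, made-up names).
SAMPLES = {
  'whois.arin.net' => "# constructed ARIN-style record\n" \
    "NetRange:       198.51.100.0 - 198.51.100.255\n" \
    "ReferralServer: whois://whois.ripe.net:43\n",
  'whois.ripe.net' => "% constructed RIPE-style record\n" \
    "inetnum: 198.51.100.0 - 198.51.100.255\n" \
    "descr:   Example Bank Ltd\ncountry: nl\n"
}.freeze
```

Calling `resolve('whois.arin.net', ->(h) { SAMPLES.fetch(h) })` runs the whole chain offline; a live lookup function would slot in as `fetch`, which is also where query throttling would go.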