WHOIS the master
an introduction to
Sho'Nuff
jason ross
about me
• break stuff for a living
• play with malware for fun
• poorly manage defcon group 585
• refuse to use caps in slide decks (acronyms
excluded)
agenda
• 2^32 addresses ought to be enough for
anybody
• alphabet soup, iron fists, and ipv6
• whois: awesomely full of crap
• shonuff – the whois master
a (very) brief history of 'the internet'
• lots of separate networks hooked up, some
confusion ensued
• InterNIC stepped out, ICANN stepped in
• ICANN manages global addressing under contract
to US Dept. of Commerce as IANA
• (not for) profit!
ipv4 network allocation
• large blocks of addresses are allocated to global
geographic regions
• large blocks may be allocated to national
geographic regions
• blocks are divided up and allocated to local ISPs
• individual addresses or small blocks are assigned
to ISP customers
early allocation methods
• there's so much space!
• large chunks of network space allocated to
single organizations
• justification requirements fairly lax
zomg! this thing works!
• demand increased
• address assignments got smaller
• requirements to prove need of requested
space got tighter
what's a RIR?
• Regional Internet Registry
• in charge of large geographic regions
– AfriNIC : Africa
– APNIC : Asia / Pacific
– ARIN : North America
– LACNIC : Latin America & some Caribbean
– RIPE NCC : Europe, Middle East, Central Asia
what's a NIR?
• National Internet Registry
• in charge of small geographic regions
• act as an agent of the RIR
• not commonly used, but there's a few
what's a LIR?
• Local Internet Registry
• usually an ISP
why the push for ipv6?
• ipv4 was not designed for security
• "available address space is running low"
security
• many con talks and whitepapers by folks lots
smarter than i have already covered this
• so i won't
scarcity
• there have been comments and discussion
around the fact that IPv4 space is 'running out'
for years.
• IEEE-USA published a report on this in 8/1999
the sky is falling! (aka: how low can you go?)
image taken from arstechnica: http://is.gd/dCnMM
if ipv4 is running out, where did it go?
• nobody that knows is telling ('freely')
• nobody else knows
• leading to much debate
how to find out
• ask IANA!
• when that fails, ask the RIRs
• then ask the LIRs
overview of whois tools
• *nix: whois
• web: http://lmgtfy.com/?q=web+whois
• www.robtex.com/whois
what's missing?
• no standardized output
• can't perform true wildcard queries
– whois -h whois.arin.net " o . bank*"
• query options vary by RIR
• information is not centralized
– chasing referrals sucks
how accurate is whois data?
• contact data is required by law in most
countries to be legit
• ARIN is working on a policy to validate WHOIS
POC info
theoretical challenges
• how to handle referrals
• should i throttle queries
• parsing the results
interesting reports
• organizational breakdown
– who has the most allocations
– who has the most network space
• geographic breakdown
– what countries have ip space
– which countries have the most space
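the three challenges above (referrals, throttling, parsing) and the per-country report, worked through as an added example; this is not code from the talk or from shonuff. the field aliases, the injected fetch lambda and the canned replies are assumptions made so it runs offline.

```ruby
require 'ipaddr'

# Constructed sample replies (not real registry output), keyed by server name.
CANNED = {
  'whois.iana.org' => "% constructed\nrefer:        whois.arin.net\n",
  'whois.arin.net' => <<~ARIN,
    NetRange:       203.0.113.0 - 203.0.113.255
    OrgName:        Example Registry Placeholder
    ReferralServer: whois://whois.apnic.net
  ARIN
  'whois.apnic.net' => <<~RPSL
    inetnum:        203.0.113.0 - 203.0.113.127
    descr:          Example Hosting
    country:        AU
  RPSL
}.freeze

# One logical field, several registry spellings (no standardized output).
ALIASES = {
  range:    %w[netrange inetnum],
  org:      %w[orgname org-name owner descr],
  country:  %w[country],
  referral: %w[referralserver refer]
}.freeze

# Normalise one reply into a hash; the first matching line wins for each field.
def parse_whois(text)
  rec = {}
  text.each_line do |line|
    next if line =~ /\A\s*[#%]/ # registry comment lines
    key, value = line.split(':', 2).map(&:strip)
    next if value.to_s.empty?
    ALIASES.each { |field, names| rec[field] ||= value if names.include?(key.downcase) }
  end
  m = rec[:range].to_s.match(/\A(\S+)\s*-\s*(\S+)\z/) # "first - last" form only
  rec[:size] = IPAddr.new(m[2]).to_i - IPAddr.new(m[1]).to_i + 1 if m
  rec[:referral] = rec[:referral].sub(%r{\A\w+://}, '') if rec[:referral]
  rec
end

# Chase referrals with a hop limit and a loop guard. `fetch` is injected so the
# example runs offline; a live client would query TCP port 43 on `server`.
def resolve(query, server, fetch, max_hops: 4, delay: 0)
  seen = []
  loop do
    seen << server
    rec = parse_whois(fetch.call(server, query))
    nxt = rec[:referral]
    done = nxt.nil? || seen.include?(nxt) || seen.size >= max_hops
    return rec.merge(server: server, path: seen) if done
    sleep(delay) # throttle between queries
    server = nxt
  end
end

# Total address space per organisation or country, largest first.
def breakdown(records, key)
  totals = Hash.new(0)
  records.each { |r| totals[r[key] || 'unknown'] += r[:size].to_i }
  totals.sort_by { |name, size| [-size, name] }
end

FETCH = ->(server, _query) { CANNED.fetch(server) } # offline stand-in for a port-43 client
found = resolve('203.0.113.5', 'whois.iana.org', FETCH)
puts "#{found[:path].join(' -> ')}: #{breakdown([found], :country).inspect}"
```

the record that ends up in the report is the one from the last server in the chain, so the ARIN-style placeholder entry is replaced by the more specific RPSL-style one.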
linking results to shodan
• shodan has an API! (was: no API)
• so i make calls to it for you (was: just link to the search results)
• you need to have an account
• and you need to be logged in
shonuff – the WHOIS master!
• started as PHP/MySQL
• then i got mocked (gently)
• so i ported it to JSP/Postgres 5 days ago
– to prove it can always get worse
• is now written in ruby! (was: will probably end up as something else)
future plans
• add in WHOIS contact data
• malware IP to WHOIS correlation
– allows easy tieback of malicious content to "real
world" network & hosting businesses
• integrate DNS PTR records for netblocks
• Maltego transform?
• Tie-in for Fierce?
• Metasploit fun?
the end
@rossja
algorythm@gmail.com
cruft.blogspot.com
