WHOIS the Master - An Introduction to ShoNuff

This talk introduces a new security tool called ShoNuff. With all the talk about IPv4 address scarcity, and the resulting migration to IPv6, I thought it would be interesting to see how the IP space was chopped up. Additionally, I figured it would be interesting to see what organizations were responsible for various network blocks. So, I've started enumerating the whois space for the entire Internet, normalizing that information and making it available to the public. Additionally, I'm tying the allocated network blocks to SHODAN, so that one can query an organization's name and return a complete list of netblocks associated with that entity, then discover what service banners SHODAN has for that particular netblock.

Jason Ross

Jason has been working in the IT industry for about 12 years, and specifically doing InfoSec for the past 9. Jason provides security consulting services, and, after hours, he performs malware research with a number of international organizations and runs the Rochester DefCon Group (DC585). Despite all that, Jason is most proud to be a husband, and a father to 4 wonderful sons.

  1. WHOIS the master: an introduction to Sho'Nuff (jason ross)
  2. about me
     • break stuff for a living
     • play with malware for fun
     • poorly manage defcon group 585
     • refuse to use caps in slide decks (acronyms excluded)
  3. agenda
     • 2^32 addresses ought to be enough for anybody
     • alphabet soup, iron fists, and ipv6
     • whois: awesomely full of crap
     • shonuff – the whois master
  4. a (very) brief history of 'the internet'
     • lots of separate networks hooked up, some confusion ensued
     • InterNIC stepped out, ICANN stepped in
     • ICANN manages global addressing under contract to US Dept. of Commerce as IANA
     • (not for) profit!
  5. ipv4 network allocation
     • large blocks of addresses are allocated to global geographic regions
     • large blocks may be allocated to national geographic regions
     • blocks are divided up and allocated to local ISPs
     • individual addresses or small blocks are assigned to ISP customers
  6. early allocation methods
     • there's so much space!
     • large chunks of network space allocated to single organizations
     • justification requirements fairly lax
  7. zomg! this thing works!
     • demand increased
     • address assignments got smaller
     • requirements to prove need of requested space got tighter
  8. what's a RIR?
     • Regional Internet Registry
     • in charge of large geographic regions
       – AfriNIC : Africa
       – APNIC : Asia / Pacific
       – ARIN : North America
       – LACNIC : Latin America & some Caribbean
       – RIPE NCC : Europe, Middle East, Central Asia
  9. what's a NIR?
     • National Internet Registry
     • in charge of small geographic regions
     • act as an agent of the RIR
     • not commonly used, but there are a few
  10. what's a LIR?
     • Local Internet Registry
     • usually an ISP
  11. why the push for ipv6?
     • ipv4 was not designed for security
     • "available address space is running low"
  12. security
     • many con talks and whitepapers by folks lots smarter than i have already covered this
     • so i won't
  13. scarcity
     • there have been comments and discussion around the fact that IPv4 space is 'running out' for years
     • IEEE-USA published a report on this in 8/1999
  14. the sky is falling! (aka: how low can you go?)
     image taken from arstechnica: http://is.gd/dCnMM
  15. if ipv4 is running out, where did it go?
     • nobody that knows is telling ('freely')
     • nobody else knows
     • leading to much debate
  16. how to find out
     • ask IANA!
     • when that fails, ask the RIRs
     • then ask the LIRs
  17. overview of whois tools
     • *nix: whois
     • web: http://lmgtfy.com/?q=web+whois
     • www.robtex.com/whois
  18. what's missing?
     • no standardized output
     • can't perform true wildcard queries
       – whois -h whois.arin.net " o . bank*"
     • query options vary by RIR
     • information is not centralized
       – chasing referrals sucks
  19. how accurate is whois data?
     • contact data is required by law in most countries to be legit
     • ARIN is working on a policy to validate WHOIS POC info
  20. theoretical challenges
     • how to handle referrals
     • should i throttle queries
     • parsing the results
  21. interesting reports
     • organizational breakdown
       – who has the most allocations
       – who has the most network space
     • geographic breakdown
       – what countries have ip space
       – which countries have the most space
  22. linking results to shodan
     • shodan has no API (update: shodan has an API!)
     • so i just link to the search results (update: shonuff makes the API calls for you)
     • you need to have an account
     • and you need to be logged in
  23. shonuff – the WHOIS master!
     • started as PHP/MySQL
     • then i got mocked (gently)
     • so i ported it to JSP/Postgres 5 days ago
       – to prove it can always get worse
     • will probably end up as something else (update: it is now written in ruby!)
  24. future plans
     • add in WHOIS contact data
     • malware IP to WHOIS correlation
       – allows easy tieback of malicious content to "real world" network & hosting businesses
     • integrate DNS PTR records for netblocks
     • Maltego transform?
     • Tie-in for Fierce?
     • Metasploit fun?
  25. the end
     @rossja
     algorythm@gmail.com
     cruft.blogspot.com
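Slides 18 and 20 name the two parsing problems a whois enumerator hits: each RIR prints records in its own layout, and a query to one registry may only hand back a referral to another. The normalizer below is an added illustration, not ShoNuff's own code; the two registry responses are constructed samples in the ARIN ("NetRange:") and RIPE ("inetnum:") styles using documentation address ranges, and the field names assumed for the referral and organization are the ones those two registries commonly emit.

```python
import ipaddress
import re

# Constructed sample responses (not real registry data). ARIN-style records
# use "Key:   value" lines and "#" comments; RIPE/APNIC-style records use
# lowercase keys, an "inetnum" range, and "%" comments.
ARIN_SAMPLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Hosting LLC
ReferralServer: whois://whois.ripe.net
"""

RIPE_SAMPLE = """\
% This is the RIPE Database query service.
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET-2
descr:          Example Transit GmbH
country:        DE
org-name:       Example Transit GmbH
"""

KEY_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")

def parse_fields(text):
    """Return lowercase key -> first value, skipping comment/blank lines."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "#%":
            continue
        m = KEY_RE.match(line)
        if m and m.group(1).lower() not in fields:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def normalize(text):
    """Map either record style onto one schema: cidrs, org, referral."""
    f = parse_fields(text)
    rng = f.get("netrange") or f.get("inetnum")
    if rng is None:
        raise ValueError("no network range found in record")
    start, end = (s.strip() for s in rng.split("-"))
    # Registries print ranges, not prefixes; convert to a CIDR list so
    # blocks from different RIRs can be compared and stored uniformly.
    cidrs = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))]
    referral = f.get("referralserver", "").replace("whois://", "")
    return {"cidrs": cidrs,
            "org": f.get("orgname") or f.get("org-name") or f.get("descr"),
            "referral": referral or None}   # non-None means: query that RIR next
```

A non-empty `referral` tells the caller which registry actually holds the record, which is the point at which a throttle between successive queries (slide 20) belongs.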