WHOIS the Master

Presents a WHOIS database search engine tool I wrote to allow pentesters to access network information for specified targets. First presented at BSidesDE 2010


  1. WHOIS the master: an introduction to Sho'Nuff (jason ross)
  2. about me
     • job: break stuff for the intrepidus group
     • play: with malware
     • poorly manage defcon group 585
     • refuse to use caps in slide decks (acronyms excluded)
  3. agenda
     • 2^32 addresses ought to be enough for anybody
     • alphabet soup, iron fists, and ipv6
     • whois: awesomely full of crap
     • shonuff – the whois master
  4. a (very) brief history of 'the internet'
     • lots of separate networks hooked up, some confusion ensued
     • InterNIC stepped out, ICANN stepped in
     • ICANN manages global addressing under contract to US Dept. of Commerce as IANA
     • (not for) profit!
  5. ipv4 network allocation
     • large blocks of addresses are allocated to global geographic regions
     • large blocks may be allocated to national geographic regions
     • blocks are divided up and allocated to local ISPs
     • individual addresses or small blocks are assigned to ISP customers
  6. early allocation methods
     • there's so much space!
     • large chunks of network space allocated to single organizations
     • justification requirements fairly lax
  7. zomg! this thing works!
     • demand increased
     • address assignments got smaller
     • requirements to prove need of requested space got tighter
  8. what's a RIR?
     • Regional Internet Registry
     • in charge of large geographic regions
       – AfriNIC : Africa
       – APNIC : Asia / Pacific
       – ARIN : North America
       – LACNIC : Latin America & some Caribbean
       – RIPE NCC : Europe, Middle East, Central Asia
  9. what's a NIR?
     • National Internet Registry
     • in charge of small geographic regions
     • act as an agent of the RIR
     • not commonly used, but there's a few
  10. what's a LIR?
     • Local Internet Registry
     • usually an ISP
  11. why the push for ipv6?
     • ipv4 was not designed for security
     • "available address space is running low"
  12. security
     • many con talks and whitepapers by folks lots smarter than i have already covered this
     • so i won't
  13. scarcity
     • there have been comments and discussion around the fact that IPv4 space is 'running out' for years.
     • IEEE-USA published a report on this in 8/1999
  14. the sky is falling! (aka: how low can you go?)
     • image taken from arstechnica: http://is.gd/dCnMM
  15. if ipv4 is running out, where did it go?
     • nobody that knows is telling ('freely')
     • nobody else knows
     • leading to much debate
  16. how to find out
     • ask IANA!
     • when that fails, ask the RIRs
     • then ask the LIRs
  17. overview of whois tools
     • *nix: whois
     • web: http://lmgtfy.com/?q=web+whois
     • www.robtex.com/whois
  18. what's missing?
     • no standardized output
     • can't perform true wildcard queries
       – whois -h whois.arin.net " o . bank*"
     • query options vary by RIR
     • information is not centralized
       – chasing referrals sucks
  19. how accurate is whois data?
     • contact data is required by law in most countries to be legit
     • ARIN is working on a policy to validate WHOIS POC info
  20. theoretical challenges
     • most efficient way to scan
     • how to handle referrals
     • should i throttle queries
     • parsing the results
  21. shonuff – the WHOIS master!
     • started as PHP/MySQL
     • then i got mocked (gently)
     • so i ported it to JSP/Postgres
       – to prove it can always get worse
     • is now written in ruby!
  22. what's new?
     • better integration with shodan
     • privacy policy
     • more query types supported
  23. linking results to shodan
     • shodan has an API!
     • so i just make calls to it for you
       – many thanks to achillean, for letting this work!
  24. interesting reports
     • organizational breakdown
       – who has the most allocations
       – who has the most network space
     • geographic breakdown
       – what countries have ip space
       – which countries have the most space
  25. Demo!
  26. future plans
     • add in WHOIS contact data
     • malware IP to WHOIS correlation
       – allows easy tie-back of malicious content to "real world" network & hosting businesses
     • integrate DNS records for netblocks
     • Maltego transform?
     • Tie-in for Fierce?
     • Metasploit fun?
  27. where is it?
     • http://whoisthemaster.org
  28. the end
     • @rossja
     • algorythm@gmail.com
     • cruft.blogspot.com
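
The problems listed on slides 18 and 20 (no standardized output, chasing referrals, throttling, parsing) can be illustrated with a short Ruby sketch. This is an added example, not code from Sho'Nuff or from the talk: the two replies are constructed samples using field names commonly seen in ARIN-style and RIPE-style output, and `fetcher` is a hypothetical stand-in for whatever performs the actual port 43 query.

```ruby
ARIN_SAMPLE = <<~TXT
  # constructed ARIN-style reply
  NetRange:       192.0.2.0 - 192.0.2.255
  OrgName:        Example Org
  Country:        US
  ReferralServer: whois://whois.ripe.net:43
TXT
RIPE_SAMPLE = <<~TXT
  % constructed RIPE-style reply
  inetnum:        198.51.100.0 - 198.51.100.255
  descr:          Example Org Two
  country:        NL
TXT

# Map registry-specific field names onto one common set of keys.
FIELD_MAP = {
  'netrange' => :range, 'inetnum' => :range,
  'orgname' => :org, 'descr' => :org,
  'country' => :country, 'referralserver' => :referral
}.freeze

# Parse "key: value" lines, skipping comments ('#' or '%') and unknown keys.
def parse_whois(text)
  text.each_line.with_object({}) do |line, record|
    line = line.strip
    next if line.empty? || line.start_with?('#', '%')
    key, value = line.split(':', 2)
    field = FIELD_MAP[key.strip.downcase]
    record[field] ||= value.strip if field && value
  end
end

# Host named by a referral, or nil when the reply is final.
def referral_host(record)
  record[:referral]&.sub(%r{\A\w+://}, '')&.sub(/:\d+\z/, '')
end

# Follow referrals via fetcher (host -> reply text); throttle, stop on loops.
def resolve(start_host, fetcher, delay: 0, max_hops: 3)
  host, seen = start_host, []
  loop do
    seen << host
    record = parse_whois(fetcher.call(host))
    nxt = referral_host(record)
    return record.merge(source: host) if nxt.nil? || seen.include?(nxt) || seen.size > max_hops
    sleep(delay)
    host = nxt
  end
end
```

Passing a non-zero `delay` spaces out the queries, and the `seen` list keeps two servers that refer to each other from causing an endless chase.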
