Mass Scanning the Internet - DEF CON® Hacking Conference
Mass Scanning the Internet
Tips, tricks, results
Robert Graham, Paul McMillan, Dan Tentler

0.0.0.0/0

Why scan the Internet (defensive)

• How many systems are vulnerable to Heartbleed?
• How many systems can be used for NTP amplification?
• How many systems are vulnerable to the D-Link router vulnerability?
• Survey all SSL certificates in use

Why scan the Internet (offensive)

• Uh, it’s the deepnet
• Pick a random port, run masscan with “--banners”, and you find something hackable within minutes

Why scan the Internet (really)

• Because it’s fun
• Because it’s informative
  – You can’t appreciate how small the Internet is until you’ve scanned 0.0.0.0/0
• It’ll make you famous
  – Pick a target, like a Siemens control system
  – Scan the Internet for it
  – Do a BlackHat talk
  – Get in the news

Theoretical physical infrastructure

• Packets have overhead
  – Ethernet packets have 44 bytes of overhead (14-byte header, 4-byte FCS, 8-byte preamble, 12-byte inter-frame gap, plus 6 bytes of padding up to the 64-byte minimum frame)
  – TCP SYN packets are 40 bytes (20-byte IP header + 20-byte TCP header, no options)
• Max rate for 1 Gbps Ethernet
  – 476 Mbps of actual traffic
  – 524 Mbps of Ethernet overhead
  – 1,488,000 packets/second
http://blog.erratasec.com/2013/10/whats-max-speed-on-ethernet.html

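The slide's numbers follow from Ethernet framing, and the same arithmetic answers the question a scanner operator actually asks: how fast can this link push probes, and how long will a sweep of 0.0.0.0/0 take at the rate I can sustain? The calculator below is an added example, not code from the talk or from masscan; the frame constants are standard Ethernet, and the one assumption is a 40-byte probe, i.e. IP and TCP headers with no options.

```python
# Link budget for SYN scanning on Ethernet. Added example, not from the talk.
# Constants are standard Ethernet framing; the 40-byte probe assumes IP+TCP
# headers without options, as on the slide.

PREAMBLE_SFD = 8   # preamble + start-of-frame delimiter: on the wire, not in the frame
IFG = 12           # minimum inter-frame gap
ETH_HEADER = 14    # dst MAC + src MAC + ethertype
FCS = 4            # frame check sequence
MIN_FRAME = 64     # header + payload + FCS is padded up to this
IPV4_ADDRESSES = 2 ** 32


def wire_bytes(ip_packet_len):
    """Line time, in byte slots, that one IP packet costs on Ethernet."""
    frame = max(MIN_FRAME, ETH_HEADER + ip_packet_len + FCS)
    return PREAMBLE_SFD + frame + IFG


def overhead_bytes(ip_packet_len):
    """Everything on the wire that is not the IP packet itself."""
    return wire_bytes(ip_packet_len) - ip_packet_len


def max_pps(link_bps, ip_packet_len=40):
    """Packets per second a link can carry at this packet size."""
    return link_bps // (wire_bytes(ip_packet_len) * 8)


def goodput_bps(link_bps, ip_packet_len=40):
    """Bits per second of actual IP traffic at the maximum packet rate."""
    return max_pps(link_bps, ip_packet_len) * ip_packet_len * 8


def sweep_seconds(pps, ports=1, addresses=IPV4_ADDRESSES):
    """Time to send one probe to every address/port pair at a sustained rate."""
    return addresses * ports / pps


if __name__ == "__main__":
    gig = 10 ** 9
    print(f"SYN: {overhead_bytes(40)} bytes overhead, {wire_bytes(40)} bytes on the wire")
    print(f"1 Gbps: {max_pps(gig):,} pps, goodput {goodput_bps(gig) / 1e6:.0f} Mbps, "
          f"overhead {(gig - goodput_bps(gig)) / 1e6:.0f} Mbps")
    for rate in (max_pps(gig), 500_000, 150_000):
        print(f"{rate:>9,} pps: one port across IPv4 in {sweep_seconds(rate) / 3600:.1f} h")
```

At the ~150 kpps the speaker settles for, one port across the whole IPv4 space takes about eight hours; at line rate it is under an hour. The gap is why the switch, VPS and ISP limits on the following slides, not the link itself, decide the real rate.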
ISP billing

• Some ISPs measure Ethernet rate
  – Charge you for the full 1 Gbps
• Some ISPs measure WAN rate
  – Charge you for ~600 Mbps
• Some ISPs don’t see the small packets
  – This one time, ISP didn’t see our outbound traffic, only inbound
• Some ISPs are unmetered
  – Yea!

Practical physical infrastructure

• VPS can strain under the load of small packets
• Ethernet switches struggle with small packets
  – Above 500 kpps is often difficult
  – Turning off flow control may help
• Some parts may drop packets
  – Transmitting 500 kpps doesn’t mean all packets are reaching the Internet
• I usually do ~150 kpps
  – When I don’t particularly care about speed

Abuse complaints

• You will get abuse complaints
• Your ISP will get upset
• Some things are worse than others
  – Heartbleed scans generate abuse complaints weeks later
  – HTTP scans get you put on fail2ban lists
  – Snort/Emerging Threats rules generate a lot of complaints

ISPs must take this seriously

• Some networks react by blackholing the entire AS
• DoD gets real pissy

Maintain exclude list

• /etc/masscan/masscan.conf
• exclude = 224.0.0.0-255.255.255.255
• exclude-file = exclude.ips

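The exclude file is the one piece of scan state that grows for as long as you scan, because every complainant who asks gets added to it. The script below is an added example, not masscan's own code: it parses the line forms masscan's exclude files accept (a single address, a CIDR block, or a dotted range written first-last), merges a new complainant's range in, collapses overlaps, and answers "would this address be probed?". The `#` comment handling and the constructed sample file are this example's own; check that your masscan build tolerates comments before putting them in the real exclude.ips.

```python
# Keep a masscan-style exclude list. Added example, not masscan's own code.
# Accepted line forms: single IP, CIDR block, or dotted range "first-last".
# Trailing "#" comments are stripped by this parser (an assumption about the
# file format, not something the talk states).
import ipaddress

# Constructed sample file: the multicast/reserved block from the slide plus
# two entries of the kind a complainant sends (documentation ranges, not real).
SAMPLE_EXCLUDE = """\
# never scan these
224.0.0.0-255.255.255.255
192.0.2.0/24          # abuse ticket, constructed
198.51.100.7
"""


def parse_exclude_line(line):
    """Turn one exclude-file line into a list of IPv4Network objects."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return []
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range runs backwards: {text}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(text, strict=False)]


def load_excludes(text):
    """Parse a whole file and collapse overlapping or adjacent blocks."""
    nets = []
    for line in text.splitlines():
        nets.extend(parse_exclude_line(line))
    return list(ipaddress.collapse_addresses(nets))


def add_exclude(nets, spec):
    """Add a complainant's range (any accepted form) and re-collapse."""
    return list(ipaddress.collapse_addresses(list(nets) + parse_exclude_line(spec)))


def is_excluded(nets, ip):
    """Would a scan using this list skip the address?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


def excluded_count(nets):
    """How much of the address space the list removes from a 0.0.0.0/0 scan."""
    return sum(net.num_addresses for net in nets)


def render(nets):
    """Write the list back out as CIDR blocks, one per line."""
    return "".join(f"{net}\n" for net in nets)


if __name__ == "__main__":
    excludes = load_excludes(SAMPLE_EXCLUDE)
    excludes = add_exclude(excludes, "192.0.2.0-192.0.3.255")  # ticket widens the block
    print(render(excludes), end="")
    print(f"{excluded_count(excludes):,} addresses excluded")
    for ip in ("239.255.255.250", "192.0.3.9", "203.0.113.1"):
        print(ip, "excluded" if is_excluded(excludes, ip) else "scannable")
```

Point masscan at the rendered file with `--excludefile exclude.ips`, or with the `exclude-file =` line in `/etc/masscan/masscan.conf` as on the slide; masscan subtracts the excluded ranges from the target list before it starts, so they never receive a probe. Keep the file under version control: a rebuild that silently loses entries is how a complainant who was promised exclusion ends up escalating to your ISP.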
Complainers are often dicks

• “I’m going to call the Internet Police on you”
• “We’ve blocked you at the firewall, so there! neener-neener”

Complainers are often stupid

• “The infrastructure of Woori Financial Group is classified as "National Security Objective Facility - class A" and unauthorized access to this facility is strictly prohibited by related laws and regulations.”

Friendly with ISP

• We work closely with our ISP
• Provide free cybersec consulting
• Handle abuse complaints ourselves
  – SWIP – Shared WHOIS Project
• Add everyone who asks to our “exclude” aka “blacklist” file

…or you can do anonymous VPS

• Pay cheap VPS provider with Bitcoin
• You can complete the scan and be done before complaints cause them to shut down your account
• A lot of them are shady operators friendly to spam and scammers anyway

masscan

like nmap

• All nmap options are parsed
  – …if only to say “this nmap option isn’t supported”
• Output formats close to nmap
  – Can be imported into some tools
• Lots of features supported
  – SCTP scanning
  – UDP nmap-payloads

unlike nmap

• Port-at-a-time instead of host-at-a-time
  – Results for each port reported as soon as it’s found
  – Results are not combined together per host
• …because it’s asynchronous
  – Transmit thread spews out requests
  – Receive thread receives responses
• …making it 1000 times faster

Nmap is a better scanner

• NSE is way cool
• Scanning a single host is way better
• Masscan is simply a faster or more scalable scanner for large networks

Its own TCP/IP stack!!#$%^@

• Masscan has its own TCP/IP stack
  – Runs side-by-side with the existing stack
  – Defaults to the same address
  – Causes duplicate ARPs and TCP RSTs
• OS RSTs prevent TCP connections from being established
  – Should spoof a different IP address, or filter the range of source ports, to prevent this

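Why the scanner needs its own stack, and why the kernel's RSTs matter, both come down to state: the transmit thread on the previous slides remembers nothing about the probes it sends, so the receive thread has to recognise a reply from the packet alone. The technique masscan's documentation calls SYN cookies does this by making each probe's initial sequence number a keyed hash of the target; a SYN/ACK whose acknowledgement number equals that hash plus one can only be an answer to a probe this run sent. The code below is an added illustration in Python, not masscan's code: the cookie function (HMAC-SHA256 truncated to 32 bits), the fixed source port 61000 and the dict-shaped "received segment" are this example's own choices.

```python
# Stateless matching of SYN-scan replies via SYN cookies. Added illustration,
# not masscan's code: the hash, the source port and the segment representation
# are this example's own choices.
import hashlib
import hmac
import ipaddress
import secrets
import struct

SOURCE_PORT = 61000          # assumption: the port you would give --source-port
MASK32 = 0xFFFFFFFF


class SynCookieScanner:
    def __init__(self, key=None):
        # Per-run secret: replies to someone else's scan, or to an earlier run
        # of ours, do not validate against it and are dropped.
        self.key = key if key is not None else secrets.token_bytes(16)

    def cookie(self, ip, port):
        """32-bit initial sequence number derived from the target; never stored."""
        msg = ipaddress.IPv4Address(ip).packed + struct.pack("!HH", port, SOURCE_PORT)
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def probe(self, ip, port):
        """Everything the transmit thread needs to emit one SYN; nothing is remembered."""
        return {"dst": ip, "dport": port, "sport": SOURCE_PORT, "seq": self.cookie(ip, port)}

    def classify(self, segment):
        """Receive-thread side. `segment` is a constructed parse of an inbound TCP
        segment: src, sport, dport, flags (string of S/A/R letters) and ack."""
        if segment["dport"] != SOURCE_PORT:
            return None                      # not addressed to the scanner at all
        expected = (self.cookie(segment["src"], segment["sport"]) + 1) & MASK32
        if segment["ack"] != expected:
            return "stale"                   # unsolicited, spoofed, or from another run
        flags = segment["flags"]
        if "S" in flags and "A" in flags:
            return "open"
        if "R" in flags:
            return "closed"
        return "other"


def demo():
    """Constructed exchange: one open port, one closed port, one forged reply."""
    scanner = SynCookieScanner(key=b"\x01" * 16)
    probe = scanner.probe("192.0.2.10", 443)
    replies = [
        {"src": "192.0.2.10", "sport": 443, "dport": SOURCE_PORT, "flags": "SA",
         "ack": (probe["seq"] + 1) & MASK32},
        {"src": "192.0.2.10", "sport": 22, "dport": SOURCE_PORT, "flags": "RA",
         "ack": (scanner.cookie("192.0.2.10", 22) + 1) & MASK32},
        {"src": "192.0.2.10", "sport": 80, "dport": SOURCE_PORT, "flags": "SA",
         "ack": 0x12345678},
    ]
    return [(r["sport"], scanner.classify(r)) for r in replies]


if __name__ == "__main__":
    for port, verdict in demo():
        print(f"192.0.2.10:{port} -> {verdict}")
```

The kernel has no socket on port 61000, so when the real SYN/ACK arrives it answers with a RST of its own and tears the half-open connection down before a banner can be read, which is the failure the slide describes. masscan's README handles it with `--source-port 61000` and a firewall rule such as `iptables -A INPUT -p tcp --dport 61000 -j DROP`; the other fix on the slide, giving masscan an address the OS does not own, keeps the kernel out of the path entirely.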
Banner checking

• Establishes TCP connection
• Heuristics figure out protocols
  – Scan for port 443 of Internet reveals a lot of SSH and HTTP running on that port
• Only a few things supported right now
  – One of these days I’ll add NSE-style scripting, but right now you can hard-code C stuff

Multiple sources

• --shard 1/50
  – Used when doing the same scan from multiple machines
• --source-ip 10.0.0.32-10.0.0.63
  – Spreads out a scan from multiple IP addresses from the same machine
• --source-ip 0.0.0.0-255.255.255.255
  – …for when you want to be a dick

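What `--shard` and a `--source-ip` range actually divide up: masscan does not walk address ranges in order. It numbers every (address, port) pair, pushes the index through a keyed permutation so consecutive probes land on unrelated networks, and gives each shard a slice of that scrambled index space, so each machine in a 50-way scan gets a random fiftieth of the Internet rather than a contiguous block that would hammer one provider. The code below is an added example, not masscan's code: the permutation is a small Feistel network with cycle-walking, the same construction family as masscan's "BlackRock" but not its implementation, and the contiguous-slice shard split and round-robin choice of source address are this example's assumptions about the details.

```python
# Partitioning a scan across shards and source addresses over a scrambled
# (address, port) index space. Added example; masscan's own BlackRock
# permutation and shard arithmetic differ in detail.
import hashlib
import ipaddress


def _round_function(key, rnd, value, half_bits):
    """Keyed round function: a short BLAKE2b digest masked to the half width."""
    data = key + bytes([rnd]) + value.to_bytes(8, "big")
    digest = hashlib.blake2b(data, digest_size=8).digest()
    return int.from_bytes(digest, "big") & ((1 << half_bits) - 1)


def permute(index, size, key, rounds=4):
    """Keyed bijection on range(size): a balanced Feistel network over the
    smallest power-of-four domain covering `size`, with cycle-walking so an
    out-of-range output is fed back until one lands inside. No table is built,
    so it works for the full 2^32 x ports space as well as for 48 targets."""
    half_bits = (max(size - 1, 1).bit_length() + 1) // 2
    mask = (1 << half_bits) - 1
    x = index
    while True:
        left, right = x >> half_bits, x & mask
        for rnd in range(rounds):
            left, right = right, left ^ _round_function(key, rnd, right, half_bits)
        x = (left << half_bits) | right
        if x < size:
            return x


def shard_slice(size, shard, of):
    """Shard `shard` of `of` (1-based, like --shard 1/50) as a contiguous slice
    of the scrambled index space; the last shard absorbs the remainder."""
    if not 1 <= shard <= of:
        raise ValueError("shard must be between 1 and of")
    per_shard = size // of
    start = per_shard * (shard - 1)
    end = size if shard == of else start + per_shard
    return range(start, end)


def shard_targets(cidrs, ports, shard, of, key, source_ips):
    """Probes this shard sends, in transmit order: (target ip, port, source ip)."""
    addresses = [int(a) for c in cidrs for a in ipaddress.IPv4Network(c, strict=False)]
    ports = list(ports)
    size = len(addresses) * len(ports)
    probes = []
    for index in shard_slice(size, shard, of):
        scrambled = permute(index, size, key)
        ip = ipaddress.IPv4Address(addresses[scrambled // len(ports)])
        port = ports[scrambled % len(ports)]
        source = source_ips[index % len(source_ips)]  # assumption: round-robin over the --source-ip range
        probes.append((str(ip), port, source))
    return probes


if __name__ == "__main__":
    # Constructed inputs: a documentation /28, three ports, a 5-way shard split,
    # and the 32-address source range from the slide.
    key = b"scan-run-secret"
    sources = [str(a) for a in ipaddress.IPv4Network("10.0.0.32/27")]
    for shard in range(1, 6):
        probes = shard_targets(["192.0.2.0/28"], [22, 80, 443], shard, 5, key, sources)
        print(f"shard {shard}/5: {len(probes)} probes, first {probes[:3]}")
```

Every shard must use the same key (masscan's `--seed`) for the slices to be disjoint and complete; with different seeds each machine scrambles the space differently and targets are both duplicated and missed.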
Load testing

• This will crash firewalls
• Great for load testing firewalls
• --infinite --banners --source-ip <range>
  – Maintains lots of open connections with target

Binary format

• Use “-oB foo.scan” instead of “-oX foo.xml”
• Then convert:
  masscan --readscan foo.scan -oX foo.xml
• Because
  – It’s more compact
  – If there’s bugs in output, I can fix them

Spoof scan

• Receive on one IP address
  – Such as a burner Android phone
  – Receiving packets is low-bandwidth
• Send from data center without egress filtering
  – --source-ip spoofing the other source address

results

VNC scanning

Heartbleed

• 600k systems vulnerable April 10
• 300k systems still vulnerable July
  – Mostly “devices”

Secure: you keep using that word

Some I think are just honeypots

Mainframe scanning

• TN3270 Telnet-over-SSL port 992
• Look at @mainframed767 for cool pics of IBM Mainframe login screens

<other results>

<demos>