next generation web scanning new zealand a case study
play

Next generation web scanning New Zealand: A case study First - PowerPoint PPT Presentation

Oct 21, 2023 •191 likes •802 views

Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By Andrew Horton aka urbanadventurer NZ Web Recon Goal: To scan all of New Zealand's web-space to see what's there. Requirements: Targets

  1. Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By Andrew Horton aka urbanadventurer

  2. NZ Web Recon Goal: To scan all of New Zealand's web-space to see what's there. Requirements: – Targets – Scanning – Analysis Sounds easy, right? urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  3. Targets urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  4. Targets What does 'NZ web-space' mean? It could mean: • Geographically within NZ regardless of the TLD • The .nz TLD hosted anywhere • All of the above For this scan it means, IPs geographically within NZ urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  5. Finding Targets We need creative methods to find targets urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  6. DNS Zone Transfer urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  7. Find IP addresses on IRC and by resolving lots of NZ websites 58.*.*.* 60.*.*.* 65.*.*.* 91.*.*.* 110.*.*.* 111.*.*.* 113.*.*.* 114.*.*.* 115.*.*.* 116.*.*.* 117.*.*.* 118.*.*.* 119.*.*.* 120.*.*.* 121.*.*.* 122.*.*.* 123.*.*.* 124.*.*.* 125.*.*.* 130.*.*.* 131.*.*.* 132.*.*.* 138.*.*.* 139.*.*.* 143.*.*.* 144.*.*.* 146.*.*.* 150.*.*.* 153.*.*.* 156.*.*.* 161.*.*.* 162.*.*.* 163.*.*.* 165.*.*.* 166.*.*.* 167.*.*.* 192.*.*.* 198.*.*.* 202.*.*.* 203.*.*.* 210.*.*.* 218.*.*.* 219.*.*.* 222.*.*.* 729,580,500 IPs. More than we want to try. urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  8. IP address blocks in the IANA IPv4 Address Space Registry Prefix Designation Date Whois Status [1] ----- ------ ---- ----- ---------- 000/8 IANA - Local Identification 1981-09 RESERVED 001/8 IANA UNALLOCATED 002/8 RIPE NCC 2009-09 whois.ripe.net ALLOCATED 003/8 General Electric Company 1994-05 LEGACY 201/8 LACNIC 2003-04 whois.lacnic.net ALLOCATED 202/8 APNIC 1993-05 whois.apnic.net ALLOCATED 203/8 APNIC 1993-05 whois.apnic.net ALLOCATED 204/8 ARIN 1994-03 whois.arin.net ALLOCATED 205/8 ARIN 1994-03 whois.arin.net ALLOCATED 206/8 ARIN 1995-04 whois.arin.net ALLOCATED 207/8 ARIN 1995-11 whois.arin.net ALLOCATED 208/8 ARIN 1996-04 whois.arin.net ALLOCATED 209/8 ARIN 1996-06 whois.arin.net ALLOCATED 210/8 APNIC 1996-06 whois.apnic.net ALLOCATED 211/8 APNIC 1996-06 whois.apnic.net ALLOCATED This list has 663,255,000 IPs. More than we want to try. urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  9. Failed methods to find targets • DNS Zone transfers from top level domain name servers • Learn IP address ranges for well known national websites and networks • All IP addresses allocated to APNIC (Asia Pacific NIC) We need new methods to find IP addresses and website hostnames for New Zealand urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  10. geoipgen and the MaxMind GeoIP database Use MaxMind’s free database of IP to Country allocations Homepage: www.morningstarsecurity.com/research/geoipgen Produces 6,319,348 New Zealand IP addresses urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  11. Scanning for TCP Port 80 with nmap Find the 75,964 web servers among 6 million IPs into nmap -i ./iplist -P0 -sT --open -n -p 80 – oG iplist.gnmap.log urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  12. Reverse Resolving IP addresses Use adns-tools for fast, asynchronous resolving 31,973 IPs are resolved to hostnames urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  13. Search query ip:210.48.71.196 11,872 IPs are indexed by bing.com which have 89,265 virtual hosts. urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  14. Google.com urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  15. Google.com There is a common misconception that Google scraping is no longer possible and is halted by Google’s bot detection. It is possible to search for a wide set of search terms and to retrieve a shallow set of the each result, i.e. 3 pages. searching aaa through to zzz found 58,602 hostnames searching every word in /usr/share/dict/words found 116,052 hostnames 126,408 unique NZ hostnames found with Google urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  16. DNS Zone Transfers Revisited urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  17. DNS Zone Transfers Revisited Extracting domainnames urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  18. DNS Zone Transfers Revisited Results Attempt a DNS zone transfer for each domain 135,591 unique domain names were found with reverse resolving IPs, Bing, and Google scanning. Tool: dns-enum.pl Found 560,352 hosts in 70,475 domains. urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  19. DNS Brute Forcing – Not Implemented Guessing subdomains, eg. test.example.com, www2.example.com, intranet.example.com urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  20. Final Target List • 699,413 unique hostnames found with reverse resolving, Google, Bing and zone transfers • Resolve the hostnames to IPs • Keep only the hostnames with IPs in the port scanned list of 75,964 IPs found with nmap • 75,964 IPs + 274,989 hostnames = 350,953 virtual hosts to test urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  21. Scanning – Targets – Scanning – Analysis urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  22. Traditional Web Scanners Nikto and Nessus • Time. Nikto takes too long because it guesses 1000s of URLs. • Impolite. Nikto has a big footprint with 1000s of lines in each web servers logs and it increases web server load. • Law. Some Nikto tests will attempt to exploit vulnerabilities so it is not suitable for use without permission. • Information. Pretty good Nmap • Time. Nmap is fast • Impolite. Nmap is polite, it makes only a few connections • Law. Unquestionable • Information. Scarce urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  23. WhatWeb • Time. Fast • Polite. Doesn't trigger NIDS • Law. Unquestionable • Information. Rich • Instead of guessing URLs to identify systems, make better use of the information provided by the web server during an HTTP transaction. urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  24. WhatWeb Discover what powers websites by identifying: • content management systems (CMS) • blogging platforms • stats/analytics packages • javascript libraries • HTTP servers • Written in Ruby for Linux • OpenSource License • Plugin architecture urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  25. WhatWeb • Passive and aggressive plugins • Passive plugins use information from: – The HTML page – HTTP headers – Cookies – URL • Lightweight like a search engine crawler • A single GET / HTTP/1.0 request urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  26. WhatWeb • Aggressive plugins use information from: – Testing for URLs and identifying patterns in the HTML – Testing for URLs and recognising the MD5 hash of the response – Testing for URLs and simply noting they exist or return an HTTP status 200 code. • Can return an exact version of a CMS, can discover installed modules or plugins • Uses multiple HTTP requests urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  27. WhatWeb urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  28. WhatWeb Examples urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  29. Passive & Aggressive Tests With aggressive tests it identifies the Joomla CMS version by retrieving a handful of URLs and recognising the MD5 hashes urbanadventurer (Andrew Horton) www.morningstarsecurity.com

  30. Aggressive Tests phpBB forum /docs/CHANGELOG.html urbanadventurer (Andrew Horton) www.morningstarsecurity.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By

Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By

Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By Andrew Horton aka urbanadventurer NZ Web Recon Goal: To scan all of New Zealand's web-space to see what's there. Requirements: Targets

854 views • 62 slides
Operation of a Hydrothermal System with Increased Renewable Generation: New Zealand Case Study

Operation of a Hydrothermal System with Increased Renewable Generation: New Zealand Case Study

Operation of a Hydrothermal System with Increased Renewable Generation: New Zealand Case Study Hydro Power Scheduling Workshop Stavanger, Norway By Luke Schwartfeger, Dr. Alan Wood, Gari Bickers 12-13 th September 2018 Contents

368 views • 20 slides
Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen

Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen

J13 Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen Abiko (MINORU International Patent Office) 1. Purpose Through the case study of the small animal capture tool (rattrap), the method the

139 views • 11 slides
BP GoM: A Case Study of a Next Generation Undersea Fiber Optic System for Oil and Gas

BP GoM: A Case Study of a Next Generation Undersea Fiber Optic System for Oil and Gas

conference & convention enabling the next generation of networks & services BP GoM: A Case Study of a Next Generation Undersea Fiber Optic System for Oil and Gas Applications Rob Munier Jeremiah Mendez Derek Buffitt Tyco Electronics

628 views • 27 slides
BP GoM: A Case Study of a Next Generation Undersea Fiber Optic System for Oil and Gas

BP GoM: A Case Study of a Next Generation Undersea Fiber Optic System for Oil and Gas

conference & convention enabling the next generation of networks & services BP GoM: A Case Study of a Next Generation Undersea Fiber Optic System for Oil and Gas Applications Rob Munier Jeremiah Mendez Derek Buffitt Tyco Electronics

376 views • 26 slides
Museum of New Zealand 20 years of advances in fire modelling What are the benefits? A case study

Museum of New Zealand 20 years of advances in fire modelling What are the benefits? A case study

Te Papa Tongarewa Museum of New Zealand 20 years of advances in fire modelling What are the benefits? A case study Presented by Kevin Weller About Te Papa Built 1996 5 hectares 6 floors Large atriums Single compartment

737 views • 22 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

New Zealand Pilot Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS What are the ecosystem services that our Auckland water Clients impact on and depended on ? What risks and opportunities arise to

256 views • 9 slides
Positive Policy Pressures for Social Inclusion in Public Art Galleries: A New Zealand Case Study

Positive Policy Pressures for Social Inclusion in Public Art Galleries: A New Zealand Case Study

Federation of International Human Rights Museums Conference 2015 Te Papa Tongarewa Museum of New Zealand Claire Baker New Zealand claireadelebaker@gmail.com Positive Policy Pressures for Social Inclusion in Public Art Galleries: A New Zealand

348 views • 10 slides
Grappling with uncertainty in collaboration: a New Zealand case study Ronlyn Duncan, PhD Senior

Grappling with uncertainty in collaboration: a New Zealand case study Ronlyn Duncan, PhD Senior

IAIA2017 Le Centre Sheraton Montreal Hotel Montreal, Canada, 4 7 April, 2017 Grappling with uncertainty in collaboration: a New Zealand case study Ronlyn Duncan, PhD Senior Lecturer in Water Management Department of Environmental Management,

514 views • 29 slides
on Microhydroelectric Power Generation A Case Study of the Burnshire Dam: Woodstock, VA

on Microhydroelectric Power Generation A Case Study of the Burnshire Dam: Woodstock, VA

The Impact of River Flow on Microhydroelectric Power Generation A Case Study of the Burnshire Dam: Woodstock, VA Alex Barnes, Alex Pineda, Richard Rizzo ISAT 493 April 15 th , 2016 Origin of the Project Our work

1.27k views • 51 slides
Commercialisation, income generation & trading case study 3 Content of presentation

Commercialisation, income generation & trading case study 3 Content of presentation

Commercialisation, income generation & trading case study 3 Content of presentation Portsmouth - Why is this a focus for us? Strategy Transforming to a more entrepreneurial council Property Investment Fund Marketing our

784 views • 53 slides
Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, Vern Paxson Background IPv4 scanning - Zmap . 2 Background 2 128 addresses => 10 30 years to scan 32 nybbles (hex

518 views • 28 slides
Integration of Waste Supply and Use Data into Regional Footprints: Case Study on the Generation

Integration of Waste Supply and Use Data into Regional Footprints: Case Study on the Generation

CIRP Life Cycle Engineering Conference 2018 Integration of Waste Supply and Use Data into Regional Footprints: Case Study on the Generation and Use of Waste from Consumption and Production Activities in Brussels Vanessa Zeller, Edgar Towa,

170 views • 13 slides
Electricity Generation Energy mix in Kenya and a case study of Kenya's SMR RTA 8 th July, 2019

Electricity Generation Energy mix in Kenya and a case study of Kenya's SMR RTA 8 th July, 2019

Electricity Generation Energy mix in Kenya and a case study of Kenya's SMR RTA 8 th July, 2019 Presented by Nduma Ruwah Technical Directorate, NuPEA Table of Contents Kenya Kenyas Vision Kenya Installed capacity Justification

702 views • 21 slides
Ocean ecosystem conservation and seafood security for future generation A case study of

Ocean ecosystem conservation and seafood security for future generation A case study of

Ocean ecosystem conservation and seafood security for future generation A case study of ecosystem g y y approach to fisheries and the adaptive management of the Shiretoko World Natural Heritage Site g

950 views • 37 slides
IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Bjrn

IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Bjrn

IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Bjrn Phlsson Who are we? FUKT Computer Society Unix system since 1995 Using IPsec since 2003 FUKT is a society/club for computer enthusiasts

927 views • 45 slides
Linux Plumbers Conference 2011 LTTng 2.0 : Application, Library and Kernel tracing within your

Linux Plumbers Conference 2011 LTTng 2.0 : Application, Library and Kernel tracing within your

Linux Plumbers Conference 2011 LTTng 2.0 : Application, Library and Kernel tracing within your Linux distribution. E-mail: mathieu.desnoyers@efficios.com Mathieu Desnoyers September 9th, 2011 1 > Presenter Mathieu Desnoyers

421 views • 23 slides
DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R.

DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R.

DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R. Bannister dbis.sf.net Background RFC 2307, late 1990s (experimental) RFC 2307bis, 2002-2009 (draft) RFC 4876, 2007 nss_ldap (PADL, Sun

283 views • 9 slides
Project Plan Kubernetes Cluster Inspection Tool The Capstone Experience Team Google Dave Ackley

Project Plan Kubernetes Cluster Inspection Tool The Capstone Experience Team Google Dave Ackley

Project Plan Kubernetes Cluster Inspection Tool The Capstone Experience Team Google Dave Ackley Linghao Ji Guillermo Jimenez Haylee Quarles Casey Schneider Ben Whitelaw Department of Computer Science and Engineering Michigan State

310 views • 12 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
FINFISHER: FinFly ISP 2.0 Infrastructure Product Training Table of content 2 1. Introduction

FINFISHER: FinFly ISP 2.0 Infrastructure Product Training Table of content 2 1. Introduction

1 FINFISHER: FinFly ISP 2.0 Infrastructure Product Training Table of content 2 1. Introduction 2. The infrastructure - ADMF Client and Infection GUI - Administration: ADMF - iProxy: NDP01/02 - Radius Probe: RP01/02 - Communication 3. Use

901 views • 67 slides
Adaptive Scheduling Parameters Manager for A.Balsini SCHED DEADLINE Introduction Problem

Adaptive Scheduling Parameters Manager for A.Balsini SCHED DEADLINE Introduction Problem

SCHED DL: Adaptive Scheduling Parameters Manager Adaptive Scheduling Parameters Manager for A.Balsini SCHED DEADLINE Introduction Problem Optimistic vs Pessimistic Alessio Balsini Tools Overview a.balsini@sssup.it Kernel Module

784 views • 47 slides
Fault Tolerance Support of Smart-M3 Application on the Software Infrastructure Level Ivan Galov,

Fault Tolerance Support of Smart-M3 Application on the Software Infrastructure Level Ivan Galov,

Fault Tolerance Support of Smart-M3 Application on the Software Infrastructure Level Ivan Galov, Dmitry Korzun Petrozavodsk State University Department of Computer Science AMICT2014 conference October 21, 2014, Petrozavodsk, Russia Ivan

696 views • 13 slides

More recommend