WHOIS the Master

Post on 24-Jan-2017



WHOIS the master

an introduction to Sho'Nuff

jason ross

about me

• job: break stuff for the intrepidus group

• play: with malware

• poorly manage defcon group 585

• refuse to use caps in slide decks (acronyms excluded)

agenda

• 2^32 addresses ought to be enough for anybody

• alphabet soup, iron fists, and ipv6

• whois: awesomely full of crap

• shonuff – the whois master

a (very) brief history of 'the internet'

• lots of separate networks hooked up, some confusion ensued

• InterNIC stepped out, ICANN stepped in

• ICANN manages global addressing under contract to US Dept. of Commerce as IANA

• (not for) profit!

ipv4 network allocation

• large blocks of addresses are allocated to global geographic regions

• large blocks may be allocated to national geographic regions

• blocks are divided up and allocated to local ISPs

• individual addresses or small blocks are assigned to ISP customers

early allocation methods

• there's so much space!

• large chunks of network space allocated to single organizations

• justification requirements fairly lax

zomg! this thing works!

• demand increased

• address assignments got smaller

• requirements to prove need of requested space got tighter

what's a RIR?

• Regional Internet Registry

• in charge of large geographic regions

– AfriNIC : Africa

– APNIC : Asia / Pacific

– ARIN : North America

– LACNIC : Latin America & some Caribbean

– RIPE NCC : Europe, Middle East, Central Asia

what's a NIR?

• National Internet Registry

• in charge of small geographic regions

• act as an agent of the RIR

• not commonly used, but there are a few

what's a LIR?

• Local Internet Registry

• usually an ISP

why the push for ipv6?

• ipv4 was not designed for security

• "available address space is running low"

security

• many con talks and whitepapers by folks lots smarter than i have already covered this

• so i won't

scarcity

• there have been comments and discussion around the fact that IPv4 space is 'running out' for years.

• IEEE-USA published a report on this in 8/1999

the sky is falling! (aka: how low can you go?)

image taken from arstechnica: http://is.gd/dCnMM

if ipv4 is running out, where did it go?

• nobody that knows is telling ('freely')

• nobody else knows

• leading to much debate

how to find out

• ask IANA!

• when that fails, ask the RIRs

• then ask the LIRs

overview of whois tools

• *nix: whois

• web: http://lmgtfy.com/?q=web+whois

• www.robtex.com/whois

what's missing?

• no standardized output

• can't perform true wildcard queries

– whois -h whois.arin.net " o . bank*"

• query options vary by RIR

• information is not centralized

– chasing referrals sucks

how accurate is whois data?

• contact data is required by law in most countries to be legit

• ARIN is working on a policy to validate WHOIS POC info

theoretical challenges

• most efficient way to scan

• how to handle referrals

• should i throttle queries

• parsing the results
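The "chasing referrals sucks" and "theoretical challenges" slides above describe the same loop: ask IANA, get referred to an RIR, maybe get referred again to an LIR, pause between queries, and turn free-form text into fields. The following is an added Ruby example written for this page, not Sho'Nuff's own code. It assumes the two referral keys seen in practice ("refer:" from IANA, "ReferralServer:" from ARIN) and takes the network fetch as a parameter so the referral logic can be exercised against constructed responses without touching a registry.

```ruby
require 'socket'
require 'timeout'

# Minimal WHOIS referral chaser (added example, not Sho'Nuff's code).
# Follows IANA "refer:" and ARIN "ReferralServer:" lines, throttles
# between hops, and parses each plain-text response into key/value lists.
REFERRAL_KEYS = %w[refer ReferralServer].freeze
MAX_HOPS = 5

# Parse "Key: value" lines. Comment lines ('%' or '#') are skipped.
# Keys repeat within a response (several NetRange lines, for instance),
# so every key maps to an array of values.
def parse_whois(text)
  fields = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('%', '#')
    key, value = line.split(':', 2)
    next if value.nil?
    fields[key.strip] << value.strip
  end
  fields
end

# Return the next server to ask, or nil when the response is final.
# Handles both "refer: whois.arin.net" and "ReferralServer: whois://host:43".
def referral_of(fields)
  REFERRAL_KEYS.each do |k|
    next unless fields.key?(k)
    host = fields[k].first.sub(%r{\A\w+://}, '')
    return host.split(':').first
  end
  nil
end

# Raw query over TCP/43 (the only part that needs the network).
def whois_query(server, query, timeout = 10)
  Timeout.timeout(timeout) do
    TCPSocket.open(server, 43) do |sock|
      sock.write("#{query}\r\n")
      sock.read
    end
  end
end

# Start at IANA and follow referrals down to the RIR/LIR, sleeping `delay`
# seconds between hops so registries are not hammered. A server visited
# twice means a referral loop, so stop there. Returns [[server, fields], ...].
def chase_referrals(query, start: 'whois.iana.org', delay: 1.0,
                    max_hops: MAX_HOPS, fetch: method(:whois_query))
  hops = []
  seen = []
  server = start
  max_hops.times do
    break if seen.include?(server)
    seen << server
    fields = parse_whois(fetch.call(server, query))
    hops << [server, fields]
    nxt = referral_of(fields)
    break if nxt.nil?
    sleep(delay)
    server = nxt
  end
  hops
end

# Constructed responses (not real registry output) so the chain can run offline.
SAMPLE_RESPONSES = {
  'whois.iana.org'        => "% IANA WHOIS server\nrefer:        whois.arin.net\n" \
                             "inetnum:      192.0.0.0 - 192.255.255.255\n",
  'whois.arin.net'        => "#\n# ARIN WHOIS data\n#\nNetRange:       192.0.2.0 - 192.0.2.255\n" \
                             "CIDR:           192.0.2.0/24\n" \
                             "ReferralServer: whois://whois.example-lir.net:43\n",
  'whois.example-lir.net' => "inetnum: 192.0.2.0 - 192.0.2.255\nnetname: EXAMPLE-NET\n"
}.freeze

# Run the chase against the constructed responses; returns the servers visited.
def demo_chain
  offline = ->(server, _query) { SAMPLE_RESPONSES.fetch(server) }
  chase_referrals('192.0.2.1', delay: 0, fetch: offline)
end

if __FILE__ == $PROGRAM_NAME
  demo_chain.each { |server, fields| puts "#{server}: #{fields.keys.join(', ')}" }
end
```

Passing `fetch:` as a lambda is what makes the referral and throttle logic testable; swap in `method(:whois_query)` (the default) for live use, and keep `delay` at a second or more when doing so.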

shonuff – the WHOIS master!

• started as PHP/MySQL

• then i got mocked (gently)

• so i ported it to JSP/Postgres

– to prove it can always get worse

• is now written in ruby!

what’s new?

• better integration with shodan

• privacy policy

• more query types supported

linking results to shodan

• shodan has an API!

• so i just make calls to it for you

– many thanks to achillean, for letting this work!

interesting reports

• organizational breakdown

– who has the most allocations

– who has the most network space

• geographic breakdown

– what countries have ip space

– which countries have the most space
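The two report types on this slide (per organization and per country, by allocation count and by address space) reduce to one aggregation over parsed allocation records. The Ruby below is an added example for this page, not Sho'Nuff's own reporting code; the records are constructed, with documentation-range prefixes standing in for real WHOIS output. It also handles one thing the slide does not mention: IPv4 and IPv6 totals are summed separately, because a single /32 of IPv6 would otherwise swamp every IPv4 figure.

```ruby
require 'ipaddr'

# Constructed allocation records (not real registry data). In practice
# each would come from a parsed NetRange/CIDR + OrgName + Country response.
SAMPLE_ALLOCATIONS = [
  { cidr: '10.0.0.0/8',        org: 'Example Carrier',    country: 'US' },
  { cidr: '192.0.2.0/24',      org: 'Example Carrier',    country: 'US' },
  { cidr: '198.51.100.0/25',   org: 'Example Hosting',    country: 'NL' },
  { cidr: '198.51.100.128/25', org: 'Example Hosting',    country: 'NL' },
  { cidr: '203.0.113.0/24',    org: 'Example Hosting',    country: 'NL' },
  { cidr: '172.16.0.0/12',     org: 'Example University', country: 'JP' },
  { cidr: '2001:db8::/32',     org: 'Example Hosting',    country: 'NL' }
].freeze

# Number of addresses in a CIDR block: 2^(address bits - prefix length).
def address_count(cidr)
  prefix = Integer(cidr.split('/', 2).fetch(1))
  bits = IPAddr.new(cidr).ipv4? ? 32 : 128
  2**(bits - prefix)
end

# Aggregate allocations and address totals keyed by :org or :country,
# restricted to one address family so the sums are comparable.
# Result is ordered by address space, largest first.
def breakdown(records, by:, family: 4)
  report = Hash.new { |h, k| h[k] = { allocations: 0, addresses: 0 } }
  records.each do |r|
    next unless IPAddr.new(r[:cidr]).ipv4? == (family == 4)
    entry = report[r.fetch(by)]
    entry[:allocations] += 1
    entry[:addresses] += address_count(r[:cidr])
  end
  report.sort_by { |_, v| -v[:addresses] }.to_h
end

# Top-n rows of a breakdown by one metric, as [key, value] pairs.
def top(report, metric, n = 3)
  report.sort_by { |_, v| -v[metric] }.first(n).map { |k, v| [k, v[metric]] }
end

if __FILE__ == $PROGRAM_NAME
  [[:org, 'organizational'], [:country, 'geographic']].each do |key, label|
    puts "#{label} breakdown (ipv4)"
    breakdown(SAMPLE_ALLOCATIONS, by: key).each do |k, v|
      puts format('  %-20s %2d allocations  %12d addresses', k, v[:allocations], v[:addresses])
    end
  end
end
```

"Most allocations" and "most network space" deliberately stay as two separate rankings: in the constructed data the hosting company holds the most blocks while the carrier holds the most addresses, which is the usual shape of real registry data too.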

Demo!

future plans

• add in WHOIS contact data

• malware IP to WHOIS correlation

– allows easy tie-back of malicious content to "real world" network & hosting businesses

• integrate DNS records for netblocks

• Maltego transform?

• Tie-in for Fierce?

• Metasploit fun?

where is it?

http://whoisthemaster.org

the end

@rossja

algorythm@gmail.com

cruft.blogspot.com