WHOIS the Master
Transcript of WHOIS the Master
WHOIS the master
an introduction to Sho'Nuff
jason ross
about me
• job: break stuff for the intrepidus group
• play: with malware
• poorly manage defcon group 585
• refuse to use caps in slide decks (acronyms excluded)
agenda
• 2^32 addresses ought to be enough for anybody
• alphabet soup, iron fists, and ipv6
• whois: awesomely full of crap
• shonuff – the whois master
a (very) brief history of 'the internet'
• lots of separate networks hooked up, some confusion ensued
• InterNIC stepped out, ICANN stepped in
• ICANN manages global addressing under contract to US Dept. of Commerce as IANA
• (not for) profit!
ipv4 network allocation
• large blocks of addresses are allocated to global geographic regions
• large blocks may be allocated to national geographic regions
• blocks are divided up and allocated to local ISPs
• individual addresses or small blocks are assigned to ISP customers
early allocation methods
• there's so much space!
• large chunks of network space allocated to single organizations
• justification requirements fairly lax
zomg! this thing works!
• demand increased
• address assignments got smaller
• requirements to prove need of requested space got tighter
what's a RIR?
• Regional Internet Registry
• in charge of large geographic regions
  – AfriNIC : Africa
  – APNIC : Asia / Pacific
  – ARIN : North America
  – LACNIC : Latin America & some Caribbean
  – RIPE NCC : Europe, Middle East, Central Asia
what's a NIR?
• National Internet Registry
• in charge of small geographic regions
• act as an agent of the RIR
• not commonly used, but there's a few
what's a LIR?
• Local Internet Registry
• usually an ISP
why the push for ipv6?
• ipv4 was not designed for security
• "available address space is running low"
security
• many con talks and whitepapers by folks lots smarter than i have already covered this
• so i won't
scarcity
• there have been comments and discussion around the fact that IPv4 space is 'running out' for years.
• IEEE-USA published a report on this in 8/1999
the sky is falling! (aka: how low can you go?)
image taken from arstechnica: http://is.gd/dCnMM
if ipv4 is running out, where did it go?
• nobody that knows is telling ('freely')
• nobody else knows
• leading to much debate
how to find out
• ask IANA!
• when that fails, ask the RIRs
• then ask the LIRs
overview of whois tools
• *nix: whois
• web: http://lmgtfy.com/?q=web+whois
• www.robtex.com/whois
what's missing?
• no standardized output
• can't perform true wildcard queries
  – whois -h whois.arin.net " o . bank*"
• query options vary by RIR
• information is not centralized
  – chasing referrals sucks
how accurate is whois data?
• contact data is required by law in most countries to be legit
• ARIN is working on a policy to validate WHOIS POC info
theoretical challenges
• most efficient way to scan
• how to handle referrals
• should i throttle queries
• parsing the results
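a minimal version of the referral chasing and result parsing these challenges describe, written here as an added example in ruby (shonuff's language) rather than the tool's own code; the whois replies and server names are constructed so it runs offline, and the referral loop guard and hop cap are assumptions about how a scanner should behave:

```ruby
require 'socket'

# constructed sample: an ARIN-style reply that refers the query to RIPE
SAMPLE_ARIN = <<~WHOIS
  #
  # ARIN WHOIS data and services are subject to the Terms of Use
  #
  NetRange:       192.0.2.0 - 192.0.2.255
  CIDR:           192.0.2.0/24
  NetName:        EXAMPLE-NET
  OrgName:        Example Org (constructed)
  ReferralServer: whois://whois.ripe.net
WHOIS

# constructed sample: the RIPE-style reply for the same block
SAMPLE_RIPE = <<~WHOIS
  % This is the RIPE Database query service.
  inetnum:        192.0.2.0 - 192.0.2.255
  netname:        EXAMPLE-NET
  country:        NL
  org:            ORG-EX1-RIPE
WHOIS

# parse "key: value" lines, skipping comment (#, %) and blank lines.
# keys are downcased so ARIN's NetName and RIPE's netname compare equal.
def parse_whois(text)
  text.each_line.with_object({}) do |line, rec|
    next if line =~ /\A\s*[#%]/ || line.strip.empty?
    key, value = line.split(':', 2)
    next unless value
    rec[key.strip.downcase] = value.strip
  end
end

# raw port-43 query; only used when no offline fetcher is injected
def whois_query(server, query)
  TCPSocket.open(server, 43) do |s|
    s.write("#{query}\r\n")
    s.read
  end
end

# follow ReferralServer: pointers, returning every hop as [server, record].
# seen/max_hops stop referral loops; delay throttles between servers.
def whois_chain(server, query, max_hops: 3, delay: 0, fetcher: method(:whois_query))
  hops = []
  seen = []
  while server && hops.size < max_hops && !seen.include?(server)
    sleep(delay) unless hops.empty?
    seen << server
    rec = parse_whois(fetcher.call(server, query))
    hops << [server, rec]
    ref = rec['referralserver']
    server = ref && ref.sub(%r{\A\w+://}, '').split(':').first
  end
  hops
end
```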
shonuff – the WHOIS master!
• started as PHP/MySQL
• then i got mocked (gently)
• so i ported it to JSP/Postgres
  – to prove it can always get worse
• is now written in ruby!
what’s new?
• better integration with shodan
• privacy policy
• more query types supported
linking results to shodan
• shodan has an API!
• so i just make calls to it for you
  – many thanks to achillean, for letting this work!
interesting reports
• organizational breakdown
  – who has the most allocations
  – who has the most network space
• geographic breakdown
  – what countries have ip space
  – which countries have the most space
Demo!
future plans
• add in WHOIS contact data
• malware IP to WHOIS correlation
  – allows easy tie-back of malicious content to "real world" network & hosting businesses
• integrate DNS records for netblocks
• Maltego transform?
• Tie-in for Fierce?
• Metasploit fun?
where is it?
http://whoisthemaster.org