BlackHat资料us-14-Schloesser-Internet-Scanning-Current-State-And-Lessons-Learned.pdfVIP

Internet Scanning Current State and Lessons Learned Mark Schloesser - Rapid7 Labs @ BlackHat USA - August 6th 2014 $ id Mark Schloesser • Twitter @repmovsb • Security Researcher at Rapid7 Labs • Core developer for Cuckoo Sandbox • Research on botnets, malware • Lots of smaller sideprojects, (Android), honeypots, protocols Outline Quick Recap Internet Scanning • Intro / History / Motivation / Ethics / etc Project Sonar Research / Findings Asset discovery example use case Large scale scanning Internet wide data-gathering Internet-wide scanning Internet Mapping Project, Bell Labs / Lumeta, 1998+ IPv4 Census 2003-2006 EFF SSL Observatory 2014 Internet Census 2012 (the botnet) Shodan RIPE Atlas (slightly different) Critical.IO, 2012-2013 University of Michigan Shadowserver ErrataSec (R. Graham / masscan) Rapid7, Project Sonar Research / Finding history Top 3 UPnP software stacks contain vulnerabilities / are exploitable • Most widespread service on the Internet, millions of devices affected, patch rates low until today IPMI Server Management Protocol vulnerabilities • Server Management Controllers auth-bypass and other vulns Widespread misconfigurations • NTP DDoS amplification problems known since 2010 • Open Recursors, Open SMTP relays, ElasticSearch instances, etc Mining Ps and Qs, UMich / UCSD • Weak keys used for SSL communication SNMP – list processes, get credentials username=sa password=Masterkey2011 LicenseCheck=Defne DSN=sms;UID=XXX;PWD=XXXsys; DSN=GeoXXX;UID=XXX;PWD=XXXsys; 8383 password h4ve@gr8d3y --daemon --port 8020 --socks5 --s_user Windows --s_password System XXXX /ssh /auth=password /user=admin /passwd=admin_p@s$word http://a.b.c/manage/retail_login.php3?ms_id=14