This talk, Mass Scanning the Internet at DefCon 22, piqued my interest because we at NTO are fundamentally concerned with gathering massive amounts of security assessment data from a web application, and so a perennial nemesis for us is memory management. Reading the brief, I thought, wow, these guys (Rob Graham, Paul McMillan, Dan Tentler) are scanning the whole internet; I might get some memory management ideas. Jumping ahead a little, the bottom line is that their tool isn’t too picky about every single connection succeeding or about storing every last bit of information gleaned from every successful port connection. It basically blasts out a massive number of requests in a hugely parallel fashion and then notes what comes back. So what was I expecting, magic? One never knows. I didn’t discover how to cram terabytes of information into a 2 GB process space, but the talk was interesting anyway. This is not a denigration of their tool, by the way, just an account of how vague expectations sometimes don’t pan out. In fact, it sounded like there was some very interesting engineering in the tool.
So, on to that. The spirit of this tool is to go get as much low-hanging fruit as possible, and it turns out (no surprise) there is quite a bit of it: Heartbleed, the D-Link router vulnerability, SSL in general. One can also survey all SSL certs in use… an interesting one, that. Because it is port and IP scanning, it is not reliant on spidering, search engines, DNS, or any similar toehold-and-fanout technique. The deepnet (or is it darknet? I keep hearing both) is illuminated by this tool. Using the tool in banner-grab mode turns up loads of hackable LHF, apparently. The speakers indicated that companies such as Siemens can turn out to be rather vulnerable when you scan them using these techniques. Perhaps the most seminal implicit point of this talk is that we (security professionals), and myself in particular, are heavily steeped in web application/service security and tend to get monomaniacal about it, but let us not forget that port scanning and hardening systems w.r.t. port-based service vulnerabilities, though we may tend to think of it as “last generation,” is still highly valid work to be doing.
The speakers went on to talk about something I never really thought about, but which is quite worth thinking about: packet overhead and how billing is assessed. Of course TCP/IP packets have overhead, but apparently some ISPs charge for gross bandwidth utilization, versus others that charge for the content (minus the overhead). And the speakers indicated that if you do this mass-scanning-the-internet stuff, you will incur the wrath/indignation of the ISP and possibly of the organization(s) you are scanning. No great revelation there, but we all have probably done the naive thing of “hey, that’s cool, I’m going to try it” and then later, “hey, whoa, don’t overreact there, I didn’t mean anything by it,” with something like this. They recommend making an exclude list with, e.g., the DoD and similar organizations in it. Then they personality-profiled the typical complainer… they tend to have an attitude, and they tend to be kind of stupid technically. The speakers recommended paying shady VPS providers with bitcoin as a way of running scans without getting shut down by complaints, as said providers are well accustomed to that model, wink wink, nudge nudge.
They then detailed how MassScan works as compared to Nmap. Basically what I said previously… massively parallel, blast out as many requests as possible without being picky about what comes back. Banner checking seems to be the most potent assessment you can do with this tool, apart from the implicit assessment value of finding out what exists on the internet. They then went on to present some data they gathered, such as 300,000 systems still vulnerable to Heartbleed as of July 2014. They talked about scanning mainframes, which reminds me of another talk I attended about how juicy mainframes can be precisely because they are as old-school as they are.
And so that is what they presented in this talk. I come away with a renewed respect for port scanning; it’s not all just the web.