IP Addresses Triage
Last week, I was in Germany to attend the TROOPERS security conference and I had the opportunity to follow Chris Truncer's talk about passive intelligence gathering. Passive intelligence is a must-do when you need to collect information about a target (when working on the offensive side) or about an attacker (on the defensive side). It helps to collect as much information as possible and often relies on OSINT (Open Source INTelligence: publicly available data). From a defensive point of view, the first step is to collect logs (as many as you can). And what do we find in logs? Mostly IP addresses! We can collect tons of IP addresses every day. The next step is to get more information about them, and that is often a pain. During his talk, Chris presented his tool (called Just-Metadata), which helps to collect and manage information about IP addresses. This is performed in two phases:
- Phase 1: collect information about the IP addresses
- Phase 2: analyze the gathered data and get interesting information
When I tested the tool, I was surprised not to see any module for DShield! As we have a nice database of IP addresses and reputation, why not use it from Just-Metadata? The tool being very modular, it was easy to add an extra module to gather information from our database and a simple reporting module. Here is a list of the currently available gathering modules:
[>] Please enter a command: list gather

Shodan      => Requests Shodan for information on provided IPs
GeoInfo     => This script gathers geographical information about the loaded IP addresses
DShield     => This module checks DShield for hits on loaded IPs
Whois       => This module gathers whois information
FeedLists   => This module checks IPs against potential threat lists
MyWOT       => Requests MyWOT for domain reputation information on provided domains
VirusTotal  => This module checks VirusTotal for hits on loaded IPs
All         => Invokes all of the above IntelGathering modules
And modules to analyze the collected data:
[>] Please enter a command: list analysis

TopNetBlocks => Returns the top "X" number of most seen whois CIDR netblocks
Keys         => Returns IP Addresses with shared public keys (SSH, SSL)
FeedHits     => Lists IPs being tracked in threat lists
DShield      => Returns IP addresses with results in DShield
PortSearch   => Returns the top "X" number of most used ports
TopPorts     => Returns the top "X" number of most used ports
Country      => Search for IPs by country of origin
MyWOTDomains => Parse mywot domain reputation results
GeoInfo      => Analyzes IPs geographical/ISP information
Virustotal   => Returns IP addresses with results in VirusTotal
All          => Invokes all of the above Analysis modules
How does it work? Create (or generate) a text file containing the IP addresses to analyze, one per line, and load it into Just-Metadata. Then run the gathering modules (here all of them) and save the state to disk so that the collected data can be reloaded later without querying the sources again:
[>] Please enter a command: load ip.txt
[*] Loaded 5 systems

[>] Please enter a command: gather all
Querying Shodan for information about 120.27.31.143
Querying Shodan for information about 77.247.182.246
Querying Shodan for information about 193.169.52.214
Querying Shodan for information about 46.4.120.238
Querying Shodan for information about 101.200.0.122
Getting info on... 120.27.31.143
Getting info on... 77.247.182.246
Getting info on... 193.169.52.214
Getting info on... 46.4.120.238
Getting info on... 101.200.0.122
Information found on 120.27.31.143
Information found on 77.247.182.246
No information within DShield for 193.169.52.214
No information within DShield for 46.4.120.238
Information found on 101.200.0.122
Gathering whois information about 120.27.31.143
Gathering whois information about 77.247.182.246
Gathering whois information about 193.169.52.214
Gathering whois information about 46.4.120.238
Gathering whois information about 101.200.0.122
Grabbing list of TOR exit nodes..
Grabbing attacker IP list from the Animus project...
Grabbing EmergingThreats list...
Grabbing AlienVault reputation list...
Grabbing Blocklist.de info...
Grabbing DragonResearch's SSH list...
Grabbing DragonResearch's VNC list...
Grabbing NoThinkMalware list...
Grabbing NoThinkSSH list...
Grabbing Feodo list...
Grabbing antispam spam list...
Grabbing malc0de list...
Grabbing MalwareBytes list...
Information found on 120.27.31.143
Information found on 77.247.182.246
Information found on 193.169.52.214
Information found on 46.4.120.238
Information found on 101.200.0.122

[>] Please enter a command: save
State saved to disk at metadata03212016_150606.state
Then, you can use the analysis modules to build intelligence from the collected data. Here is a sample output of my DShield module (the argument is the number of top entries to display):
[>] Please enter a command: analyse dshield 10
**********************************************************************
IPs and Detected Counts
**********************************************************************
101.200.0.122: 832 count(s)
120.27.31.143: 596 count(s)
77.247.182.246: 186 count(s)
**********************************************************************
IPs and Attacked Targets
**********************************************************************
101.200.0.122: 270 target(s)
120.27.31.143: 119 target(s)
77.247.182.246: 7 target(s)
**********************************************************************
IPs and Detected Risk
**********************************************************************
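To show what the two phases above do under the hood, here is a small stand-alone script that replays the same workflow: it parses an ip.txt-style list, looks each address up in DShield, and ranks the hits by reports, targets and risk the way the DShield analysis module does. This is an added example written for this page, not Just-Metadata's code nor the DShield module I submitted. Assumptions: the DShield IP lookup endpoint and the JSON field names (number, count, attacks, maxrisk, maxdate) are given as I know them and should be checked against a live reply; the User-Agent string is a placeholder; the sample responses are constructed (the counts and targets mirror the diary's output, the risk values and dates are made up) so that the script runs offline.

```python
"""DShield-style IP triage: load an IP list, gather per-IP DShield data,
rank the hits. Added example for this page, not Just-Metadata's own code."""
import ipaddress
import json
import urllib.request

# Public DShield IP lookup API. Field names used below (number, count, attacks,
# maxrisk, maxdate) are as I know the JSON reply; verify against a live response.
DSHIELD_API = "https://isc.sans.edu/api/ip/{ip}?json"
USER_AGENT = "ip-triage-example/0.1 (replace with your own contact)"  # assumption


def load_ips(text):
    """Parse an ip.txt-style list: one address per line, '#' comments allowed,
    duplicates dropped, anything that is not an IP address skipped."""
    ips = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = str(ipaddress.ip_address(line))
        except ValueError:
            continue  # hostname, CIDR or junk: not an address, skip it
        if ip not in ips:
            ips.append(ip)
    return ips


def fetch_dshield(ip, timeout=10):
    """Live lookup (needs network). Returns the parsed 'ip' object or None."""
    req = urllib.request.Request(DSHIELD_API.format(ip=ip),
                                 headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("ip")


def parse_record(rec):
    """Normalise one DShield record: numeric fields arrive as strings or null."""
    def num(key):
        value = rec.get(key)
        try:
            return int(value) if value not in (None, "") else 0
        except (TypeError, ValueError):
            return 0
    return {"ip": rec.get("number"), "count": num("count"),
            "attacks": num("attacks"), "maxrisk": num("maxrisk"),
            "maxdate": rec.get("maxdate")}


def gather(ips, lookup):
    """Phase 1: call lookup(ip) -> dict-or-None for each IP, keep only hits."""
    hits = {}
    for ip in ips:
        rec = lookup(ip)
        if rec:
            parsed = parse_record(rec)
            if parsed["count"] or parsed["attacks"]:
                hits[ip] = parsed
    return hits


def top_by(hits, key, n=10):
    """Phase 2: top n IPs by one field, descending; zero values are omitted."""
    ranked = sorted(hits.values(), key=lambda r: r[key], reverse=True)
    return [(r["ip"], r[key]) for r in ranked[:n] if r[key] > 0]


def report(hits, n=10):
    """Render the three sections the DShield analysis module prints."""
    lines = []
    for title, key, unit in (("IPs and Detected Counts", "count", "count(s)"),
                             ("IPs and Attacked Targets", "attacks", "target(s)"),
                             ("IPs and Detected Risk", "maxrisk", "risk")):
        lines.append(title)
        lines.extend(f"  {ip}: {value} {unit}" for ip, value in top_by(hits, key, n))
    return "\n".join(lines)


# Constructed sample data: an ip.txt with a duplicate and a bad line, and the
# offline stand-in for fetch_dshield (counts/targets mirror the diary output).
SAMPLE_IP_TXT = """# constructed ip.txt
120.27.31.143
77.247.182.246
193.169.52.214
46.4.120.238
101.200.0.122
101.200.0.122   # duplicate, dropped by load_ips
not-an-ip
"""
SAMPLE_RESPONSES = {
    "101.200.0.122": {"number": "101.200.0.122", "count": "832", "attacks": "270", "maxrisk": "3", "maxdate": "2016-03-21"},
    "120.27.31.143": {"number": "120.27.31.143", "count": "596", "attacks": "119", "maxrisk": "2", "maxdate": "2016-03-20"},
    "77.247.182.246": {"number": "77.247.182.246", "count": "186", "attacks": "7", "maxrisk": "1", "maxdate": "2016-03-19"},
    "193.169.52.214": {"number": "193.169.52.214", "count": None, "attacks": None, "maxrisk": None, "maxdate": None},
    "46.4.120.238": {"number": "46.4.120.238", "count": "0", "attacks": "0", "maxrisk": None, "maxdate": None},
}


def offline_lookup(ip):
    return SAMPLE_RESPONSES.get(ip)


if __name__ == "__main__":
    print(report(gather(load_ips(SAMPLE_IP_TXT), offline_lookup)))
```

Swap `offline_lookup` for `fetch_dshield` to run it against the real database; keep a pause between calls and a meaningful User-Agent, as ISC asks of API clients.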
I sent a pull request to Chris yesterday and he has already merged it. The tool is available on his GitHub repository. It is easy to set up, does not have a lot of dependencies and runs smoothly in a Docker container.
Xavier Mertens
ISC Handler - Freelance Security Consultant