
Now You TCP Me, Now You Don't: The Strengths and Weaknesses of Various Internet Scanning Services

BSides TLV · 2020 · 21:56 · 228 views · Published 2020-07
About this talk
Internet scanning services like Shodan, Censys, and Greynoise democratize access to large-scale internet datasets, enabling security researchers to discover new services and vulnerabilities without running their own infrastructure. This talk compares the strengths, weaknesses, and coverage of major public scanning platforms and passive sensor networks, including indexing depth, port coverage, and data retention strategies.
Adi Ben-Israel - Now You TCP Me, Now You Don't: The Strengths and Weaknesses of Various Internet Scanning Services. BSidesTLV - Tel Aviv - July 2nd, 2020

Transcript [en]

Now I'm very, very excited to introduce our next speaker. This particular talk is one I am specifically super hyped about, because it's a topic that I love and a fantastic speaker, and Adi is such a nice speaker as well. She's a very, very nice person; I just met her backstage, and we're really, really happy to have Adi here, because Adi has never presented at BSides Tel Aviv before, so we're super excited to have Adi on the stage. Let me tell you a little bit about the talk and about Adi. Okay, so this talk is "Now You TCP Me, Now You Don't", and that is such a clever statement, Adi. I'm gonna get a

t-shirt made that says that, because it's so, so on point. So "Now You TCP Me, Now You Don't": this is going to be about the internet scanning tools like Shodan and other tools. I have been known to feature Shodan in many of my talks; I use it for my security testing. Many security pros use tools like Shodan and other internet scanning services, so this is what we're gonna hear all about right now. And Adi Ben-Israel, our next speaker, she is a really, really fantastic, nice human being, and she loves the internet, and she says that she has loved the internet even before she found ways to connect into people's routers. So that's pretty cool, Adi. And actually

she also likes to dance and play the trombone, but not at the same time, although that is an incredible talent, Adi. Probably if you would play the trombone and dance at the same time, you would be able to join the circus. But thankfully for us, Adi is here with us as a security professional, as an internet astronaut, if you were looking for interesting things to find in the internet world, and she's really passionate about sharing her knowledge. So please help me in giving a super warm welcome to Adi Ben-Israel. Welcome, Adi. Thank you so much, so happy to have you with us. There you go, Adi. Hi, I'm Adi,

and this is "Now You TCP Me, Now You Don't: The Strengths and Weaknesses of Various Internet Scanning Services". So a little about me: I am a former, a recovering, internet security researcher. I did this for five years, and about half a year ago I decided that I want to learn how to program a bit, so I now work at a storage company called WEKA, where I program in the very common language called D. But I still keep up with the internet and networking by being the one who installs all the routers at every place I live. Before we start, two things. The first thing, that's very important, is that everything I

talk about is a free offering from all the services I will talk about; I will not talk about any enterprise options or anything that costs more than giving up some personal details. And second, there will be a quiz on this, so please join the BSides workspace and the 20 talk or 20 lobby channel to be part of the quiz. So first of all, why scan the internet? Well, if you're asking this, you're probably looking at the wrong conference. We scan because we can. The internet is a safari, and scanning is just one of the many ways to understand it. Through scanning the internet we can find new services, new resources, and possibly even new

vulnerabilities. And you would think that the internet was scanned from its inauguration, but that's not the case. The first open scanning project was the Lander project in 2004, and they scanned the internet by running a ping scan on all IPv4 addresses. The map here, this is the most famous census map of the IPv4 addresses, and this was done in 2012. So why haven't people scanned the internet? Well, that's because scanning is hard. If you scan on your home computer using the regular bandwidth, it's very slow comparatively. There are about 4 billion IP addresses and about 65,000 ports, and combining them all together, it would take a very long time to scan the entire

internet. Also, ISPs don't really like you spamming SYN packets. Trust me, don't try this at home; it's very hard to get an ISP to unblock you. So either you slow down your scanning pace considerably, or you start using a server or multiple servers. If you use servers, you have to get the data back somehow, and then you have to save the data in some sort of DB. And if you don't want to scan only once and want to scan the internet continuously, you have to have a lot of space, and you have to version the DB, because you don't want previous data to override the current data you have.

And all of this would just take too long for a security researcher as a side job; it takes too much time and resources for a security researcher on their own to do this. But luckily, it's hard, but it's not that hard. There are a lot of bots, humans, and crawlers that scan the internet, because all the stuff I mentioned, if you take this as a full-time job, they're not very difficult. But most of the scanners on the internet save data to themselves. The interesting thing an internet scanning service does is that it doesn't only scan the internet, but it also displays the data

in a way that is easy for users to query, and because of this, and the fact that regular security researchers on their day-to-day jobs would not be able to do this in their free time, this democratizes access to internet-scale datasets. So the first scanning service, and the most popular one that I'm going to talk about, is the one that I also show here, which is Shodan. Shodan was founded in 2009, and as far as I know it was the first public internet scanning service; anything else that came beforehand has been lost to the internet. There have been so many talks about Shodan and what it can show. In 2015 they even tweeted

the control page of a particle accelerator, which is pretty cool. And one of the reasons that Shodan is popular is that it was alone in the landscape for about five years. But then came along Censys. Censys was started as the ZMap project in 2012 by a group of researchers in the University of Michigan. They wanted to see if the internet was getting safer by trying to scan the entire internet, and the way to do this, their new idea, was to instead of creating a full connection just send TCP SYN packets, and then if you get a result then the

port is open. And then they have another tool called ZGrab, where you can get the full HTTP response or any other port data you're looking for. They spun out into a company in 2017. So how do we compare these two services? Shodan has a more focused search; for example, if you give it a string, it will not look in the TLS certificate for this data, which Censys will. But this is because Censys indexes every piece of data it receives, especially TLS data, which is really helpful if you find a unique certificate length: I want to see if there are any other IPs that have this length of certificate, for

example. Also, Censys uses known tools. Since Censys is based on ZMap and ZGrab, it's very easy to check what Censys missed or if there's anything that could bypass it. This is very interesting, and this helps, as opposed to Shodan, whose tools are proprietary. A point to Shodan is that it scans more ports: Shodan scanned about 1,234, as opposed to Censys's 1,040. It's not a lot, but if you're looking for an esoteric port, this could make the difference. So we saw that scanning is hard, we saw that scanning is not hard enough so that nobody will do it, and we found

two scanning services that exist. There must be more. How can you find more? We need the opposite of a scanning service, and this is where GreyNoise comes in. GreyNoise is a sensor network. It is the opposite of Shodan and Censys, in a way, in that it is completely passive. GreyNoise has multiple servers across the world in different autonomous zones, and when a scanner, Shodan, Censys, or something proprietary, tries to scan GreyNoise, GreyNoise logs the IP, the port, and the data received. Now let's see what GreyNoise has to say about Shodan.

This is the GreyNoise visualizer, and if I enter Shodan, I can see that it's loading, but if we let it load... okay, if the demo isn't working, let me go and redo the slides.

Okay, let's look at them through here.

Here, if we look at what GreyNoise shows about Shodan, it shows a lot of the different IPs that Shodan uses. And let's pick a specific one: I can see the IP that it scans from, reverse DNS if it exists, possible scanning types, and the number of ports. Now remember that I told you that Shodan scans about 1,240 ports; they don't actually document that anywhere. What I did is, because GreyNoise recognizes both Shodan and Censys, I took the ports that GreyNoise recognized, the IPs that GreyNoise recognized as Shodan and the IPs that it recognized as Censys, made a unique list of ports, and compared the two.

So GreyNoise classifies all its IPs, every IP that it finds, into three categories: malicious, unknown, and benign. Malicious IPs are those that show indications of trying to brute-force passwords or scan for recognizable exploits. Unknown services just scan the internet, not for any specific reason, but GreyNoise doesn't recognize them; it doesn't know that it's Shodan, for example, or any other known scanner or Googlebot. And the benign are scans that GreyNoise recognizes, such as Shodan or Censys. They might also show indications of sending a vulnerable packet, but since GreyNoise is only a sensor network and doesn't run a full interaction, it's possible that they check only if

this, only send a vulnerable packet to see if they get the expected vulnerable response, or if it's an IP that closed the vulnerability. So we talked about Shodan and Censys, and we talked about GreyNoise and how GreyNoise can recognize Shodan and Censys. So let's see what other scanning services GreyNoise recognizes. I'm going to talk about two of them: Onyphe and Rapid7. Onyphe is a French scanning service that was started in 2018. It doesn't scan very many ports, only about 100, but it takes data from a bunch of different places, such as it tries to resolve the IP to see where it's from, or it takes data from Pastebin to see if

the IP was ever seen in different pasties. And Rapid7 is interesting because it displays the data much differently. Unlike all the other scanning services, which show the data when you give a single IP and they give you the response, in Rapid7 you get, once a month, a dump of, for example, all the HTTP GET responses that Rapid7 received in the last month from port 80 or port 5555; they have a list of ports there. And this is really useful, because to get this data from Shodan it would take a lot of credits, and that's a lot of money and a lot of

other possible searches that could happen. But are all the actors that GreyNoise defines as benign really benign? There's PDR Labs, which called itself an internet mapping experiment and an industry research group. I didn't find much data about it, and from GreyNoise it looks like its scans are benign; they don't try to check for any vulnerabilities. On the other hand, there is Stretchoid. This is Stretchoid's front page, and the only page you can find on its website. It pretty much says, give me your IP and I promise I won't scan you. I don't really trust it, and it scans mostly from DigitalOcean, which is a small cloud player,

and unlike PDR Labs, it does send vulnerable packets, packets that contain vulnerabilities. It's been seen to try to send requests that exploit an Elasticsearch code injection vulnerability. I'm not really sure what's going on there, but it's very fishy. And now I want to talk about a service that GreyNoise recognizes, but barely: FOFA. GreyNoise has only eight results for FOFA. It's possible that this is because FOFA is a Chinese internet scanning service, as you can see from the text. And what I like about FOFA is that it has some things that stand apart from Shodan and Censys. For example, it displays data not only for an IP; it doesn't only show the last

IP, but it also shows data from before. So if you want to look at the lifespan of an IP address, FOFA is a good place to look. Also, it saves a lot more of the HTML page. Now I'll show this using Anglerfish. Anglerfish is a honeypot whose page is more than forty thousand characters; all of these characters are vulnerable substrings, substrings of router names, titles, server names. Pretty much what they're saying is, come at me, bro, just try to exploit anything you can on me. And while Shodan shows about 12,000 characters of this page, FOFA shows about 28,000. And that really shows the difference

when you're looking for some sort of service whose only recognizable substring is very far down on its page, or that has a page with a lot of characters. So I wasn't kidding about the quiz, so please go on to the Slack channel and let's start. Scenario one: a security researcher believes they have found the new Misfortune Cookie and is interested in seeing all the pages from all the IPs that have port 7547 open in the last month. Which scanning service would you use? Please fill out the quiz, and let's see.

That's right, I would use Rapid7, because Rapid7 gives a dump of all the data in the last month. It's a much better service to use than all the others, where you have to query a specific IP or have to use a lot of credits to get further pages. On to the next scenario. Scenario two: D-Link DSL-2750B has a command injection vulnerability according to Exploit-DB, but the device name is at the very bottom of its login home page. What scanning service would you use?

That's right, I would use FOFA, because FOFA indexes more of the HTML data, so it's a much better service to use. And as you can see, while Shodan has only 63 results for this router, Censys has 393 and FOFA has 519 unique IPs. And note that I took a span of about two weeks, so it's not the fact that FOFA has saved scans from the past. And for our last scenario: I want to find data about a specific IP address because it came up as possibly interesting from my company's IDS. What scanning service would you use? Well, it really depends on what you're comfortable with or what you like.

I would use Shodan if I'm most comfortable with that, or if I want to look at the most ports. I would use Onyphe if I want to see if this IP for some reason has been found in Pastebin. I would use FOFA because it's Chinese and might not have the exclusion lists that other scanning services have. Or I would use Censys because I'm most comfortable with that and I want to see if there's any interesting data that was indexed. I wouldn't use Rapid7 for this, because it's not a specific IP. But in conclusion: no scanning service is an entire toolbox, and I very much hope

that next time you find an interesting IP, you won't use a screwdriver to try to take a nail out from a board. Thank you very much.
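As an added example that is not part of the talk or of any of the services it names, here is the port-coverage comparison the speaker describes (take the IPs a sensor network attributes to each scanner, collect the unique ports each probes, compare the sets), run over constructed GreyNoise-style records; the actor tags, source IPs and ports below are made up, and a real sensor feed would carry more fields.

```python
"""Port-coverage comparison across scanner actors (added example; data constructed)."""
from collections import defaultdict

# Constructed sensor observations as (actor tag, source IP, destination port).
# These are sample values only; a real sensor network records far more fields.
SENSOR_EVENTS = [
    ("shodan", "198.51.100.10", 22),
    ("shodan", "198.51.100.10", 80),
    ("shodan", "198.51.100.11", 443),
    ("shodan", "198.51.100.11", 7547),
    ("shodan", "198.51.100.12", 5555),
    ("shodan", "198.51.100.12", 2375),
    ("censys", "203.0.113.20", 22),
    ("censys", "203.0.113.20", 80),
    ("censys", "203.0.113.21", 443),
    ("censys", "203.0.113.21", 7547),
    ("censys", "203.0.113.22", 9200),
    ("stretchoid", "192.0.2.30", 9200),
]


def ports_by_actor(events):
    """Build the unique destination-port set per actor tag (the 'unique list of ports')."""
    coverage = defaultdict(set)
    for actor, _src_ip, port in events:
        coverage[actor].add(port)
    return coverage


def compare_coverage(events, actor_a, actor_b):
    """Ports only actor_a probes, only actor_b probes, and both probe, sorted for reading."""
    cov = ports_by_actor(events)
    return {
        "only_" + actor_a: sorted(cov[actor_a] - cov[actor_b]),
        "only_" + actor_b: sorted(cov[actor_b] - cov[actor_a]),
        "both": sorted(cov[actor_a] & cov[actor_b]),
    }


def who_scans(events, port):
    """Actors seen probing a port: tells you which service is worth querying for it."""
    return sorted(a for a, ports in ports_by_actor(events).items() if port in ports)


if __name__ == "__main__":
    print(compare_coverage(SENSOR_EVENTS, "shodan", "censys"))
    print(who_scans(SENSOR_EVENTS, 9200))
```

On the constructed data the esoteric ports 2375 and 5555 appear only under the Shodan tag and 9200 only under Censys and Stretchoid, which is exactly the kind of gap the speaker says matters when hunting an unusual port.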