SANS ISC: InfoSec Handlers Diary Blog
IP Addresses Triage

Published: 2016-03-21
Last Updated: 2016-03-22 07:22:27 UTC
by Xavier Mertens (Version: 1)

Last week, I was in Germany to attend the TROOPERS security conference and I had the opportunity to follow Chris Truncer’s talk about passive intelligence gathering. Passive intelligence is a must-do when you need to collect information about a target (when working from the offensive side) or an attacker (from the defensive side). It helps to collect as much information as possible and often relies on OSINT (Open Source INTelligence - publicly available data). From a defensive point of view, the first step is to collect logs (as many as you can). And what do we find in logs? Mostly IP addresses! We can have tons of IP addresses collected every day. The next step is to get more information about them, and it is often a pain. During his talk, Chris presented his tool (called Just-Metadata) that helps to collect and manage information on IP addresses. This is performed in two phases:
  • Phase 1: collect information about the IP addresses
  • Phase 2: analyze the gathered data and get interesting information
When I tested the tool, I was surprised not to see any module for DShield! As we have a nice database of IP addresses and reputation, why not use it from Just-Metadata? The tool being very modular, it was easy to add an extra module to gather information from our database and a simple reporting module. Here is a list of the currently available gathering modules:
[>] Please enter a command: list gather
Shodan => Requests Shodan for information on provided IPs
GeoInfo => This script gathers geographical information about the loaded
           IP addresses
DShield => This module checks DShield for hits on loaded IPs
Whois => This module gathers whois information
FeedLists => This module checks IPs against potential threat lists
MyWOT => Requests MyWOT for domain reputation information on provided domains
VirusTotal => This module checks VirusTotal for hits on loaded IPs
All => Invokes all of the above IntelGathering modules
And modules to analyze the collected data:
[>] Please enter a command: list analysis
TopNetBlocks => Returns the top "X" number of most seen whois CIDR netblocks
Keys => Returns IP Addresses with shared public keys (SSH, SSL)
FeedHits => Lists IPs being tracked in threat lists
DShield => Returns IP addresses with results in DShield
PortSearch => Returns the top "X" number of most used ports
TopPorts => Returns the top "X" number of most used ports
Country => Search for IPs by country of origin
MyWOTDomains => Parse mywot domain reputation results
GeoInfo => Analyzes IPs geographical/ISP information
Virustotal => Returns IP addresses with results in VirusTotal
All => Invokes all of the above Analysis modules
How does it work? Create (or generate) a text file containing the IP addresses to analyze and load it into Just-Metadata:
[>] Please enter a command: load ip.txt
[*] Loaded 5 systems
[>] Please enter a command: gather all
Querying Shodan for information about 120.27.31.143
Querying Shodan for information about 77.247.182.246
Querying Shodan for information about 193.169.52.214
Querying Shodan for information about 46.4.120.238
Querying Shodan for information about 101.200.0.122
Getting info on... 120.27.31.143
Getting info on... 77.247.182.246
Getting info on... 193.169.52.214
Getting info on... 46.4.120.238
Getting info on... 101.200.0.122
Information found on 120.27.31.143
Information found on 77.247.182.246
No information within DShield for 193.169.52.214
No information within DShield for 46.4.120.238
Information found on 101.200.0.122
Gathering whois information about 120.27.31.143
Gathering whois information about 77.247.182.246
Gathering whois information about 193.169.52.214
Gathering whois information about 46.4.120.238
Gathering whois information about 101.200.0.122
Grabbing list of TOR exit nodes..
Grabbing attacker IP list from the Animus project...
Grabbing EmergingThreats list...
Grabbing AlienVault reputation list...
Grabbing Blocklist.de info...
Grabbing DragonResearch's SSH list...
Grabbing DragonResearch's VNC list...
Grabbing NoThinkMalware list...
Grabbing NoThinkSSH list...
Grabbing Feodo list...
Grabbing antispam spam list...
Grabbing malc0de list...
Grabbing MalwareBytes list...
Information found on 120.27.31.143
Information found on 77.247.182.246
Information found on 193.169.52.214
Information found on 46.4.120.238
Information found on 101.200.0.122
[>] Please enter a command: save
State saved to disk at metadata03212016_150606.state
Then, you can use the analysis modules to build intelligence from the collected data. Here is a sample output of my DShield module:
[>] Please enter a command: analyse dshield 10
**********************************************************************
                    IPs and Detected Counts
**********************************************************************
101.200.0.122: 832 count(s)
120.27.31.143: 596 count(s)
77.247.182.246: 186 count(s)
**********************************************************************
                    IPs and Attacked Targets
**********************************************************************
101.200.0.122: 270 target(s)
120.27.31.143: 119 target(s)
77.247.182.246: 7 target(s)
**********************************************************************
                    IPs and Detected Risk
**********************************************************************
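To show what the DShield gathering and analysis steps above do with a list of loaded IPs, here is an added example (not Just-Metadata's own code) that looks each IP up in the ISC IP API, keeps the ones DShield knows about, and ranks them into the three sections of the report shown above. The API URL and the field names "count", "attacks" and "maxrisk" are assumptions about the ISC JSON API; the sample responses are constructed from the figures in this diary so the ranking runs offline.

```python
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

# Assumption: https://isc.sans.edu/api/ip/<ip>?json returns a JSON object whose
# "ip" member carries "count" (packets seen), "attacks" (targets) and "maxrisk";
# values arrive as strings, and an IP DShield has never seen comes back with nulls.
API_URL = "https://isc.sans.edu/api/ip/{ip}?json"

# Constructed sample keyed by IP: counts/targets are the diary's figures, the two
# IPs without a record model the "No information within DShield" case, no risk set.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "101.200.0.122": {"ip": {"count": "832", "attacks": "270", "maxrisk": None}},
    "120.27.31.143": {"ip": {"count": "596", "attacks": "119", "maxrisk": None}},
    "77.247.182.246": {"ip": {"count": "186", "attacks": "7", "maxrisk": None}},
    "193.169.52.214": {"ip": {"count": None, "attacks": None, "maxrisk": None}},
    "46.4.120.238": {"ip": {"count": None, "attacks": None, "maxrisk": None}},
}

def fetch_dshield(ip: str, timeout: float = 10.0) -> dict:
    """Live lookup of one IP (the rest of the example runs offline on the sample)."""
    req = urllib.request.Request(API_URL.format(ip=ip), headers={"User-Agent": "ip-triage-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def _as_int(value) -> Optional[int]:
    """DShield fields arrive as strings or null; normalise to int or None."""
    return None if value in (None, "") else int(value)

def has_dshield_record(response: dict) -> bool:
    """True for the 'Information found' case, False for 'No information within DShield'."""
    return _as_int(response.get("ip", {}).get("count")) is not None

def top_by(responses: Dict[str, dict], field: str, limit: int) -> List[Tuple[str, int]]:
    """Top-N IPs by one numeric field, skipping IPs that have no value for it."""
    ranked = [(ip, _as_int(r.get("ip", {}).get(field))) for ip, r in responses.items()]
    ranked = [(ip, v) for ip, v in ranked if v is not None]
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))  # most seen first, IP as tie-break
    return ranked[:limit]

def dshield_report(responses: Dict[str, dict], limit: int = 10) -> Dict[str, List[Tuple[str, int]]]:
    """The three sections of the diary's 'analyse dshield <limit>' output."""
    return {
        "IPs and Detected Counts": top_by(responses, "count", limit),
        "IPs and Attacked Targets": top_by(responses, "attacks", limit),
        "IPs and Detected Risk": top_by(responses, "maxrisk", limit),
    }

if __name__ == "__main__":
    for title, rows in dshield_report(SAMPLE_RESPONSES).items():
        print("*" * 70, title.center(70), "*" * 70, *(f"{ip}: {v}" for ip, v in rows), sep="\n")
```

With the sample, the risk section comes out empty because none of the constructed records carries a risk value; replace `SAMPLE_RESPONSES` with `{ip: fetch_dshield(ip) for ip in ips}` to run it against live data.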
I sent a pull request to Chris yesterday and he has already merged it. The tool is available on his GitHub repository. It's easy to set up, does not have many dependencies and it runs smoothly in a Docker container.

Xavier Mertens
ISC Handler - Freelance Security Consultant