WHOIS the master
an introduction to Sho'Nuff
jason ross
about me
• break stuff for a living
• play with malware for fun
• poorly manage defcon group 585
• refuse to use caps in slide decks (acronyms excluded)
agenda
• 2^32 addresses ought to be enough for anybody
• alphabet soup, iron fists, and ipv6
• whois: awesomely full of crap
• shonuff – the whois master
a (very) brief history of 'the internet'
• lots of separate networks hooked up, some confusion ensued
• InterNIC stepped out, ICANN stepped in
• ICANN manages global addressing under contract to US Dept. of Commerce as IANA
• (not for) profit!
ipv4 network allocation
• large blocks of addresses are allocated to global geographic regions
• large blocks may be allocated to national geographic regions
• blocks are divided up and allocated to local ISPs
• individual addresses or small blocks are assigned to ISP customers
early allocation methods
• there's so much space!
• large chunks of network space allocated to single organizations
• justification requirements fairly lax
zomg! this thing works!
• demand increased
• address assignments got smaller
• requirements to prove need of requested space got tighter
what's a RIR?
• Regional Internet Registry
• in charge of large geographic regions
– AfriNIC : Africa
– APNIC : Asia / Pacific
– ARIN : North America
– LACNIC : Latin America & some Caribbean
– RIPE NCC : Europe, Middle East, Central Asia
what's a NIR?
• National Internet Registry
• in charge of small geographic regions
• act as an agent of the RIR
• not commonly used, but there are a few
what's a LIR?
• Local Internet Registry
• usually an ISP
why the push for ipv6?
• ipv4 was not designed for security
• "available address space is running low"
security
• many con talks and whitepapers by folks lots smarter than i have already covered this
• so i won't
scarcity
• for years there have been comments and discussion about IPv4 space 'running out'
• IEEE-USA published a report on this in 8/1999
the sky is falling! (aka: how low can you go?)
image taken from arstechnica: http://is.gd/dCnMM
if ipv4 is running out, where did it go?
• nobody who knows is telling ('freely')
• nobody else knows
• leading to much debate
how to find out
• ask IANA!
• when that fails, ask the RIRs
• then ask the LIRs
overview of whois tools
• *nix: whois
• web: http://lmgtfy.com/?q=web+whois
• www.robtex.com/whois
what's missing?
• no standardized output
• can't perform true wildcard queries
– whois -h whois.arin.net " o . bank*"
• query options vary by RIR
• information is not centralized
– chasing referrals sucks
how accurate is whois data?
• in most countries contact data is required by law to be legitimate
• ARIN is working on a policy to validate WHOIS POC info
theoretical challenges
• how to handle referrals
• should i throttle queries
• parsing the results
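As an added example (not code from the deck or from shonuff itself), a small Ruby sketch of the three challenges above and of the 'what's missing?' slide: it normalises the differing ARIN and RIPE field names, follows an ARIN ReferralServer line with a hop limit and a loop check, and throttles successive queries. The replies are constructed samples, and fetch is assumed to be whatever returns raw WHOIS text for a server (a port-43 socket in real use).

```ruby
# Constructed sample replies (not from any registry): ARIN answers, then refers the query to RIPE.
SAMPLE_REPLIES = {
  'whois.arin.net' => <<~ARIN,
    NetRange:       203.0.113.0 - 203.0.113.255
    OrgName:        Example Networks Ltd
    Country:        GB
    ReferralServer: whois://whois.ripe.net
  ARIN
  'whois.ripe.net' => <<~RIPE
    % This is the RIPE Database query service.
    inetnum:        203.0.113.0 - 203.0.113.255
    descr:          Example Networks Ltd
    country:        GB
  RIPE
}.freeze
# One normalised key per field, since output is not standardised across RIRs
# (ARIN: NetRange/OrgName; RIPE and APNIC: inetnum/descr).
FIELD_MAP = { 'netrange' => :range, 'inetnum' => :range, 'netname' => :name,
              'orgname' => :org, 'org-name' => :org, 'descr' => :org,
              'country' => :country, 'referralserver' => :referral }.freeze
# Parse "key: value" lines; % and # comment lines are skipped, first value per key wins.
def parse_whois(text)
  record = {}
  text.each_line do |line|
    next if line =~ /\A\s*[%#]/
    next unless (m = line.match(/\A([\w-]+):\s*(.*?)\s*\z/))
    key = FIELD_MAP[m[1].downcase]
    record[key] ||= m[2] if key
  end
  record
end
# Host named by an ARIN-style "whois://host[:port]" or "rwhois://" referral, else nil.
def referral_host(record)
  record[:referral] && record[:referral][%r{\A(?:r?whois://)?([^/:\s]+)}, 1]
end
# Follow referrals from a starting RIR; fetch.(server, query) returns the raw reply (a port-43
# socket in real use). The visited list and hop limit stop a referral loop; delay throttles queries.
def lookup(query, fetch:, server: 'whois.arin.net', max_hops: 3, delay: 1.0)
  visited, record = [], {}
  while server && !visited.include?(server) && visited.size < max_hops
    sleep(delay) unless visited.empty?
    visited << server
    record = parse_whois(fetch.call(server, query)).merge(hops: visited.dup)
    server = referral_host(record)
  end
  record
end
# Offline run over the constructed replies; nothing touches the network.
offline = ->(server, _query) { SAMPLE_REPLIES.fetch(server) }
p lookup('203.0.113.10', fetch: offline, delay: 0)
```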
interesting reports
• organizational breakdown
– who has the most allocations
– who has the most network space
• geographic breakdown
– what countries have ip space
– which countries have the most space
linking results to shodan
• shodan has an API! (was: 'shodan has no API')
• so i make calls to it for you (was: 'so i just link to the search results')
• you need to have an account
• and you need to be logged in
shonuff – the WHOIS master!
• started as PHP/MySQL
• then i got mocked (gently)
• so i ported it to JSP/Postgres 5 days ago – to prove it can always get worse
• is now written in ruby! (was: 'will probably end up as something else')
future plans
• add in WHOIS contact data
• malware IP to WHOIS correlation
– allows easy tieback of malicious content to "real world" network & hosting businesses
• integrate DNS PTR records for netblocks
• Maltego transform?
• Tie-in for Fierce?
• Metasploit fun?