Wednesday, October 08, 2014

Six-month anniversary scan for Heartbleed

I just launched my six-month anniversary scan for Heartbleed. I'll start reporting early results tomorrow afternoon. I'm dialing the scan to run slowly and spreading it across four IP addresses (and 32k ports) in order to avoid unduly alarming people.

If you would like the results of the scan for your subnet, send us your address ranges to our "abuse@" email address. We'll lookup the abuse contact email for those ranges and send you what we found for that range. (This offer good through the end of October 2014).

Here is a discussion of the options.

--conf /etc/masscan/masscan.conf
You don't see this option, but it's the default. This is where we have the 'excluderanges' configured. Because we exclude everyone who contacts us an "opts-out" of our white-hat scans, we are down to scanning only 3.5 billion hosts now, out of around 4 billion.
The the "/0" means "the entire Internet". Actually, any valid IPv4 address can replace the and it'll produce the same results, such as "" to amuse your friends.

This says to scan on port 443, the default SSL port. At some point in the future, I'll scan for some other common SSL ports, including the STARTTLS ports like port 25.

This means to create a full TCP connection with the system and grab "banner" info. In this case, that means sending an SSL "hello" request and to parse the received X.509 certificate. It'll parse that certificate and dump the hostname from it.

--capture cert
This means to also capture the X.509 certificate. I don't really care for this scan, but on general principles, grabbing certificates is good for other SSL research. This happens before the heartbleed check.

This means that after the initial SSL Hello that it will attempt a "Heartbleed" request. In this case, the returned information will just be a "VULN: [Heartbleed]" message for the IP address. If you want more, then "--capture heartbleed" an also be used to grab the "bleeding" information. I don't do that.

-oB heartbleed.scan
This means to save the results in a binary file called "heartbleed.scan". This is the custom masscan format that can be read using the --readscan option later to convert to XML, JSON, and other output formats. I always scan using this format, but I think I'm the only one.

--rotate-dir /var/log/masscan
You don't see it here on the command-line because it's in masscan.conf (see above), but every hour the contents of "heartbleed.scan" are rotated into this directory and a new file created. That file is timestamped with the current time.

--rotate hourly
You don't see it here, but it's in masscan.conf. This means that rotation to /var/log/masscan should happen every hour on the hour. If you start a scan at 1:55, it'll be rotated at 2:00. It renames the file with the timestamp as the prefix, like 141007-020000-heartbleed.scan, so having it aligned to an even hour makes things easier to work with. Note that "minutely" and "daily" are also supported.

--rate 80000
People don't like getting scanned to fast, it makes IDS and firewall logs unhappy. Therefore, I lower the rate to only 80,000 packets/second to reduce their strain. This consequently means the scan is going to take 13 hours to complete.

On the same principle as slowing the rate, spreading across multiple source IP address makes IDS/firewalls squawk less, and makes people less unhappy. We have only a small range to play with, so I'm only using 4 IP addresses. Note that masscan has it's own TCP/IP stack -- it's "spoofing" these IP addresess, no machine actually exists here. If you try to ping them, you'll get no response. This is the best way to run masscan, though people still find it confusing.

--source-port 32768-65535
By default, masscan uses a randomly assigned source port. I prefer to use a range of source ports.

No comments: