11.27.2017

Passive Intelligence

Now, I'm not some fancy big shot who wants to define things my way and tell everyone else to piss off. However, I don't entirely understand how other people claim passive intelligence the way they do. So, as an example, I continue on my dive into finding various notions from the data by comparing unique malware domain resolutions. In this case, over on http://0daz.io/useful.log I found several domains being built on a common provider (000webhostapp). The domains shown there were found to be malicious and put on the malwaredomains list of domains (http://malwaredomains.lehigh.edu/files/domains.txt). So, my first thought would be that there is something unique in how malwaredomains finds those specifically, while very few, if any, no-ip and similar sites are on there. Regardless, I took the approach of seeing how much I can find out about 000webhostapp based on these.

curl http://0daz.io/useful.log 2>/dev/null|grep -i 000webhostapp.com|awk '{print $2}'|sort|uniq|wc -l
221

I found 221 unique IPs in this list, after it has been building for only 2 days, meaning several of these have a changed default IPv4 address at least. Whether this is anything malicious or just the way that hosting provider acts isn't really the discussion. The discussion right now is how many /28s I can make out of these IPs; maybe I can map their publicly available/usable network space? Well,

$ curl http://0daz.io/useful.log 2>/dev/null|grep -i 000webhostapp.com|awk '{print $2}'|sort|uniq >> 000webhostappips.log
$ cat 000webhostappips.log |whois `head -n 1`|grep -i route|ipcalc `awk '{print $2}'`
Address:   145.14.144.0         10010001.00001110.1001000 0.00000000
Netmask:   255.255.254.0 = 23   11111111.11111111.1111111 0.00000000
Wildcard:  0.0.1.255            00000000.00000000.0000000 1.11111111
=>
Network:   145.14.144.0/23      10010001.00001110.1001000 0.00000000
HostMin:   145.14.144.1         10010001.00001110.1001000 0.00000001
HostMax:   145.14.145.254       10010001.00001110.1001000 1.11111110
Broadcast: 145.14.145.255       10010001.00001110.1001000 1.11111111
Hosts/Net: 510                   Class B

Now, all we really have is just some lame ass data we can't really do much with, right? So we would generally go back and dig into the next thing, passing it up right here. But this is a blog post on passive intelligence so we need to be extremely passive, right? lmao.

First, let's do some routing fun!

mtr 145.14.144.1 -r -c 100 |grep -iv "???"|tail -n 1|awk '{print $2}'
74.112.174.249

I'll leave it to you to understand why this is useful for the most part, but I'll tell you that after a chain of commands, I did add "route add -net 145.14.144.0 netmask 255.255.254.0 gw 74.112.174.249" for shits and giggles. Not that anyone needs a static route when dynamic routing is in place... or do they? People may even say that you "can't just do that with public routes" but you can. "What happens when your static route disagrees with their automatic route" well now you're gettin' somewhere. lol. Anyway, enough play time with that.

Next, let's play with searching shodan, I hear people like doing that (with your API key in $SHODAN_API_KEY):

cat 000webhostappips.log |whois `head -n 1`|grep -i route|prips `awk '{print $2}'` > /tmp/iplist; for i in `strings /tmp/iplist`; do curl -A "" -X GET  "https://api.shodan.io/shodan/host/"$i"?key=$SHODAN_API_KEY";echo ""; sleep 30; done >> shodansearch.log; rm /tmp/iplist

While we wait for that result, let's also run virustotal scans.

cat 000webhostappips.log |whois `head -n 1`|grep -i route|prips `awk '{print $2}'` > /tmp/iplistvt; for i in `strings /tmp/iplistvt`; do ./ipscan-vt.py $i;echo ""; sleep 15; done >> virustotalsearch.log; rm /tmp/iplistvt
(I just made the ip field of the example python script into sys.argv[1]  so I could run it like this)

So now I have a new set of domains, urls, ips, etc... I also have a list of ips that are not used, telling me that they possibly do subnet this structure further than their /23, into more like /28 groups.
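
One way to test the /28 idea against the sightings, as an added example that is not part of the original post: it buckets a provider's observed IPs into /28 blocks inside the /23 route found above and counts the blocks with no sightings. The log lines are constructed sample data and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample in the "domain ip" layout of useful.log; not real log data.
SAMPLE_LOG = """\
a.000webhostapp.com 145.14.144.10
b.000webhostapp.com 145.14.144.12
c.000webhostapp.com 145.14.144.200
d.000webhostapp.com 145.14.145.33
d.000webhostapp.com 145.14.145.34
example.org 192.0.2.7
"""

def observed_ips(log_text, provider):
    """Unique IPs from lines whose domain sits under the provider suffix."""
    ips = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].lower().endswith("." + provider):
            continue
        try:
            ips.add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # skip malformed address fields
    return ips

def bucket_by_prefix(ips, route, new_prefix=28):
    """Count observed IPs per /new_prefix block in route; unseen blocks map to 0."""
    net = ipaddress.ip_network(route)
    counts = Counter()
    for ip in ips:
        if ip in net:
            block = ipaddress.ip_network(f"{ip}/{new_prefix}", strict=False)
            counts[block] += 1
    return {sub: counts.get(sub, 0) for sub in net.subnets(new_prefix=new_prefix)}

def summarize(log_text, provider="000webhostapp.com", route="145.14.144.0/23"):
    """Return ({block: sightings} for blocks with sightings, number of empty blocks)."""
    buckets = bucket_by_prefix(observed_ips(log_text, provider), route)
    active = {str(k): v for k, v in buckets.items() if v}
    return active, len(buckets) - len(active)

if __name__ == "__main__":
    active, empty = summarize(SAMPLE_LOG)
    for block, n in active.items():
        print(f"{block:20} {n} observed")
    print(f"{empty} /28 blocks with no sightings")
```

An empty block only means nothing in the log resolved there; it is a hint about how the space is carved up, not proof.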

Now we can dump all our results to a database and start again!
curl http://0daz.io/useful.log 2>/dev/null|awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp
This time around we're digging through the same compiled list to see what does not have unique entries in it. Since the list is originally a mixture of unique domain and IP pairs, pulling just the domains and displaying only the duplicated ones gives us domains that have had more than one IP resolution.
curl http://0daz.io/useful.log > useful.log 2>/dev/null; cat useful.log |awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp|grep -i `head -n 1` useful.log
029999.com 112.90.252.102
029999.com 23.225.139.82 
curl http://0daz.io/useful.log > useful.log 2>/dev/null; cat useful.log |awk '{print $1}' |sort |uniq -d|grep -iv 000webhostapp|grep -i `tail -n 1` useful.log > /tmp/lol; for i in `cat /tmp/lol`; do echo $i; whois $i|grep -i "cidr\|netname\|route\|OriginAS"; done
zebrezebre.com
50.63.202.61
CIDR:           50.62.0.0/15
NetName:        GO-DADDY-COM-LLC
OriginAS:       AS26496
zebrezebre.com
50.63.202.63
CIDR:           50.62.0.0/15
NetName:        GO-DADDY-COM-LLC
OriginAS:       AS26496
A smart person, or someone who cares, might want to start dumping this sort of data into a database somewhere instead of flat files. This is easily done and I'll leave you to it. This is just for example purposes, to dive into processes that are entirely scriptable but that people don't bother scripting, even for one easy case of one person diving into one set of actors. All whois and domain lookup functions are available as easily grabbed python modules, and parsing in bash is much harder than properly parsing with python. So deal with it guise.
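
A minimal Python version of the database step, added here as an example and not the author's own tooling: it loads the "domain ip" pairs into SQLite and reproduces the `uniq -d` query for domains with more than one resolution. The table name, function names and log lines are assumptions made for this example.

```python
import ipaddress
import sqlite3

# Constructed sample in the "domain ip" layout of useful.log; not real log data.
SAMPLE_LOG = """\
multi.example 198.51.100.10
multi.example 203.0.113.20
multi.example 203.0.113.20
single.example 192.0.2.5
broken.example not-an-ip
site.000webhostapp.com 145.14.144.10
site.000webhostapp.com 145.14.145.9
"""

SCHEMA = """CREATE TABLE IF NOT EXISTS resolution (
    domain TEXT NOT NULL,
    ip TEXT NOT NULL,
    first_seen TEXT DEFAULT CURRENT_TIMESTAMP,
    PRIMARY KEY (domain, ip))"""

def load(conn, log_text):
    """Insert valid (domain, ip) pairs; the primary key drops repeat sightings."""
    conn.execute(SCHEMA)
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            rows.append((parts[0].lower(), str(ipaddress.ip_address(parts[1]))))
        except (IndexError, ValueError):
            continue  # short line or a second field that is not an IP
    # Parameterized insert: log content is untrusted and never spliced into SQL.
    conn.executemany(
        "INSERT OR IGNORE INTO resolution (domain, ip) VALUES (?, ?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM resolution").fetchone()[0]

def multi_resolution(conn, exclude_suffix="000webhostapp.com"):
    """Domains seen with more than one IP (the uniq -d step), minus one provider."""
    cur = conn.execute(
        "SELECT domain, ip FROM resolution WHERE domain IN ("
        " SELECT domain FROM resolution GROUP BY domain HAVING COUNT(*) > 1)"
        " AND domain NOT LIKE ? ORDER BY domain, ip", ("%" + exclude_suffix,))
    found = {}
    for domain, ip in cur:
        found.setdefault(domain, []).append(ip)
    return found

def run(log_text=SAMPLE_LOG):
    conn = sqlite3.connect(":memory:")  # swap for a file path to keep history
    stored = load(conn, log_text)
    return stored, multi_resolution(conn)
```

Calling `run()` on the sample returns the number of unique pairs stored and a dict of each multi-resolution domain with its IPs.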

Why this is important:
  • People consider passive intelligence to be information that's provided to them without any alteration or deviance.
  • Passive intelligence is and should include refining information provided. While you probably shouldn't abuse antiquated router issues for fun and profit, you can and should begin archiving these issues and refining data that comes to you.
  • Intelligence isn't provided to you. You must do something. Even if your platform is something like virustotal (lul who pays for this anyway?), all data you consume should still be processed for leverage points and parse-able information. Data enrichment is essential to functional intelligence.

Yes yes, not all data is useful to every person, but it needs to be there. I can't tell you how many ways people evade detection based on connections people throw away. If you're 7 layers deep and there's still nothing to be seen, you're probably throwing away too much. The biggest argument threat intelligence people seem to give is that too much data is cumbersome, so it slows people down. There is nothing that should slow you down. Parse out every way you can proceed the first time. The data represented here is data that anyone with any computer could gather; they could parse this better and use the information with their own threat platforms (maltego, as well as several threat intel providers, allow functional use of csvs, which can be parsed directly from what I've given without any rewrite, so stfu and do it). Now I need everyone to quit saying passive intelligence is functionally just data given to you.

Maybe then you'd understand what active intelligence is.

K thnx.
Ferasdour
https://keybase.io/ferasdour


