WHOIS the Master - An Introduction to ShoNuff


description

This talk introduces a new security tool called ShoNuff. With all the talk about IPv4 address scarcity, and the resulting migration to IPv6, I thought it would be interesting to see how the IP space was chopped up. Additionally, I figured it would be interesting to see what organizations were responsible for various network blocks. So, I've started enumerating the whois space for the entire Internet, normalizing that information and making it available to the public. Additionally, I'm tying the allocated network blocks to SHODAN, so that one can query an organization's name and return a complete list of netblocks associated with that entity, then discover what service banners SHODAN has for that particular netblock.

Jason Ross

Jason has been working in the IT industry for about 12 years, and specifically doing InfoSec for the past 9. Jason provides security consulting services, and, after hours, he performs malware research with a number of international organizations and runs the Rochester DefCon Group (DC585). Despite all that, Jason is most proud to be a husband, and a father to 4 wonderful sons.

Transcript of WHOIS the Master - An Introduction to ShoNuff

Page 1: WHOIS the Master - An Introduction to ShoNuff

WHOIS the master

an introduction to Sho'Nuff

jason ross

Page 2: WHOIS the Master - An Introduction to ShoNuff

about me

• break stuff for a living

• play with malware for fun

• poorly manage defcon group 585

• refuse to use caps in slide decks (acronyms excluded)

Page 3: WHOIS the Master - An Introduction to ShoNuff

agenda

• 2^32 addresses ought to be enough for anybody

• alphabet soup, iron fists, and ipv6

• whois: awesomely full of crap

• shonuff – the whois master

Page 4: WHOIS the Master - An Introduction to ShoNuff

a (very) brief history of 'the internet'

• lots of separate networks hooked up, some confusion ensued

• InterNIC stepped out, ICANN stepped in

• ICANN manages global addressing under contract to US Dept. of Commerce as IANA

• (not for) profit!

Page 5: WHOIS the Master - An Introduction to ShoNuff

ipv4 network allocation

• large blocks of addresses are allocated to global geographic regions

• large blocks may be allocated to national geographic regions

• blocks are divided up and allocated to local ISPs

• individual addresses or small blocks are assigned to ISP customers

Page 6: WHOIS the Master - An Introduction to ShoNuff

early allocation methods

• there's so much space!

• large chunks of network space allocated to single organizations

• justification requirements fairly lax

Page 7: WHOIS the Master - An Introduction to ShoNuff

zomg! this thing works!

• demand increased

• address assignments got smaller

• requirements to prove need of requested space got tighter

Page 8: WHOIS the Master - An Introduction to ShoNuff

what's a RIR?

• Regional Internet Registry

• in charge of large geographic regions

– AfriNIC : Africa

– APNIC : Asia / Pacific

– ARIN : North America

– LACNIC : Latin America & some Caribbean

– RIPE NCC : Europe, Middle East, Central Asia

Page 9: WHOIS the Master - An Introduction to ShoNuff

what's a NIR?

• National Internet Registry

• in charge of small geographic regions

• act as an agent of the RIR

• not commonly used, but there are a few

Page 10: WHOIS the Master - An Introduction to ShoNuff

what's a LIR?

• Local Internet Registry

• usually an ISP

Page 11: WHOIS the Master - An Introduction to ShoNuff

why the push for ipv6?

• ipv4 was not designed for security

• "available address space is running low"

Page 12: WHOIS the Master - An Introduction to ShoNuff

security

• many con talks and whitepapers by folks lots smarter than i have already covered this

• so i won't

Page 13: WHOIS the Master - An Introduction to ShoNuff

scarcity

• there have been comments and discussion around the fact that IPv4 space is 'running out' for years.

• IEEE-USA published a report on this in 8/1999

Page 14: WHOIS the Master - An Introduction to ShoNuff

the sky is falling! (aka: how low can you go?)

image taken from arstechnica: http://is.gd/dCnMM

Page 15: WHOIS the Master - An Introduction to ShoNuff

if ipv4 is running out, where did it go?

• nobody that knows is telling ('freely')

• nobody else knows

• leading to much debate

Page 16: WHOIS the Master - An Introduction to ShoNuff

how to find out

• ask IANA!

• when that fails, ask the RIRs

• then ask the LIRs

Page 17: WHOIS the Master - An Introduction to ShoNuff

overview of whois tools

• *nix: whois

• web: http://lmgtfy.com/?q=web+whois

• www.robtex.com/whois

Page 18: WHOIS the Master - An Introduction to ShoNuff

what's missing?

• no standardized output

• can't perform true wildcard queries

– whois -h whois.arin.net " o . bank*"

• query options vary by RIR

• information is not centralized

– chasing referrals sucks

Page 19: WHOIS the Master - An Introduction to ShoNuff

how accurate is whois data?

• contact data is required by law in most countries to be legit

• ARIN is working on a policy to validate WHOIS POC info

Page 20: WHOIS the Master - An Introduction to ShoNuff

theoretical challenges

• how to handle referrals

• should i throttle queries

• parsing the results
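The three challenges above, together with the gaps on the "what's missing" slide (no standardized output, no wildcard queries, referral chasing), are what a whois enumerator has to solve before it can produce anything reportable. The block below is an added example and is not ShoNuff's own code: it normalizes two constructed responses in ARIN and RIPE style into one record shape, follows a ReferralServer pointer with a hop limit and loop check, throttles queries with an injectable clock, and does the wildcard org match locally since the registries don't offer it. The field mapping, server names and responses are assumptions for illustration; a real client would open TCP port 43 where the sample fetch does a dictionary lookup.

```python
import ipaddress
import time
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed sample responses in two registry styles (not real registry output).
# Netblocks are RFC 5737 documentation ranges; org names are made up.
ARIN_STYLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       192.0.2.0 - 192.0.2.255
NetName:        EXAMPLE-NET-1
Organization:   Example Bank Holdings (EBH-1)
Country:        US
ReferralServer: whois://whois.ripe.net
"""
RIPE_STYLE = """\
% This is a constructed RIPE-style response.
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET-2
descr:          Example Bank Europe
descr:          Amsterdam
country:        NL
status:         ASSIGNED PA
"""
RESPONSES = {"whois.arin.net": ARIN_STYLE, "whois.ripe.net": RIPE_STYLE}

# Per-registry field names mapped onto one normalized schema (assumed subset).
FIELD_MAP = {"netrange": "range", "inetnum": "range", "cidr": "cidr",
             "netname": "name", "organization": "org", "descr": "org",
             "country": "country", "referralserver": "referral"}

@dataclass
class NetblockRecord:
    server: str
    name: str = ""
    org: str = ""
    country: str = ""
    referral: str = ""
    networks: list = field(default_factory=list)  # ipaddress network objects

def parse_response(server, text):
    """Normalize one raw key/value response; comment lines (#, %) are skipped."""
    rec, raw_range = NetblockRecord(server=server), None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.lstrip()[:1] in ("#", "%"):
            continue
        norm, value = FIELD_MAP.get(key.strip().lower()), value.strip()
        if norm == "range":
            raw_range = value
        elif norm == "cidr":
            rec.networks = [ipaddress.ip_network(c.strip()) for c in value.split(",")]
        elif norm == "org":
            rec.org = rec.org or value          # RIPE repeats descr; keep the first
        elif norm in ("name", "country", "referral"):
            setattr(rec, norm, value)
    if raw_range and not rec.networks:           # "a - b" ranges become CIDR blocks
        start, _, end = raw_range.partition("-")
        rec.networks = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())))
    return rec

def chase_referrals(query, server, fetch, max_hops=3):
    """Follow ReferralServer pointers; fetch(server, query) returns raw text."""
    records, seen = [], set()
    while server and server not in seen and len(records) < max_hops:
        seen.add(server)                          # stops referral loops
        rec = parse_response(server, fetch(server, query))
        records.append(rec)
        _, _, target = rec.referral.partition("://")
        server = target.split("/")[0]            # host[:port] of the next server
    return records

class Throttle:
    """Space out queries to one registry; clock/sleep are injectable for tests."""
    def __init__(self, min_interval, clock=time.monotonic, sleep=time.sleep):
        self.min_interval, self.clock, self.sleep, self.last = min_interval, clock, sleep, None

    def wait(self):
        now = self.clock()
        if self.last is not None and now - self.last < self.min_interval:
            delay = self.min_interval - (now - self.last)
            self.sleep(delay)
            now += delay
        self.last = now
        return now

def match_org(records, pattern):
    """Local wildcard match over normalized records (registries don't offer it)."""
    return [r for r in records if fnmatch(r.org.lower(), pattern.lower())]

def sample_lookup(query="192.0.2.1", min_interval=1.0):
    throttle = Throttle(min_interval)
    def fetch(server, q):
        throttle.wait()                           # one throttle per run, not per server
        return RESPONSES[server]
    return chase_referrals(query, "whois.arin.net", fetch)

if __name__ == "__main__":
    for rec in sample_lookup():
        print(rec.server, rec.org, rec.country, [str(n) for n in rec.networks])
```

The loop check in `chase_referrals` matters more than it looks: two registries that refer to each other would otherwise keep a crawler busy until the hop limit on every block, and the throttle turns that into a slow crawl rather than a burst that gets the source address rate-limited.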

Page 21: WHOIS the Master - An Introduction to ShoNuff

interesting reports

• organizational breakdown

– who has the most allocations

– who has the most network space

• geographic breakdown

– what countries have ip space

– which countries have the most space
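Once whois output has been normalized, the two breakdowns above are aggregations over netblocks. The following is an added example, not ShoNuff's own reporting code, run over a constructed allocation list (RFC 5737 prefixes, made-up org and country values). It shows the one trap in "who has the most network space": a sub-allocation listed inside a holder's own larger block double counts if you just sum block sizes, so the example collapses nested blocks per holder before summing and lets you compare both answers.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of normalized allocations (not real registry data).
# Acme's /25 sits inside its own /24, the kind of sub-allocation that
# double counts if block sizes are summed naively.
ALLOCATIONS = [
    {"org": "Acme ISP",      "country": "US", "cidr": "192.0.2.0/24"},
    {"org": "Acme ISP",      "country": "US", "cidr": "192.0.2.128/25"},
    {"org": "Beta Telecom",  "country": "NL", "cidr": "198.51.100.0/24"},
    {"org": "Gamma Hosting", "country": "BR", "cidr": "203.0.113.0/25"},
    {"org": "Beta Telecom",  "country": "NL", "cidr": "203.0.113.128/25"},
]

def allocations_by(records, key):
    """Who has the most allocations: number of netblocks per org or country."""
    return Counter(r[key] for r in records).most_common()

def address_space_by(records, key, collapse=True):
    """Who has the most network space: addresses per org or country.
    With collapse=True, blocks nested inside a larger block of the same
    holder are merged first so each address is counted once. All sample
    blocks are IPv4; mixed families would need grouping by version, since
    collapse_addresses refuses to mix them."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(ipaddress.ip_network(r["cidr"]))
    totals = {}
    for holder, nets in groups.items():
        if collapse:
            nets = list(ipaddress.collapse_addresses(nets))
        totals[holder] = sum(n.num_addresses for n in nets)
    # rank by space, then name, so ties come out in a stable order
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def report(records):
    """Both breakdowns from the slide as ranked lists, ready for printing."""
    return {
        "allocations_by_org": allocations_by(records, "org"),
        "space_by_org": address_space_by(records, "org"),
        "allocations_by_country": allocations_by(records, "country"),
        "space_by_country": address_space_by(records, "country"),
    }

if __name__ == "__main__":
    for title, rows in report(ALLOCATIONS).items():
        print(title)
        for holder, value in rows:
            print(f"  {holder:<14} {value:>6}")
    print("naive sum by org:", address_space_by(ALLOCATIONS, "org", collapse=False))
```

With the sample data, the naive sum puts Acme ISP and Beta Telecom level at 384 addresses each, while the collapsed count correctly shows Acme holding only 256.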

Page 22: WHOIS the Master - An Introduction to ShoNuff

linking results to shodan

• shodan has an API! (struck out on the slide: "no API")

• so i make calls to it for you (struck out on the slide: "just link to the search results")

• you need to have an account

• and you need to be logged in

Page 23: WHOIS the Master - An Introduction to ShoNuff

shonuff – the WHOIS master!

• started as PHP/MySQL

• then i got mocked (gently)

• so i ported it to JSP/Postgres 5 days ago – to prove it can always get worse

• is now written in ruby! (struck out on the slide: "will probably end up as something else")

Page 24: WHOIS the Master - An Introduction to ShoNuff

future plans

• add in WHOIS contact data

• malware IP to WHOIS correlation

– allows easy tieback of malicious content to "real world" network & hosting businesses

• integrate DNS PTR records for netblocks

• Maltego transform?

• Tie-in for Fierce?

• Metasploit fun?
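The "malware IP to WHOIS correlation" plan is a longest-prefix lookup: for each suspect address, find the most specific netblock that contains it and read off the holder. This added example is not ShoNuff's code; it runs over a constructed netblock list and a constructed suspect-IP list (RFC 5737 addresses, not real indicators), keeps unmatched addresses visible rather than dropping them, counts hits per holder, and builds the `net:` query string that Shodan's search syntax accepts for a block. Whether the talk's tool formed its Shodan links that way is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed normalized allocations (RFC 5737 prefixes, made-up holders);
# the nested /25 shows why the most specific match must win.
NETBLOCKS = [
    {"org": "Acme ISP",      "country": "US", "cidr": "192.0.2.0/24"},
    {"org": "Acme Customer", "country": "US", "cidr": "192.0.2.128/25"},
    {"org": "Beta Telecom",  "country": "NL", "cidr": "198.51.100.0/24"},
]
# Constructed suspect-IP list, as a sandbox or feed might produce (not real IoCs).
SUSPECT_IPS = ["192.0.2.10", "192.0.2.200", "198.51.100.7", "203.0.113.9"]

def build_index(records):
    """Pair each record with its parsed network once, up front."""
    return [(ipaddress.ip_network(r["cidr"]), r) for r in records]

def lookup(index, ip):
    """Most specific (longest-prefix) netblock containing ip, or None.
    Address-family mismatches (an IPv6 address against IPv4 blocks) never match."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, rec in index:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best

def correlate(records, ips):
    """Tie each IP back to the holder of its netblock; unknown IPs are kept
    with holder None so gaps in whois coverage stay visible in the output."""
    index, hits = build_index(records), []
    for ip in ips:
        found = lookup(index, ip)
        if found is None:
            hits.append({"ip": ip, "cidr": None, "org": None, "country": None})
        else:
            net, rec = found
            hits.append({"ip": ip, "cidr": str(net),
                         "org": rec["org"], "country": rec["country"]})
    return hits

def hits_per_holder(hits):
    """How many suspect IPs land on each network or hosting business."""
    return Counter(h["org"] for h in hits if h["org"]).most_common()

def shodan_query(cidr):
    """Shodan's net: filter for a block (query string only; no API call made)."""
    return f"net:{cidr}"

if __name__ == "__main__":
    results = correlate(NETBLOCKS, SUSPECT_IPS)
    for h in results:
        print(f"{h['ip']:<15} {h['cidr'] or '-':<17} {h['org'] or 'unknown':<14} {h['country'] or '-'}")
    print("per holder:", hits_per_holder(results))
    print("banner search:", shodan_query(results[0]["cidr"]))
```

The `Acme Customer` result for 192.0.2.200 is the point of the longest-prefix rule: the same address also falls inside Acme ISP's /24, but the /25 reassignment is the record that names the actual hosting customer.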

Page 25: WHOIS the Master - An Introduction to ShoNuff

the end

@rossja

[email protected]

cruft.blogspot.com