The common problem
For a number of years, during red-team engagements and during the major infosec panics (EternalBlue, BlueKeep and the like), clients have asked us to scan their entire public range on their behalf. However, some infosec professionals and CISOs struggle to know the full extent of their publicly accessible networks, because of inherited infrastructure (M&A (mergers and acquisitions)), ever-expanding cloud infrastructure, changes of provider, poor documentation and so on. Identifying the net-ranges can therefore become a tricky task:
- wrong subnets could be scanned
- entire net-ranges could be missed
- 3rd-party providers/ISPs hosting dedicated infrastructure are missed.
Netscylla’s solution to the problem is to ‘mine’ the WHOIS records held by the regional Internet registries for the organisation’s name(s), in an attempt to quickly obtain the breadth of the network. We said it was tricky... but today we release our in-house tool whereis, in the hope that it makes the job of locating the net-ranges of publicly accessible infrastructure easier.
Example 1 - example keyword
$ ./whereis.py example
188.8.131.52/29
184.108.40.206/29
220.127.116.11/29
18.104.22.168/30
We can then check each CIDR manually with whois to confirm that the keyword example actually appears in the record:
$ whois -a 22.214.171.124
NetRange:   126.96.36.199 - 188.8.131.52
CIDR:       184.108.40.206/29
NetName:    IMPORTEXAMPLES   <---- matches here

$ whois -a 220.127.116.11
NetRange:   18.104.22.168 - 22.214.171.124
CIDR:       126.96.36.199/29
NetName:    EXAMPLEESSAYS   <---- matches here

$ whois -a 188.8.131.52
NetRange:   184.108.40.206 - 220.127.116.11
CIDR:       18.104.22.168/30
NetName:    CTSC-S3362
NetHandle:  NET-64-136-255-92-1
Parent:     CTSTELECOM-BLK-1 (NET-64-136-224-0-1)
NetType:    Reassigned
OriginAS:
Customer:   Digital Example (C06469865)   <---- matches here
Warning: the script only matches records on the given keyword, so the results can contain false positives (note that example above matched IMPORTEXAMPLES and EXAMPLEESSAYS, which are unrelated organisations whose names merely contain the word).
Even when searching for your own organisation’s name, double-check the results, since other organisations with similar names may be included.
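To make the mining approach concrete (the keyword match over registry records, and the false-positive behaviour warned about above), here is an added, self-contained Python example. It is not the whereis tool’s own code. Instead of querying a registry it runs over a handful of constructed WHOIS records (RFC 5737 test addresses, with NetName/Customer values modelled on the output shown in this post), and it goes slightly beyond the examples here by also handling RIPE-style inetnum records that carry no CIDR field. The list of name-bearing fields searched and the punctuation-stripping normalisation are assumptions of this example, not something the post specifies.

```python
import ipaddress
import re

# Constructed sample WHOIS records, keyed by the address you would pass to
# `whois -a`. Addresses are RFC 5737 test networks and the NetName/Customer
# values are modelled on the post's output. This is NOT real registry data.
SAMPLE_WHOIS = {
    "192.0.2.1": """\
NetRange:       192.0.2.0 - 192.0.2.7
CIDR:           192.0.2.0/29
NetName:        IMPORTEXAMPLES
NetType:        Reassigned
OrgName:        Import Examples Ltd
""",
    # RIPE-style record: inetnum/netname/descr and no CIDR field.
    "192.0.2.9": """\
% Information related to '192.0.2.8 - 192.0.2.15'
inetnum:        192.0.2.8 - 192.0.2.15
netname:        EXAMPLEESSAYS
descr:          Example Essays
""",
    "198.51.100.1": """\
NetRange:       198.51.100.0 - 198.51.100.3
CIDR:           198.51.100.0/30
NetName:        CTSC-S3362
NetType:        Reassigned
Customer:       Digital Example (C06469865)
""",
    "198.51.100.65": """\
NetRange:       198.51.100.64 - 198.51.100.127
CIDR:           198.51.100.64/26
NetName:        UNRELATED-HOSTING
OrgName:        Unrelated Hosting Co
""",
    # Two CIDRs on one line, as ARIN prints for ranges that are not one prefix.
    "203.0.113.1": """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/25, 203.0.113.128/25
NetName:        BORELPRIVATEBANKTRUS
OrgName:        Borel Private Bank & Trust
""",
}

# Name-bearing fields searched for the keyword (assumption: ARIN and RIPE field names).
NAME_FIELDS = ("NetName", "OrgName", "Customer", "netname", "descr", "org-name")


def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}; keys may repeat."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "%")):  # registry comment lines
            continue
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def record_cidrs(record):
    """CIDRs covered by a record: the CIDR field if present, otherwise the
    NetRange/inetnum summarised into the minimal set of prefixes."""
    if "CIDR" in record:
        return [ipaddress.ip_network(c.strip(), strict=False)
                for c in ",".join(record["CIDR"]).split(",")]
    for rng in record.get("NetRange", []) + record.get("inetnum", []):
        lo, _, hi = rng.partition("-")
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return []


def normalise(s):
    """Lower-case and drop everything but letters/digits, so that the keyword
    'private bank' matches BORELPRIVATEBANKTRUS as well as 'Private Bank & Trust'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def keyword_hits(record, keyword):
    """(field, value) pairs whose normalised value contains the keyword."""
    needle = normalise(keyword)
    return [(f, v) for f in NAME_FIELDS for v in record.get(f, [])
            if needle and needle in normalise(v)]


def whereis(keyword, records):
    """Map each matching CIDR to the fields that caused the match, so the
    reviewer can see *why* a range was returned and discard look-alikes."""
    results = {}
    for text in records.values():
        record = parse_whois(text)
        hits = keyword_hits(record, keyword)
        if not hits:
            continue
        for net in record_cidrs(record):
            results[str(net)] = hits
    return results


if __name__ == "__main__":
    for kw in ("example", "private bank"):
        print(f"$ ./whereis.py {kw!r}")
        for cidr, hits in sorted(whereis(kw, SAMPLE_WHOIS).items()):
            print(f"  {cidr:<20} matched on {', '.join(f'{f}={v}' for f, v in hits)}")
```

Each returned CIDR carries the field and value it matched on, which is the check the post performs by hand with whois -a: the keyword example pulls in IMPORTEXAMPLES, EXAMPLEESSAYS and Digital Example alike, so the hits list is what you review before any range is scanned.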
Example 2 - encapsulated string
$ ./whereis.py "private bank"
22.214.171.124/29
126.96.36.199/29
188.8.131.52/28
...
Again we check the results manually with whois:
$ whois -a 184.108.40.206
NetRange:   220.127.116.11 - 18.104.22.168
CIDR:       22.214.171.124/29
NetName:    BORELPRIVATEBANKTRUS   <---- matches here
We have hosted our code on github:
Netscylla and its staff cannot be held responsible for any abuse arising from this blog post. This post is intended to raise awareness of mapping publicly accessible infrastructure linked to specific organisations or keyword patterns. REMEMBER: it is illegal to attempt unauthorised access to any system you do not personally own, unless you have explicit written permission from the system owner!