Last week, I was in Germany to attend the TROOPERS security conference and I had the opportunity to follow Chris Truncer's talk about passive intelligence gathering. Passive intelligence is a must-do when you need to collect information about a target (when working from the offensive side) or an attacker (from the defensive side). It helps to collect as much information as possible and often relies on OSINT (Open Source INTelligence, publicly available data). From a defensive point of view, the first step is to collect logs (as much as you can). And what do we find in logs? Mostly IP addresses! We can have tons of IP addresses collected every day. The next step is to get more information about them and it is often a pain. During his talk, Chris presented his tool (called Just-Metadata) that helps to collect and manage information on IP addresses. This is performed via

When I tested the tool, I was surprised to not see any module for DShield! As we have a nice database of IP addresses and reputation, why not use it from Just-Metadata? The tool being very modular, it was easy to add an extra module to gather information from our database and a simple reporting module.
[] Please enter a command: list gather
Shodan = Requests Shodan for information on provided IPs
GeoInfo = This script gathers geographical information about the loaded IP addresses
DShield = This module checks DShield for hits on loaded IPs
Whois = This module gathers whois information
FeedLists = This module checks IPs against potential threat lists
MyWOT = Requests MyWOT for domain reputation information on provided domains
VirusTotal = This module checks VirusTotal for hits on loaded IPs
All = Invokes all of the above IntelGathering modules
[] Please enter a command: list analysis
TopNetBlocks = Returns the top X number of most seen whois CIDR netblocks
Keys = Returns IP Addresses with shared public keys (SSH, SSL)
FeedHits = Lists IPs being tracked in threat lists
DShield = Returns IP addresses with results in DShield
PortSearch = Returns the top X number of most used ports
TopPorts = Returns the top X number of most used ports
Country = Search for IPs by country of origin
MyWOTDomains = Parse mywot domain reputation results
GeoInfo = Analyzes IPs geographical/ISP information
Virustotal = Returns IP addresses with results in VirusTotal
All = Invokes all of the above Analysis modules
[] Please enter a command: load ip.txt
[*] Loaded 5 systems
[] Please enter a command: gather all
Querying Shodan for information about 120.27.31.143
Querying Shodan for information about 77.247.182.246
Querying Shodan for information about 193.169.52.214
Querying Shodan for information about 46.4.120.238
Querying Shodan for information about 101.200.0.122
Getting info on... 120.27.31.143
Getting info on... 77.247.182.246
Getting info on... 193.169.52.214
Getting info on... 46.4.120.238
Getting info on... 101.200.0.122
Information found on 120.27.31.143
Information found on 77.247.182.246
No information within DShield for 193.169.52.214
No information within DShield for 46.4.120.238
Information found on 101.200.0.122
Gathering whois information about 120.27.31.143
Gathering whois information about 77.247.182.246
Gathering whois information about 193.169.52.214
Gathering whois information about 46.4.120.238
Gathering whois information about 101.200.0.122
Grabbing list of TOR exit nodes..
Grabbing attacker IP list from the Animus project...
Grabbing EmergingThreats list...
Grabbing AlienVault reputation list...
Grabbing Blocklist.de info...
Grabbing DragonResearchs SSH list...
Grabbing DragonResearchs VNC list...
Grabbing NoThinkMalware list...
Grabbing NoThinkSSH list...
Grabbing Feodo list...
Grabbing antispam spam list...
Grabbing malc0de list...
Grabbing MalwareBytes list...
Information found on 120.27.31.143
Information found on 77.247.182.246
Information found on 193.169.52.214
Information found on 46.4.120.238
Information found on 101.200.0.122
[] Please enter a command: save

Then, you can use analysis modules to build intelligence from the collected data. Here is a sample:
[] Please enter a command: analyse dshield 10
**********************************************************************
 IPs and Detected Counts
**********************************************************************
101.200.0.122: 832 count(s)
120.27.31.143: 596 count(s)
77.247.182.246: 186 count(s)
**********************************************************************
 IPs and Attacked Targets
**********************************************************************
101.200.0.122: 270 target(s)
120.27.31.143: 119 target(s)
77.247.182.246: 7 target(s)
**********************************************************************
 IPs and Detected Risk
**********************************************************************

I sent a pull request to Chris yesterday and he already merged it. The tool is available on his GitHub repository. It's easy to set up, does not have a lot of dependencies and it runs smoothly in

Xavier Mertens
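The gather-and-analyse flow the DShield module implements, as an added example that is not the Just-Metadata code itself: one function queries DShield per IP, one normalises the answer (DShield may return numbers as strings or null, which is the "No information within DShield" case), and one ranks the loaded IPs into the three sections of the report above. The endpoint URL and the "count", "attacks" and "maxrisk" field names are assumed from the public isc.sans.edu IP API; the sample answers are constructed and mirror the diary's numbers.

```python
import json
import urllib.request

# DShield per-IP lookup; endpoint and field names assumed from the public isc.sans.edu API
DSHIELD_URL = "https://isc.sans.edu/api/ip/{ip}?json"

# Constructed sample: raw answers for the five diary IPs; null/empty = no DShield data
SAMPLE_RAW = {
    "101.200.0.122": {"ip": {"count": "832", "attacks": "270", "maxrisk": None}},
    "120.27.31.143": {"ip": {"count": 596, "attacks": 119, "maxrisk": None}},
    "77.247.182.246": {"ip": {"count": "186", "attacks": "7", "maxrisk": None}},
    "193.169.52.214": {"ip": {"count": None, "attacks": None, "maxrisk": None}},
    "46.4.120.238": {"ip": {}},
}

def fetch_dshield(ip, timeout=10.0):
    """Gather step: query DShield for one IP (network call, unused by the offline demo)."""
    req = urllib.request.Request(DSHIELD_URL.format(ip=ip),
                                 headers={"User-Agent": "dshield-module-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

def parse_dshield(raw):
    """Normalise one answer: numbers may arrive as ints, strings or null; missing -> 0."""
    rec = raw.get("ip") or {}
    def as_int(key):
        val = rec.get(key)
        try:
            return int(val) if val not in (None, "") else 0
        except (TypeError, ValueError):
            return 0
    return {k: as_int(k) for k in ("count", "attacks", "maxrisk")}

def has_hits(parsed):
    """The gather module's verdict: were any reports found for this IP?"""
    return parsed["count"] > 0

def top_by(results, field, limit):
    """Analysis step: rank IPs with a non-zero value for one field, highest first."""
    ranked = sorted(((ip, r[field]) for ip, r in results.items() if r[field] > 0),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:limit]

def analyse(raw_by_ip, limit=10):
    """Build the three sections of the 'analyse dshield <limit>' report."""
    results = {ip: parse_dshield(raw) for ip, raw in raw_by_ip.items()}
    return {"counts": top_by(results, "count", limit),
            "targets": top_by(results, "attacks", limit),
            "risk": top_by(results, "maxrisk", limit)}
```

Running `analyse(SAMPLE_RAW)` reproduces the three IPs with hits in the same order as the diary's report, with an empty "risk" section because no sample record carries a maxrisk value.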
ISC Handler - Freelance Security Consultant
PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.