Threat Hunting for Free¹

There is no network perimeter anymore!

¹ Free in cost only measured by time and effort.

Well, there is. 

Whether we like it or not, we have perimeters, and defending them is hard; visibility is even harder. Risk management, a risk register, a vulnerability acceptance posture: yeah, you usually hear about these after a security incident. There are some things you can do to fortify your defences that don't require a business case to implement, don't need a project manager, and likely cost less than a coffee.


Adversaries, attackers, breaches, hackers: all familiar words in today's landscape, but it's not as bad as it would appear. You can do a lot for not a lot of your time and effort, and in this blog I will show two services that you can automate to remove a level of uncertainty from your blind spots.

SHODAN

Firstly, there are 100 quality blog posts on defending your network using Shodan, and I will not try to do better than them. Using my own experience and methods, I'll share some ways to gain insight into how attackers use Shodan to find an entry point or a vulnerability to leverage.

So firstly, you'll need to get a Shodan account; they are super cheap, and usually around Black Friday they offer a lifetime account: <https://account.shodan.io/>. Once you've gotten started there, familiarise yourself with the CLI interface and install the tools required using

$ pip install shodan

Then

shodan init API_KEY_HERE

Once you're done installing, hit the --help switch to get a list of commands, read <https://shodan.readthedocs.org/> and, critically, the banner specification: <https://developer.shodan.io/api/banner-specification>

So, in our case we need to identify a subnet to monitor. John has perfectly described how to do this here, but this post goes a little deeper.


So, unless you're fortunate enough to never have heard of SMB or ransomware, you are likely going to be very bored by this set of investigative steps.
 
We're going to use a well-known range of addresses to identify SMB exposure, and then run to someone internally and have a long chat about ransomware insurance or Microsoft upgrade paths, whichever is cheapest (YMMV).

So, we have our range of addresses from Azure. We're going to use the list from here: <https://www.microsoft.com/en-gb/download/details.aspx?id=41653>

We are going to use 13.67.128.0/20 from the Microsoft Azure datacenter list, so given this is a public address range, let's go.

First we go with:

shodan count net:13.67.128.0/20
1375

This will output the total number of devices Shodan can see in the range (1375 here). Not very helpful on its own, so let's chop it up a little more.

Cool, so let's say I was an attacker; I'd be interested in the path of least resistance, right? SMB, RDP, etc. Fire up Metasploit, and then watch as it exploits it all for me.

So let's check whether 445 or 3389 are open in this range. We need to extend the results list a little to be able to see (AFAIK Shodan defaults to 300 results).

shodan stats --facets port:500 net:13.67.128.0/20

will return a list of the top 500 ports in the range, and guess what:


Of course, the ports being open doesn't immediately mean pwnage, and nor should it. Multifactor authentication is available for Azure (not free, but for admins it is), and 445 still needs to actually be vulnerable; of course you can use other tools like Authy, and for O365 there is guidance here. You can check for that using the following command:

shodan count port:445 net:13.67.128.0/20 SMB vuln:MS17-010

In my tests the result was ZERO, so that's good news. So that is a very small step toward protecting the perimeter for less than the price of a coffee, and in about the same time as it would take to drink it.

Here Phishy, phishy...

Next is the excellent tool from @x0rz here.

I've been using my own version of this tool, customised to use some more personally interesting topics such as banking and US political lures. You can do the same for your own company, as I've done in the past with varying success; in our case we're using Microsoft. So we can just comment out all of the junk and put in the following (I recommend combining it with dnstwist), and then we have a long list of likely typo domains, some of which are already showing up in the certificate transparency list.

https://dnstwister.report/search/6d6963726f736f66742e636f6d gives us a lot, so if we use these in conjunction with our list in suspicious.py we may get lucky. This can help us lower the risk of users being phished, or of landing pages being used to harvest credentials, as observed recently by Microsoft here: https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/
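The keyword-plus-lookalike scoring that this kind of tool does is easy to reproduce for your own brand. The script below is an added example (not phishing_catcher's or dnstwist's own code) that scores a constructed batch of CT-log hostnames against Microsoft-flavoured keywords; the weights, TLD list and own-domain allowlist are assumptions you would edit for your organisation.

```python
# Added example, not phishing_catcher's or dnstwist's own code: score hostnames from a
# certificate-transparency feed against brand keywords, catching dnstwist-style
# lookalikes (micr0soft, mircosoft) as well as literal hits. All constants are constructed.
KEYWORDS = {"microsoft": 60, "office365": 50, "outlook": 40, "azure": 40,
            "login": 15, "secure": 10}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq", "xyz", "top", "work"}
OWN_DOMAINS = ("microsoft.com", "azure.com")  # your legitimate domains: never flag these
HOMOGLYPHS = {"o": "0", "i": "1", "l": "1", "m": "rn", "s": "5", "e": "3"}

def permutations(word):
    """Tiny dnstwist-style generator: one omission, transposition or homoglyph swap."""
    out = set()
    for i, ch in enumerate(word):
        out.add(word[:i] + word[i + 1:])                          # micrsoft
        if i + 1 < len(word):
            out.add(word[:i] + word[i + 1] + ch + word[i + 2:])  # mircosoft
        if ch in HOMOGLYPHS:
            out.add(word[:i] + HOMOGLYPHS[ch] + word[i + 1:])    # micr0soft
    out.discard(word)
    return out

def score(hostname):
    """Return (score, reasons) for one hostname; higher means more worth a look."""
    host = hostname.lower().lstrip("*.")  # CT entries often carry wildcard names
    if any(host == d or host.endswith("." + d) for d in OWN_DOMAINS):
        return 0, ["own domain"]           # exact/subdomain match only: evilmicrosoft.com is not exempt
    labels = host.split(".")
    total, reasons = 0, []
    for word, weight in KEYWORDS.items():
        if word in host:
            total += weight; reasons.append(f"keyword {word}")
        elif any(p in host for p in permutations(word)):
            total += weight; reasons.append(f"lookalike of {word}")
    if labels[-1] in SUSPICIOUS_TLDS:
        total += 20; reasons.append(f"tld .{labels[-1]}")
    total += 3 * host.count("-")           # dash-heavy names are a classic lure pattern
    total += 3 * max(0, len(labels) - 3)   # deep subdomain chains hide the real domain
    return total, reasons

def hunt(hostnames, threshold=60):
    """Rank a batch of CT-log hostnames and keep those at or above the threshold."""
    ranked = sorted(((score(h)[0], h) for h in hostnames), reverse=True)
    return [(h, s) for s, h in ranked if s >= threshold]

# Constructed sample of names as they might appear in a CT feed.
SAMPLE = ["mail.microsoft.com", "www.github.com", "*.login.micr0soft-secure.xyz",
          "outlook-web-access.secure-login.tk", "secure.login.account.micros0ft.com"]
if __name__ == "__main__":
    for host, s in hunt(SAMPLE):
        print(f"{s:4d}  {host}  {score(host)[1]}")
```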

Some results here

https://asciinema.org/a/gO6uDVvninfOuIdsnAjePX5vk

Happy Hunting