Muninn Monitoring Changes in the Icelandic Internet Through Repeated Port Scanning
Alex Már Gunnarsson
Níels Ingi Jónasson
Sindri Ingólfsson

Thesis of 12 ECTS credits submitted to the School of Computer Science at Reykjavík University in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science

May 2019

Supervisor: Gylfi Þór Guðmundsson
Examiner: Marcel Kyas
Advisors: Theódór R. Gíslason, Hlynur Óskar Guðmundsson

Acknowledgements

We would like to give special thanks to these individuals and organizations.

Syndis was very generous to accommodate us by providing us with an office space, lunches and caffeine as well as advice from experts in the field.
CERT for showing great interest in the project and providing advice regarding ethical concerns.
Opin Kerfi was nice enough to allow us to perform our scans when no other service provider was willing to host us.
Hlynur Þór Óskarsson for taking time out of his busy schedule to provide us with guidance on a weekly basis.
Theódór Ragnar Gíslason for encouragement and being there when we needed to consult his expertise.
Gylfi Þór Guðmundsson for being constantly ready to help and molding our mass of stupid ideas into good ones.

Contents

1 Introduction
2 Background
    2.1 Standards and Definitions
    2.2 Internet Census 2012
    2.3 Shodan
    2.4 Application for Historical Service Assessment (AHSA)
    2.5 Heimdallur
3 Analysis of the Icelandic Internet
    3.1 Problematic Firewalls
    3.2 Scanning the full port range
    3.3 Banners versus CPEs
    3.4 Noteworthy banners
    3.5 Scan Delta
4 Design and Implementation of Muninn
    4.1 Design
    4.2 Implementation
5 Evaluation and Results
    5.1 Selective scanning with Muninn
    5.2 Targeted Scanning with Muninn
6 Discussion
    6.1 Ethics
    6.2 Computer Emergency Response Team (CERT)
    6.3 Limitations
7 Future Work
    7.1 Automated tracking of changes
    7.2 Deeper scan
    7.3 Distribution of the platforms
    7.4 CPE extraction
    7.5 Going beyond Iceland
8 Conclusion

Abstract

The world is becoming ever more connected. Home routers, web cameras, databases, TVs and even garden sprinklers are all examples of devices that are now connected to the Internet. In this connected landscape hackers constantly look for vulnerable devices. A single version upgrade can mean the difference between a safe and a compromised machine. In this paper we analyse the data made available by the port scanner Heimdallur. We aim to answer our research question: Can we monitor changes of the Icelandic Internet in semi real time through repeated port scanning? We constructed a new port scanner, Muninn, which uses historical information to scan even faster than previously possible. Muninn has two main uses. Firstly, Muninn can obtain an updated view of all responsive Icelandic Internet services in just a few hours. This allows us to monitor any changes happening on the Internet. Secondly, Muninn can find and monitor any specific set of services very closely. This can be crucial following the discovery of a vulnerability. It enables us to track any abnormal activity and see exactly for how long the machines remained vulnerable before updating to a safe version.

1 Introduction

The Internet is a contraction of the words "interconnected network" and it is in this connectivity that the Internet’s greatest strength and its greatest security risks lie. Because of this, any service on the Internet is by design open to everything else unless it is specifically closed or hidden. IoT Analytics estimated that the number of connected devices in 2018 exceeded 17 billion [13].
With so many open and connected devices, anyone with the mind for it can take a look at or even interact with poorly configured services. This inevitably leads to many services being left unintentionally open, often with severe consequences.

This was the case in 2012 when an anonymous researcher decided to scour the Internet for insecure devices. He managed to gain unauthorized access to around 420 thousand devices and turn them into a botnet under his control known as the Carna Botnet [2]. He then decided to use this botnet to scan the entire Internet within an hour and later that year published his findings. Four years later another person, going by the name janit0r, created a similar botnet [12]. However, he had a more malicious intent: over the course of 13 months janit0r managed to destroy 10 million devices around the world, mostly Internet access devices like modems, routers and gateways but also Hikvision and Dahua web cameras. The botnet was aptly named BrickerBot and caused a lot of commotion [21].

Considering all of this, it is no surprise that scanning tools which find and identify running services have become standard for security experts and hackers alike. Many tools which facilitate this, like Nmap [14], have been around for more than 20 years. Today it is easier than ever to search the Internet for connected devices. In fact, services like Shodan scan the Internet and then allow their users to search through the accumulated data [25]. In late November 2018 a person going by the name Hacker Giraffe used Shodan to find printers open to the Internet, and with just a few lines of code 50,000 printers started printing a custom-made message [1]. In an interview Hacker Giraffe said "I’m usually lurking around Shodan... I’m usually just searching around looking for something to mess with. I was really looking for some protocol that should not be opened to the Internet" [22].
This interview reflects not only how easy it is for anyone to find vulnerable connected devices but also how dangerous and simple to abuse such information can be. It is clear that keeping a close eye on the status and responses of connected devices is crucial for computer security today.

Plenty of research has been done on the state and security of the Internet, but this research might not apply to the Internet of a small community like Iceland. There is a lack of research on Internet security in Iceland specifically, and our project will aim to fill that gap.

What most scanners today have in common is that they only provide a single snapshot of the Internet. However, the Internet is ever changing and such a snapshot lacks context of change and direction. The sudden appearance of multiple routers or webcams responding to a scan might indicate possibly vulnerable consumer devices. Additionally, by monitoring changes one might be able to glimpse how fast patches roll out following their release. Knowing this can be crucial in case said patches resolve a critical security vulnerability. This information can, for example, be used to estimate the probability of a security breach by determining how long services remain vulnerable and if some other services were hacked during that time.

Everyone seems to agree that the Internet is ever changing and growing, yet there is barely any research on how the services on the Internet change as time progresses. Our aim is to monitor changes in the Internet in as close to real time as possible so that we can see how the Internet changes and evolves.

Inspired by Norse mythology, we have named our infrastructure Muninn, after one of Odin’s two ravens. The 48th verse of the ancient Nordic poem Gylfaginning describes the ravens as follows:

    Huginn and Muninn fly every day
    over the wide earth;
    I fear for Huginn, that he may not return,
    yet I fear more for Muninn. [26]

Huginn and Muninn are said to fly over the world and return with news to Odin each and every morning. They ensured Odin always knew what was happening in the world of men. This accurately reflects the design of our scanner Muninn, which scans the Icelandic Internet and observes changes happening every day. Additionally, the scanner should be able to find and monitor specific services, ports or IPs more closely if deemed important or interesting.

As we mentioned before, one can do bad things to vulnerable services. As important as this kind of research is, it is equally important to be ethical and to be careful when gathering the information. For this reason we have included a special section on ethics in this report.

2 Background

Services such as Shodan constantly scan the Internet, yet not much research has looked into the idea of monitoring the Internet from a security perspective. Actively watching for vulnerable services and monitoring their updates is not common; however, there is some similar work in this field which relates to ours. In this section we will define all the background material that we build our contribution on, starting by defining some standards and definitions.

2.1 Standards and Definitions

In this section we present key concepts that are needed to understand the research that Muninn is built upon.

2.1.1 IP Addresses, ports and CIDR

An IP address is used to identify servers that host the various Internet services. However, due to Network Address Translation (NAT), we cannot be sure whether there is a single host or multiple devices behind a single IP address. That is why we will mostly refer to IP addresses; however, this should be thought of as interchangeable with hosts or networks.
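
The change monitoring that the introduction argues for (comparing repeated scans and measuring how long a service stayed on a vulnerable version) can be sketched as follows. This is an added example, not Muninn's code: the snapshot layout, the function names `scan_delta` and `exposure_windows`, the 192.0.2.0/24 documentation addresses and the `ExampleFTPd`/`ExampleHTTPd` banners are all assumptions constructed for illustration. Services are keyed by IP address and port, in line with the NAT caveat above.

```python
from datetime import datetime

# Constructed sample data: (scan time, {(ip, port): banner}).
# Addresses are from the documentation range; the products are made up.
SNAPSHOTS = [
    (datetime(2019, 3, 1, 6), {("192.0.2.10", 21): "ExampleFTPd 1.0",
                               ("192.0.2.10", 80): "ExampleHTTPd 2.3",
                               ("192.0.2.20", 21): "ExampleFTPd 1.0"}),
    (datetime(2019, 3, 2, 6), {("192.0.2.10", 21): "ExampleFTPd 1.1",
                               ("192.0.2.10", 80): "ExampleHTTPd 2.3",
                               ("192.0.2.20", 21): "ExampleFTPd 1.0",
                               ("192.0.2.30", 23): "login:"}),
    (datetime(2019, 3, 4, 6), {("192.0.2.10", 21): "ExampleFTPd 1.1",
                               ("192.0.2.20", 21): "ExampleFTPd 1.1",
                               ("192.0.2.30", 23): "login:"}),
]


def scan_delta(old, new):
    """Compare two snapshots keyed by (ip, port)."""
    return {
        "appeared": sorted(new.keys() - old.keys()),
        "disappeared": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def exposure_windows(snapshots, is_vulnerable):
    """For each service ever seen vulnerable, return (first_seen, cleared).

    cleared is the first later scan in which the service no longer matched
    (upgraded or gone), or None if it still matched in the last scan.
    The real window is only known to the resolution of the scan interval.
    """
    first_seen, cleared = {}, {}
    for when, services in snapshots:
        for key in set(services) | set(first_seen):
            vulnerable = key in services and is_vulnerable(services[key])
            if vulnerable:
                first_seen.setdefault(key, when)
                cleared.pop(key, None)  # vulnerable again: window stays open
            elif key in first_seen:
                cleared.setdefault(key, when)
    return {k: (first_seen[k], cleared.get(k)) for k in first_seen}
```

The shorter the interval between scans, the tighter the bound on each exposure window, which is why the speed of a full rescan matters for this kind of monitoring.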