Christopher Truncer's Website

A Hacker's Perspective


just-metadata

Veil-Framework and ChristopherTruncer Website Brute Force and Just-Metadata

October 1, 2015 (updated October 2, 2015) | Christopher Truncer | IT Security | Tags: just-metadata, Veil-Framework

I’ve been monitoring the logs from the Veil-Evasion website and this website, and I noticed over the past couple of days that there have been a lot of attempts to log in to the Veil website. Seeing as I am not logging into it myself, I know this is obviously someone trying to break in. However, this isn’t an attack where the attacker is trying to remain under the radar; this is pretty blatant.

I’ve parsed my Apache logs for any attempt to log into the Veil-Evasion website. This will obviously include my own logins, but they will be the minority. I ran all of the IP addresses through Just-Metadata, and this is what I think is some of the interesting information it discovered:

Short story: the attacker appears to be coming out of Russia. Note: this doesn’t mean it’s a Russian attacker, just that the IP space they are attacking from appears to be Russian.

Top 10 Countries
(Country : Number of Occurrences)
===================================
Russia : 2699
Ukraine : 249
France : 165
Belarus : 60
Brazil : 46
Kazakhstan : 37
Vietnam : 32
Turkey : 31
Georgia : 25
India : 23

Top 10 Cities
(City : Number of Occurrences)
===================================
Moscow, Russia : 329
Roubaix, France : 159
Saint Petersburg, Russia : 107
Yekaterinburg, Russia : 74
Rostov-on-Don, Russia : 72
Novosibirsk, Russia : 71
Nizhniy Novgorod, Russia : 60
Ufa, Russia : 52
Perm, Russia : 50
Samara, Russia : 50
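The post describes the pipeline only in one sentence (parse the Apache log for login attempts, drop the author's own logins, run the IPs through Just-Metadata, read off the "Top 10" tables). The following is an added example, not code from the post or from Just-Metadata itself, that does the same thing end to end on a few constructed Apache combined-format log lines. The login path (`/wp-login.php`), the log format, the sample IPs and the country/city lookup table are all assumptions; the lookup dict stands in for the geolocation data Just-Metadata fetches, and the output is printed in the same layout as the tables above.

```python
import re
from collections import Counter

# Assumed login endpoint; the post only says "attempts to log in to the Veil website".
LOGIN_PATH = "/wp-login.php"

# Apache "combined" access-log layout (assumed; the post does not show its log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: repeated POSTs to the login page from a few IPs, one
# legitimate login from the author's (assumed) own address, and one junk line.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2015:10:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2015:10:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2015:10:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2015:10:00:04 -0400] "GET /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2015:10:00:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2015:10:00:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Oct/2015:10:00:07 -0400] "POST /wp-login.php?redirect_to=%2F HTTP/1.1" 200 3211 "-" "curl/7.38"
192.0.2.9 - - [01/Oct/2015:10:00:08 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Oct/2015:10:00:09 -0400] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

# Constructed stand-in for the geolocation data Just-Metadata gathers per IP.
GEO_COUNTRY = {"203.0.113.5": "Russia", "198.51.100.7": "Ukraine", "203.0.113.77": "France"}
GEO_CITY = {"203.0.113.5": "Moscow, Russia", "198.51.100.7": "Kiev, Ukraine",
            "203.0.113.77": "Roubaix, France"}


def parse_login_attempts(log_text, login_path=LOGIN_PATH, own_ips=()):
    """Count POSTs to the login page per client IP, skipping the author's own IPs."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip it rather than abort the run
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != login_path:
            continue  # only form submissions to the login page count as attempts
        if m["ip"] in own_ips:
            continue  # the post notes the author's own logins are also in the log
        attempts[m["ip"]] += 1
    return attempts


def top_n(attempts, lookup, n=10):
    """Aggregate per-IP attempt counts by one metadata attribute (country, city, ...)."""
    totals = Counter()
    for ip, count in attempts.items():
        key = lookup.get(ip)
        if key is None:
            continue  # as in the tool's output, only IPs with the data available are counted
        totals[key] += count
    return totals.most_common(n)


def format_top(title, label, rows, n=10):
    """Render rows in the same layout as the Just-Metadata tables quoted in the post."""
    lines = [f"Top {n} {title}", f"({label} : Number of Occurrences)", "=" * 35]
    lines += [f"{key} : {count}" for key, count in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    # 192.0.2.9 is the constructed "my own IP" to exclude.
    counts = parse_login_attempts(SAMPLE_LOG, own_ips={"192.0.2.9"})
    print(format_top("Countries", "Country", top_n(counts, GEO_COUNTRY)))
    print()
    print(format_top("Cities", "City", top_n(counts, GEO_CITY)))
```

Whether "Number of Occurrences" in the tool's output counts log entries or distinct IPs is not stated on the page; the example weights each country by attempts, and switching `totals[key] += count` to `+= 1` gives the per-IP variant. Filtering on `POST` rather than on the status code avoids depending on how a given login page signals failure.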

Continue reading →


Just-Metadata – Intel Gathering and Analysis of IP Metadata

June 11, 2015 | Christopher Truncer | Development, IT Security | Tags: IP Metadata, just-metadata, python

Github Repo: https://github.com/ChrisTruncer/Just-Metadata

For some time now, I’ve been working on a tool which aggregates data about IP addresses from publicly available sources. Three separate events prompted this project. First, I began noticing a large number of IP addresses attempting to brute force their way into my mail server. Second, a large number of systems/IPs scanned my web server for vulnerable web applications (Tomcat, phpMyAdmin, etc.). Finally, ATD sometimes receives spam email that contains malware. Justin Warner (@sixdub), ATD’s resident reverse engineer, investigated one of the malware samples in a spam message we received and was able to extract the IP addresses of the callback domain.

I wanted to see if there was anything I could learn about the systems/IPs targeting my server and the malware callback domains we were seeing. Specifically, I wanted to collect the following:

  • IP Whois Information
  • Geographical Information
  • Shodan information (Ports, keys, certificates, etc.)
  • VirusTotal
  • Various Threat Feeds
  • etc…

After a couple of conversations with Justin, I decided to write a tool to do just that. Justin and I brainstormed functionality that would be useful, and the type of information we would want to gather. However, simply gathering the information isn’t necessarily enough to provide any sort of value. It’s the analysis of the available data where I can get something useful. Are the systems that are scanning me owned by the same person/company/etc.? Are they located in the same country? To answer these questions, I wrote Just-Metadata, which I am happy to release today.

Let’s walk through some of the features, and how Just-Metadata works.

(Screenshot: Just-Metadata main menu)

To start off using Just-Metadata, create a text file containing a list of IP addresses (each on a new line). To get the IPs into Just-Metadata, you’ll use the load command and provide the path to the file containing the IP addresses, similar to either of the following:

Continue reading →


An Ongoing Attack – Attacker Metadata Information

May 13, 2015 (updated May 14, 2015) | Christopher Truncer | Development, IT Security | Tags: attack, brute force, just-metadata, virustotal

It appears that my personal server and the Veil-Framework server are under attack from someone attempting to brute force their way into our mail servers. I noticed this yesterday (5/12) around noon (Eastern Time Zone), and it is still underway as of the time of this article. I’ve been monitoring the logs, and these attacks aren’t coming from a single IP address, but from IPs all over the world.

I have a tool that I am working on that can be used in this scenario. Right now, I want to try to find as much information about the systems attacking me as I can from publicly available information, without directly interrogating the attacking systems. Some of the information that I try to gather is information such as:

  • Geo-location information
    • Country
    • City
    • Timezone
    • GPS Coordinates
  • ISP
  • Is it a known attacker documented by the Animus Project?
  • Do the attacking IP addresses share any common traits
    • SSH Keys
    • HTTPS Certificates
    • Certificate Chains
  • What common ports are open across the attacking IPs?
  • Are any of the IPs known by VirusTotal?

For anyone that is interested in obtaining the attacking IPs from me, just feel free to reach out to me. This tool will still need some work on its output formatting, but I figured I’d want to give a dump of the raw output in case anyone found its information useful. Ideally, this attacker metadata information can be helpful to others, but I’d also love to hear if there are tweaks that would make this information more useful.

Here’s some of the data about the systems that are currently attacking my servers (OBVIOUS NOTE: The information here is just about the systems attacking me, and where they are coming from. An IP address does not equal attribution. Also, the information that is calculated for “Top X” output is only calculated if the information is available.)

Top 10 Countries
(Country : Number of Occurrences)
===================================
India : 300
Vietnam : 292
Peru : 206
Russia : 164
Germany : 134
Iran : 127
Kazakhstan : 126
Belarus : 94
Ukraine : 71
Mexico : 69
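The questions listed above (do the attacking IPs share SSH keys or certificates, which ports are open across them, which are already known to VirusTotal) are cross-IP analysis rather than per-IP lookup. The following is an added example, not the tool's own code, that answers them over a small constructed set of per-IP metadata records. The record layout, the IPs, the SSH key fingerprints and the VirusTotal detection counts are all made up for illustration; in practice the records would be whatever the tool collected from Shodan, VirusTotal and the other sources named in the post, and the point is that identical host keys across unrelated IPs, or one port open on nearly every attacker, is what suggests a shared operator or a shared image rather than independent machines.

```python
from collections import Counter, defaultdict

# Constructed metadata records, one per attacking IP. Field names and values are
# assumptions for this example; they are not the tool's output format.
RECORDS = {
    "203.0.113.5":  {"ports": [22, 80, 443], "ssh_key": "SHA256:CONSTRUCTED-KEY-A", "vt_detections": 3},
    "203.0.113.6":  {"ports": [22, 3389],    "ssh_key": "SHA256:CONSTRUCTED-KEY-A", "vt_detections": 0},
    "198.51.100.7": {"ports": [22, 80],      "ssh_key": "SHA256:CONSTRUCTED-KEY-B", "vt_detections": 1},
    "198.51.100.8": {"ports": [80, 443],     "ssh_key": None,                       "vt_detections": 0},
}


def shared_values(records, field):
    """Map each value of `field` that more than one IP exposes to the sorted IPs sharing it.

    A host key or certificate seen on several attacking IPs is a common trait worth
    reporting; values seen only once, or missing entirely, are dropped.
    """
    by_value = defaultdict(set)
    for ip, rec in records.items():
        value = rec.get(field)
        if value is not None:
            by_value[value].add(ip)
    return {value: sorted(ips) for value, ips in by_value.items() if len(ips) > 1}


def common_ports(records):
    """Count, per port, how many distinct IPs expose it (each IP counted once per port)."""
    counts = Counter()
    for rec in records.values():
        for port in set(rec.get("ports", [])):  # set(): a duplicated port entry is one IP
            counts[port] += 1
    return counts.most_common()


def vt_known(records):
    """IPs that at least one VirusTotal engine has flagged, sorted for stable output."""
    return sorted(ip for ip, rec in records.items() if rec.get("vt_detections", 0) > 0)


def report(records):
    """Plain-text summary in the spirit of the tool's 'Top X' output."""
    lines = ["Shared SSH keys", "=" * 35]
    for key, ips in shared_values(records, "ssh_key").items():
        lines.append(f"{key} : {', '.join(ips)}")
    lines += ["", "Open ports across attacking IPs", "(Port : Number of IPs)", "=" * 35]
    lines += [f"{port} : {n}" for port, n in common_ports(records)]
    lines += ["", "Known to VirusTotal", "=" * 35] + vt_known(records)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RECORDS))
```

Counting distinct IPs per port (rather than raw port sightings) is deliberate: the question in the post is what is common *across* the attackers, so one IP with a duplicated port entry should not inflate the count.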

Continue reading →

