Framedragger: (the SYN probes to the full ipv4 space are the easy part, and those have already been done across 3 different machines for maximum sciency science (http://siphnos.mkj.lt/datadrop/2017/port22-ip/); key extraction is the thing that's left)
Framedragger: and in scanning news, launched ipv4 rescan. (1st phase, which is easier than 2nd phase (key extraction), but will give us some interesting data nonetheless.)
Framedragger: yeah. ftr i do not survive or profit from vps. it can be useful sometimes (such as FOR INSTANCE for scanning the damn ipv4, overnight, and not paying for whole month, or for whole box.)
Framedragger: cock.li served its mission for doing initial ipv4 space scans, tho
Framedragger: just ftr, i've been poking around scans.io which now has a search interface for (e.g.) all ipv4 space (among other things). e.g.: https://www.censys.io/ipv4/ (ssh - banner, whole public key, etc.; also https, etc etc.)
Framedragger: well, maybe he treats his ipv4 assets the same way he treats outstanding paypal cents, i.e. something he may prefer to get rid of. :) but that was an uninformed assumption of mine
Framedragger: hey mircea_popescu, you still got a bunch of ipv4 addresses available? are they under a single /16? i may be interested in purchasing/leasing them from you for a non-tmsr related project
Framedragger: (format in TXTs is simple CSV: ipv4address,banner -- the latter may contain spaces, commas etc, but any surrounding whitespace (incl newlines) is stripped. there's only one banner per ipv4 even though *same* scan sometimes returned multiple (slightly different, e.g. includes or excludes OS string) banners.)
Framedragger: asciilifeform: btw banners: i'm yet to clean up the logs (some time next week or thereafter), but just in case you're eager (prolly have lots on yer head tho), here they are: http://siphnos.mkj.lt/datadrop/banners/ ; s1 has 13 files corresponding to the 13 bundles; s2 is from the additional bundle i sent you later (the re-scan + additional hosts). together this constitutes whole ipv4.
Framedragger: asciilifeform: makes me want to try top 100 password lists on telnet/ssh/etc on the whole ipv4, you know
Framedragger: also, i may want to re-run the base ipv4 ssh server finder at some point, i'm sure i'll get some more keys :p
Framedragger: http://btcbase.org/log/2016-07-19#1506544 << i've a $10 vps, no complaints, i did the initial ipv4 probing off of that. didn't run any i/o etc benchmarks tho. any particular questions (i can run some benchmark if you want)
Framedragger: this concludes the ipv4 ssh key scan (the new keys are due to re-scan + the previously-excluded hetzner hosting ip ranges). i may rescan in a couple of weeks or a month to see how many new etc (and in general it would be a good and interesting exercise, etc.) some kind of writeup will follow...eventually
Framedragger: the excluded ranges for anyone curious: (the ones before "# temporary" are default for masscan, based on ipv4 reserved ranges from IANA)
Framedragger: from rescan of ipv4, from 'untainted' ip addresses. the ">1M" is due not only to rescan itself, but also because i had excluded ipv4 ranges for hetzner which had been sending tons of abuse complaintz. i can handle those complaints now. but i had forgotten about exclusion of hetzner ssh hosts. the new tarball will fix this (it won't include any old ssh keys, only new ones).
Framedragger: vc reminds me, i'll re-do the port 22 ipv4 probe on his cockful box :p
Framedragger: yeah i'm not certain how representative that figure is of whatever, honestly. with all metaphor removed, it literally is "the number of ipv4 hosts which respond to a TCP SYN to port 22 with TCP ACK [packet with ACK flag set]". i'm fairly confident that i haven't missed many hosts of this kind, but too should be replicated and tested.
Framedragger: (i used one vps at a time (switched due to abuse complaints and so that i'd be sure there's no filtering / results are not biased) for the "which IPs out of all IPv4 are alive behind :22" scan, and i then used 13 cheap VPSes for the actual ssh key extraction out of the 20.8M alive candidates. if curious re cost: will get the bill for the 13 VPSes later, but it was basically 11 hours of scanning, 2.99eur / mo. per VPS, hourly billing, so
Framedragger: asciilifeform: mircea_popescu: i'd like to interrupt this joyful occasion of copulation of you two by noting that ssh-rsa keys of all of ipv4 are now ready for phuctoring and further analysis; they are in the format of e,N,ipaddress. there's 10.6M of them, out of 20.8M something-listening-on-port-22 hosts. rejoice!
Framedragger: ..sooo, ~21.1M ssh hosts with port 22 open in ipv4 space. i expected more, but a time will come for a re-scan, and i finally got around to 'streamlining' the process, and vc's idontcareaboutscans policy helped here, so re-scan will be a piece of cake.
Framedragger: someone also tried spidering ssh keys from .onion hosts, and then matching them with ssh keys of ipv4 space; i want to re-try that, too
Framedragger: vc: cool, and i remember you saying this the first time otherwise wouldn't have done it, just wanted to let you know that these particular scans won't (*completely*) trash the reputation of the currently assigned ipv4 :)
Framedragger: (gun resume and finish ipv4 open ssh port scans tonight with vc's node (vc: it's randomized ip range scan and only 30 kpackets/s, before you ask), and then deploy ~10 vps nodes for ssh key extraction, feeding port-22-open-list from the former into the latter.)
Framedragger: http://btcbase.org/log/2016-06-02#1475260 << (i'm busy with afk stuff and most probably won't be able to resume the ipv4 ssh keyscan thing until some time next week. but i'll ping you once this is done)
Framedragger: digital ocean e.g. - scanned more than quarter of ipv4 space using TCP SYN (masscan) - so just to see which :22 hosts are up - received numerous abuse complaints from all over the net, all forwarded to me
Framedragger: (again, general ipv4 mapping is no prob, it's the more particular ssh key extraction that is slow and very hax0ry apparently)
Framedragger: (scanning the whole ipv4 in the sense of "check if something's listening behind this port, for all IPs" is apparently the easy part, even with no/little investment. you don't need to use stateful sockets etc. extracting particular info after doing some back-and-forth is where it's harder to scale.)
Framedragger: ..hrm. zmap finished scanning sixteen /8's (so a sixteenth of ipv4 space, minus reserved blocks), but in those blocks there were two known servers running openssh which was picked up by ssh-keyscan. they weren't picked up by zmap. if the thing is unreliable then it's worthless (it still found > 95k of ssh servers though, but...)
Framedragger: "With [... some custom] changes, ZMap can comprehensively scan for a single TCP port across the entire public IPv4 address space [on a 10Gbps pipe, looks like] in 4.5 minutes given adequate upstream bandwidth." https://www.usenix.org/system/files/conference/woot14/woot14-adrian.pdf - not bad
Framedragger: i'm considering running zmap on high-throughput server to quickly get all internet-connected machines in ipv4 space, and then feeding that into ssh-keyscan. may be more efficient. also need to get some disposable ip addresses or something, cause according to internet my coupla server IPs will soon be added to some shitlist
Framedragger: so, like, presumably, one would want keys of ssh servers that are behind *all* routable public ipv4 addresses?