Dailydave mailing list archives
SmartLists
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 16 Nov 2006 08:42:32 -0500
[Admin note: The mailing list might have kicked you off after receiving a bounce notice from you. It's not personal, it's just DNS issues or something. Maybe your spam rejection hated something someone said.]

So one thing going into CANVAS next month is something I call a SmartList. The problem you have is that people give you a class B, or a huge list of active IPs, and say "Attack this, but don't hurt anything when you do." The normal way you'd avoid hurting anything is by saying "Give me a list of all the IP ranges where sensitive things are, and I won't scan those as hard." But this is pretty bad, because perhaps they forget to give you the mainframe's IP and you crash it and then bloody fun ensues.

So a SmartList is like a blacklist, but instead of relying on things you know before your scan starts, it uses information gathered during your attacks to stop attacking anything it finds out matches a particular set of features you've designated as sensitive. For example, you can say "Don't attack anything where the netbios server name is PROD.*" and none of your production servers will be attacked once it learns their netbios name. Or you can say "Don't attack any servers that GEOIP says have extradition treaties with the United States." Or you can say "Don't attack any servers that are running kerberos (aka, domain controllers)." "Don't attack any servers where a user 'bob' is logged in." "Don't attack the Windows NT 4.0 machines." Etc.

Just doing the numbers here in my head, with a starting point of a normal Linux laptop doing a full CANVAS attack on a class C in 10 minutes (we use 256 threads, so each IP gets attacked at once), a full class B would take around 15 hours. That means about a day per class B, so a full Internet scan, with 255 attacking machines, would take 255 days.
So let's say once a year you can scan the entire Internet space for all exploitable vulnerabilities and own everything ownable for around 2,385,000 USD. To get that number I added:

Bandwidth and hosting for 255 machines at $500 per month: 1,530,000
Machines themselves: 765,000
CANVAS Licenses (30 at 3K each. Each license allows for 10 installs): 90,000

Two million might seem like a lot of money, but maybe you can get a better deal on hosting than I can. And the second year you don't have to buy the machines themselves. Even CANVAS is cheaper the second year, not that it's a big part of your costs. I estimate it costs you 1,788,750 yearly to do this every year. That's today's prices, without any optimization on the process itself, of which there are several I can think of right now that we haven't done (new exploits come out, so you need to update intelligently, and there are lots of dead IP spaces you can just ignore, for example).

Two million dollars is what the Navy spends per year on managing IDS systems for every base, I'd guess. Let's take them out of one of the bases and do this instead. Alternatively, we can let organized crime do it for us. The process is essentially free (although less reliable) if 255 people each donate a box on a cable modem.

Just this morning's thoughts.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
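Editor's added example (not CANVAS code and not part of Dave's mail): a small Python sketch of the SmartList idea described above. A rule is a predicate over whatever the scanner has learned about a host so far; the moment any rule matches, the host is excluded from further attacks, even though it was not on any blacklist when the scan started. The rule names, fact keys (netbios_name, open_tcp, logged_in_users, os) and the sample hosts are all made up for illustration. It also shows the caveat implicit in "once it learns their netbios name": a host may take a hit before the feature that would have protected it is observed.

```python
"""SmartList: a dynamic exclusion list fed by facts learned mid-scan.

Added illustration, not CANVAS code. Fact keys and sample hosts are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Facts = Dict[str, object]


@dataclass
class Rule:
    name: str                          # reason recorded when the rule fires
    predicate: Callable[[Facts], bool]  # evaluated over everything known about a host


@dataclass
class SmartList:
    rules: List[Rule]
    facts: Dict[str, Facts] = field(default_factory=dict)   # ip -> learned facts
    excluded: Dict[str, str] = field(default_factory=dict)  # ip -> rule that fired

    def learn(self, ip: str, **new_facts) -> bool:
        """Merge newly discovered facts; return True if ip may still be attacked."""
        host = self.facts.setdefault(ip, {})
        host.update(new_facts)
        if ip in self.excluded:
            return False
        for rule in self.rules:
            # Predicates use .get() so a rule whose fact is still unknown is simply "no match yet".
            if rule.predicate(host):
                self.excluded[ip] = rule.name
                return False
        return True

    def may_attack(self, ip: str) -> bool:
        return ip not in self.excluded


# Rules paraphrasing the examples in the mail (hypothetical fact keys).
DEFAULT_RULES = [
    Rule("netbios PROD.*",
         lambda h: re.match(r"PROD.*", str(h.get("netbios_name", ""))) is not None),
    Rule("kerberos (domain controller)",
         lambda h: 88 in h.get("open_tcp", set())),
    Rule("user bob logged in",
         lambda h: "bob" in h.get("logged_in_users", [])),
    Rule("Windows NT 4.0",
         lambda h: h.get("os") == "Windows NT 4.0"),
]

# Constructed scan observations in discovery order: (ip, facts learned at that step).
SAMPLE_OBSERVATIONS: List[Tuple[str, Facts]] = [
    ("10.0.0.5", {"netbios_name": "PROD-SQL01"}),
    ("10.0.0.6", {"open_tcp": {135, 139, 445}}),      # nothing sensitive known yet -> attacked
    ("10.0.0.6", {"logged_in_users": ["alice", "bob"]}),  # bob shows up -> excluded from here on
    ("10.0.0.7", {"open_tcp": {88, 389, 445}}),       # kerberos -> domain controller
    ("10.0.0.8", {"os": "Windows 2000"}),
    ("10.0.0.9", {"os": "Windows NT 4.0"}),
]


def simulate_scan(observations: List[Tuple[str, Facts]],
                  rules: List[Rule] = DEFAULT_RULES) -> Tuple[List[str], Dict[str, str]]:
    """Feed observations to a SmartList; return (ips attacked at each step, exclusions)."""
    sl = SmartList(rules=rules)
    attacked: List[str] = []
    for ip, facts in observations:
        if sl.learn(ip, **facts):
            attacked.append(ip)   # the attack step would run here
    return attacked, sl.excluded


def demo() -> Tuple[List[str], Dict[str, str]]:
    return simulate_scan(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    hit, skipped = demo()
    print("attacked:", hit)
    for ip, why in skipped.items():
        print(f"excluded {ip}: {why}")
```

Note that 10.0.0.6 is attacked once before "bob" is observed; a SmartList narrows the damage window, it does not eliminate it, so the static list the client hands you still belongs in the same engine as ordinary pre-seeded facts.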
Current thread:
- SmartLists Dave Aitel (Nov 16)
- Re: SmartLists Jason (Nov 16)