Dailydave mailing list archives

SmartLists

From: Dave Aitel <dave () immunityinc com>
Date: Thu, 16 Nov 2006 08:42:32 -0500


[Admin note: The mailing list might have kicked you off after
receiving a bounce notice from you. It's not personal, it's just DNS
issues or something. Maybe your spam rejection hated something someone
said.]

So one thing going into CANVAS next month is something I call a
SmartList. The problem you have is that people give you a class B, or
a huge list of active IPs, and say "Attack this, but don't hurt
anything when you do."

The normal way you'd avoid hurting anything is by saying "Give me a
list of all the IP ranges where sensitive things are, and I won't scan
those as hard." But this is pretty bad, because perhaps they forget to
give you the mainframe's IP and you crash it and then bloody fun ensues.

So a SmartList is like a blacklist, but instead of relying on things
you know before your scan starts, it uses information gathered during
your attacks to stop attacking anything it finds out matches a
particular set of features you've designated as sensitive.

For example, you can say "Don't attack anything where the netbios
server name is PROD.*" and none of your production servers will be
attacked once it learns their netbios name. Or you can say "Don't
attack any servers that GEOIP says have extradition treaties with the
United States." Or you can say "Don't attack any servers that are
running kerberos (aka domain controllers)." "Don't attack any
servers where a user 'bob' is logged in." "Don't attack the Windows NT
4.0 machines." Etc.

Just doing the numbers here in my head, with a starting point of a
normal Linux laptop doing a full CANVAS attack on a class C in 10
minutes (we use 256 threads, so each IP gets attacked at once), a full
class B would take around 15 hours. That means about a day per class
B, so a full Internet scan, with 255 attacking machines, would take
255 days. So let's say once a year you can scan the entire Internet
space for all exploitable vulnerabilities and own everything ownable
for around 2,385,000 USD.

To get that number I added:
Bandwidth and hosting for 255 machines at $500 per month: 1,530,000
Machines themselves: 765,000
CANVAS licenses (30 at 3K each; each license allows for 10 installs): 90,000

Two million might seem like a lot of money, but maybe you can get a
better deal on hosting than I can. And the second year you don't have
to buy the machines themselves. Even CANVAS is cheaper the second
year, not that it's a big part of your costs.
I estimate it costs you 1,788,750 yearly to do this every year. That's
today's prices, without any optimization on the process itself, of
which there are several I can think of right now that we haven't done
(new exploits come out, so you need to update intelligently, and there
are lots of dead IP spaces you can just ignore, for example).

Two million dollars is what the Navy spends per year on managing IDS
systems for every base, I'd guess. Let's take them out of one of the
bases and do this instead.

Alternatively, we can let organized crime do it for us. The process is
essentially free (although less reliable) if 255 people each donate a
box on a cable modem.

Just this morning's thoughts.

-dave

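As an added example, not CANVAS code and not part of the post: a small Python sketch of a SmartList that re-evaluates its rules every time a new fact about a host is learned, using the four rules the post names. The Host and SmartList classes, the fact keys and the sample hosts are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed SmartList illustration: a blacklist grown from facts learned during the run; all names and hosts are assumptions.

@dataclass
class Host:
    ip: str
    facts: dict = field(default_factory=dict)   # e.g. {"netbios_name": "PROD-DB1"}
    excluded_by: Optional[str] = None           # description of the rule that matched

class SmartList:
    def __init__(self):
        self.rules = []   # (description, predicate over the host's facts)

    def add_rule(self, description, predicate):
        self.rules.append((description, predicate))

    def learn(self, host, **new_facts):
        """Record newly observed facts and re-check every rule; True if still in scope."""
        host.facts.update(new_facts)
        for desc, pred in self.rules:
            if host.excluded_by is None and pred(host.facts):
                host.excluded_by = desc
        return host.excluded_by is None

def fact_matches(key, pattern):
    """Rule helper: the fact exists and fully matches a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda f: key in f and rx.fullmatch(str(f[key])) is not None

def build_demo_list():
    sl = SmartList()   # the four rules are the ones named in the post
    sl.add_rule("netbios name PROD.*", fact_matches("netbios_name", r"PROD.*"))
    sl.add_rule("kerberos listening (likely a DC)", lambda f: 88 in f.get("open_ports", ()))
    sl.add_rule("user bob logged in", lambda f: "bob" in f.get("logged_in_users", ()))
    sl.add_rule("Windows NT 4.0", fact_matches("os", r"Windows NT 4\.0.*"))
    return sl

def run_demo():
    """Feed facts in the order a scan would discover them (constructed hosts)."""
    sl = build_demo_list()
    a, b, c, d = Host("10.0.0.1"), Host("10.0.0.2"), Host("10.0.0.3"), Host("10.0.0.4")
    sl.learn(a, open_ports=(135, 139, 445))   # nothing sensitive yet: still in scope
    sl.learn(a, netbios_name="PROD-FILE01")   # name learned later: now excluded
    sl.learn(b, open_ports=(88, 389, 445))    # kerberos seen: excluded on first contact
    sl.learn(c, os="Windows 2000", logged_in_users=("alice",))   # stays in scope
    sl.learn(d, os="Windows NT 4.0 SP6")
    return {h.ip: h.excluded_by for h in (a, b, c, d)}
```

The point is that exclusion is a one-way latch: once a host has matched a sensitive rule, later facts cannot put it back in scope.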
