Monday, August 15, 2005

Routing Enumeration

One of the cooler sections in Extreme Exploits covers ways to learn about a target network by looking at routes to those networks. I showed a few ways to use this data two years ago, but here's a more recent example.

Let's say I want to find out more about the organization hosting the Extreme Exploits Web site. First I resolve the hostname to an IP address.

host www.extremeexploits.com
www.extremeexploits.com has address 69.16.147.21

Now I use whois to locate the owner's netblock.

whois 69.16.147.21
Puregig, Inc. PUREGIG1 (NET-69-16-128-0-1)
69.16.128.0 - 69.16.191.255
VOSTROM Holdings, Inc. PUREGIG1-VOSTROM1 (NET-69-16-147-0-1)
69.16.147.0 - 69.16.147.255

# ARIN WHOIS database, last updated 2005-08-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Now I telnet to a route server and make queries about this netblock.

route-server.phx1>sh ip bgp 69.16.147.0
BGP routing table entry for 69.16.147.0/24, version 84120350
Bestpath Modifiers: always-compare-med, deterministic-med
Paths: (2 available, best #2)
Not advertised to any peer
22822 11588, (received & used)
67.17.64.89 from 67.17.81.24 (67.17.81.24)
Origin IGP, metric 0, localpref 300, valid, internal
Community: 3549:4044 3549:30840 22822:4012 22822:9120
Originator: 67.17.80.225, Cluster list: 0.0.0.11
22822 11588, (received & used)
67.17.64.89 from 67.17.80.251 (67.17.80.251)
Origin IGP, metric 0, localpref 300, valid, internal, best
Community: 3549:4044 3549:30840 22822:4012 22822:9120
Originator: 67.17.80.225, Cluster list: 0.0.0.11

I learn a few details:

  • The autonomous system for this network is truly a /24, as shown by "BGP routing table entry for 69.16.147.0/24"

  • The AS number for 69.16.147.0/24 is 11588. Its upstream provider AS is 22822. (AS data is read right-to-left.)

Now I want to find out if any other networks belong to this AS.

route-server.phx1>sh ip bgp regexp _11588$
BGP table version is 97334640, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* i63.78.12.0/22 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.128.0/19 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.147.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.187.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i69.16.191.0/24 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i140.99.96.0/19 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i208.247.17.0 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i209.50.48.0/20 67.17.64.89 0 300 0 22822 11588 i
*>i 67.17.64.89 0 300 0 22822 11588 i
* i209.50.56.0/21 67.17.64.89 0 300 0 22822 11588 i
Network Next Hop Metric LocPrf Weight Path
*>i 67.17.64.89 0 300 0 22822 11588 i
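As an added example that is not part of the original post, here is a small Python parser for a `sh ip bgp regexp` listing like the one above. It copes with the quirks visible in that output (a continuation row that repeats only the next hop, a network such as 208.247.17.0 printed without a mask because Cisco omits the classful default, and the column header the pager repeats mid-table), reads each AS_PATH right to left to separate origin from upstream, and flags any prefix whose origin is not the AS you expect, which is the check a prefix holder would run against a route server. The sample table is constructed from the row shapes on this page; the 3356 path is borrowed from the Pwhois output later in the post.

```python
import ipaddress
import re
# Constructed sample shaped like the route server's "sh ip bgp regexp _11588$" listing
# (not a live capture). It keeps three quirks of that output: a continuation row that
# repeats only the next hop, a network without a mask, and a header repeated by the pager.
SAMPLE = """\
BGP table version is 97334640, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
   Network          Next Hop            Metric LocPrf Weight Path
* i63.78.12.0/22    67.17.64.89              0    300      0 22822 11588 i
*>i                 67.17.64.89              0    300      0 22822 11588 i
* i208.247.17.0     67.17.64.89              0    300      0 22822 11588 i
   Network          Next Hop            Metric LocPrf Weight Path
*>i                 67.17.64.89              0    300      0 22822 11588 i
*>i69.16.147.0/24   67.17.64.89              0    300      0 3356 11588 i
"""
ROW = re.compile(
    r"^(?P<status>[*>sdhrSi ]{1,3})\s*"                  # e.g. "* i" or "*>i"
    r"(?:(?P<network>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+)?"  # absent on continuation rows
    r"(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<metric>\d+)\s+(?P<locprf>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<path>(?:\d+\s+)*)(?P<origin>[ie?])\s*$"        # AS_PATH, then origin code
)

def classful_len(addr):
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24  # class A / B / C default

def parse_bgp_table(text):
    """Map each announced prefix to every AS path the route server shows for it."""
    table, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header (even when the pager repeats it), blanks
        if m["network"]:
            net = m["network"]
            if "/" not in net:  # Cisco omits the mask when it equals the classful default
                net += f"/{classful_len(net)}"
            current = str(ipaddress.ip_network(net))
        if current is not None:  # a continuation row before any network row is dropped
            table.setdefault(current, []).append([int(a) for a in m["path"].split()])
    return table

def origin_and_upstreams(paths):  # AS_PATH reads right to left: origin last, upstream before it
    return {p[-1] for p in paths if p}, {p[-2] for p in paths if len(p) > 1}

def unexpected_origins(table, expected_as):  # prefixes whose origin is not the AS you expect
    return sorted(p for p, paths in table.items() if origin_and_upstreams(paths)[0] != {expected_as})
```

Against a single route server this is one vantage point only; the same parser runs unchanged on output from a server with more views, such as the route-views server mentioned in the comments.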

We could then run queries on the new networks to learn more about them, e.g.:

whois 63.78.12.0
UUNET Technologies, Inc. UUNET63 (NET-63-64-0-0-1)
63.64.0.0 - 63.127.255.255
ElDorado Sales, Inc. UU-63-78-12 (NET-63-78-12-0-1)
63.78.12.0 - 63.78.15.255

# ARIN WHOIS database, last updated 2005-08-14 19:10

One final cool tool: Victor has a project called Pwhois that provides prefix query information:
whois -h whois.pwhois.org 69.16.147.21
IP: 69.16.147.21
Origin-AS: 11588
Prefix: 69.16.147.0/24
AS-Path: 3356 11588
Cache-Date: 1122289900

I am a real newbie with this BGP and AS stuff. If anyone wants to comment (Trevor, Nate, etc.) I appreciate it.

6 comments:

Anonymous said...

The route server information can be much more interesting if you query a route server with many more views of the BGP table. route-views.oregon-ix.net is a popular one. You have a better chance of seeing the multiple paths/providers to the destination network.

Regex is extremely helpful too. _AS####_ may show other networks behind that network.


Querying the AS number at whois.arin.net or whois.ra.net (needs AS#####) can reveal more network information. Also querying the netblock (i.e. whois -h whois.arin.net NET-63-78-12-0-1) can provide contact and delegation information.

May have to hunt for where their prefixes are registered if not at http://www.radb.net/. But many are.

John K

Anonymous said...

An awesome BGP site is http://www.bgp4.as/

Especially the collection of links under
/BGP tools/utilities/software and /BGP/Looking Glasses

I've also found http://www.completewhois.com/
to be very useful.

Anonymous said...

Richard,

One thing you might find helpful is the IRR (Internet Routing Registry) and their RADB (Routing Assets Database). It can be easily accessed by pointing your whois client to whois.radb.net. For instance:


# whois -h whois.radb.net 69.16.147.0
route: 69.16.128.0/19
descr: Puregig, Inc.
origin: AS11588
mnt-by: MAINT-AS11588
changed: shawn@eldosales.com 20040225
source: SAVVIS

route: 69.16.128.0/19
descr: LLNW
origin: AS11588
mnt-by: MAINT-LLNW
changed: bill@limelightnetworks.com 20040327
source: ALTDB

route: 69.16.147.0/24
descr: PH CBS TRANSIT
origin: AS22773
remarks: Change Ticket# 23327
notify: matt.williams@cox.com
notify: thebackbone@cox.com
notify: CCIATL-NOCEngineer@cox.com
mnt-by: CCINET-2-MNT
changed: david.burns@cox.com 20040505
source: LEVEL3

route: 69.16.147.0/24
descr: Proxy-registered route object
origin: AS11588
remarks: auto-generated route object
remarks: this next line gives the robot something to recognize
remarks: L'enfer, c'est les autres
remarks:
remarks: This route object is for a Level 3 customer route
remarks: which is being exported under this origin AS.
remarks:
remarks: This route object was created because no existing
remarks: route object with the same origin was found, and
remarks: since some Level 3 peers filter based on these objects
remarks: this route may be rejected if this object is not created.
remarks:
remarks: Please contact routing@Level3.net if you have any
remarks: questions regarding this object.
mnt-by: LEVEL3-MNT
changed: roy@Level3.net 20050205
source: LEVEL3


You can also then query that same database for information on either the "origin:" or the "mnt-by:"... So you could do:

# whois -h whois.radb.net AS22773
# whois -h whois.radb.net MAINT-AS11588

-Mestizo

Trevor said...

Yeah, what Mestizo said. (He's ex-UU also so he's cheating) :)

Richard: Since "I got nuthin", you should look at this:

http://www.secsup.org/CustomerBlackHole/

Lots of customers get flooded and attacked a lot (shell servers, etc.). Imagine if you had an IP on your network that kept getting flooded... Well you can use the method described at the URL above to black-hole-route your own IP's. By black hole, I mean you can inject routes into your provider's network that cause the IP to die at your provider's ingress points. Kinda a cool "firewall". Not only are you dropping ALL packets to the IP, but the IP is pretty much gone on your ISP's whole AS based on your command.

Of course, your ISP has to have clue to support this. This is helpful to the router engineer as he doesn't have to wake up at 4am to null-route ANOTHER v-host that's under attack.

Anonymous said...

Ahh yes, UUNet... The good ol' days. I'll never forget the time I got Trevor a shiny new TACACS+ login of his very own, and taught him how to log into his very first backbone router. My, how they grow up quick. :)
