3 comments

Large scale SSH port mapping

by Javantea
June 9, 2008

INTRODUCTION

Doing a bit of preliminary analysis, I found out that I could cheaply portscan a single port on every machine on the internet. To what end? Since I wrote a research virus that exploits weak passwords on SSH, it makes sense to know what servers exist and how likely an SSH attack would succeed against the network as a whole. Though I don't plan to unleash this attack and I don't expect that my virus adds to the already widespread SSH bruteforce attacks currently underway by malicious entities, I would definitely like to research and release data on who is using SSH. Since portscanning is quite easy, I started my server on the task. Note that I'm not releasing a tarball at this time since the software to do this can be printed in the usage section.

You might notice that my data is quite lacking. The final data count is 317 slash 16 (/16) networks mapped. My original plan was to work right through the numbers in random order, but my server went down without a good reason, so I backed off assuming that this much data was probably enough. I plan to finish the data at some point. It should only take a few months and a few hundred dollars that I'm already spending for hosting.

Thanks to the unwitting victims-- err test subjects of this portscan:
216.0.*.* XO Communications
64.0.*.* XO Communications
64.4.*.* MS Hotmail, etc
64.5.*.* PREFERRED COMMUNICATIONS, INC, etc
64.6.*.* Infobahn Outfitters, Inc., etc
...
77.0.*.* Telefonica Deutschland GmbH, etc
And many many more.

DATA

Calculation for cost of a large scale portscan:

Assuming no RST, SYN-ACK, or ICMP return
TCP SYN packet: 58 bytes
2^24 * 58/(1024*1024) = 928 MB for a /8
2^32 * 58/(1024*1024) = 238 GB for all hosts on the internet

SSH Ports open by IP
216.0.*.* 2900
64.0.*.*  1243
64.1.*.*  1230
64.2.*.*  1148
64.3.*.*  1663
64.4.*.* 378
64.5.*.* 782
64.6.*.* 728
64.7.*.* 631
64.8.*.* 1790
64.9.*.* 462
64.10.*.* 0
64.11.*.* 0
64.12.*.* 1515
64.13.*.* 14065
64.14.*.* 1122
64.15.*.* 2766
64.16.*.* 1261
64.17.*.* 2383
64.18.*.* 3282
64.19.*.* 2878
64.20.*.* 2174
64.21.*.* 4411
64.22.*.* 5644
64.23.*.* 2552
64.24.*.* 227
64.25.*.* 1348
64.26.*.* 4787
64.27.*.* 2942
64.28.*.* 2320
64.29.*.* 543
64.30.*.* 402
64.31.*.* 172
64.32.*.* 2673
64.33.*.* 9993
64.34.*.* 7485
64.35.*.* 74
64.36.*.* 0
64.37.*.* 1372
64.38.*.* 4472
64.39.*.* 835
64.40.*.* 4554
64.41.*.* 3318
64.42.*.* 722
64.43.*.* 13
64.44.*.* 16
64.45.*.* 394
64.46.*.* 4256
64.47.*.* 402
77.0.*.* 38
77.1.*.* 20
77.2.*.* 22
77.3.*.* 40
77.4.*.* 44
77.5.*.* 11
77.6.*.* 24
77.7.*.* 29
77.8.*.* 22
77.9.*.* 20
77.10.*.* 24
77.11.*.* 27
77.12.*.* 31
77.13.*.* 0
77.14.*.* 0
77.15.*.* 0
77.16.*.* 0
77.17.*.* 0
77.18.*.* 0
77.19.*.* 0
77.20.*.* 19
77.21.*.* 0
77.22.*.* 0
77.23.*.* 0
77.24.*.* 0
77.25.*.* 0
77.26.*.* 0
77.27.*.* 7
77.28.*.* 97
77.29.*.* 82
77.30.*.* 101
77.31.*.* 142
77.32.*.* 0
77.33.*.* 3
77.34.*.* 69
77.35.*.* 135
77.36.*.* 34
77.37.*.* 1966
77.38.*.* 167
77.39.*.* 123
77.40.*.* 148
77.41.*.* 120
77.42.*.* 8336
77.43.*.* 356
77.44.*.* 373
77.45.*.* 388
77.46.*.* 159
77.47.*.* 234
77.48.*.* 2279
77.49.*.* 521
77.50.*.* 23
77.51.*.* 997
77.52.*.* 31
77.53.*.* 30
77.54.*.* 136
77.55.*.* 0
77.56.*.* 214
77.57.*.* 268
77.58.*.* 37
77.59.*.* 116
77.60.*.* 269
77.61.*.* 258
77.62.*.* 59
77.63.*.* 66
77.64.*.* 62
77.65.*.* 60
77.66.*.* 273
77.67.*.* 1063
77.68.*.* 176
77.69.*.* 526
77.70.*.* 238
77.71.*.* 55
77.72.*.* 855
77.73.*.* 545
77.74.*.* 1192
77.75.*.* 1180
77.76.*.* 580
77.77.*.* 208
77.78.*.* 777
77.79.*.* 1369
77.80.*.* 0
77.81.*.* 54
77.82.*.* 60
77.83.*.* 20
77.84.*.* 38
77.85.*.* 229
77.86.*.* 89
77.87.*.* 653
77.88.*.* 123
77.89.*.* 81
77.90.*.* 1473
77.91.*.* 2517
77.92.*.* 4149
77.93.*.* 2948
77.94.*.* 705
77.95.*.* 511
77.96.*.* 33
77.97.*.* 34
77.98.*.* 27
77.99.*.* 44
77.100.*.* 38
77.101.*.* 52
77.102.*.* 38
77.103.*.* 61
77.104.*.* 1044
77.105.*.* 290
77.106.*.* 361
77.107.*.* 70
77.108.*.* 2387
77.109.*.* 169
77.110.*.* 166
SSH Ports closed by IP
216.0.*.* 3726
64.0.*.* 16857
64.1.*.*  2493
64.2.*.*  1724
64.3.*.*  2387
64.4.*.* 2304
64.5.*.* 1799
64.6.*.* 1695
64.7.*.* 5008
64.8.*.* 2309
64.9.*.* 1935
64.10.*.* 104
64.11.*.* 15
64.12.*.* 912
64.13.*.* 1498
64.14.*.* 3347
64.15.*.* 3707
64.16.*.* 4319
64.17.*.* 3248
64.18.*.* 2709
64.19.*.* 6389
64.20.*.* 6130
64.21.*.* 2220
64.22.*.* 5417
64.23.*.* 274
64.24.*.* 1250
64.25.*.* 2333
64.26.*.* 2837
64.27.*.* 3476
64.28.*.* 1524
64.29.*.* 2380
64.30.*.* 2400
64.31.*.* 1758
64.32.*.* 9034
64.33.*.* 2620
64.34.*.* 7580
64.35.*.* 578
64.36.*.* 0
64.37.*.* 3467
64.38.*.* 5024
64.39.*.* 1814
64.40.*.* 4871
64.41.*.* 1495
64.42.*.* 3946
64.43.*.* 29
64.44.*.* 60
64.45.*.* 3530
64.46.*.* 4352
64.47.*.* 1473
77.0.*.* 209
77.1.*.* 181
77.2.*.* 114
77.3.*.* 180
77.4.*.* 479
77.5.*.* 107
77.6.*.* 234
77.7.*.* 405
77.8.*.* 443
77.9.*.* 274
77.10.*.* 261
77.11.*.* 407
77.12.*.* 360
77.13.*.* 0
77.14.*.* 0
77.15.*.* 0
77.16.*.* 0
77.17.*.* 0
77.18.*.* 0
77.19.*.* 0
77.20.*.* 360
77.21.*.* 0
77.22.*.* 0
77.23.*.* 0
77.24.*.* 0
77.25.*.* 0
77.26.*.* 0
77.27.*.* 260
77.28.*.* 2115
77.29.*.* 2358
77.30.*.* 1823
77.31.*.* 2015
77.32.*.* 2
77.33.*.* 4
77.34.*.* 1287
77.35.*.* 1936
77.36.*.* 190
77.37.*.* 572
77.38.*.* 675
77.39.*.* 838
77.40.*.* 3316
77.41.*.* 2228
77.42.*.* 563
77.43.*.* 1247
77.44.*.* 2541
77.45.*.* 4484
77.46.*.* 9236
77.47.*.* 4597
77.48.*.* 2377
77.49.*.* 1859
77.50.*.* 181
77.51.*.* 5460
77.52.*.* 244
77.53.*.* 534
77.54.*.* 2431
77.55.*.* 0
77.56.*.* 4066
77.57.*.* 8065
77.58.*.* 1329
77.59.*.* 25817
77.60.*.* 2093
77.61.*.* 2235
77.62.*.* 526
77.63.*.* 573
77.64.*.* 958
77.65.*.* 160
77.66.*.* 2684
77.67.*.* 560
77.68.*.* 647
77.69.*.* 1449
77.70.*.* 1025
77.71.*.* 15503
77.72.*.* 2472
77.73.*.* 2721
77.74.*.* 3367
77.75.*.* 1421
77.76.*.* 1419
77.77.*.* 1004
77.78.*.* 1181
77.79.*.* 4168
77.80.*.* 0
77.81.*.* 3174
77.82.*.* 786
77.83.*.* 34
77.84.*.* 495
77.85.*.* 4884
77.86.*.* 2244
77.87.*.* 979
77.88.*.* 1243
77.89.*.* 642
77.90.*.* 505
77.91.*.* 1187
77.92.*.* 4134
77.93.*.* 10819
77.94.*.* 2791
77.95.*.* 959
77.96.*.* 1678
77.97.*.* 1585
77.98.*.* 1270
77.99.*.* 1312
77.100.*.* 1111
77.101.*.* 1465
77.102.*.* 1341
77.103.*.* 1592
77.104.*.* 4795
77.105.*.* 3523
77.106.*.* 3021
77.107.*.* 1539
77.108.*.* 2366
77.109.*.* 1514
77.110.*.* 736

Usage

Instead of a package with tools and sample output, I decided to give you the script here. It outputs xml files which can be easily grepped for statistics such as the above. It requires root for the nmap Syn Scan, which doesn't send the syn-ack thus leaving the connection hanging and not complete. It won't show up in normal server logs. The -n is common sense, without the -n it will do a reverse lookup of every ip address giving it to you in the xml file. That would require a ton of network traffic and time wasted. Note that a lot of disk space is required to store the xml files, but once you have the ip and whether it's open, closed or filtered, you can delete the xml files.

# netscan3.sh
# by Javantea
# Feel free to copy with no license.

classA=64
if [ "$1" != "" ]; then
        classA=$1
fi

date

for i in $(seq 0 255); do
        sudo nmap -sS -p 22 -P0 -n -oX data2/ssh_$classA.$i.star2.xml $classA.$i.*.* >>g.txt
        echo -n "$classA.$i.*.*: "
        date
done

ANALYSIS

The incredibly large number of SSH ports is quite impressive. In fact, it suggests that the number of Linux and BSD machines is much larger than their competitor's number. If the numbers were equally large for all networks and we counted each as a single machine, we could forecast that 0.75% of all machines are SSH servers and that 32,388,900 SSH servers exist. This is probably not true since most servers listen on more than one IP address. Thus blocks and even IPs on their own could be owned by a server on a different IP. If a person wished to look at headers, versions, and TCP/IP options, they might be able to find more information on how many actual servers exist.

CONCLUSION

I am convinced that a well-maintained public list of all ports open on all machines in use is a positive security tool. Port scanning every machine on the internet all the time is currently too costly but if done by a consortium of vendors and interested third parties it could be done cheaply. Currently products and services exist to do this internally privately and without great consequence, but I don't know of any public port scanning project.

Companies are responsible for the security of their customers and security audits are a check and balance to ensure that basic security requirements are met. If a trained professional can get into your machines, you should guess that non-professionals are smart enough as well. In fact, it's more likely to find your SSH servers rooted by malicious entities than security professionals these days.

If you are interested in portmapping SSH, feel free to contact me.

Permalink

Comments: 3

Leave a reply »

 
  • Cynthia

    Have you ever considered writing an e-book or guest authoring on other blogs?
    I have a blog centered on the same subjects you discuss and would love to have you share
    some stories/information. I know my visitors would appreciate your work.
    If you are even remotely interested, feel free to shoot me an e-mail.

     
     
  • Frieda

    Hello, i think that i saw you visited my site thus i came to “return the favor”.I am attempting to find things to improve my website!I suppose its ok to use a few of your ideas!!

     
     
  • Everett

    Hi there! This post couldn't be written any better!
    Reading through this post reminds me off my good old room mate!
    He always kept chatting about this. I will forward this page
    to him. Pretty sure he will have a good read.

    Thank you for sharing!

     
     
  • Leave a Reply
    Your gravatar
    Your Name