Talk about cross-surveying and mapping in cyberspace
Author: Heige(a.k.a Superhei) of KnownSec 404 Team 01/16/2021
Currently, the objects of cyberspace surveying and mapping are mainly around IPv4/IPv6/website/darkweb ，Of course most search engines only support IPv4/IPv6 addresses . In addition to ZoomEye that focuses on IPv4/IPv6/Website mapping, we have also developed a product for dark web mapping ,we call it “暗网雷达(DarkEye)”
A great significance for cyberspace surveying and mapping is to complete the mapping between cyberspace and real space, so IPv4/IPv6/Website/darkweb may point to devices in the same physical space at the same time, So I think cross-surveying and mapping can help trace the real world mapping.
Just a few days ago I saw a news: “A German-led police sting has taken down the “world’s largest” darknet marketplace” https://www.theguardian.com/technology/2021/jan/13/australian-man-arrested-in-germany-over-worlds-largest-darknet-marketplace it‘s the DarkMarket . In addition, I noticed that @SttyK found that they can search for some information about the DarkMarket host through ZoomEye.
I think this is a very interesting case, it is worthy of in-depth analysis and investigation.
Search through ZoomEye
ZoomEye dork: “Server: DarkMarket” https://www.zoomeye.org/searchResult?q=%22Server%3A%20DarkMarket%22
then we can find three IP:
220.127.116.11 Moldova 2019–10–30 11:00
18.104.22.168 United States, Los Angeles 2019–10–25 12:56
22.214.171.124 Germany, Frankfurt 2019–09–16 19:47
Then we cross-analyze the data in our dark web mapping product: “暗网雷达(DarkEye)”,Search for the string “Server: DarkMarket”, we successfully matched the tor domain name of DarkMarket:
It can be seen from the data that it did use the HTTP header “Server: DarkMarket” on July 13, 2019. We continue to analyze historical data and found that the http header was modified to “Server: nginx-V-ddos” in August 2019
Let’s return to ZoomEye to search https://www.zoomeye.org/searchResult?q=%22Server%3A%20nginx-V-ddos%22 got 1,517 results，It looks like a relatively general fingerprint, and the specificity is not obvious enough. Perhaps these data may include the DarkMarket host, of course, this requires further investigation.
Continue to track historical data, until June 2020, the data shows that the http header is changed to: “Server: nginx”, which is no longer specific.
It can be seen from news reports that DarkMarket has more than 20 servers distributed in multiple countries, but we only found three IPs from the online data of ZoomEye, because considering that the online data of ZoomEye adopts the “overwrite update” mode, is some data already covered? So we thought of enabling all historical data of ZoomEye, It is a pity that by selecting the time period from January 2019 to June 2020, all historical data crawled by ZoomEye for analysis results did not find more IP addresses.
So in the end, we can only focus on the three IPs we found. Judging from the distribution of countries, they are very in line with the list of countries that have joint law enforcement in news reports. Although we don’t know the specific details of the DarkMarket case, we can determine that cross-mapping is still very valuable for target traceability.
In fact, in addition to the dark web traceability, cross-surveying and mapping is equally meaningful.For example, we often need to find the source website IP protected by CDN in penetration test cases. You can use ZoomEye to search for characteristic strings, ssl certificates, DNS history records, etc. to determine the corresponding IP of the website.
Another example is cross-surveying and mapping of IPv4 and IPv6, There are more and more IPv6 deployments, but many security devices are relatively lagging and do not support IPv6 or the security defense of IPv6 interfaces is ignored, so IPv6 may become a new attack surface in penetration testing.
Finally, Finally, thanks to @SttyK and my colleagues.