Scanning my audience (split).
March 13, 2007 at 8:34 pm | In Hacking, Security

Followup of the article Howto: A more secure OS X before Leopard. I split this article from the followup of the earlier link, because it’s really two separate things.
Yesterday was a ‘diggy’ day; there was a considerable amount of traffic.

Wow, what a friendly inauguration of my blog! As you can see, I’ve transferred a neat 6 gig in one day. I was silently hoping for this, because the follow-up required at least some people of whom I could verify that they had read it. First off, more pretty figures and graphs.

Mac User total: 10122
Mac Users that have been on the page for more than 5 minutes: 5238 (51,75%)
Now, what am I getting at with all these stats? Well, raw access logs, like the ones any webserver generates, contain information that the readers’ browsers sent to me. I am not into the whole American-ISP thing (I’m Dutch, myself), but it seemed to me a big share of the readers was American, and a whopping 0,8% used Tor, which means 81 people (I think that is a lot, actually). Anyway, it wasn’t all that important, since last time I checked, portscanning was legal. What, Sebastiaan, you scanned these people? Yep. Let me first say a few words about this.
When I want to determine whether people followed my leads and turned on their firewall, enabled UDP filtering, or even deleted the two rules that allowed in UDP traffic from the two magical ports, CUPS and Bonjour, I run into a problem: UDP is a very difficult protocol to portscan, as its workings differ very much from those of TCP, a connection-based protocol. I need to use packets that ’speak the language’ of the protocol I am trying to find. I know my target services, namely NTP (Network Time), CUPS (Printing Daemon), and Bonjour. So, it would be difficult to enumerate which hosts have enabled their firewall (there isn’t really a way to tell what is dropping the packet, unless I did a traceroute with every scan, which is possible, but a bit unwieldy). It is, however, easy to enumerate people who have not enabled UDP filtering, or who have specifically removed the rules that allow UDP traffic into these ports (receiving an ICMP packet with port unreachable or administratively prohibited is taken, in this test, to mean that it was blocked at the source). Thus, I can count the people who have taken the advice and don’t need Bonjour and CUPS.
For this particular purpose of mass-scanning (don’t do this at home), I used a tailored and proven tool, scanrand. It’s a port scanner by Dan Kaminsky and it’s blazing fast. It uses SYN packets, like Nmap can deal out with the -sS option, and these TCP half-open connections go mostly unnoticed, especially by the OS X built-in firewall. Scanrand is actually able to output results in SQL, which is very handy, as you can just query your results. Hey, I can do that with my access logs too. I haven’t fed the SQL data into scanrand, but I did manage to distill a list of the Mac users that have been reading for more than 5 minutes, with their IP addresses. After making sure its bandwidth was limited, I set it free.
The results? People use firewalls! Most connections fail by virtue of the host in question being behind NAT (which means a router with a LAN behind it). However, a significant number still allows me to verify. Oohh, output.

That’s scanrand having fun, seeing whether people are online or not. Results: out of the 5238 users, a few hours later, 59,55% (3119) are online. After a cursory analysis of the scans’ packet dump, I can determine by MAC address which computers are Macs with no router in front of them, and which sit behind a router of some sort. Time to go on to the second phase, detecting services. For this, I use unicornscan, the former udpscan, which has very nice UDP scanning and database support. unicornscan -B631 (or 5353 for Bonjour) -r200 -mU $target:631 (or 5353) -E >> ~/scanresults.tmp does the job here, with a basic script that greps ps and counts the number of unicornscan processes. -B sets the source port (the port those firewall rules let traffic in from), -r defines the rate, as unicornscan is blazing fast and must be limited, -mU is UDP scanning, and -E shows unreachable ports as well. I cap at about ten concurrent scans. The address goes into $target, naturally. It’s great, because this stuff simply doesn’t show a line of output, it just runs, and after a few hours, I had my results. Results.
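To make the inference behind the scan concrete (the ICMP interpretation described earlier, and the per-reader open/closed tally produced by the unicornscan pass), here is an added Python example that is not from the original post nor from scanrand or unicornscan: it classifies already-captured UDP probe replies under the article’s assumptions and rolls them up per reader. The Probe record, the constructed 192.0.2.x hosts and the function names are my own; it sends nothing on the network, and the NAT split the post derives from MAC addresses is not modelled.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# ICMP type 3 (destination unreachable) codes the article relies on
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3    # host answered, nothing listening: the allow rule is gone
CODE_ADMIN_PROHIB = 13   # a filter answered on the host's behalf
TARGET_PORTS = (631, 5353)  # CUPS and Bonjour, the two ports the how-to told readers to close
@dataclass
class Probe:
    # one UDP probe and what (if anything) came back; constructed records, not real readers
    host: str
    dst_port: int
    reply: Optional[str]             # "udp" (service answered), "icmp" (error returned) or None (silence)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
def classify_port(p: Probe) -> str:
    """Map a single probe to open / closed / filtered using the article's assumptions."""
    if p.reply == "udp":
        return "open"          # the service spoke back: the allow rule is still there
    if (p.reply == "icmp" and p.icmp_type == ICMP_DEST_UNREACH
            and p.icmp_code in (CODE_PORT_UNREACH, CODE_ADMIN_PROHIB)):
        return "closed"        # article's assumption: blocked at the source
    return "filtered"          # silence: host, NAT box or ISP may have dropped it, undecidable
def classify_host(probes) -> str:
    """A reader counts as closed only when every target port came back closed."""
    states = {classify_port(p) for p in probes if p.dst_port in TARGET_PORTS}
    if "open" in states:
        return "open"
    if states == {"closed"}:
        return "closed"
    return "filtered"
def summarize(probes):
    """Per-host roll-up plus the 'followed the advice' share among decidable (open or closed) hosts."""
    by_host = {}
    for p in probes:
        by_host.setdefault(p.host, []).append(p)
    counts = Counter(classify_host(ps) for ps in by_host.values())
    decidable = counts["open"] + counts["closed"]
    share = round(100 * counts["closed"] / decidable, 2) if decidable else 0.0
    return dict(counts), share
# Constructed sample replies (documentation addresses, not real readers)
SAMPLE = [
    Probe("192.0.2.1", 631, "udp"),          Probe("192.0.2.1", 5353, "udp"),
    Probe("192.0.2.2", 631, "icmp", 3, 3),   Probe("192.0.2.2", 5353, "icmp", 3, 3),
    Probe("192.0.2.3", 631, "icmp", 3, 13),  Probe("192.0.2.3", 5353, "icmp", 3, 3),
    Probe("192.0.2.4", 631, None),           Probe("192.0.2.4", 5353, None),
    Probe("192.0.2.5", 631, "udp"),          Probe("192.0.2.5", 5353, "icmp", 3, 3),
]
```

Silent hosts stay undecidable, which is the limitation the post notes: the share is computed only over readers that actually answered, the same way the 41.23% figure below is taken over open plus closed hosts.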

Now for the numbers;
Eligible Readers: 3119
Readers with NAT: 2304
Readers without NAT: 815
Readers with open ports: 479
Readers with closed ports: 336
Readers already offline or blocked: 6
What is there to say, apart from the not so shocking statistic that very few people switch off their router or Mac? That a very cool 41.23% has followed my advice thoroughly and deleted those rules. Way to go, baby (provided these UDP scans are in any way accurate)! I am glad there are a lot of people who found this how-to useful and checked over their OS X.

3 Comments »

[…] Scanning my Audience; a port scan following the first how-to. […]
Pingback by Cocoia Blog » An even more secure OS X before Leopard. — March 13, 2007 #
Fuck you and your lame port scanning. I won’t be reading your site anymore as it’s clear how you feel about your readers.
Ed.: Yes, because, apparently, my readers heed my advice. At least, 40%. This scan was completely harmless. I don’t see the problem here. But why am I saying this at all, you just said you weren’t reading any more.
Comment by Bonno — March 15, 2007 #
Hi!
Just wondering what software you used to make those charts/graphs? They’re really nice and I’m curious how you made them!
- Ben
Comment by Ben — April 4, 2007 #