Week in OSINT #2018–44

In this edition I am writing about a tool that I came across the other day. Are you familiar with Shodan, Censys or ZoomEye? Then definitely keep on reading!

Sector035
Week in OSINT
7 min read · Nov 5, 2018


Before I start I want to make clear that this edition is not sponsored. I did reach out to the developers with some support questions and they did provide my account with an upgrade, so I could at least perform some more queries for this write-up. But this tool needs a little bit more than just a small paragraph in my newsletter, which is why I chose to give it its own article.

It was a few weeks ago that I read a tweet about a tool called Onyphe, and I immediately noticed that this tool could fill a certain need regarding threat intel that other internet scanners couldn’t provide: automatic fingerprinting of malware on servers and IoT devices.

Let’s start at the beginning. Onyphe is a tool that, just like the other IoT scanners, maps the internet and indexes everything it finds. Nothing new here, you would say. Well, there are a few differences that I am aware of. First of all, Onyphe not only captures full bodies and headers during its scans, it also makes it possible for you to query for any kind of information in the dataset. Second of all, they already identify and gather information about compromised devices and keep adding more threats over time. They simply tag these threats, so you can query for things like the Palevo worm, Zeus or the Mirai botnet, or find out whether a device was found in a Locky tracker, for instance.

While playing around with the tool I found that the API documentation wasn’t fully clear or up to date yet, so I had to reach out to their support to ask some questions about that. They promised they would be working on updating everything, but with a bit of trial and error a lot can be figured out already. So let’s go over some queries to see what can be found in Onyphe.

Basic information

Information that is free for everybody is a query on your own or any other IP address. The amount of technical information might not be as overwhelming as you get back in Censys or Shodan, but what is extremely interesting is the mention of the Pastebin paste where the IP address was found and the information in the ‘threatlist’, where it can be seen that this address shows up in the Zeus tracker of Abuse.ch.

Information on a single IP address

Things start getting even more interesting when you register for free or even get the “Enthusiast plan”, because you can then start using some basic filters and query the whole dataset, which can provide you with even more interesting information.

Querying the dataset

One of the things you can do when you have a paid membership (even the cheapest one) is query the Pastebin dataset with a simple search. Let’s for instance look for the CIDR 202.74.242.0/24, after which we see that there are 98 mentions within Pastebin of IP addresses within that block.

The query used:

curl -G 'https://www.onyphe.io/api/search/pastries/ip:202.74.242.0/24?apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Result:
{
  "count": 10,
  "error": 0,
  "max_page": 10,
  "myip": "127.0.0.1",
  "page": 1,
  "results": [
    {
      "@category": "pastries",
      "@timestamp": "2018-11-03T19:16:18.000Z",
      "@type": "doc",
      "domain": [
        "com.np",
        "tikicbn.com",
        "co.id",
        "hinet.net",
        "dvois.com",
        ... cut ...
      ],
      "hostname": [
        "1.186.63.130.dvois.com",
        "node-gjw.pool-101-109.dynamic.totbb.net",
        "default-rdns.vocus.co.nz",
        "node-rxh.pool-101-51.dynamic.totbb.net",
        "node-buw.pool-1-10.dynamic.totbb.net",
        ... cut ...
      ],
      "ip": [
        "85.237.56.193",
        "62.209.198.92",
        "80.95.97.142",
        "91.104.255.111",
        "124.106.26.74",
        ... cut ...
      ],
      "key": "5p8Sggap",
      "seen_date": "2018-11-03",
      "source": "pastebin"
    },
    {
      "@category": "pastries",
      "@timestamp": "2018-11-03T16:42:33.000Z",
      "@type": "doc",
      "domain": [
        "mazedanetworks.net",
        "mchsi.com",
        "codyswaney.com",
        "intechonline.net",
        "googleusercontent.com",
        ... cut ...
      ],
      ... cut ...
    }
    ... cut ...
  ],
  "status": "ok",
  "took": "0.183",
  "total": 98
}

If we are curious how many Chinese devices affiliated with the Mirai botnet connect via Shandong Mobile, we can run the following query against the API, which returns just under 6,000 devices that are seemingly affiliated with the Mirai botnet:

curl -g 'https://www.onyphe.io/api/search/threatlist/threatlist:"ONYPHE - botnet/mirai" country:CN organization:"Shandong Mobile Communication Company Limited"?apikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

These are just sample queries, and even though the number of data fields and endpoints is somewhat restricted, there is a ton of information in Onyphe! A few basic examples can be found in their blog:

category:datascan product:Apache port:443 os:Windows
category:synscan port:23 country:FR os:Linux
category:synscan ip:46.105.48.0/21 os:Linux port:23
category:inetnum organization:"OVH SAS"
category:inetnum netname:APNIC-LABS
category:threatlist country:RU
category:threatlist ip:94.253.102.185
category:pastries ip:195.29.70.0/24
category:pastries domain:amazonaws.com
category:resolver ip:124.108.0.0/16
category:resolver domain:example.com
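As an added example (not Onyphe’s own client and not code from this post), the Python script below turns the two curl queries and the JSON result shown above into a small reusable client: it percent-encodes queries that contain spaces and double quotes, walks the page/max_page pagination that the sample response exposes, and, for a pastries search on 202.74.242.0/24, counts how many pastes mention each address inside that block. The filtering is done client-side because a pastries document lists every IP found in the paste, not only the ones matching the query, as the sample output above shows. The page parameter, the exact response fields and the canned responses used for the offline run are assumptions modelled on that sample output, not documented behaviour confirmed on this page.

```python
"""Small client for the Onyphe search API, following the URL shape used in the
post: the query lives in the URL path and the API key is the 'apikey' query
parameter. Added example, not Onyphe's own client. The 'page' parameter and
the response fields ('results', 'page', 'max_page', 'status', 'error') are
assumed from the sample output in the post; SAMPLE_PAGES below is constructed.
"""
import ipaddress
import json
from collections import Counter
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen

BASE_URL = "https://www.onyphe.io/api/search"


def build_search_url(category, query, apikey, page=1):
    """Build the URL for one search category (pastries, threatlist, ...).

    Spaces and double quotes in a query such as
    threatlist:"ONYPHE - botnet/mirai" are percent-encoded so the URL can be
    handed to any HTTP client; ':' and '/' are kept because the Onyphe query
    syntax itself uses them (field:value, CIDR notation).
    """
    encoded = quote(query, safe=":/")
    return f"{BASE_URL}/{category}/{encoded}?apikey={apikey}&page={page}"


def fetch_json(url):
    """Perform the real HTTP GET; not used by the offline demo below."""
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)


def iter_results(category, query, apikey, fetch=fetch_json):
    """Yield every result document, walking pages until 'max_page' is reached.

    'fetch' is injectable so the pagination logic can be exercised against
    canned responses without network access.
    """
    page = 1
    while True:
        data = fetch(build_search_url(category, query, apikey, page))
        if data.get("error", 0) != 0 or data.get("status") != "ok":
            raise RuntimeError(f"Onyphe API returned an error: {data}")
        yield from data.get("results", [])
        if page >= int(data.get("max_page", 1)):
            return
        page += 1


def pastes_per_ip(results, cidr):
    """Count in how many pastes each address inside 'cidr' appears.

    A pastries document lists every IP in the paste, including many outside
    the queried block, so the filter is applied here. Each paste counts once
    per address; malformed entries are skipped rather than aborting the run.
    """
    net = ipaddress.ip_network(cidr)
    counts = Counter()
    for doc in results:
        for raw in set(doc.get("ip", [])):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue
            if addr in net:
                counts[str(addr)] += 1
    return counts


# Constructed sample: two pages of a pastries search using the field names of
# the post's sample output. Paste keys and addresses are made up.
SAMPLE_PAGES = {
    1: {"count": 2, "error": 0, "max_page": 2, "page": 1, "status": "ok",
        "total": 3, "results": [
            {"@category": "pastries", "key": "AAAA0001", "source": "pastebin",
             "seen_date": "2018-11-03", "ip": ["202.74.242.10", "85.237.56.193"]},
            {"@category": "pastries", "key": "AAAA0002", "source": "pastebin",
             "seen_date": "2018-11-03",
             "ip": ["202.74.242.10", "202.74.242.77", "not-an-ip"]},
        ]},
    2: {"count": 1, "error": 0, "max_page": 2, "page": 2, "status": "ok",
        "total": 3, "results": [
            {"@category": "pastries", "key": "AAAA0003", "source": "pastebin",
             "seen_date": "2018-11-02", "ip": ["202.74.242.77", "62.209.198.92"]},
        ]},
}


def fake_fetch(url):
    """Offline stand-in for fetch_json: serve the canned page named in the URL."""
    page = int(parse_qs(urlparse(url).query)["page"][0])
    return SAMPLE_PAGES[page]


def run_example(apikey="<your-api-key>"):
    """Walk the constructed pages and summarise hits inside 202.74.242.0/24."""
    docs = iter_results("pastries", "ip:202.74.242.0/24", apikey, fetch=fake_fetch)
    return pastes_per_ip(docs, "202.74.242.0/24")


if __name__ == "__main__":
    for ip, n in run_example().most_common():
        print(f"{ip}: mentioned in {n} paste(s)")
```

To run it against the live API, replace fake_fetch with the default fetch_json and supply a real key; the injected fetch function is what keeps the pagination and filtering logic testable without a subscription.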

Digging Deeper

Besides all this easily visible information, Onyphe also collects certificate transparency logs, which can be queried with the right subscription. Even though there are free alternatives for this, I can imagine there will be certain queries in which you would like to incorporate the CTL data. But that is not the most interesting bit in regards to the more ‘hidden’ information that Onyphe collects. That would be the sniffer.

The sniffer is the most important part of their threat intel machine, and you can use the data they collect to perform your own queries. Onyphe looks closely at TCP and UDP traffic and particularly at the data that is being sent. After identifying a certain type of malware or botnet, they run further scans and the host is tagged in the database with the appropriate tag. Every host that is indexed this way is tagged and searchable for the user.

What ports are indexed?

Onyphe does not scan all ports that are out there, but restricts the data that is available to its users to a subset of the most important ports. The exact list of ports and protocols is as follows:

80/tcp (http)
443/tcp (https)
7547/tcp (tr069)
8080/tcp (http)
22/tcp (ssh)
21/tcp (ftp)
25/tcp (smtp)
53/tcp (dns)
110/tcp (pop3)
8000/tcp (http)
3306/tcp (mysql)
23/tcp (telnet)
3389/tcp (rdp)
554/tcp (rtsp)
111/tcp (rpc)
8888/tcp (http)
5000/tcp (upnp)
1521/tcp (oracle)
3128/tcp (http)
135/tcp (msrpc)
5555/tcp (adb)
5900/tcp (vnc)
9200/tcp (elasticsearch)
1433/tcp (mssql)
139/tcp (netbios)
2323/tcp (telnet)
445/tcp (smb)
502/tcp (modbus)
102/tcp (s7comm)
11211/tcp (memcached)

As stated earlier, you can only query an IP address with a free account. After registering you are able to query the API, and once you have a paid account it is possible to start using the basic filters. The available endpoints are the following:

GET /api/myip
GET /api/geoloc/{IP}
GET /api/user/
GET /api/ip/{IP}
GET /api/inetnum/{IP}
GET /api/threatlist/{IP}
GET /api/pastries/{IP}
GET /api/synscan/{IP}
GET /api/datascan/{IP,string}
GET /api/reverse/{IP}
GET /api/forward/{IP}
GET /api/search/datascan/{query}
GET /api/search/synscan/{query}
GET /api/search/inetnum/{query}
GET /api/search/threatlist/{query}
GET /api/search/pastries/{query}
GET /api/search/resolver/{query}

Information for Law Enforcement

One extra thing that I have to mention is the fact that they are not just scanning the surface web, but also the dark web. They wanted to make this information public, but after finding out that too much dangerous and illegal content would become visible, they decided to hide that information. But if you work for law enforcement, you are able to get access to this data, they have told me. An example of this data can be found in their blog; it shows the server information and HTML content of a page related to “Dream Market”:

Onyphe — Scraping the dark web

Conclusion

After playing around a little bit, running lots of different queries, I found that they index a lot of devices and provide really good insight and information. The downside is that the API documentation is not updated yet, so I did run into some issues trying certain queries. But with the endpoints that were available I was more than able to get a good overview of the information I was looking for.

Onyphe provides you with a simple search box on the website, but also has an API that can be queried in pretty much the same way. They also released a client last week, but that is built on the Metabrik platform. If you are familiar with Metabrik, please go and have a look at the client. Since I didn’t have much time to dive into that, I stayed with curl and the browser for this write-up. So simple scripts are all that is needed to integrate Onyphe into your tooling.

Talking about integration, it has already been incorporated in several tools, and one of them is MISP.

So if you are into threat intel or the security of IoT devices, or even want to check your public-facing network, do pay these guys a visit! There is some very useful information in there and it can absolutely provide some much-needed insight into the world of malware.

And that is it for this week! Next week we continue with a regular episode of my Week in OSINT. I simply didn’t have the time to create a regular episode and this write-up on top of it, which is the reason for this special. If you have any ideas for an episode, or would like to share a bunch of links in a certain area of expertise, please contact me via DM on Twitter @sector035.

Have a good week and have a good search!
