Where I work, we have a decent-sized IP space and scanning can be problematic. Within our IP space, we can have ~20 million IPs available. Traditional scanning using NMAP, while effective, can take a long time even with aggressive scan settings. By leveraging new scanning technologies like Masscan (hxxps://github.com/robertdavidgraham/masscan), this scanning can be done in minutes. With moderate settings (I don't want to crash firewalls), it takes about 15 min per port.

While this example is specific to Heartbleed, I use this technique for any of the exploit-of-the-day. By using a fast port scanner to reduce the number of hosts to only the systems running the service in question, you can dramatically speed up your scan time. Additionally, within the first couple of days of an exploit, you may be using a custom script to scan rather than a plugin from an enterprise solution.

Another use case is a vulnerability found during incident response. If I determine a specific vulnerability was used to compromise a server, I then use this technique to determine other possible compromised systems. If they were not compromised, then we have them patch.


Installing

make install

Masscan uses a similar command line to nmap.

masscan -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000 -oG 10-scan-ssl --max-rate 10000

--max-rate sets the speed of the scan

Once Masscan has quickly identified targets for deeper inspection, you can use your more specific tool to determine if the system is vulnerable. In this example, it's an nmap plugin.


cd /tmp

svn co https://svn.nmap.org/nmap

cd nmap

make install

To get the input file in the correct format, use the following command to get just a file with a single IP per line.

grep -v '#' 10-scan-443 | awk '{print $2}' > /tmp/nmap

nmap -p 443,448,456,563,614,636,989,990,992,993,994,995,8080,10000 --script=ssl-heartbleed.nse -iL /tmp/nmap -oA /tmp/ssl-vul-test

I've had mixed results with other scanners (scanrand etc.). Any other large scale scanners with which you have had good success?


Tom Webb
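
The hand-off from the Masscan results to the nmap input file described in the post above, as an added example that is not part of the original diary. It goes beyond the grep/awk one-liner by deduplicating hosts and by locating the "Host:" token instead of assuming field 2 (an assumption here is that some Masscan builds prefix each line with a Timestamp field); the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: turn masscan grepable (-oG) output into inputs for nmap.
# Function names are hypothetical; sample data below is constructed.

# Unique IPs, one per line (for nmap -iL). Takes the token after "Host:"
# rather than assuming field 2, so an extra leading field does not break it.
masscan_hosts() {
    awk '!/^#/ { for (i = 1; i < NF; i++) if ($i == "Host:") print $(i + 1) }' "$1" |
        sort -u
}

# Unique open TCP ports as a comma-separated list (for nmap -p).
masscan_open_ports() {
    awk '!/^#/ {
        for (i = 1; i < NF; i++) if ($i == "Ports:") {
            split($(i + 1), f, "/")
            if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
    }' "$1" | sort -un | paste -sd, -
}

# Constructed sample (RFC 5737 documentation addresses, not real scan data).
write_sample() {
    printf '# Masscan scan initiated (constructed sample)\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 443/open/tcp////\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 993/open/tcp////\n'
    printf 'Host: 192.0.2.20 ()\tPorts: 443/open/tcp////\n'
    printf 'Timestamp: 1413900000\tHost: 192.0.2.30 ()\tPorts: 8080/open/tcp//http//\n'
    printf '# Masscan done (constructed sample)\n'
}

sample=$(mktemp)
write_sample > "$sample"
masscan_hosts "$sample" > "$sample.hosts"
echo "hosts: $(wc -l < "$sample.hosts" | tr -d ' ')  open ports: $(masscan_open_ports "$sample")"
rm -f "$sample" "$sample.hosts"
```

Passing only the ports Masscan actually found open to nmap's -p keeps the slower script scan from probing ports that were already shown to be closed.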

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ISSA tackles workforce gap with career lifecycle program
SC Magazine
A nonprofit organization for infosec pros has launched an initiative that aims to close the widening workforce gap and educate security practitioners on career advancement opportunities. On Thursday, the Cybersecurity Career Lifecycle (CSCL) program ...

systemd-shim Local Denial of Service Vulnerability
Microsoft Windows CVE-2014-6352 OLE Remote Code Execution Vulnerability

I've received several reports of what appear to be shellshock exploit attempts via SMTP. The sources so far have all been webhosting providers, so I'm assuming these are compromised systems.

The payload is an IRC perl bot with simple DDoS commands and the ability to fetch and execute further code.

Apple Mac OS X CVE-2014-4391 Security Bypass Vulnerability
Centreon and Centreon Enterprise Server CVE-2014-3828 Multiple SQL Injection Vulnerabilities
Oracle Java SE CVE-2014-6562 Remote Security Vulnerability
Oracle Java SE CVE-2014-6457 Remote Security Vulnerability
Oracle Java SE CVE-2014-6512 IP Address Spoofing Vulnerability
[ MDVSA-2014:209 ] java-1.7.0-openjdk
[ MDVSA-2014:208 ] phpmyadmin
[ MDVSA-2014:207 ] ejabberd
[ MDVSA-2014:206 ] ctags

Cellular communications provider Verizon Wireless is adding cookie-like tokens to Web requests traveling over its network. These tokens are being used to build a detailed picture of users’ interests and to help clients tailor advertisements, according to researchers and Verizon’s own documentation.

The profiling, part of Verizon’s Precision Market Insights division, kicked off more than two years ago and expanded to cover all Verizon Wireless subscribers as part of the company’s Relevant Mobile Advertising service. It appends a per-device token known as the Unique Identifier Header (UIDH) to each Web request sent through its cellular network from a particular mobile device, allowing Verizon to link a website visitor to its own internal profiles. The service aims to allow client websites to target advertising at specific segments of the consumer market.

While the company started piloting the service two years ago, privacy experts only began warning of the issue this week, arguing that the service is essentially tracking users and that companies paid for a fundamental service that should not be using the data for secondary purposes.


[SECURITY] [DSA 3055-1] pidgin security update
PHP 'exif_thumbnail()' Function Heap Based Buffer Overflow Vulnerability
[KIS-2014-11] TestLink <= 1.9.12 (execSetResults.php) PHP Object Injection Vulnerability
[ MDVSA-2014:205 ] lua
[slackware-security] pidgin (SSA:2014-296-02)
[ MDVSA-2014:202 ] php
APPLE-SA-2014-10-22-1 QuickTime 7.7.6

I wanted to perform a little unscientific information gathering. I'm working with a small group who think they're being specifically targeted by these, while I think it's more widespread and opportunistic. If you've recently received these no-content probe emails, or a simple "Hi" message, please send a simple comment below in this format:

  • Industry
  • Order of magnitude in size (e.g. 10, 100, 1000)
  • Sending domain

Feel free to use our comment page to add extra analysis comments here: https://isc.sans.edu/contact.html


Operational Resilience- Not Just Technology Security- Drives Competitive ...
... leading-edge cyber security consulting services, expert witness work, and leads research and development initiatives to advance state-of-the-art information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in ...

Pidgin CVE-2014-3695 Denial of Service Vulnerability
Pidgin CVE-2014-3696 Denial of Service Vulnerability
Pidgin XMPP Protocol 'stringprep()' Function Information Disclosure Vulnerability
Pidgin CVE-2014-3694 SSL Certificate Validation Security Bypass Vulnerability
Internet Storm Center Infocon Status