Netz: Scan the internet while drinking coffee

Netz lets you run internet-wide misconfigurations research easily and continuously. It supports infrastructure-as-code so you can put your plan in a config file, run the CLI, and get results. Netz also contains some more advanced features like making the scan BLAZING fast by using the PF_RING ZC (Zero Copy) kernel module.

What Netz gives you:

• Massive scan for intranet and internet
• Expands your pentesting toolbox
• Easy setup to PF_RING ZC (Zero Copy) kernel module
• A tool both for Red & Blue Teams

Since Netz is open sourced you can jump into it and make it even better!

WIIFM (What’s in it for me?)

In this post, you will find the macro and the micro of internet misconfigurations problem, and you will learn how Netz helped us understand the problem landscape as one of our research tools @ SpectralOps.

Now that Netz is open source— you can conduct such research as well!

The Common ways to Scan Scan Scan

The quickest way to detect a network asset that is publicly exposed to the internet is to use one of search engine services like Shodan, Censys or Zoomeye, and use the query language to see wide internet components. If you would like to do it manually instead of using an online service, or if you want to do a scan on internal networks, there are multiple ways to do it. The different types of scanning are between a small network or a big network, where a big network can scale up to the whole internet.

For scanning on a small scale, you can use the popular command nmap (which is available in the most advanced penetration testing distribution OS — kali). For larger-scale networks, the most popular are ZMap and masscan.

So how?

If you try to scan the whole internet with ZMap or masscan from your own computer, and you are curious about the results and can’t leave the computer, you should settle in because it’s going to take weeks. Why? Because those tools are aggressive by design to be able to scan the whole internet in a minimum of time. You could control the bandwidth capacity those tools are using and decrease it to be less aggressive, but then you will need to spend even longer at your computer.

Wait less

To shorten the wait, you can use a public cloud machine, but even then, the NIC (network interface controller) on a basic machine is limited for PPS (packets per second).

So what can you do? You can use a stronger machine with a stronger NIC and much more PPS. It will be much faster but even that could take hours to days. If you want to conduct many tests in minimum time, even the strongest machine with the best NIC type is limited. 

We can use 2 different approaches to split the workload:

• Distribute the scan to multiple machines, each machine scanning a dedicated CIDR subnet
• Use one strong machine with multiple NICs, and let the machine use the whole subnet

Just network or applicative scan as well?

If you would like to do more than just know what the open ports are and the metadata, and you want to do applicative actions against those ports while you scan, you need an application scanner. One of the most popular is ZGrab2.

Execution plan

So here is the execution plan workflow we want to achieve:

1. Scan some subnet as fast as possible
2. Pipe those IP/ports tuples to the applicative scanner to test various security issues in those ports
3. Goto beach 🙂

Get more than just Shodan view

Here are a few examples for application security scanning:

1. You want to test if an Elasticsearch server is not configured with admin access — we can test it by doing an HTTP call to `/_cat/indices`, and in case it returns 200 OK — that’s a problem.
2. You want to test if a web server is configured by mistake with the whole ‘.git’ directory, so someone can read it and expose all the good stuff you have there. A simple HTTP call to `/.git`, and in case it returns 200 OK — that’s a problem.
3. You want to test if Redis / Memcached / PostgreSQL / MySQL is configured without credentials — there are concrete applicative scanners in ZGrab2 so you can test it as well.

ZGrab2 is pluggable, so you can just write one small function in Golang to easily extend the tool abilities to fit your needs.

Why should I look for internet-wide misconfigurations

Most companies in the world today use different 3rd party SAAS, PAAS, and IAAS. On top of those “As-A-Service” solutions are data-pipelines tools; data-science frameworks; different open-source projects; and DevOps infrastructure & observability tools.

All these solutions use different configuration & secrets/credentials, including database connection strings; API keys; asymmetric keys; tokens; username/password combinations; admin, security, privacy settings; and much much more. 

Even the infrastructure today is controlled by code, which contains a lot of config types, and with it — more complexity. In some organizations, the complexity is even higher with multiple infrastructures in multiple public cloud vendors.

With all these cutting-edge technologies allowing us to move faster we must stop to consider: how do you make sure all of your company assets are secured?

So what now?

It’s easy to understand how misconfigurations or mishandling of any critical part of the supply chain could lead to a breach. The size of the mistakes is disproportionate to the damage, with one small mishap potentially costing a company millions of dollars in the “best case”. Worse cases can mean the end of a business.

The meaning of the project name: Netz

Netz in Hebrew means Hawk – a predator that can scan the ground for meals from miles up in the sky, and then dive in to catch it. This is an analogy for the way malefactors act in the digital world: they seek out vulnerabilities on the whole internet from miles away, then dive in for the kill. 

Second, the name contains Net (which is the network scanning part), and Z – the most critical type of security issue – Zero-day attacks.

Disclaimer

We strive to make the world a better and safer place. If you intend to use this information to cause harm, you are doing the opposite, and at your own risk.