Scan the whole internet while drinking coffee

Netz 🚀

Hawk :: Netz
  • Expands your penetration testing toolbox easily with one CLI tool
  • Easy setup to PF_RING ZC (Zero Copy) kernel module
  • A tool both for Red Team & Blue Team

It’s Fully Open Source!

You can find the project here: Netz. You are more than welcome to jump into it and make it even better! 💃

WIIFM ($> What’s in it for me?)

In this post, you will find the macro and the micro of the internet misconfiguration problem, and you will learn how Netz helped us understand the problem landscape as one of our research tools @ SpectralOps.
Now that Netz is open source, you can do such research as well!
Soon we will release more data from our research, along with more tools from our cybersecurity research arsenal.

The Common ways to Scan Scan Scan

The quickest way to detect a network asset that is publicly exposed to the internet is to use one of the search engine services like Shodan, Censys or ZoomEye, and use their query language to look across internet-wide components. If you would like to do it yourself instead of using an online service, or if you want to scan internal networks, there are multiple ways to do it. The scanning approach differs depending on whether the target is a small network or a big one, where a big network can scale up to the whole internet.

So how am I going to do it?

So, you are on a research mission, and you want to scan the whole internet (or some of it) — how are you going to use those tools? Great question!

Improve the time to wait

To improve the time to wait, you can use a public cloud machine, but even then the NIC (network interface controller) on a basic machine is limited in PPS (packets per second).

  • Use one strong machine with multiple NICs, and let the machine use the whole subnet.

Just network, or applicative scan as well?

So far we have talked about network scanning, but as mentioned earlier, if you want to do more than just learn which ports are open and their metadata, and you want to perform applicative actions against those ports while you scan, you need an application scanner. One of the most popular is ZGrab2.

Execution plan

So here is the execution plan workflow we want to achieve:

  1. Pipe those IP/port tuples to the applicative scanner to test for various security issues on those ports
  2. Goto beach :)

Get more than just Shodan view

Here are a few examples of application security scanning:

  1. You want to test whether a web server is misconfigured so that the whole `.git` directory is served, letting anyone read it and expose all the good stuff you have there. A simple HTTP call to `/.git`, and in case it returns 200 OK — that’s a problem.
  2. You want to test whether Redis / Memcached / PostgreSQL / MySQL is configured without credentials — there are concrete applicative scanners for these in ZGrab2, so you can test that as well.
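The `.git` check in example 1 is only as good as the triage of the scanner output: a catch-all web server answers 200 OK to any path, so a bare status code produces false positives. As an added example (not Netz’s or ZGrab2’s own code), the script below triages ZGrab2-style JSON-lines results for a `/.git/HEAD` probe and only reports a host as exposed when the body actually looks like a git HEAD file. The record shape (`data.http.result.response.status_code` / `body`) is assumed from ZGrab2’s HTTP module, and the sample records are constructed.

```python
"""Triage ZGrab2 HTTP results for an exposed .git directory."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records in ZGrab2's JSON-lines shape (assumed):
# one record per probed host, HTTP module result nested under data.http.
SAMPLE_ZGRAB2_JSONL = "\n".join([
    json.dumps({"ip": "192.0.2.10", "data": {"http": {"status": "success",
        "result": {"response": {"status_code": 200, "body": "ref: refs/heads/main\n"}}}}}),
    json.dumps({"ip": "192.0.2.11", "data": {"http": {"status": "success",
        "result": {"response": {"status_code": 200, "body": "<html>catch-all page</html>"}}}}}),
    json.dumps({"ip": "192.0.2.12", "data": {"http": {"status": "connection-timeout",
        "error": "dial tcp: i/o timeout"}}}),
    json.dumps({"ip": "192.0.2.13", "data": {"http": {"status": "success",
        "result": {"response": {"status_code": 404, "body": ""}}}}}),
])

# A real HEAD file is either a symbolic ref or a 40-hex detached commit id.
GIT_HEAD_RE = re.compile(r"ref: refs/\S+|[0-9a-f]{40}")


@dataclass(frozen=True)
class Finding:
    ip: str
    verdict: str  # "exposed" | "status-only" | "clean" | "unreachable"


def classify_git_head(record: dict) -> Finding:
    """Return a verdict for one host; 200 OK alone is 'status-only', not 'exposed'."""
    http = record.get("data", {}).get("http", {})
    if http.get("status") != "success":
        return Finding(record["ip"], "unreachable")
    resp = http.get("result", {}).get("response", {})
    if resp.get("status_code") != 200:
        return Finding(record["ip"], "clean")
    body = (resp.get("body") or "").strip()
    if GIT_HEAD_RE.fullmatch(body):
        return Finding(record["ip"], "exposed")
    return Finding(record["ip"], "status-only")


def triage(jsonl: str) -> Dict[str, List[str]]:
    """Group host IPs by verdict so confirmed exposures can go to the asset owner."""
    grouped: Dict[str, List[str]] = {}
    for line in jsonl.splitlines():
        if line.strip():
            finding = classify_git_head(json.loads(line))
            grouped.setdefault(finding.verdict, []).append(finding.ip)
    return grouped


if __name__ == "__main__":
    for verdict, ips in triage(SAMPLE_ZGRAB2_JSONL).items():
        print(f"{verdict:12s} {', '.join(ips)}")
```

Hosts in the `status-only` bucket are worth a second look but are not findings by themselves; the `exposed` bucket is what a remediation ticket should be raised for.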

Why should I look for internet-wide misconfigurations

I would like to start with a game: how would you feel if I told you that your home router is open to the internet for internal access? It sounds a bit scary, but the first thing that pops into your head is: do I have something I need to protect? Most of the time the answer will be: nahhh, nothing special. For those who answer nahhh, I will challenge you with the famous story of hackers breaching baby monitors, and I will let you imagine what happened next 😅

How do we get to that problem?

Down to earth

So what now?

Now that we are on the same page, and the complexity is crystal clear, it’s easy to understand how a misconfiguration or mishandling of any critical part of the supply chain could lead to a breach. The size of the mistake is disproportionate to the damage: one relatively small mistake can cause a company to lose millions of dollars in the “best case”, or go out of business in the worst case.

What is the meaning of the project name:: Netz

The word has a dual meaning. First, when you say this word, you are saying the Hebrew word for Hawk 🦅. A hawk is a predator that can scan the ground for a meal from miles up in the sky and then swoop down to catch it, which is an analogy for the way bad hackers act in the world: they look for open and free holes across the whole internet from miles away, and go in to catch them. Second, the word contains Net, which is the network scanning part, and Z, which stands for the most critical kind of security issue: zero-day attacks.

Final Disclaimer

I am a diverse technology enthusiast, a hacker in my soul, a tech lead and a system architect. I have lived and breathed computers and programming since I was a child.
