People think of the internet as a host for services like banking websites, blogs and social networks. However, this is only a small part of everything connected. The internet is home to a wide range of IoT systems and machines as well. These range from simple “smart” light switches to machinery used in industrial plants.
One of the concerns stated in “Cybersecuritybeeld Nederland” (2019), the yearly publication by the Dutch government, was the lack of insight into malicious digital (state-sponsored) activity towards vital infrastructure. …
TL;DR: Managing the online exposure of systems can be difficult. Sometimes IPv6 network configurations get forgotten, leading to services being unknowingly connected to the internet.
We’ve been (very) slowly adopting IPv6 since its introduction in 1995. This added protocol version allows computer systems to be available in two different address spaces (IPv4 and IPv6), which can expand the attack surface of a system if it’s not managed properly. Fortunately, most firewalls will update user-defined rules for both versions simultaneously. This blog post goes further into finding exposed online services in the IPv6 space that aren’t reachable via their IPv4 counterpart.
TL;DR: JARM is a very useful fingerprinting tool, but it can be deceived by replaying Server Hellos from other services.
The JARM scanner created by @SalesforceEng is quite an effective tool for system fingerprinting. It uses the Server Hello responses from a TLS handshake to generate a signature. These signatures can then be used to find similar software or services, which makes the tool ideal for finding C2 or other malicious servers that implement TLS. So it doesn’t come as a surprise that Shodan.io uses this fingerprinting mechanism in their scanners. Read the Salesforce post for more information about the JARM library, scanner and its uses.