Skip to main content

Posts

Showing posts from February, 2013

Maltego Tungsten...

Video of alpha release -- soon...

RT

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite per chance we decided to load all the DNS names (FQDNS) from the Mandiant APT1 report (appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW- it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to 0.0.0.0:



Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. O…

CCC: China! C300!! Collaboration!!!

It's seems we should call it Cebruary as everything that happens this month seems like it's C-ish.

[C]hina China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:


Somehow related - the gov.cn zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the …