Project Honeypot HTTP Blocklist Module

Wednesday, December 29, 2010

Rob Fuller


Most malicious IP lists focus on the client-side threat: servers (hosted or compromised) that serve client-side exploits or malicious scripts.

These don't help server admins much. Project Honeypot does an excellent job of keeping detailed information on scanners, harvesters and brute-forcers, which are the daily enemies of those admins. They offer a service called the HTTP Block List, or 'HTTP:BL'.

Another way this list differs from the rest is that it isn't a list you download. It's a DNS service: you submit a query and it returns an A record that looks something like '127.3.5.1'.

The leading 127 is constant; each of the remaining three octets encodes something about the IP you asked about (in order: days since it was last seen, its threat score, and the visitor type, which is what the module output below turns into "Suspicious", "last seen N days ago" and "threat score N"). You can read the documentation at http://www.projecthoneypot.org/httpbl_api.php for an explanation of exactly how it works, or you can read the code of the Metasploit module I wrote for it.
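To make the encoding concrete, here is a small Ruby helper (an added example written for this page, not the Metasploit module's own code) that builds the DNS name HTTP:BL expects (your API key, then the IP's octets reversed, then the dnsbl.httpbl.org zone) and decodes the 127.days.score.type answer. The octet layout and the rough threat-score scale follow the HTTP:BL documentation linked above; the API key placeholder, the HTTPBL_KEY environment variable and the sample answers (taken from the module output further down) are assumptions and constructed input, not live data.

```ruby
require 'resolv'
require 'ipaddr'

# HTTP:BL is queried over DNS: the API key and the reversed IPv4 octets are
# prepended to the dnsbl.httpbl.org zone, and the answer (if any) is an A
# record in 127.0.0.0/8 whose last three octets carry the data.
HTTPBL_ZONE = 'dnsbl.httpbl.org'.freeze

# Visitor-type bits in the fourth octet. They are flags, so 3 means
# "suspicious AND harvester". 0 means a known search engine.
TYPE_BITS = { 1 => 'Suspicious', 2 => 'Harvester', 4 => 'Comment Spammer' }.freeze

# Build the name to resolve: <apikey>.<d>.<c>.<b>.<a>.dnsbl.httpbl.org for a.b.c.d
def httpbl_query_name(api_key, ip)
  addr = IPAddr.new(ip)
  raise ArgumentError, "HTTP:BL only covers IPv4: #{ip}" unless addr.ipv4?
  reversed = addr.to_s.split('.').reverse.join('.')
  "#{api_key}.#{reversed}.#{HTTPBL_ZONE}"
end

# Decode a 127.<days>.<score>.<type> answer. Returns nil if the answer is not
# shaped like an HTTP:BL result (anything outside 127.0.0.0/8).
def decode_httpbl(answer)
  octets = answer.to_s.split('.').map(&:to_i)
  return nil unless octets.size == 4 && octets[0] == 127
  _, days, score, type = octets
  if type.zero?
    # Search engines: the third octet identifies the engine, not a threat score.
    return { listed: true, types: ['Search Engine'], engine_id: score, days: nil, threat_score: nil }
  end
  types = TYPE_BITS.select { |bit, _| (type & bit) != 0 }.values
  types << "Unknown type #{type}" if types.empty? # bits the docs do not define
  { listed: true, types: types, days: days, threat_score: score }
end

# Rough reading of the threat score. The docs describe it as logarithmic:
# about 25 for 100 spam messages, 50 for 10,000 and 75 for 1,000,000.
def threat_label(score)
  case score
  when 0...25  then 'less than 100 spam messages'
  when 25...50 then 'roughly 100 to 10,000 spam messages'
  when 50...75 then 'roughly 10,000 to 1,000,000 spam messages'
  else              'more than 1,000,000 spam messages'
  end
end

# Live lookup. NXDOMAIN means HTTP:BL has nothing on the IP, which is the
# common case and must not be treated as an error.
def httpbl_lookup(api_key, ip, resolver: Resolv::DNS.new)
  answer = resolver.getaddress(httpbl_query_name(api_key, ip)).to_s
  decode_httpbl(answer) || { listed: false, raw: answer }
rescue Resolv::ResolvError
  { listed: false }
end

if $PROGRAM_NAME == __FILE__
  # Offline demo using two constructed answers copied from the module output.
  { '88.229.108.0' => '127.51.8.1', '88.229.108.1' => '127.29.8.1' }.each do |ip, answer|
    info = decode_httpbl(answer)
    puts "#{ip} -> #{answer}: #{info[:types].join('+')}, last seen #{info[:days]} days ago, " \
         "threat score #{info[:threat_score]} (#{threat_label(info[:threat_score])})"
  end
  # Live query (assumed env var holding your key):
  #   httpbl_lookup(ENV.fetch('HTTPBL_KEY'), '88.229.108.0')
end
```

Two practical points the decoder bakes in: a missing record (NXDOMAIN) is the normal "not listed" result, not a failure, and the fourth octet is a bitmask, so treating it as a plain enum would mislabel hosts that are both harvesters and comment spammers.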

I wrote it in Metasploit for two reasons:

1) RangeWalker is great code, and it lets you query a list of IPs, a range, or a single IP with ease.

2) All of the other implementations of the API that they list are for CMSs (to actively block IPs that come back 'bad').

This will mostly be useful to incident responders trying to get a bead on a bunch of hosts, or to web admins who want to pull the code out for an active blocking system of their own.

Here it is in action:

msf auxiliary(httpbl_lookup) > info

       Name: Http:BL lookup
    Version: xxxx
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:  Rob Fuller

Basic options:

  Name     Current Setting  Required  Description
  -------     ---------------  --------  -----------
  APIKEY   xxxxxxxxxxxx     yes       Your HTTP:BL api key
  RHOSTS   88.229.108.0/24  yes       The target address range or CIDR identifier
  THREADS  1                yes       The number of concurrent threads

Description:

  This module can be used to enumerate information about IP
  addresses from Project HoneyPot's HTTP Block List.

References:

  link (http://www.projecthoneypot.org/httpbl_api.php)

msf auxiliary(httpbl_lookup) > run

[*]
[*] 88.229.108.0 resolves to 127.51.8.1 which means: Suspicious
[*] => it was last seen 51 days ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.0

[*]
[*] 88.229.108.1 resolves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 days ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.1

[*]
[*] 88.229.108.2 resolves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 days ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.2

[*]
[*] 88.229.108.254 resolves to 127.51.8.1 which means: Suspicious
[*] => it was last seen 51 days ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.254

[*]
[*] 88.229.108.255 resolves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 days ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.255

[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(httpbl_lookup) >

Cross-posted from Room362
