praetorian-inc / chariot-ui

Chariot Offensive Security Platform
https://preview.chariot.praetorian.com
MIT License
21 stars 7 forks

Host in CIDR Range Missed #274

Closed Ameston closed 1 month ago

Ameston commented 1 month ago

For more information: https://praetorianlabs.slack.com/archives/C06RDPMGZJS/p1720712261141599

noah-tutt-praetorian commented 1 month ago

Individual hosts of high interest can be explicitly added. We've also added additional ports to the shortlist.

Ameston commented 1 month ago

> Individual hosts of high interest can be explicitly added.

I think the concern here is that hosts of interest are not known until a CIDR is scanned and analyzed, so we wouldn't know we are missing a host that needs to be explicitly added (false negative).

> We've also added additional ports to the shortlist.

I believe you're talking about the liveness shortlist. Even after adding this host as an individual IP, our scanning pattern was too intense and did not pick up the open port for several days.

I'd like to keep the ticket open to brainstorm solutions to improving liveness and service detection.

noah-tutt-praetorian commented 1 month ago

We have a separate ticket opened for scanning intensity.

Ameston commented 1 month ago

Roger, thanks for the reminder! I'll defer to you. We can keep this ticket open separately to track liveness improvements or combine both tickets into one. Thanks!

peter-kwan commented 1 month ago
praetorian-harry commented 1 month ago

We have discussed this issue as a team and decided on a phased approach to resolution. We will begin with the simplest comprehensive option, which is to scan every port for every IP address in the CIDR range.

Subsequent phases will depend on the impact on our scanning performance and cost. We will likely update our scanning logic to re-scan IP addresses we deem to be "dead" (no open ports) at a decreased frequency.
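The trade-off discussed in this thread, as an added sketch that is not part of the issue and not Chariot's code: a shortlist-gated liveness check misses a host whose only open port is off the shortlist, while rescanning "dead" addresses less often delays detection of services that appear later. The shortlist ports, rescan intervals, function names and the 192.0.2.0/29 inventory are all constructed assumptions, and nothing here touches the network.

```python
import ipaddress

SHORTLIST = {22, 80, 443}        # hypothetical liveness shortlist
LIVE_EVERY, DEAD_EVERY = 1, 7    # hypothetical rescan intervals, in days

# Constructed inventory for 192.0.2.0/29 (documentation range): host -> open ports
SAMPLE = {"192.0.2.1": {443}, "192.0.2.2": {8443}, "192.0.2.5": {22, 3389}}

def hosts(cidr):
    return [str(ip) for ip in ipaddress.ip_network(cidr).hosts()]

def gated_scan(cidr, open_ports, shortlist=SHORTLIST):
    """Report a host only if it answers on at least one shortlist port."""
    found = {}
    for h in hosts(cidr):
        ports = open_ports.get(h, set())
        if ports & shortlist:    # liveness gate
            found[h] = set(ports)
    return found

def full_scan(cidr, open_ports):
    """First phase described above: every port for every IP in the range."""
    return {h: set(open_ports[h]) for h in hosts(cidr) if open_ports.get(h)}

def missed_by_gate(cidr, open_ports, shortlist=SHORTLIST):
    """Hosts with open ports that the shortlist gate never reports."""
    gated = gated_scan(cidr, open_ports, shortlist)
    return sorted(set(full_scan(cidr, open_ports)) - set(gated))

def first_seen(cidr, timeline, days):
    """Later phase: full scans, but dead hosts are rescanned every DEAD_EVERY days.
    timeline maps day -> inventory; an inventory holds until the next entry."""
    due = {h: 0 for h in hosts(cidr)}
    seen, state = {}, {}
    for day in range(days):
        state = timeline.get(day, state)
        for h in hosts(cidr):
            if day < due[h]:
                continue         # not scheduled for a scan today
            alive = bool(state.get(h))
            if alive:
                seen.setdefault(h, day)
            due[h] = day + (LIVE_EVERY if alive else DEAD_EVERY)
    return seen

if __name__ == "__main__":
    print("missed by shortlist gate:", missed_by_gate("192.0.2.0/29", SAMPLE))
    later = {0: SAMPLE, 2: {**SAMPLE, "192.0.2.3": {9200}}}
    print("first seen on day:", first_seen("192.0.2.0/29", later, 10))
```

In the constructed timeline a service appears on 192.0.2.3 on day 2 but is first seen on day 7, which is the detection latency the decreased rescan frequency buys in exchange for lower queue load.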

praetorian-harry commented 1 month ago

We have a PR open to address this issue: https://github.com/praetorian-inc/chaos/pull/1105

We are still reviewing the PR and may tweak the frequency of full port scans for CIDR ranges to decrease the load on the scan queue. I will continue to update this issue as changes are made and deployed. Thank you!

privateducky commented 1 month ago

Made a few adjustments:

This will get deployed this week.

privateducky commented 1 month ago

closing, to track in https://github.com/praetorian-inc/chariot-ui/issues/472