Recently, we moved into our new offices in Munich! While setting everything up in our new home, we were faced with a number of administrative decisions, including the choice of a new ISP. After careful deliberation, we chose M-net, a Munich-based ISP. In this blog, we investigate the network infrastructure of M-net using Farsight Security’s DNSDB Transforms. Farsight’s DNSDB is a historical database containing mappings of hostnames to IP addresses. Using Farsight Security, we can run a Transform in Maltego that converts a Netblock to DNS hostnames. We will be using one of Farsight’s Transforms to look up DNS names given a Netblock to gain insights into M-net’s past and current network.
The advantage of using Farsight’s DNSDB is that reverse IP mappings are made available not just for the current situation, but for all the history of the IP address as well. Farsight’s Transforms allow us to query hostnames for an entire netblock at once, which makes the investigations scalable.
Since M-net is a large ISP, it is interesting to learn more about M-net customers. Through a quick Internet search, we learn that M-net provides Cable, DSL, and Fiber Internet to private customers and businesses. From the same search we also gather that M-net seems to own Autonomous System (AS) 8767, the collection of internet traffic routes under the control of a single organization. Armed with this information, we begin our investigation using Maltego.
Using Maltego Standard Transforms, we find that AS 8767 advertises routing blocks for IP ranges (see image below). For the sake of brevity, some results are not shown.
Since we already know that M-net is an ISP, we can expect that most of the IP addresses in the above blocks are allocated to home users as well as businesses to provide hosting services. Here we will use Farsight Security’s DNSDB to explore further what servers/services are behind these IP addresses. We apply the Transform - [DNSDB] To DNSNames with this value to the netblocks and observe that M-net has divided its netblocks to host the following entities:
- Websites of businesses (electrolux.com, adac.de)
- Static IP addresses for private users
- Dynamic IP addresses for private users
- An entire Netblock allocated for hosting Nameservers
- An entire Netblock allocated for hosting E-mail servers
One of the Netblocks of M-net is 126.96.36.199-188.8.131.52. In this Netblock we found some IP addresses, which resolved to hostnames ending with a .ru Top-Level Domain (TLD). In the same block, we also found IP addresses resolving to hostnames ending with a myfritz.net domain. It is important to note that these IP addresses may not resolve to them currently but may have resolved to them in the past, which DNSDB has recorded into its history. The date range that the data is valid for can be found in the Property View Window of the Maltego Desktop Client.
We conclude that hostnames ending with myfritz.net are DSL users, as this domain is used by FRITZ!Box to give a publicly accessible hostname to their DSL modems. A closer look at the hostnames ending with .ru TLD reveals that they all have a random prefix followed by a domain name alluding towards adult/dating websites. Since Botnets are known to create domains prefixed with random letters, it is not out of question that these domains might be related to Malware activity.
At this point, we would like to again stress that one cannot conclude with this investigation that there are Malware-infected hosts in M-net’s network. One possible explanation could be that M-Net bought this Netblock recently and due to historical records from DNSDB we have found these hostnames suggesting Malware. We would like to use this blog post as an example to inspire similar investigations into Malware with Maltego.
We would love to hear more about your own investigations with Maltego and Farsight DNSDB! Keep visiting our blog or follow our Twitter and LinkedIn pages for more interesting use cases and post your ideas, questions and comments.