Fingerprinting with Ports (Minecraft Edition)
So I was doing research the other day gathering some information that I could share with my students and I stumbled upon a random machine (I was using a technique mentioned previously here). I found a machine that was very clearly also being used for Minecraft. As I was thinking about how easily I found this machine I began to wonder if I could make it even easier with python.
I know folks who have hosted a Minecraft server (Bukkit) in the past. They followed the instructions on the website and various forums. They port forwarded on 25565 and they distributed their external IP address. I think back now to those friends and realize the world of hurt they were inviting into their lives. That's the past! Things are different now!
The recommendations are still pretty simple to set up a Minecraft server and unless you are mindful about how people are connecting into your network you will likely be using default settings.
So I created an experiment. It is small in scope but can be extrapolated to other areas simply enough.
Using port scanning and python I wanted to be able to fingerprint a machine's purpose based on it's ports. I don't want services. I don't want OS'. All I want is the ability to have an automated process where by I can, within a reasonable margin of error, make a guess at what the machines primary purpose is.
So for example on the internet ("clear-net") there are tons of firewalls. Which is fine, but what if I get a machine with some obscure ports open? What could it be?
So as it turns out it is actually possible with python. For our purposes I went with Minecraft and I scaled back a lot to present a proof of concept.
With python, check an IP address if it has port 25565 accepting tcp connections. I don't fully care if it is a Minecraft machine or not. What I care to find out is if this machine is worth digging into any deeper.
in addition, I wanted to use my list of scraped vulnerable IP addresses to see which of these potentially doubled as a Minecraft machine.
Above you will see my short python script. Essentially what is happening in the script is that I:
1. import nmap module
2. open file fed to script from terminal
3. strip out the newline from every list element and then I begin feeding the IPs to the scanner. If the there is a tcp connection on port 25565 append to list called "pc"
My results were staggering.
my list of vulnerable IPs currently stands at 13927.
Of this list of known compromised IP addresses a whopping 7299 were found to have a port 25565 accepting TCP connections.
That is 54%!!!!!!
So to be clear, did I go though and do a follow up scan to verify that each of these machines had a minecraft service running on this port. No. However port 25565 is an obscure enough port number that one can make a educated guess. Also I did do a random test on a healthy number of these machines to see if they had a Minecraft service on it.....They all did!
In conclusion, this experiment was small in scope. I was only looking for the results from 1 port. However it is conceivable that if we add more ports to the list and develop a profile off of that collection of ports one could quickly fingerprint a machine to fish out of it what it's primary purpose or role is.
Thanks hope you enjoyed!