What they should have done
* have a real full example file
* do not publish the data online but send it to mail or something like that
* do not publish all the data in the report - generalize it - or send the technical detailed report only to the people responsable for the network or host (after signing an agreement online etc....)
* contact Google to empty their cache
* destroy all online information from networks and computers
after having read all this (and more to come) it is incredible that privacy activists didn't have anything "privacy preserving" methods included in their report or website
when you go to http://netalyzr.icsi.berkeley.edu/ the online privacyblogs and activists say you can discover what is blocked or captured by the Isp or other networkinterference between you and the internet
and it is true when you see the report after that the java applet has been installed on your computer it is just amazing
networkpeople and securitypeople in networks would just love to have that information in one screen at hand
you will need to read a lot paper to understand it fully as a networkperson
but as a securityperson you will see immediately which are the rights of the machine through the firewall and what is the role the proxy and other security-installations (you will see how 'exposed' the computer is and which ports are open and if the local IP address is known or not)
this is a sample report http://netalyzr.icsi.berkeley.edu/restore/id=example-session
than we look at the FAQ http://netalyzr.icsi.berkeley.edu/faq.html
okay lets ask Google
Google Dork site:netalyzr.icsi.berkeley.edu/ NAT detected
so these are computers that are behind a network of a company or institution and we have about 2300 full reports online
First their NAT address is discovered and published "Your global IP address is 18.104.22.168 while your local one is (none of your business). You are behind a NAT."
secondly you have all the ports that are open between the firewall and the specific client
so take that for example (based on the example report) that we want to attack port 139
site:netalyzr.icsi.berkeley.edu/ NAT detected "access to remote NetBIOS servers (port 139) is allowed"
yes, we have now about 773 networks that allow a direct communication between their posts and the port 139 and where the securitypeople didn't read anything about securing a network the last 10 years.
If they leave that port open you can assume that you can do a whole lot of other things
so lets go a bit furtherand use not only the port 139 but also the port 445 for a full attack
site:netalyzr.icsi.berkeley.edu/ NAT detected "access to remote NetBIOS servers (port 139) is allowed" AND "access to remote SMB servers (port 445) is allowed"
like we thought most of them allowed both
but you can extend the Google dork with any port that is in the example or service that you want to use that is being monitored. some networks won't give all the information so you may have to test it.
okay let's now also limit the country. This is not perfect but it can be done because it sometimes also gives the Isp address of the IP address and in that address you will sometimes find the country domainextension
the best way to do that is by using the name of the isp
dslextreme.com for example (4 networks ) dslextreme.com site:netalyzr.icsi.berkeley.edu/ NAT detected
You can also work with ipranges in which you will only use the first series
hey there is even more even more crazy stuff you can discover which is NOT in the example file (which is by the way not a real example file at all because the tests are much more comprehensive (and intrusive) as the more or less 'innocent' example file shows (and misleads in a way, sorry guys). Transparancy.
these are some of the ports that are checked and can be dorked
if you want to see if others are tested and found you just add "port xxx)" to the dork
Direct TCP access to remote OpenVPN servers (port 1194) is allowed.
Direct TCP connections to remote PPTP Control servers (port 1723)
Direct TCP access to remote TOR servers (port 9001) is allowed.
for UDP there are also interesting dorks to make
The applet was able to send fragmented UDP traffic.
The applet was able to receive fragmented UDP traffic.
Direct UDP access to remote DNS servers (port 53) is allowed.
Direct UDP access to remote NTP servers (port 123) is allowed.
Direct UDP access to remote OpenVPN servers (port 1194) is allowed.
Direct UDP access to remote MSSQL servers (port 1434) is allowed.
so imagine what kind of dorks you can make with a combination of open tcp and open udp ports to infiltrate and inject and to extract
Even better on some networks you get a real internal traceroute - no joke
this is an example (there are 360 traceroutes of internal networks)
ip-10-114-184-3.ec2.internal (0 ms)
ip-10-1-50-41.ec2.internal (0 ms)
ip-10-1-34-78.ec2.internal (0 ms)
22.214.171.124 (0 ms)
dca-edge-18.inet.qwest.net (8 ms)
dcp-brdr-03.inet.qwest.net (6 ms)
xe-9-1-0.edge1.washington4.level3.net (4 ms)
ae-71-71.ebr1.Washington1.Level3.net (4 ms)
ae-91-91.ebr1.Washington1.Level3.net (4 ms)
ae-7-7.ebr3.Dallas1.Level3.net (36 ms)
ae-7-7.ebr3.Dallas1.Level3.net (35 ms)
ae-73-73.csw2.Dallas1.Level3.net (36 ms)
ae-3-80.edge3.Dallas1.Level3.net (36 ms)
WINDSTREAM.edge3.Dallas1.Level3.net (37 ms)
h126.96.36.199.static.ip.windstream.net (35 ms)
h188.8.131.52.static.ip.windstream.net (37 ms)
h184.108.40.206.static.ip.windstream.net (42 ms)
h220.127.116.11.static.ip.windstream.net (43 ms)
h18.104.22.168.static.ip.windstream.net (47 ms)
h22.214.171.124.static.ip.windstream.net (51 ms)
sedivy.com (58 ms)
you can in fact check all these things (but them behind " " in your googledork with AND if you want to see ports open and a - if you don't want to treat with a proxy to block your online attackscripts
yes, you can filter all the networks that have no proxy to filter those webbased attacks
if these filters are not present you get these results (for about a 1000 networks here)
Address-based HTTP proxy detection : OK
Content-based HTTP proxy detection : OK
HTTP proxy detection via malformed requests : OK
Filetype-based filtering : OK
HTTP caching behavior : OK
OK here means that there is NOTHING that you can pass even with malformed packages, that there is NOTHING in between, that the route is all clear to go attacker
and if you want to be sure of even less security add -OPENDNs (only 54 networks here use it so no great loss) and off course that have no DNssec ("It does not validate DNSSEC")
but you can also check for open or insecure dns servers
you can try this "DNS resolver port randomization (?): Danger" for DNs poisioning there are 11 victims here
more to come
oh you thought this was all (wait for this .....)