chaos

[Cha]tGPT [O]rigin IP [S]canner


ChatGPT-generated ASCII art used as inspiration for this project :)


There are two stories here, but one is for a future post. For now we'll focus on the first milestone from our recent work with ChatGPT, which is the open source release of chaos!

chaos is an 'origin' IP scanner developed by RST in collaboration with ChatGPT. We're releasing this utility as Open-Source Software, and hope that someone other than us will find it useful :)


Why does anyone want this?

Many modern web applications are protected by layers of third-party services that sit between the production web server and normal internet users.

Let's pretend the organization EXAMPLE CORP has a server www.example.com, and owns the public IP space 100.1.1.0/24. They are running their main web application using the Fully Qualified Domain Name (FQDN) www.example.com on the internet at 100.1.1.1 (the 'origin' IP address).

They also have a non-production version of the application for pre-release testing running as www-test.example.com at 100.1.1.20.

When a user requests www.example.com, DNS resolves the name to the server IP 100.1.1.1 and the user connects directly to the server.

Maybe the company wants to protect their main web site from common malicious traffic, so they hire a third-party company, ACME SERVICES, that offers that kind of filtering. In order to protect their web site, they change the DNS record for www.example.com to point to the ACME SERVICES public IP address at 200.201.202.234.

When an internet user wants to visit www.example.com, the DNS record resolves to 200.201.202.234, and after ACME SERVICES does whatever they do, they pass the traffic along to 100.1.1.1, where the web application resides.

The EXAMPLE CORP uses ACME SERVICES to filter web traffic by altering their DNS entries to point to ACME appliances


EXAMPLE CORP may take a number of steps to try to ensure that the general internet does not know that their applications reside in the 100.1.1.0/24 address range, because they want ACME SERVICES to filter their traffic to protect the company and its users.

So when bad guys try to attack www.example.com, ACME SERVICES gets a chance to filter the traffic before it reaches the actual web site.

And when bug hunters or penetration testers try to find bugs in www.example.com, they might be frustrated by the same protection provided by ACME SERVICES, which is why they might be interested in finding the 'origin' IP for a web application.

You'd think that EXAMPLE CORP would use a firewall to prevent anyone from connecting directly to 100.1.1.1, but it turns out there are a lot of real-world operational reasons why the entire internet probably has direct access to the server on the 'origin' IP, and so that gets us to 'chaos':

Help options menu for chaos v0.9.4


chaos in action

chaos was rapidly prototyped from idea to functional proof-of-concept in less than 24 hours using DevOps principles we developed through trial and error doing development work with ChatGPT.

The version released today is far more capable and flexible than that first proof-of-concept, but the core code and algorithm persist from that initial development effort:

Disclaimer: No public web services were harmed during the making of this video

chaos directly scanning an IP block of interest with different FQDN values in the HTTP Host header, to see how the IPs respond to each FQDN

chaos allows the user to bypass the DNS entry and find out how services on specific IP blocks respond when they get requests with different FQDNs in the HTTP Host header.

Sometimes the ‘origin’ IP will respond properly to the request, and other times it may be a little more complicated to get content from the ‘origin’ server. In either case, the chaos user is able to rapidly find information that otherwise may take a significant amount of time to gather.
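The two defensive questions the EXAMPLE CORP scenario raises are (1) which DNS records leak the origin address range (the www-test.example.com record above does) and (2) whether the origin server is accepting requests that did not arrive via ACME SERVICES. The script below is an added example written for this post, not part of chaos or RST's code. The ACME SERVICES range 200.201.202.0/24 is assumed (the post only gives the single address 200.201.202.234), and the zone records and access-log lines are constructed to match the post's scenario.

```python
import ipaddress
import re
from dataclasses import dataclass

# Address space from the post's scenario. The proxy range is an assumption:
# the post names only 200.201.202.234, so a /24 around it is used here.
PROXY_RANGES = [ipaddress.ip_network("200.201.202.0/24")]   # hypothetical ACME SERVICES range
ORIGIN_RANGES = [ipaddress.ip_network("100.1.1.0/24")]      # EXAMPLE CORP origin space


def in_ranges(ip, ranges):
    """True if the string IP falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


# Constructed zone export for example.com: (name, type, value).
ZONE_RECORDS = [
    ("www.example.com", "A", "200.201.202.234"),   # fronted by ACME SERVICES
    ("www-test.example.com", "A", "100.1.1.20"),   # points straight into origin space
    ("mail.example.com", "A", "100.1.1.25"),
    ("cdn.example.com", "CNAME", "www.example.com"),
]


def exposed_records(records, origin_ranges=ORIGIN_RANGES):
    """Return (name, ip) for A/AAAA records that publish an origin-range address."""
    leaks = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and in_ranges(value, origin_ranges):
            leaks.append((name, value))
    return leaks


# Apache/nginx "combined" log format; the client IP is the first field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed access log as seen on the origin server at 100.1.1.1.
ACCESS_LOG = """\
200.201.202.234 - - [10/Feb/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Feb/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "chaos-scanner-example"
198.51.100.77 - - [10/Feb/2023:10:00:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "chaos-scanner-example"
200.201.202.235 - - [10/Feb/2023:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


@dataclass
class DirectHit:
    ip: str
    request: str
    status: str
    user_agent: str


def direct_origin_hits(log_text, proxy_ranges=PROXY_RANGES):
    """Requests whose client IP is not one of the filtering provider's addresses.

    Any such line means the request reached the origin without passing through
    ACME SERVICES, i.e. the origin is reachable directly from the internet.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        if not in_ranges(m["ip"], proxy_ranges):
            hits.append(DirectHit(m["ip"], m["req"], m["status"], m["ua"]))
    return hits


def summarize(hits):
    """Direct hits per source IP, the view a defender would alert on."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


if __name__ == "__main__":
    for name, ip in exposed_records(ZONE_RECORDS):
        print(f"DNS leak: {name} -> {ip} is inside the origin range")
    for ip, n in summarize(direct_origin_hits(ACCESS_LOG)).items():
        print(f"direct-to-origin: {ip} made {n} request(s) bypassing the proxy")
```

Both checks reduce to the same question, "is this address inside a range it should not be in", so a single `in_ranges` helper serves both. In production the proxy range list would come from the provider's published address list rather than a constant, and the log check is only a detective control; the preventive one is the firewall rule (or equivalent allow-list in the web server) that restricts the origin to the provider's ranges, which is exactly the rule the post notes is so often missing.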


Chaos features

Collaborative development with ChatGPT has resulted in the most flexible and feature-rich software we’ve ever produced:

Multi-Threaded

Takes advantage of multiple threads / cores / vCPUs for scanning larger network segments

Real-Time Updates

Progress bars and real-time messages give users insight into the state of the scan, with verbose output available

Dataset Reduction

Default preparation scan option identifies live services before iterating through user-provided FQDNs for drastic reduction in test datasets and quick access to relevant data

Useful Output

Options to save console output (minus progress bars*) to file, as well as CSV output with response header and content details

Flexible User Options

Supporting users in a variety of scenarios:

  • Sleep, Jitter, Timeout, & Randomize to control the rate, timing, and nature of scans as needed

  • Custom User-Agent to advertise yourself per the terms of the bug bounty program :)

  • Output to file and CSV to store and use the information you’ve acquired!

  • Optional forward and reverse DNS lookups, because why not?

  • And more


Closing

chaos is released without warranty for public research and authorized use.

There are many updates and tweaks to continue improving chaos, but we also have a number of other efforts in the pipeline for future release, so please reach out if there’s anything you’d like us to prioritize on this project.

Please keep an eye on our blog and github for future releases and updates!

Until next time!!