Friday, August 07, 2009

Google-Hacking Google's Safe Browsing List

I discovered a kind of cool trick the other day with the Google Safe Browsing service. When doing a client vulnerability assessment or pen-test, if the customer has an assigned AS number, you can quickly check the Google Safe Browsing list to see all the sites on their network found to be serving up malware in the past 90 days. For example, if you were doing an assessment for a customer that owned the AS number 11643, you would use a URL in the following format:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:11643

As your customer is probably not knowingly hosting malware, identifying these sites proves valuable, as they are probably still exploitable. More often than not, I have found that these sites were compromised through weak or easily guessable FTP or SSH usernames and passwords.

Taking this a couple of steps further, I noticed that Google has published an API for this service.
An interesting application of this would be to take all the host names discovered when enumerating a client's IP space with something like Fierce Domain Scan and feed each of those sites into the Google Safe Browsing lookup.

There are several other applications of this. Say, for instance, you are a web hosting provider. You can semi-monitor your hosted customers and notify them when they end up on the "bad list". This can be done either by plugging in your AS number or by enumerating all the hosted sites and plugging those into the API.
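The hosting-provider monitoring described above, as an added example (my code, not Google's client library and not part of the original post): it builds the same diagnostic URLs the post uses for hostnames or AS numbers, de-duplicates an enumeration list, and flags hosts whose diagnostic page reports a listing. The HTTP fetch is injected as a callable so the code runs offline; the "listed as suspicious" page wording is an assumption about the 2009-era diagnostic page, not a documented API contract.

```python
import re
from urllib.parse import quote

# Diagnostic endpoint quoted in the post; appended with a hostname or "AS:<n>".
DIAG = "http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site="


def diagnostic_url(target):
    """Build the diagnostic URL for a hostname, a full URL, or an AS number.
    Accepts 'AS11643', 'AS:11643', 'host.example.com' or 'http://host/path'."""
    t = target.strip()
    m = re.fullmatch(r"(?i)as:?(\d+)", t)
    if m:
        return DIAG + "AS:" + m.group(1)
    host = re.sub(r"^[a-z]+://", "", t, flags=re.I).split("/")[0].lower()
    host = host.rsplit("@", 1)[-1].split(":")[0]   # drop userinfo and port
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        raise ValueError("not a hostname or AS target: %r" % target)
    return DIAG + quote(host)


def unique_hosts(lines):
    """Normalise an enumeration list (one name or URL per line; the sample
    in the test is constructed) into sorted, de-duplicated hostnames,
    silently skipping entries that are not valid hosts."""
    out = set()
    for line in lines:
        try:
            out.add(diagnostic_url(line)[len(DIAG):])
        except ValueError:
            continue
    return sorted(h for h in out if not h.startswith("AS:"))


def flag_listed(targets, fetch, marker="listed as suspicious"):
    """Fetch each target's diagnostic page via fetch(url) -> str and return
    {target: url} for pages carrying the marker. ASSUMPTION: the page says
    'listed as suspicious' for a hit and 'not currently listed' otherwise."""
    hits = {}
    for t in targets:
        url = diagnostic_url(t)
        body = fetch(url)
        if marker in body and "not currently listed" not in body:
            hits[t] = url
    return hits
```

For live use, pass something like `lambda u: urllib.request.urlopen(u).read().decode()` as `fetch` and rate-limit the loop; for customer notification, the returned dictionary is the list to act on.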

Another application for this could be for a security company to identify potential customers. For example, working for a security vendor here in Thailand, all I would need to do is identify a few Thailand-specific AS numbers, and away we go:

AS 7470, AS 9737, and AS 9931

For those who are not familiar with the naming conventions in the .th TLD: go.th is reserved for government sites and mi.th is reserved for military sites. With that knowledge, the results above are sort of shocking, no?