Ready to explore the deep web?
What is Riddler?
Riddler is a tool for web topology mapping, attack surface enumeration and web discovery. It is available as an online search engine (riddler.io), a set of tools, an API, and as a managed service. It is also available as an optional plugin for F-Secure Radar.
This white paper will explain what Riddler is, how it works, and what you can do with it. We'll go on to detail a variety of use cases that can be realized with Riddler, and provide you with a list of functions within your organization that we believe could utilize the power of Riddler to their advantage.
The story behind Riddler
Banner grabbing
Riddle me this
Close to 2,000,000,000,000 unique links?
When running the crawler, we noticed that somewhere between half and two-thirds of all links processed by URLSeen() calls were unique. At 70,000 new URLSeen() calls per second, we estimate that roughly 35,000 are unique (so a bit of a low estimate). Multiply that by the number of seconds in an hour, the number of hours in a day, and the number of days in a month (which we'll set at 30) and we get 1.5 trillion. So the 2 trillion number seems about right.
Riddler in numbers
How Riddler works
Unlike
https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
The following query will return all hosts with the word webmail in their FQDN under the pay-level domain helsinki.fi:
pld:helsinki.fi host:webmail
The following query will return all Riddler results for the host www.f-secure.com:
host:www.f-secure.com
The following query will find all hosts on the internet where the FQDN contains the substring f-secure:
host:f-secure
The following will return a list of hosts under the apple.com pay-level domain that do not contain the word phobos in their FQDN:
pld:apple.com -host:phobos
Associative handlers
The handlers friends, links and refers allow searches for sites that link to and from a specific host. The links and refers handlers take an FQDN or pld as input. The friends handler requires a specific FQDN as an input parameter. For instance, the following query will list all sites that pages under www.f-secure.com link to:
links:www.f-secure.com
On the other hand, this query shows all the sites that link to www.f-secure.com:
refers:www.f-secure.com
Riddler handlers: ip, pld, net, host, links, refers, friends, country, keyword
Finally, this query will return a list of sites that www.f-secure.com links to, and that link back to www.f-secure.com:
friends:www.f-secure.com
Metadata handlers
The keyword handler can be used to filter by a set of metadata collected during the crawling process. Keywords include information about services running on each host. To familiarize yourself with the keywords available, it's useful to examine the output of some broader searches. This example query will return all servers under the apple.com pay-level domain running Microsoft IIS:
pld:apple.com keyword:microsoft-iis
This query will return all servers under the microsoft.com pay-level domain running Apache:
pld:microsoft.com keyword:apache
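To make the query semantics above concrete, here is an added example (not Riddler's own code) that parses the handler syntax and evaluates it against a constructed host inventory. It assumes host and keyword terms match as substrings, pld, tld and country match exactly, a leading "-" negates a term, and terms are ANDed; the link handlers are not modelled.

```python
# Added example (not Riddler's own code): an offline evaluator for the query
# syntax described above, run over a constructed host inventory. Assumed
# semantics: host/keyword match as substrings, pld/tld/country exactly, a
# leading '-' negates a term, and terms are ANDed. The link handlers (links,
# refers, friends) need crawl data and are not modelled here.
HANDLERS = ("host", "pld", "tld", "country", "keyword")

def parse_query(query):
    """'pld:apple.com -host:phobos' -> [(False, 'pld', 'apple.com'), (True, 'host', 'phobos')]"""
    terms = []
    for token in query.split():
        negated = token.startswith("-")
        handler, sep, value = token.lstrip("-").partition(":")
        if not sep or handler not in HANDLERS or not value:
            raise ValueError(f"unsupported term: {token}")
        terms.append((negated, handler, value.lower()))
    return terms

def pld_of(fqdn):
    # Assumption: the pay-level domain is approximated by the last two labels.
    return ".".join(fqdn.lower().split(".")[-2:])

def matches(host, negated, handler, value):
    fqdn = host["fqdn"].lower()
    if handler == "host":
        hit = value in fqdn
    elif handler == "keyword":
        hit = any(value in k.lower() for k in host["keywords"])
    elif handler == "pld":
        hit = pld_of(fqdn) == value
    elif handler == "tld":
        hit = fqdn.rsplit(".", 1)[-1] == value
    else:  # country
        hit = host["country"].lower() == value
    return hit != negated          # a leading '-' flips the outcome

def search(hosts, query):
    """Sorted FQDNs of the hosts satisfying every term of the query."""
    terms = parse_query(query)
    return sorted(h["fqdn"] for h in hosts if all(matches(h, *t) for t in terms))

# Constructed sample inventory (not real Riddler results).
SAMPLE = [
    {"fqdn": "webmail.helsinki.fi", "country": "fi", "keywords": {"microsoft-iis"}},
    {"fqdn": "www.helsinki.fi", "country": "fi", "keywords": {"apache"}},
    {"fqdn": "phobos.apple.com", "country": "us", "keywords": {"apache"}},
    {"fqdn": "webmail.apple.com", "country": "us", "keywords": {"microsoft-iis"}},
    {"fqdn": "politi.xxx", "country": "dk", "keywords": set()},
]
```

Running the paper's own queries, e.g. search(SAMPLE, "pld:apple.com -host:phobos"), returns only webmail.apple.com, which is the inventory check a defender would automate to spot unexpected externally visible hosts under their own pay-level domain.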
Riddler use cases
Defending against misconfigurations and exposed (internal) assets
At the time of writing this paper, we queried Riddler for the number of hosts with the word webmail in their FQDN from a variety of countries. The results speak for themselves:
country:fi host:webmail == 2140 results
country:fr host:webmail == 4334 results
country:gb host:webmail == 9460 results
country:se host:webmail == 1372 results
country:ee host:webmail == 121 results
country:dk host:webmail == 2347 results
country:de host:webmail == 8634 results
country:au host:webmail == 1845 results
country:us host:webmail == 42250 results
Server clean-up
A large enterprise customer of ours has been using both Radar and Riddler to map out their organization's attack surface. They recently found around 10 hosts that they were immediately able to take offline due to the fact that they were unneeded. This is a nice example of removing shadow IT.
Tracking fraudsters
By running the query tld:xxx country:dk, we were able to identify an individual who was engaging in large-scale typo-squatting in Denmark. We tracked the purchases of .xxx domains linked to several banks, insurance companies, and even the police (politi.xxx). This particular miscreant was easy to track with a single Riddler query.
Available Services
Regular vulnerability scanning and management should already be an integral part of your organization's security culture. Adding the powerful combination of F-Secure Radar and Riddler will provide you with capabilities that are a cut above other commercial threat assessment platforms.
Riddler is available in several different flavors, depending on your organization's needs, budget, and expertise.
Riddler Foundation
Subscribing to the Riddler Foundation service gives your organization access to the following:
Up to 5000 results from any search query
A maximum of 2500 daily queries
Full access to the web interface at riddler.io
Tools which include expanded functionality for mapping internal networks
Full access to Riddler's API
Choose the Riddler Foundation package if you're looking to build your own tools based on Riddler or if you've got experts in your organization who want to play around with Riddler queries by hand.
Radar integration
The Riddler service is available as an optional Radar plugin. With Riddler integrated into Radar, results from network topology mapping can be fed directly into our fully-featured threat assessment tool. With the full riddler.io search syntax available directly in Radar's interface, administrators and security experts can quickly enumerate and assess their organization's attack surface.
Managed services
Many of the use cases detailed in this paper are geared around configuring Riddler to monitor specific sets of queries and either generate alerts or periodic reports. This is where Riddler managed services shine. By working with your organization, our experts can design, maintain, and manage monitoring systems, alerts and reporting precisely tailored to your requirements. And they'll continue to work with you as your needs, or the landscape, change. All of the use cases detailed in this white paper are available as managed services, and if you come up with a use case that we've never even considered, we'd be more than happy to set that up for you!
Choose Riddler managed services if you're looking to take a hands-off approach and have searches, alerts and reports delivered directly to you, if you're not sure how you might use Riddler to generate the queries you have in mind, or if the number of queries you expect to make is likely to exceed what's available in the Riddler Foundation package.
Who might be interested in Riddler?
Your InfoSec department will probably be most interested in using Riddler. Members of the IT department, security experts, incident response teams, and crisis management teams all need access to up-to-date threat surface assessment reports.
We're F-Secure
And we've been a part of the cyber security industry for over 25 years