Hunting for Mastodon Servers
Since Elon Mush took control of Twitter, there has been considerable interest in alternative platforms to the micro-blogging network. Without certainty about Twitter's future, many people switched to the Mastodon[1] network. Most of the ISC Handlers are now present on this decentralized network. For example, I’m reachable via @xme@infosec.exchange[2]. You can find our addresses on the Contact page[3].
A new social network means that it could be interesting to track access to it from corporate networks and/or sensitive systems. If people are afraid about Twitter’s future, attackers too, and there are chances that we will see more and more C2 communications through Mastodon.
However, there is a significant difference with Twitter. Mastodon is a decentralized platform. Mastodon is a free software that allows you to run your instance of the social network. The server owner can join (or not) the federated social network to allow people from different servers to interact (hopefully!). So, someone using the server mastodon.nz will be able to discuss with me, using infosec.exchange.
The problem with this decentralized platform, the number of servers keeps growing, and there are many domain names to track to detect Mastodon traffic. Hopefully, it’s possible to generate the list of servers through an API call.
On instances.social, you can find a free API[4] to query Mastodon servers. Once you created your account, you can easily extract the list of existing servers. The JSON output can be processed using jq to produce a simple list:
curl -s --header "Authorization: Bearer <redacted>" 'https://instances.social/api/1.0/instances/list?count=0' | \ jq ".instances[].name" | \ tr -d '"'
This command returned 16853 FQDN! Not all servers are active and online. For best results, it could be interesting to filter them out. If you add the filter 'include_down=false', you will get 14824 hosts. Then, add the filter' include_closed=false', and the count will drop to 7544. Once you have extracted the list of servers, it's easy to integrate them into your SOC feeds and use them in your hunting rules.
For your convenience, I uploaded a full list of servers on pastebin[5].
[1] https://joinmastodon.org/servers
[2] https://infosec.exchange/@xme
[3] https://isc.sans.edu/handler_list.html
[4] https://instances.social/api/doc/
[5] https://pastebin.com/ERuM4srn
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments
www
Nov 17th 2022
4 months ago
EEW
Nov 17th 2022
4 months ago
qwq
Nov 17th 2022
4 months ago
mashood
Nov 17th 2022
4 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
2 months ago
isc.sans.edu
Dec 26th 2022
2 months ago