Hunting for Mastodon Servers

Published: 2022-12-19
Last Updated: 2022-12-19 10:02:29 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Since Elon Musk took control of Twitter, there has been considerable interest in alternatives to the micro-blogging network. Without certainty about Twitter's future, many people have switched to the Mastodon[1] network. Most of the ISC Handlers are now present on this decentralized network. For example, I’m reachable via @xme@infosec.exchange[2]. You can find our addresses on the Contact page[3].

A new social network means it could be interesting to track access to it from corporate networks and/or sensitive systems. If people are worried about Twitter’s future, so are attackers, and there is a good chance that we will see more and more C2 communications through Mastodon.

However, there is a significant difference from Twitter: Mastodon is a decentralized platform. Mastodon is free software that allows you to run your own instance of the social network. The server owner can choose whether to join the federated social network so that people from different servers can interact (hopefully!). So, someone using the server mastodon.nz will be able to talk with me on infosec.exchange.

The problem with this decentralized platform is that the number of servers keeps growing, and there are many domain names to track to detect Mastodon traffic. Fortunately, it’s possible to generate the list of servers through an API call.

On instances.social, you can find a free API[4] to query Mastodon servers. Once you have created your account, you can easily extract the list of existing servers. The JSON output can be processed with jq to produce a simple list:

# <redacted> is your instances.social API token; count=0 asks for the full list
curl -s --header "Authorization: Bearer <redacted>" 'https://instances.social/api/1.0/instances/list?count=0' | \
jq -r '.instances[].name'

This command returned 16853 FQDNs! Not all of these servers are active and online, so for best results it is worth filtering them out. If you add the parameter 'include_down=false', you get 14824 hosts; adding 'include_closed=false' drops the count to 7544. Once you have extracted the list of servers, it's easy to integrate it into your SOC feeds and use it in your hunting rules.
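As an added example (not from the diary), the same extraction and a simple hunting check in Python: it parses a constructed sample of the API's JSON, normalises the instance names, and flags proxy log lines whose destination is a listed instance or a subdomain of one (media and CDN hosts often live under the instance domain). The live fetch_instances() helper and the proxy log format are assumptions; the query parameters are the ones named above.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_URL = "https://instances.social/api/1.0/instances/list"

def fetch_instances(token, include_down=False, include_closed=False):
    """Live query of instances.social (needs a real API token; not used offline)."""
    params = {"count": 0,  # count=0 asks for the full list instead of a page
              "include_down": str(include_down).lower(),
              "include_closed": str(include_closed).lower()}
    req = Request(API_URL + "?" + urlencode(params),
                  headers={"Authorization": "Bearer " + token})
    with urlopen(req, timeout=60) as resp:
        return instance_names(resp.read().decode("utf-8"))

def instance_names(body):
    """Extract normalised FQDNs from the API JSON (the jq '.instances[].name' step)."""
    data = json.loads(body)
    names = {i["name"].strip().lower().rstrip(".") for i in data["instances"] if i.get("name")}
    return sorted(names)

def is_instance_host(host, instances):
    """True if host is a listed instance or a subdomain of one (e.g. a media host)."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name down to the registrable domain, never the bare TLD.
    return any(".".join(labels[i:]) in instances for i in range(len(labels) - 1))

def hunt(log, instances):
    """Return proxy log lines whose destination host belongs to a Mastodon instance."""
    hits = []
    for line in log.splitlines():
        host = line.rsplit(" ", 1)[-1].split(":")[0]   # last field is host:port
        if is_instance_host(host, instances):
            hits.append(line)
    return hits

# Constructed sample data (not real API output or real log lines).
SAMPLE_API_RESPONSE = json.dumps({"instances": [
    {"name": "infosec.exchange", "up": True},
    {"name": "mastodon.nz", "up": True},
    {"name": "Example.Social.", "up": False},
]})
SAMPLE_PROXY_LOG = """\
2022-12-19T09:58:01Z 10.0.0.15 CONNECT infosec.exchange:443
2022-12-19T09:58:07Z 10.0.0.15 CONNECT files.mastodon.nz:443
2022-12-19T09:58:09Z 10.0.0.22 CONNECT www.example.com:443
2022-12-19T09:58:12Z 10.0.0.22 CONNECT api.twitter.com:443"""
```

Feeding the output of fetch_instances() into hunt() gives the same check against the live list.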

For your convenience, I uploaded a full list of servers on pastebin[5].

[1] https://joinmastodon.org/servers
[2] https://infosec.exchange/@xme
[3] https://isc.sans.edu/handler_list.html
[4] https://instances.social/api/doc/
[5] https://pastebin.com/ERuM4srn

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
