Hunting for Mastodon Servers

Published: 2022-12-19. Last Updated: 2022-12-19 10:02:29 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Since Elon Mush took control of Twitter, there has been considerable interest in alternative platforms to the micro-blogging network. Without certainty about Twitter's future, many people switched to the Mastodon[1] network. Most of the ISC Handlers are now present on this decentralized network. For example, I’m reachable via @xme@infosec.exchange[2]. You can find our addresses on the Contact page[3].

A new social network means that it could be interesting to track access to it from corporate networks and/or sensitive systems. If people are afraid about Twitter’s future, attackers too, and there are chances that we will see more and more C2 communications through Mastodon.

However, there is a significant difference with Twitter. Mastodon is a decentralized platform. Mastodon is a free software that allows you to run your instance of the social network. The server owner can join (or not) the federated social network to allow people from different servers to interact (hopefully!). So, someone using the server mastodon.nz will be able to discuss with me, using infosec.exchange.

The problem with this decentralized platform, the number of servers keeps growing, and there are many domain names to track to detect Mastodon traffic. Hopefully, it’s possible to generate the list of servers through an API call.

On instances.social, you can find a free API[4] to query Mastodon servers. Once you created your account, you can easily extract the list of existing servers. The JSON output can be processed using jq to produce a simple list:

curl -s --header "Authorization: Bearer <redacted>" 'https://instances.social/api/1.0/instances/list?count=0' | \
jq ".instances[].name" | \
tr -d '"'

This command returned 16853 FQDN! Not all servers are active and online. For best results, it could be interesting to filter them out. If you add the filter 'include_down=false', you will get 14824 hosts. Then, add the filter' include_closed=false', and the count will drop to 7544. Once you have extracted the list of servers, it's easy to integrate them into your SOC feeds and use them in your hunting rules.

For your convenience, I uploaded a full list of servers on pastebin[5].

[1] https://joinmastodon.org/servers
[2] https://infosec.exchange/@xme
[3] https://isc.sans.edu/handler_list.html
[4] https://instances.social/api/doc/
[5] https://pastebin.com/ERuM4srn

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Feed Hunting Mastodon Servers API SOC
1 comment(s)
ISC Stormcast For Monday, December 19th, 2022 https://isc.sans.edu/podcastdetail.html?id=8296

Comments

Login here to join the discussion.


Diary Archives