Home

Jon Hart edited this page Dec 30, 2016 · 11 revisions

Project Sonar is a community effort to improve security through the active analysis of public networks. This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the information security community.

Project Sonar gathers data by scanning public IPv4 addresses for common services and extracting useful information from these services. At no point does Sonar bypass any technical barriers or otherwise access non-public-facing computers. We make every effort to reduce our impact on remote networks, and we follow the best practices outlined by the ZMap developers.

All Project Sonar scans are sourced from one subnet, which can be whitelisted or blacklisted at your preference:

  • 71.6.216.32/27 (Hosted by CARI.net)

Project Sonar performs its collection activities from AWS EC2 nodes with non-static IP addresses, which therefore cannot be readily whitelisted or blacklisted themselves. However, it is sufficient to blacklist or whitelist the scan range listed above.

Sonar collects SSL Certificates, Web Server responses, DNS records, and responses from common UDP services. We use this data to identify large-scale misconfigurations and vulnerabilities in consumer, enterprise, and critical infrastructure systems.

All Sonar data is provided to the public free of charge in cooperation with the University of Michigan. You can find the data at Scans.IO.

Project Sonar employs a range of open-source tools, most notably the ZMap software developed by Zakir Durumeric, Eric Wustrow, and J. Alex Halderman at the University of Michigan. We publish a few of our own tools as well, including DAP and Recog, both of which are used in the processing stage of our scanning system.

Feel free to contact research[at]rapid7.com regarding further questions. We also appreciate any community analysis results and hope for your collaboration.

If you would like to exclude your network from Project Sonar scans, please let us know by email at research[at]rapid7.com and provide a complete list of your organization's IP addresses and network blocks.