Full Report
After several months of dedicated … uh dedication, our new network footprinting tool is being made available to the masses. It’s called Yeti and it is a cross-platform, Java application. Its predecessor, BidiBlah, was only available on Windows platforms and hopefully with Yeti we can now offer Internet intelligence gathering to everyone.

So what does Yeti do:

- Top level domain expansion (tld expand)
- Forward lookups (mx, ns, a, cname and zone transfers)
- Reverse lookups (ptr records)
- Cert extraction (getting the common name, and domain from ssl certificates)
- Bing IP/Site searches
- Report exports to xls format

We invite you all to visit the Yeti community blog and to participate in either testing the tool or just to add comments. Usage instructions can be found on the spyeti blogspot.
Analysis Summary
# Tool/Technique: Yeti
## Overview
Yeti is a cross-platform Java application designed for network footprinting and Internet intelligence gathering. It functions as a reconnaissance tool used to gather information about target domains and IP addresses.
## Technical Details
- Type: Tool
- Platform: Cross-platform (Java application)
- Capabilities: TLD expansion, DNS lookups (A, MX, NS, CNAME, Zone Transfers), Reverse lookups (PTR), SSL Certificate extraction, Bing searches, XLS report exports.
- First Seen: Announced February 15, 2011 (predecessor was BidiBlah on Windows)
## MITRE ATT&CK Mapping
Yeti gathers information about a target before any access is attempted, so the relevant tactic is Reconnaissance. Its individual functions map onto the following techniques:
- [TA0043 - Reconnaissance]
- [T1590 - Gather Victim Network Information]
- T1590.001 - Domain Properties (TLD expansion)
- T1590.002 - DNS (forward lookups, zone transfer attempts, PTR lookups)
- T1590.005 - IP Addresses (reverse sweeps of address ranges)
- [T1595 - Active Scanning]
- T1595.001 - Scanning IP Blocks (PTR sweeps and direct TLS connections to collect certificates touch the target's hosts, so they are active rather than passive collection)
- [T1596 - Search Open Technical Databases]
- T1596.003 - Digital Certificates (Common Name and domain names taken from SSL/TLS certificates)
- [T1593 - Search Open Websites/Domains]
- T1593.002 - Search Engines (Bing IP/Site searches)
*Note: Mappings are based on the functions the announcement describes. Zone transfers and DNS lookups are not port scanning, and T1598 (Phishing for Information) does not apply: Yeti queries DNS for MX records but does not collect or phish for e-mail accounts.*
## Functionality
### Core Capabilities
* **Top Level Domain Expansion (TLD Expand):** Taking a known name (e.g. the `example` in `example.com`) and resolving it under other TLDs and country-code suffixes to find related domains the organisation may own.
* **Forward Lookups:** Performing standard DNS queries (A, MX, NS, CNAME records) and attempting Zone Transfers.
* **Reverse Lookups:** Resolving IP addresses to hostnames (PTR records).
* **Bing IP/Site Searches:** Utilizing Bing search engine for intelligence gathering related to IPs or sites.
### Advanced Features
* **Cert Extraction:** Connecting to TLS services on discovered hosts and reading the Common Name (CN) and domain names from the certificate they present; certificates often list additional hostnames that DNS enumeration alone would miss.
* **Report Exports:** Generating output reports in XLS (Excel) format.
## Indicators of Compromise
As a publicly released freeware tool used for passive/active reconnaissance:
- File Hashes: N/A (Not provided in context)
- File Names: Not stated in the source. As a Java application Yeti would typically ship as a .jar; a name such as yeti.jar is an inference, not a confirmed indicator.
- Registry Keys: N/A
- Network Indicators: No attacker-controlled infrastructure. All traffic is outbound from the operator to public resolvers, the target's authoritative name servers and TLS endpoints, and Bing. From the target's side the notable items are AXFR requests (zone transfer attempts, TCP/53) arriving at its authoritative name servers from hosts that are not its secondaries, and TLS connections whose only purpose is to retrieve the server certificate.
- Behavioral Indicators: A burst of DNS queries for many distinct names in one zone (A, MX, NS, CNAME) and sequential PTR queries across a contiguous in-addr.arpa range, all from one source within a short window.
## Associated Threat Actors
The article indicates this tool was released by researchers/security professionals (SensePost), not explicitly attributed to known cybercriminal groups or APTs at the time of release.
## Detection Methods
- **Signature-based detection:** File-hash or name-based signatures for the Yeti distribution on the operator's host (once hashes become available); this only catches the tool being run from a monitored machine, not a third party using it against you.
- **Behavioral detection:** Monitoring systems for high-frequency, automated DNS queries characteristic of enumeration tools like those performed by Yeti.
## Mitigation Strategies
- **Restrict zone transfers:** Allow AXFR/IXFR only from the zone's secondary name servers (for example BIND's `allow-transfer`), and apply response rate limiting on authoritative servers so bulk enumeration is slowed and logged rather than served at full speed. Rate limiting does not stop a patient enumerator, but it makes the activity visible.
- **Minimise what DNS and certificates disclose:** Keep internal-only names out of externally served zones (split-horizon DNS), avoid descriptive PTR records for sensitive hosts, and remember that certificate Common Names and Subject Alternative Names are readable by anyone who can complete a TLS handshake.
- **Monitor External Search Engine Queries:** Flag repeated programmatic queries against search engines (Bing in Yeti's case) originating from internal assets. This detects the tool being run from inside the organisation only; a third party's Bing searches are invisible to the target.
- **Network Segmentation:** Ensure that names and addresses exposed by Internet-facing footprinting do not map directly onto reachable internal segments, so a leaked zone or PTR range does not double as an attack map.
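As an added example (not from the original page or from SensePost), the following implements the behavioural detections and the zone-transfer check described in the two sections above, run over constructed log lines in the shape of a BIND 9 query log. The scanner address 203.0.113.7, the secondary 198.51.100.53, the server 192.0.2.53 and the thresholds are all assumptions chosen for the sample; real deployments tune the window and counts to their own query volume.

```python
"""Added example (not from the original page): detection of zone-transfer
attempts, name enumeration bursts and PTR sweeps in BIND-style query logs."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed lines approximating BIND 9's query log. 203.0.113.7 plays the
# footprinting host, 198.51.100.53 the zone's legitimate secondary, and the
# server (192.0.2.53) is assumed authoritative for both the forward and the
# 2.0.192.in-addr.arpa zones.
SAMPLE_LOG = """\
15-Feb-2011 10:00:01.000 client 198.51.100.53#53: query: example.com IN AXFR -T (192.0.2.53)
15-Feb-2011 10:00:02.000 client 203.0.113.7#41022: query: example.com IN AXFR -T (192.0.2.53)
15-Feb-2011 10:00:02.100 client 203.0.113.7#41023: query: example.com IN MX - (192.0.2.53)
15-Feb-2011 10:00:02.200 client 203.0.113.7#41024: query: example.com IN NS - (192.0.2.53)
15-Feb-2011 10:00:02.300 client 203.0.113.7#41025: query: www.example.com IN A - (192.0.2.53)
15-Feb-2011 10:00:02.400 client 203.0.113.7#41026: query: mail.example.com IN A - (192.0.2.53)
15-Feb-2011 10:00:02.500 client 203.0.113.7#41027: query: 1.2.0.192.in-addr.arpa IN PTR - (192.0.2.53)
15-Feb-2011 10:00:02.600 client 203.0.113.7#41028: query: 2.2.0.192.in-addr.arpa IN PTR - (192.0.2.53)
15-Feb-2011 10:00:02.700 client 203.0.113.7#41029: query: 3.2.0.192.in-addr.arpa IN PTR - (192.0.2.53)
15-Feb-2011 10:00:02.800 client 203.0.113.7#41030: query: 4.2.0.192.in-addr.arpa IN PTR - (192.0.2.53)
15-Feb-2011 10:00:02.900 client 203.0.113.7#41031: query: 5.2.0.192.in-addr.arpa IN PTR - (192.0.2.53)
15-Feb-2011 10:01:30.000 client 192.0.2.77#5353: query: www.example.com IN A - (192.0.2.53)
"""

Event = namedtuple("Event", "ts client qname qtype")
LOG_RE = re.compile(r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)")


def parse_query_log(text):
    """Turn query-log lines into Event tuples; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        events.append(Event(ts, m.group(2), m.group(3).lower(), m.group(4)))
    return events


def unauthorized_transfers(events, allowed_secondaries):
    """Clients asking for AXFR/IXFR that are not configured secondaries.
    The same list belongs in the server's allow-transfer ACL."""
    return {e.client for e in events
            if e.qtype in ("AXFR", "IXFR") and e.client not in allowed_secondaries}


def enumeration_bursts(events, window_s=60, min_unique=8):
    """Clients that query at least min_unique distinct names within any
    window_s-second window (sliding window per client). Returns the peak count."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)
    hits = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi].ts - evs[lo].ts).total_seconds() > window_s:
                lo += 1
            names = {e.qname for e in evs[lo:hi + 1]}
            if len(names) >= min_unique:
                hits[client] = max(hits.get(client, 0), len(names))
    return hits


def ptr_sweeps(events, min_ptr=5):
    """Clients issuing PTR queries for at least min_ptr distinct in-addr.arpa
    names: the signature of walking an address range for reverse records."""
    per_client = defaultdict(set)
    for e in events:
        if e.qtype == "PTR" and e.qname.endswith(".in-addr.arpa"):
            per_client[e.client].add(e.qname)
    return {c: len(n) for c, n in per_client.items() if len(n) >= min_ptr}


if __name__ == "__main__":
    evs = parse_query_log(SAMPLE_LOG)
    print("transfer attempts:", unauthorized_transfers(evs, {"198.51.100.53"}))
    print("enumeration:", enumeration_bursts(evs))
    print("ptr sweeps:", ptr_sweeps(evs))
```

The zone-transfer check is the one worth alerting on unconditionally: a legitimate AXFR only ever comes from a secondary you configured, so any other source is either misconfiguration or reconnaissance. The two rate-based checks are noisier; when queries arrive through a shared recursive resolver the client address is the resolver, not the enumerator, so they are best applied to logs from authoritative servers that answer the Internet directly.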
## Related Tools/Techniques
* BidiBlah (Predecessor tool, Windows-only)
* Nmap (General port scanning/service enumeration)
* DNS enumeration utilities (e.g., dig, host)