A couple of days ago someone (claiming to be) from Anonymous released a prepackaged Ubuntu distro with a whole bunch of tools pre-installed. I decided to fire it up in a VM and check what it does on the wire. I would not trust this OS one bit as it is probably backdoored.
The first thing it does (naturally) is send out a DHCP request and once it gets an offer, it immediately tries to join the MDNS IGMP group (220.127.116.11) and then performs a whole slew of MDNS queries. Once it is done with MDNS, it will then send out SOA queries to get some information about the domain it lives on. Some more tedious NTP lookups and then we get to some interesting stuff.
At this point, it started scanning the network for Canon printers that ran BJNP (a USB over IP protocol for printing). I do not currently have a printer that uses this but would love to set one up to see exactly why it scans for printers. I am not seeing any current exploits in either exploit-db or Metasploit so your guess as to why it scans for these printers is as good as mine. It did cross my mind that they could throw a 0-day but looking at Anon’s track record this is highly unlikely.
Now, the most interesting part of this is that it does a geoip lookup using geoip.ubuntu.com. What it does with this info is again beyond me. As far as I could tell, it was not using this information as I could not see any of the information anywhere in the filesystem. Also keep in mind it does this before you have the option to launch tor. You are not so Anonymous when using this OS.
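The boot-time traffic described above (DHCP, MDNS, SOA, NTP, the BJNP printer sweep and the geoip.ubuntu.com lookup) is the kind of thing worth turning into a repeatable check rather than eyeballing in a sniffer. The script below is an added example, not code from the post or from the distro in question: it triages a list of flow records, tags each one, counts how many distinct hosts were probed for BJNP, and flags whether the geoip lookup happened before Tor was started. The flow records are constructed to mirror the order reported in the post, not a real capture, and the BJNP port range (UDP 8611-8614) and the "sweep" threshold are this example's assumptions.

```python
"""Triage of a VM's first-boot network traffic.

Added example, not part of the original post. The SAMPLE records are
constructed to mirror what the post reports; they are not captured data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumptions of this example (not stated on the page): Canon BJNP discovery
# is sent to UDP 8611-8614, and a handful of distinct targets counts as a sweep.
BJNP_PORTS = {8611, 8612, 8613, 8614}
GEOIP_HOSTS = {"geoip.ubuntu.com"}
SWEEP_THRESHOLD = 4


@dataclass(frozen=True)
class Flow:
    ts: float                      # seconds since the VM's first packet
    proto: str                     # "udp" or "tcp"
    src: str
    dst: str
    dport: int
    qname: Optional[str] = None    # DNS question name, if this is a DNS packet
    qtype: Optional[str] = None    # DNS question type, e.g. "A", "SOA", "PTR"


def classify(f: Flow) -> str:
    """Map one flow to a coarse category for the boot-time timeline."""
    if f.proto == "udp" and f.dport == 67:
        return "dhcp"
    if f.proto == "udp" and f.dport == 5353:
        return "mdns"
    if f.proto == "udp" and f.dport == 123:
        return "ntp"
    if f.dport == 53 and f.qname:
        if f.qname.lower().rstrip(".") in GEOIP_HOSTS:
            return "geoip-lookup"
        if f.qtype == "SOA":
            return "dns-soa"
        return "dns"
    if f.proto == "udp" and f.dport in BJNP_PORTS:
        return "bjnp-discovery"
    return "other"


def triage(flows, tor_start_ts: Optional[float] = None) -> dict:
    """Summarize the flows and flag the two things the post worries about:
    a printer sweep, and a geoip lookup that leaves the box before Tor is up."""
    tagged = [(classify(f), f) for f in flows]
    counts = Counter(tag for tag, _ in tagged)
    bjnp_targets = sorted({f.dst for tag, f in tagged if tag == "bjnp-discovery"})
    geoip_ts = [f.ts for tag, f in tagged if tag == "geoip-lookup"]
    # If Tor was never started, any geoip lookup is by definition pre-Tor.
    pre_tor_geoip = bool(geoip_ts) and (tor_start_ts is None or min(geoip_ts) < tor_start_ts)
    return {
        "counts": dict(counts),
        "bjnp_targets": bjnp_targets,
        "bjnp_looks_like_sweep": len(bjnp_targets) >= SWEEP_THRESHOLD,
        "pre_tor_geoip_lookup": pre_tor_geoip,
    }


# Constructed sample in the order the post reports; addresses are placeholders.
SAMPLE = [
    Flow(0.1, "udp", "0.0.0.0", "255.255.255.255", 67),
    Flow(0.9, "udp", "10.0.2.15", "224.0.0.251", 5353, "_services._dns-sd._udp.local", "PTR"),
    Flow(1.0, "udp", "10.0.2.15", "224.0.0.251", 5353, "_printer._tcp.local", "PTR"),
    Flow(2.5, "udp", "10.0.2.15", "10.0.2.3", 53, "lab.example", "SOA"),
    Flow(3.0, "udp", "10.0.2.15", "10.0.2.3", 123),
    Flow(4.0, "udp", "10.0.2.15", "10.0.2.1", 8611),
    Flow(4.1, "udp", "10.0.2.15", "10.0.2.2", 8611),
    Flow(4.2, "udp", "10.0.2.15", "10.0.2.3", 8611),
    Flow(4.3, "udp", "10.0.2.15", "10.0.2.4", 8611),
    Flow(4.4, "udp", "10.0.2.15", "10.0.2.5", 8611),
    Flow(12.0, "udp", "10.0.2.15", "10.0.2.3", 53, "geoip.ubuntu.com", "A"),
]

if __name__ == "__main__":
    # Tor launched by the user a minute in, well after the geoip lookup.
    for key, value in triage(SAMPLE, tor_start_ts=60.0).items():
        print(f"{key}: {value}")
```

The categories are deliberately coarse; the point is the two derived flags, which are the questions the post leaves open. Feeding real data into it means exporting flows from the capture (for example with tshark's field output) into `Flow` records, with the time base set to the first packet after boot.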
So far, it looks like a legit OS but I am concerned with why it is scanning for those printers and what it may do with the geoip information but I have not uncovered why it does this yet. I will dig in a little further later.