SHODAN
Computer Search Engine
University of Florida
5 November, 2013
Shawn Merdinger
Security Analyst, HealthNet UF Health
Outline
● Shodan
  – High-level technical overview
Shodan
● Computer Search Engine
  – John Matherly
    ● US based
    ● Public late 2009
  – “Search engine for service banners of pre-scanned devices that are accessible via the public Internet”
  – Somewhat controversial...
    ● Major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming it as a threat
Shodan Scans
● Shodan's Scanning Process
  – Shodan servers scan the Internet
    ● Services (web, telnet, snmp, ftp, mysql, rdp, etc.)
    ● Ports (80, 8080, 443, 161, 21, 23, 3389, etc.)
  – Place scan results in DB
  – Users search Shodan
    ● Web interface or API
    ● Free-text, port, org, hostname, country, city, CIDR, etc.
● Advanced Integration
  ● Metasploit Modules (hat tip to John Sawyer :)
How We Use Shodan at UF&Shands
● Currently looking for “low-hanging fruit”
  – Printers on public IP
  – Open Telnet → “Polycom Command Shell”
● Lots of ways to leverage more
  – Automation & deltas
  – Application-level
● Limitations
  – External IP only
  – Still worth it
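The scan-then-search flow and the “automation & deltas” idea above, as an added example that is not the talk's code and not Shodan's own client library: constructed banner records shaped like Shodan hits (the field names are an assumption), a small matcher for the port/org/hostname/net filters plus free-text banner terms, the low-hanging-fruit triage the slide names (public printers, open telnet, the Polycom shell, the "cisco-ios" "last-modified" case from later in the deck), and a delta between two snapshots so only new exposures need a human look. Every IP and banner is constructed from documentation ranges; free text is matched as a substring, a simplification of Shodan's own tokenised search.

```python
"""Triage constructed Shodan-style banner records: filter matching, the
low-hanging-fruit classes named in the talk, and deltas between snapshots.
Added example; not the talk's code and not Shodan's own client library."""
import ipaddress
import shlex

# Constructed records shaped like Shodan search hits (field names assumed):
# ip, port, org, hostnames, data (the raw service banner). Documentation
# address ranges only; none of these are real hosts.
SNAPSHOT_OLD = [
    {"ip": "203.0.113.10", "port": 23, "org": "Example University",
     "hostnames": ["conf-room-1.example.edu"],
     "data": "Welcome to ViewStation\r\nPolycom Command Shell\r\n-> "},
    {"ip": "203.0.113.25", "port": 9100, "org": "Example University",
     "hostnames": ["print-lib.example.edu"],
     "data": "@PJL INFO ID\r\nHP LaserJet (constructed)"},
    {"ip": "198.51.100.7", "port": 80, "org": "Example Hospital",
     "hostnames": [],
     "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
             "Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT\r\n"},
]
# A later constructed snapshot: the printer was pulled behind the firewall
# and a new telnet device appeared.
SNAPSHOT_NEW = [SNAPSHOT_OLD[0], SNAPSHOT_OLD[2],
                {"ip": "203.0.113.44", "port": 23, "org": "Example University",
                 "hostnames": [], "data": "login: "}]

FILTER_KEYS = ("port", "org", "hostname", "net")
PRINTER_PORTS = {515, 631, 9100}  # LPD, IPP, JetDirect raw


def _match_filter(rec, key, value):
    """One key:value filter, in the spirit of Shodan's search filters."""
    if key == "port":
        return rec["port"] == int(value)
    if key == "org":
        return value.lower() in rec["org"].lower()
    if key == "hostname":
        return any(value.lower() in h.lower() for h in rec["hostnames"])
    # net: CIDR match, e.g. net:203.0.113.0/24
    return ipaddress.ip_address(rec["ip"]) in ipaddress.ip_network(value, strict=False)


def search(records, query):
    """Records matching every term; quoted terms and key:value pairs as in the UI."""
    terms = shlex.split(query)
    hits = []
    for rec in records:
        ok = True
        for term in terms:
            key, sep, value = term.partition(":")
            if sep and key in FILTER_KEYS:
                ok = _match_filter(rec, key, value)
            else:  # free text is matched against the banner
                ok = term.lower() in rec["data"].lower()
            if not ok:
                break
        if ok:
            hits.append(rec)
    return hits


def triage(rec):
    """Tag the low-hanging-fruit classes the talk goes after first."""
    data = rec["data"].lower()
    tags = []
    if rec["port"] in PRINTER_PORTS or "@pjl" in data:
        tags.append("printer-on-public-ip")
    if rec["port"] == 23:
        tags.append("open-telnet")
        if "polycom command shell" in data:
            tags.append("polycom-command-shell")
    # The talk's query "cisco-ios" "last-modified": an IOS web server that
    # serves content rather than answering with a 401 challenge.
    if "cisco-ios" in data and "last-modified" in data and "www-authenticate" not in data:
        tags.append("cisco-ios-http-no-auth")
    return tags


def delta(old, new):
    """(appeared, disappeared) between two snapshots, keyed by (ip, port)."""
    key = lambda r: (r["ip"], r["port"])
    old_keys = {key(r) for r in old}
    new_keys = {key(r) for r in new}
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys)


if __name__ == "__main__":
    for rec in search(SNAPSHOT_OLD, 'org:"Example University"'):
        print(rec["ip"], rec["port"], triage(rec))
    appeared, gone = delta(SNAPSHOT_OLD, SNAPSHOT_NEW)
    print("new exposures:", appeared, "closed:", gone)
```

Run on a real export, the `delta` output is the piece worth scheduling: a nightly diff of the org's own search against yesterday's snapshot surfaces a newly exposed printer or telnet box the day it appears, which is the “external IP only, still worth it” point of the slide.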
Who Is Talking About Shodan?
DHS ICS-CERT Shodan Advisories
● First issued October 2010
10/25 DHS ICS-CERT Advisory
● Project SHINE: SHodan INtelligence Extraction
  – Bob Radvanovsky & Jake Brodsky, infracritical / scadasec
    ● I provide volunteer research support, search terms, etc.
  – Daily search feed to ICS-CERT
Keeping Perspective...
● Scanning is old news
  – Attackers
    ● Constantly scanning you
    ● Shodan just made scanning more
      – Searchable + visible + accessible...without scanning
  – Legitimate research
    ● HD Moore's scanning project
      – Hits select UDP ports of the entire Internet every 7 hours (.ru VPS)
    ● Academic researchers doing default credential checks!
      – Columbia, 2010 (Cui, Stolfo): 500K+ devices with default credentials
    ● Scans.io
      – Repository of raw scan data
Research Findings
● Challenges
  – Of finding and reporting scary things
    ● “Do no harm” ground rules, intent, curiosity, outcomes
    ● What to do? Who to tell? How to go about it?
    ● Perspectives
      – “We will sue you” ↔ “Unethical” ↔ “Thank you” ↔ “No response”
  – The invaluable value of the CERTs
    ● I would not do this without them as a resource. Period.
    ● Find bad stuff, write up a threat evaluation, send to CERTs
      – Leave them alone
    ● Takes time, but mostly good results...mostly
    ● Exceptions...
S2 Security NetBox
● DefCon 2010 talk: “We don't need no stinkin' badges”
  – Building door access controllers (web based)
  – Multiple CVEs, complete compromise of device; S2 Security vendor threatened to sue me, blocked my Twitter follow...
  – Real value of Shodan
    ● Proved not “deep inside corporate network” (today 800+)
“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare”
VoIP Phones
● Lots of VoIP phones, individual, conference (esp. Polycom)
● Late 2010 I focused on Snom
  – VOIPSA blog
    ● Remote tap scripts, call via phone web server, record, etc.
No Auth Cisco Routers & Switches
● "cisco-ios" "last-modified"
  – 14,000+ devices with HTTP and no authentication set
  – Level 15 access via HTTP
    ● “ip http authentication local” would lock down the web server
    ● Creative attacks – bit.ly and tinyurl.com w/ commands
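The “ip http authentication local” fix above, as an added example (not the talk's code, not Cisco tooling): a small audit over a constructed IOS running-config excerpt that flags the state the slide describes, a web server enabled with no `ip http authentication` line, and shows the hardened version beside it. Following the talk, the absence of that line is treated as the no-auth condition; `username ... privilege 15 secret`, `no ip http server` and `ip http secure-server` are real IOS commands, `PLACEHOLDER_SECRET` and the hostname are constructed.

```python
"""Audit a Cisco IOS running-config excerpt for an HTTP server left without
an authentication method, and show the hardened form. Added example, not
from the talk; both configs below are constructed, not captured devices."""

# Constructed 'show running-config' excerpt in the state the talk describes:
# web server on, no 'ip http authentication' line.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
ip http server
!
line vty 0 4
 login local
"""

# Same device after remediation: web admin only over HTTPS, authenticated
# against a local account. PLACEHOLDER_SECRET stands in for a real secret.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
username netadmin privilege 15 secret PLACEHOLDER_SECRET
!
no ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 login local
"""


def config_lines(text):
    """Drop '!' separators and blank lines; strip indentation of sub-mode lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_http_server(config_text):
    """Findings about the IOS HTTP/HTTPS management server, as a list of strings."""
    lines = config_lines(config_text)
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    auth = [ln for ln in lines if ln.startswith("ip http authentication ")]
    local_users = [ln for ln in lines if ln.startswith("username ")]
    findings = []
    if not (http_on or https_on):
        return findings  # web server disabled: nothing listening on 80/443
    if http_on:
        findings.append("plaintext HTTP management enabled (ip http server)")
    if not auth:
        findings.append("no 'ip http authentication' method set: web access not locked down")
    elif auth[0] == "ip http authentication local" and not local_users:
        findings.append("'ip http authentication local' without any local username")
    return findings


def remediation():
    """Config-mode lines to apply; the username line needs a real secret."""
    return [
        "username netadmin privilege 15 secret PLACEHOLDER_SECRET",
        "no ip http server",
        "ip http secure-server",
        "ip http authentication local",
    ]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http_server(cfg) or ["no findings"])
```

If the device has no need for web management at all, `no ip http server` together with `no ip http secure-server` is the simpler answer; the audit returns no findings for that state too.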
No Auth Cisco Devices in Iran
● “School of Particles and Accelerators” in Tehran, Iran
Banners Bite Back
● Warning banners = easy fingerprinting
  – When best practices...ain't
● Swisscom and hotel routers (1200+)
  – Warning banner has company name and hotel location
Banners Bite Back
Open SMB Router Example
Telnet To Root On Linux Devices
● TVs, DVRs, home wifi/routers, phones, refrigerators
● Telnet to root, no auth!
WebCams
● Huge numbers, all kinds of uses
● Personal, office, business, security, SCADA
● See Dan Tentler's talks and code
  – Camcreep.py
    ● Auto screenshot via CLI
“Watching the Watchers Watch”
Printers on Public IP
● Technical risks
  – MFP = Multi-function Printer (FAX, scan, email, storage)
● Advanced research (Andrei Costin, Ph.D., Milan, Italy)
  – Access docs, change configs, attack via printed document
● Risks
  – Print from anywhere, web printing, run out of paper and ink
Printer Case Study: Penn State
Online Crematorium
● Siemens HMI: VNC with 3-char default password, no-auth Telnet, MD5 passwords
● “pr0f” South Houston SCADA hack (11/2011)
Cisco Lawful Intercept
● Cisco routers with LI special code and SNMP community “public”
  – “LI User” = level 16 super-duper Cisco admin level; supposed to be invisible to any other user
  – Taps supposed to use encrypted SNMPv3 for secure Mediation Device comms
BlueCoat
● BlueCoat surveillance devices and human rights abuses
  – Syria
    ● Tracking and interception of dissidents' communications
    ● From “chilling effect” to “killing effect”
  – ITAR export violations
Econolite Traffic Light Controller
● Yes, it is what you think. Credit: Dan Tentler @viss
Red Light Enforcement Cameras
● Delete those pesky speeding tickets!
Embassy Devices
● Question: What's running telnet in country X with “embassy” in the name?
● Cuts both ways...
Serial to Ethernet Controllers
● Many of these are online
  – Connected to anything that has a serial port
  – Extra scary because you don't know what it controls
    ● HVAC, lab stuff, etc.
● Web, telnet, snmp
  – Wide open
● Legacy
  – BACnet
Caterpillar VIMS
● Web-based remote monitoring (control?) over cell modem
● CAT 79X series = largest trucks in the world
● 80+ in Alberta, Canada (working the tar sands)
● Poor vendor response...lawyers, not engineers
75+ US TV Stations' Antennas
● TV station digital antenna controllers w/ no auth (telnet/http)
  – Remote sites, air-to-ground data links, marketed to MIL, LEO, broadcasters
  – On the wire looks like a home NAS or DVR (embedded Windows)
● Multi-step search technique to find
  – (1) Shodan (2) scan for unique port
  – Sent DHS ICS-CERT report of issues, IP, geolocation, FCC info
● Major broadcast network with “C” in acronym name
● Asset owner: “We'll take care of this after election”
● Vendor: “Should be deep in corporate network”
Gas Station Pumps
● 600+ in Turkey
  – Reported to Turkish CERT
  – Posted search & vendor doc to my Twitter feed
Wrapping up
● Register for a free Shodan account
● Email John Matherly for moar access
● Read up on Shodan
  – Wikipedia
  – Shodan web site (help, filters, references)
● Understand tool integration and new tools
–