SHODAN - University of Florida (jnw/cis4930fa13/Modules/Module49.pdf)
Shodan Computer Search Engine
University of Florida
5 November, 2013
Shawn Merdinger, Security Analyst, HealthNet / UF Health
Outline
● Shodan
– High-level technical overview
● Research Findings
Shodan
● Computer Search Engine
– John Matherly
● US based
● Public late 2009
– “Search engine for service banners of pre-scanned devices that are accessible via the public Internet”
– Somewhat controversial...
● Major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming it as a threat
● Tool: utility and outcome are dependent on use and intent
Shodan Scans
● Shodan's Scanning Process
– Shodan servers scan the Internet
● Services (web, telnet, snmp, ftp, mysql, rdp, etc.)
● Ports (80, 8080, 443, 161, 21, 23, 3389, etc.)
– Place scan results in DB
– Users search Shodan
● Web interface or API
● Free-text, port, org, hostname, country, city, CIDR, etc.
● Advanced Integration
● Metasploit Modules (hat tip to John Sawyer :)
● ExploitDB, analysis with Maltego, geolocation mapping
How We Use Shodan at UF & Shands
● Currently looking for “low-hanging fruit”
– Printers on public IP
– Open Telnet → “Polycom Command Shell”
● Lots of ways to leverage more
– Automation & deltas
– Application-level
● Limitations
– External IP only
– Still worth it
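The “Automation & deltas” idea from this slide and the search fields from the Shodan Scans slide, worked through as an added example (not code from the slides or the speaker): two snapshots of records shaped like Shodan API results (ip_str, port, transport, org, data) for an asset owner's own address space are diffed, and the slides' low-hanging fruit (printers on public IP, open Telnet) is flagged for triage. All records, the address range and the organisation name are constructed sample data, not real hosts.

```python
"""Diff two Shodan-style snapshots of our own public IP space and flag
newly exposed services an asset owner should look at first."""
import ipaddress

# Ports the slides single out as low-hanging fruit; the labels are ours.
WATCHLIST = {
    23: "telnet (unauthenticated shells, e.g. Polycom Command Shell)",
    9100: "raw printer port",
    161: "snmp",
    3389: "rdp",
}

# Constructed sample records, NOT real hosts (documentation address ranges).
LAST_WEEK = [
    {"ip_str": "203.0.113.10", "port": 80, "transport": "tcp",
     "org": "Example University", "data": "HTTP/1.1 200 OK\r\nServer: Apache\r\n"},
    {"ip_str": "203.0.113.20", "port": 23, "transport": "tcp",
     "org": "Example University", "data": "Polycom Command Shell\r\n"},
]
THIS_WEEK = LAST_WEEK + [
    {"ip_str": "203.0.113.55", "port": 9100, "transport": "tcp",
     "org": "Example University", "data": "@PJL INFO ID\r\n"},
    # Out of scope: not our address space, so it must be ignored.
    {"ip_str": "198.51.100.7", "port": 22, "transport": "tcp",
     "org": "Someone Else", "data": "SSH-2.0-OpenSSH_6.2\r\n"},
]
OUR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed


def in_scope(rec):
    """Shodan only sees external IPs, so scope is our public ranges."""
    ip = ipaddress.ip_address(rec["ip_str"])
    return any(ip in net for net in OUR_RANGES)


def key(rec):
    """Stable identity of one exposed service: ip:port/transport."""
    return f'{rec["ip_str"]}:{rec["port"]}/{rec["transport"]}'


def delta(old, new):
    """Return (appeared, disappeared) service keys between two snapshots."""
    old_keys = {key(r) for r in old if in_scope(r)}
    new_keys = {key(r) for r in new if in_scope(r)}
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys)


def triage(records):
    """One finding line per in-scope record on a watched port, with the
    first banner line so the reviewer sees what answered."""
    findings = []
    for r in records:
        if in_scope(r) and r["port"] in WATCHLIST:
            first = r["data"].strip().splitlines()[0] if r["data"].strip() else ""
            findings.append(f"{key(r)}: {WATCHLIST[r['port']]} - banner: {first!r}")
    return findings


if __name__ == "__main__":
    appeared, gone = delta(LAST_WEEK, THIS_WEEK)
    print("new exposures:", appeared, "gone:", gone)
    for line in triage(THIS_WEEK):
        print("FINDING", line)
```

Feed real snapshots from the Shodan API (filtered by org or net) into the same two functions and run it on a schedule to get the deltas the slide describes.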
Who Is Talking About Shodan?
If Joe Lieberman is talking about Shodan, you must know what it is.
DHS ICS-CERT Shodan Advisories
● First issued October 2010
● Several updates & references since
10/25 DHS ICS-CERT Advisory
● Project SHINE: SHodan INtelligence Extraction
– Bob Radvanovsky & Jake Brodsky, infracritical / scadasec
● I provide volunteer research support, search terms, etc.
– Daily search feed to ICS-CERT
– 1,000,000+ “sensitive” systems so far, 8K new devices daily
Keeping Perspective...
● Scanning is old news
– Attackers
● Constantly scanning you
● Shodan just made scanning more
– Searchable + visible + accessible....without scanning
– Legitimate research
● HD Moore's scanning project
– Hits select UDP ports of the entire Internet every 7 hours (.ru VPS)
● Academic researchers doing default credential checks!
– Columbia, 2010 (Cui, Stolfo): 500K+ devices with default credentials
● Scans.io (HOT)
– Repository of raw scan data
Research Findings
● Challenges
– Of finding and reporting scary things
● “Do no harm” ground rules, intent, curiosity, outcomes
● What to do? Who to tell? How to go about it?
● Perspectives
– “We will sue you” ↔ “Unethical” ↔ “Thank you” ↔ “No response”
– The invaluable value of the CERTs
● I would not do this without them as a resource. Period.
● Find bad stuff, write up a threat evaluation, send it to the CERTs
– Leave them alone
● Takes time, but mostly good results...mostly
● Exceptions...
S2 Security NetBox
● DefCon 2010 talk: “We don't need no stinkin' badges”
– Building door access controllers (web based)
– Multiple CVEs, complete compromise of device; S2 Security vendor threatened to sue me, blocked my Twitter follow...
– Real value of Shodan
● Proved not “deep inside corporate network” (today 800+)
“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare”
– John Moss, CEO of S2 Security
VoIP Phones
● Lots of VoIP phones, individual, conference (esp. Polycom)
● Late 2010 I focused on Snom
– VOIPSA blog
● Remote tap scripts, call via phone web server, record, etc.
● Hard to find open Snom now – exposure works?!?!
No Auth Cisco Routers & Switches
● "cisco-ios" "last-modified"
– 14,000+ devices with HTTP and no authentication set
– Level 15 access via HTTP
● “ip http authentication local” would lock down the web server
● Creative attacks – bit.ly and tinyurl.com w/ commands
No Auth Cisco Devices in Iran
● “School of Particles and Accelerators” in Tehran, Iran
– Hrmm...might be interested in this?
Banners Bite Back
● Warning banners = easy fingerprinting
– When best practices....ain't
● Swisscom and hotel routers (1200+)
– Warning banner has company name and hotel location
– Telnet. No SSH. If they run their routers like this, what else?
Banners Bite Back
● Swisscom Miami Conference Routers (7)
Open SMB Router Example
● Netopia with Telnet open ready for setup (2500)
Telnet To Root On Linux Devices
● TVs, DVRs, home wifi/routers, phones, refrigerators
● Telnet to root, no auth!
● Botnets (Carna, Aidra)
WebCams
● Huge numbers, all kinds of uses
● Personal, office, business, security, SCADA
● See Dan Tentler's talks and code
– Camcreep.py
● Auto screenshot via CLI
● wkhtmltoimage
“Watching the Watchers Watch”
Credit: Dan Tentler @viss
Printers on Public IP
● Technical Risks
– MFP = Multi-function Printer (FAX, scan, email, storage)
● Advanced research (Andrei Costin, Ph.D - Milan, Italy)
– Access docs, change configs, attack via printed document
● Risks
– Print from anywhere, web printing, run out of paper, ink
– Social engineering...but how bad could a printer be?
Printer Case Study: Penn State
One line of code: cat jerrys_favorite_kids.img | nc target_ip 9100
Online Crematorium
● Siemens HMI - VNC 3 char default pass, no auth Telnet, MD5 passwords
● “pr0f” South Houston SCADA hack (11/2011)
Cisco Lawful Intercept
● Cisco routers with LI special code and SNMP public
“LI User” = level 16 super-duper Cisco admin level. Supposed to be invisible to any other user. Taps are supposed to use encrypted SNMPv3 for secure Mediation Device comms.
BlueCoat
● BlueCoat surveillance devices and human rights abuses
– Syria
● Tracking and interception of dissidents' communications
● From “Chilling effect” to “Killing effect”
– ITAR export violations
– Ethical questions, PR exposure
CacheTalk Safes
Econolite Traffic Light Controller
● Yes, it is what you think. Credit: Dan Tentler @viss
Red Light Enforcement Cameras
● Delete those pesky speeding tickets!
Embassy Devices
● Question: What's running telnet in country X with “embassy” in the name?
● Cuts both ways...
Serial to Ethernet Controllers
● Many of these are online
– Connected to anything that has a serial port
– Extra scary because you don't know what it controls
● HVAC, lab stuff, etc.
● Web, telnet, snmp
– Wide open
● Legacy
– BACnet
– “Hot-glued onto MB”
Caterpillar VIMS
● Web based remote monitoring (control?) over cell modem
● CAT 79X series = largest trucks in the world
● 80+ in Alberta, Canada (working the tar sands)
● Poor vendor response...lawyers, not engineers
75+ US TV Stations' Antennas
● TV station digital antenna controllers w/ no auth (telnet/http)
– Remote sites, air-to-ground data links, marketed to MIL, LEO, broadcasters
– On the wire looks like a home NAS or DVR (embedded Windows)
● Multi-step search technique to find
– (1) Shodan (2) scan for unique port
– Sent DHS ICS-CERT report of issues, IP, geolocation, FCC info
● Major broadcast network with “C” in acronym name
● Asset Owner: “We'll take care of this after the election”
● Vendor: “Should be deep in corporate network”
● None have been secured as of today....
Gas Station Pumps
● 600+ in Turkey
– Reported to Turkish CERT
– Posted search & vendor doc to my Twitter feed
● Can be unattended gas stations, fully automated
Wrapping up
● Register for a free Shodan account
● Email John Matherly for moar access
● Read up on Shodan
– Wikipedia
– Shodan web site (help, filters, references)
● Understand tool integration and new tools
– Metasploit, Stach & Liu Diggity, Shi0San, etc.
● Be smart. Be responsible. Tell it like it is.