Tim Jensen, CISSP CBI Shodan: The Hacker’s Search Engine.
Tim Jensen, CISSP, CBI
www.cbihome.com
Shodan: The Hacker’s Search Engine
Disclaimer
• Following the steps in this document can get you into legal trouble.
• Only connect to systems that you own or have written permission to conduct testing on.
• I am not a lawyer, but generally I would say connecting to an HTTP port and viewing what is there is OK. Entering credentials, brute forcing, exploiting vulnerabilities, or anything else to gain privileged access is illegal.
• Reconfiguring systems is definitely illegal!
• Disclosing vulnerabilities to companies can get you threatened, even if you did nothing wrong. Leave it to the professionals if you're not willing to go to jail for doing the right thing.
• I am not responsible for anything you do, think, or say.
Versions

Shodanhq.com
• HTTP only – creds visible across the internet
• Buggy if looking through more than 1 page of results
• Contains filter documentation
• API key easily shown on Development page

Shodan.io - Recommended
• HTTPS by default
• Considerable improvements in stability
• API key found in Account Overview
Filters
Ports
• Historically limited to HTTP, HTTPS, HTTP-ALT, SSH, FTP, Telnet
• Currently contains nearly all top nmap ports, if not all
Polycom Systems
• Churches
• Consulting Firms
• Fire Departments
• Police Stations
• SWAT Ready Room
• Court Houses
• Judges' Chambers
• Jury Room (Epic Fail)
Speaking of Police…
Medical Devices
• Scott Erven gave a talk at DakotaCon 2015 about using Shodan to locate medical devices. His research results:
• Located over 65,000 devices using Shodan
• Devices included pacemaker programmers, EKG, medical pumps, MRI scanner stations, etc.
• Not only could data be leaked, but equipment could be destroyed or re-programmed.
• Worked with DHS to notify all parties.
NetBIOS Information Gathering
(screenshot: ludicrous_netbios.xps)
Brute Forcing
Username + SMB + Not Domain Joined =
• Port 137 – Locate username
• Port 445 – Locate SMB share to brute force
• Port 3389 – Alternately brute force remote desktop
(screenshot: username_w_smb_rdp.xps)
Phone PBX for a good sized phone company
No authentication required
Industrial Control Systems
What is an Industrial Control System (ICS)
• Controls 'facilities' or physical equipment such as:
• Door systems
• Air Conditioning/Heating
• Power Generators
• Power Plants
• Automation Machinery (Manufacturing)
• Lights
• Security Alarm Systems
• Key Terms:
• SCADA
• PLC
• PAC
• DCS
Project Aurora
BACnet
Port 47808
The Military
11,004 printers × $8 for a ream of paper
= $88,032 for a single attack across all systems

380,616 printers × $8 for a ream of paper
= $3,044,928 for a single attack across all systems
*Doesn't include toner*
Printers
Cringeworthy
API
API
• Multiple interfaces:
• JSON
• Python
• Ruby
• NodeJS
• Well documented
Ways to use the API for good
1. Create a baseline of your network
2. Run daily to identify new hosts/ports which have been exposed to the internet
3. Track changes over time and create reports for successful vs failed border changes
Results could be fed into a SIEM for easy reporting
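The baseline-and-diff loop described above, as an added example that is not part of the slides: the match records are constructed in the shape Shodan's search API returns (`ip_str`, `port`, `transport`), and the address range is the RFC 5737 documentation block, not a real network. A live run would obtain the records with the Python library's `shodan.Shodan(API_KEY).search("net:<your CIDR>")["matches"]`.

```python
"""Diff today's Shodan exposure of your own address space against a baseline.

Added example, not code from the talk. The records below are constructed in
the shape Shodan's search API returns: each match carries `ip_str`, `port`
and `transport`. In production, replace them with
shodan.Shodan(API_KEY).search("net:<your CIDR>")["matches"].
"""
import json
from datetime import date

# Constructed sample data for a hypothetical /24 (RFC 5737 range).
BASELINE_DAY = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp"},
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp"},
    {"ip_str": "203.0.113.25", "port": 80, "transport": "tcp"},
]
TODAY = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp"},
    {"ip_str": "203.0.113.25", "port": 80, "transport": "tcp"},
    {"ip_str": "203.0.113.25", "port": 3389, "transport": "tcp"},   # RDP appeared
    {"ip_str": "203.0.113.40", "port": 47808, "transport": "udp"},  # BACnet appeared
]


def exposures(matches):
    """Reduce Shodan matches to a set of (ip, port, transport) tuples."""
    return {(m["ip_str"], int(m["port"]), m["transport"]) for m in matches}


def diff_exposures(baseline, current):
    """Return (newly exposed, no longer exposed), each sorted, vs. the baseline."""
    base, cur = exposures(baseline), exposures(current)
    return sorted(cur - base), sorted(base - cur)


def siem_events(new, removed, day=None):
    """One JSON line per change; a 'closed_exposure' confirms a border change worked."""
    day = day or date.today().isoformat()
    events = []
    for kind, items in (("new_exposure", new), ("closed_exposure", removed)):
        for ip, port, proto in items:
            events.append(json.dumps({"date": day, "event": kind, "ip": ip,
                                      "port": port, "transport": proto}))
    return events


if __name__ == "__main__":
    new, gone = diff_exposures(BASELINE_DAY, TODAY)
    for line in siem_events(new, gone):
        print(line)
```

Run it once to store the baseline, then daily; the JSON lines can be shipped to a SIEM as-is.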
Ways to use the API for bad
1. Create query signature for known vulnerability
2. Capture results
3. Add IPs to a file
4. Feed IPs into exploit
5. Automate so you can be lazy
6. Order pizza
7. Eat pizza
8. Dig through loot