pen testing the web with firefox: shodan
-
8/14/2019 Pen Testing the Web With Firefox: SHODAN
1/58
Pen Testing the Web with Firefox: SHODAN
Michael theprez98 Schearer
-
SHODAN
• What is SHODAN?
• Basic Operations
• Penetration Testing
• Case Study 1: Cisco Devices
• Case Study 2: Default Passwords
• Other Examples
• Issues and Known Limitations
• Conclusions
-
What is SHODAN? (1)
• SHODAN is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)
• While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing
What is SHODAN? (2)
• Typical search engines crawl for data on web pages and then index it for searching
• SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching
-
SHODAN Helper Firefox Add-on
SHODAN Search Provider Firefox Add-on
-
Basic Operations (1)
• Search terms are entered into a text box (seen below)
• Quotation marks can narrow a search
• Boolean operators + and - can be used to include and exclude query terms (+ is the implicit default)
-
Basic Operations (2)
• Search terms can be general (Apache) or specific (Apache 2.2.3)
• Further filtering is available by country (two-letter country code), IP/CIDR, hostname, and port (21, 22, 23, and 80)
-
Basic Operations (cont.)
Find all apache servers in Switzerland
-
Basic Operations (cont.)
Top four countries matching your query
Find apache servers running version 2.2.3
-
Basic Operations: Country Filter
• Filtering by country can also be accomplished by clicking on the country map (which is available from the options drop-down menu)
• Mouse over a country for the number of scanned hosts for that country
-
Basic Operations: Filters
• The net filter allows you to refine your searches by IP/CIDR notation
• The OS filter allows you to refine searches by operating system
• Note that both the country filter and the net filter require you to be signed in
-
Basic Operations: Hostname Filter
Search results can be filtered using any portion of a hostname or domain name
Find apache servers in the .nist.gov domain
Find iis-5.0 servers in the .edu domain
-
Basic Operations: Port Filter
• SHODAN can filter your search results by port
• Current collection is limited to ports 21 (FTP), 22 (SSH), 23 (Telnet), and 80 (HTTP), while the overwhelming majority of collection is HTTP
• More ports/services coming (send requests to the developer via Twitter)
-
Pen Testing: Ethics (1)
• Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view?
• What about viewing the configuration of a device using a default username and password?
• What about viewing the configuration of a device using a unique username and password?
• Changing the configuration of any device?
-
Pen Testing: Ethics (2)
No authentication
Default username and password
Unique username and password
Changing configurations
-
Pen Testing: HTTP Status Codes
Status Code       | Description
200 OK            | Request succeeded
401 Unauthorized  | Request requires authentication
403 Forbidden     | Request is denied regardless of authentication
-
Pen Testing: Assumptions
• 200 OK banner results will load without any authentication (at least not initially)
• 401 Unauthorized banners with Www-authenticate indicate a username and password pop-up box (authentication is possible but not yet accomplished, as distinguished from 403 Forbidden)
• Some banners advertise defaults
-
Case Study: Cisco Devices
Here is a typical 401 Unauthorized banner when using the simple search term cisco:
Take note of the Www-authenticate line, which indicates the requirement for a username and password
-
Case Study: Cisco Devices
Now consider an example of a 200 OK banner which does not include the Www-authenticate line:
-
Case Study: Cisco Devices
A comparison of the two banners finds the second banner to include the Last-modified line, which does not appear when Www-authenticate appears:
In fact, among cisco results these two lines are more than 99.9% mutually exclusive
-
Case Study: Cisco Results
• This suggests that Cisco 200 OK banners that include the Last-modified line do not require any authentication (at least not initially)
• The results on the previous slide suggest there are potentially 3,000+ Cisco devices that do not require authentication
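An added example, not part of the talk, that turns the Assumptions slide and the Cisco banner comparison into code: it parses banners in the shape SHODAN displays them, classifies each by status code and the presence of Www-authenticate, flags banners that advertise default credentials (the signal the Default Passwords case study relies on later), and orders hosts so an asset owner reviewing banners for their own address space sees the devices that need authentication enabled first. The banners and addresses are constructed; the regular expression for default-credential wording is an assumption of this example.

```python
import re

# Constructed sample banners (RFC 5737 documentation addresses, not real hosts),
# in the shape SHODAN shows them: status line followed by response headers.
SAMPLE_BANNERS = {
    "198.51.100.10": "HTTP/1.0 401 Unauthorized\r\nServer: cisco-IOS\r\n"
                     'WWW-Authenticate: Basic realm="level_15_access"\r\n',
    "198.51.100.11": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
                     "Last-Modified: Thu, 01 Jan 2009 00:00:00 GMT\r\n",
    "198.51.100.12": "HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.3\r\n",
    "198.51.100.13": "HTTP/1.0 401 Unauthorized\r\nServer: PrintServer/1.0\r\n"
                     'WWW-Authenticate: Basic realm="default password: 1234"\r\n',
}
DEFAULT_CRED_RE = re.compile(r"default\s+(password|passwd|login|credentials?)", re.I)

def parse_banner(banner):
    """Split a banner into (status code or None, {lower-case header: value})."""
    lines = [l for l in banner.splitlines() if l.strip()]
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0]) if lines else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (int(m.group(1)) if m else None), headers

def classify(banner):
    """Apply the deck's assumptions to one banner; see the comment on each rule."""
    status, headers = parse_banner(banner)
    has_auth = "www-authenticate" in headers
    if status == 200 and not has_auth:
        category = "no-auth"        # loads without credentials (at least initially)
    elif status == 401 and has_auth:
        category = "auth-prompt"    # login box: auth possible but not yet supplied
    elif status == 403:
        category = "forbidden"      # denied regardless of authentication
    else:
        category = "unknown"
    return {"category": category,
            "advertises_default": bool(DEFAULT_CRED_RE.search(banner))}

def triage(banners):
    """Order hosts by remediation urgency: open first, then default-cred prompts."""
    rank = {"no-auth": 0, "auth-prompt": 2, "forbidden": 3, "unknown": 4}
    rows = []
    for host, banner in banners.items():
        info = classify(banner)
        prio = rank[info["category"]] - (1 if info["advertises_default"] else 0)
        rows.append((prio, host, info["category"], info["advertises_default"]))
    return [row[1:] for row in sorted(rows)]
```

Running triage(SAMPLE_BANNERS) lists the 200 OK Cisco banner first, then the print server whose realm advertises a default password, then the remaining hosts.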
-
Surely these HTML links will require some additiona
-
Nope. No authentication required for Level 15! No authentication required for configur
-
No authentication required for Level 15 exec commands
-
show running-config show cdp neighbors
-
Case Study: Default Passwords (1)
• The default password search locates servers that have those words in the banner
• This doesn't suggest that these results will be using the defaults, but since they're advertising the defaults they would potentially be the lowest hanging fruit
-
Case Study: Default Passwords (2)
An example of a default password result:
The server line indicates this is likely to be a print server; also note the 401 and Www-authenticate, which indicate the likelihood of a username and password pop-up box
-
Case Study: Default Passwords (3)
• This does not suggest that this device is using the default password, but it does mean that it is a possibility
• While no username is listed, a null username or admin is always a good guess
• And did it work?
-
Conclusion
• SHODAN aggregates a significant amount of information that isn't already widely available in an easy to understand format
• Allows passive vulnerability analysis
er for penetration testers that will help shape the p