shodan- that device search engine
TRANSCRIPT
That device search engine
Shameless ripoff of xkcd.com/1385/
What’s Shodan?
• Search engine for Internet-connected devices by John Matherly (@achillean).
• Probes devices on specific ports, aggregates the output and indexes it, aka Google for TCP banners.
• Has a powerful API, Python & Ruby libraries
• Integration with Maltego, Metasploit & Armitage.
Things Shodan can find
• Routers, Switches, Printers, Cameras, SCADA gear, Power plants, Wind farms, SSH servers, Telnet servers, Televisions, Refrigerators, Embedded devices, Gas station pumps, yadda yadda.
• Essentially any device that is connected to the Internet, accepts connections from anyone and spits out some kind of banner.
Cameras == Boring
Search Filters
• Country, City, Long & Lat (Geo).
• Hostname, OS, Port, Network (Net).
• Time frame (After/Before).
• SSL but only for $$$.
Applying Shodan?
»Penetration Testing
»Business Intelligence
»Internet Cartography
Shodan – Penetration Testing
• Millions of wide-open or awfully configured devices in the wild.
• A couple of well-crafted searches & filters == thousands of vulnerable devices.
• Search for a combination of ports, like port:502,22 (Modbus & SSH).
Shodan – Penetration Testing
• Search for the most sold device brands (cameras, routers) in a region, understand their headers, craft a search query == thousands of devices with default logins.
• Panasonic: admin/12345
• Samsung Electronics: root/root or admin/4321
• Samsung Techwin (old): admin/1111111
• Samsung Techwin (new): admin/4321
• Sony: admin/admin
• TRENDnet: admin/admin
• Toshiba: root/ikwd
• Vivotek: root/<blank>
• WebcamXP: admin/<blank>
(Default passwords according to portforward.com)
Shodan – Penetration Testing
• If you want more trouble, government tenders are a good place to understand what devices they are using.
Business Intelligence
• Lets people empirically measure who is using what sort of technology on the Internet.
• Shodan has amazing support for exporting data in various formats, but the feature comes only with a $$$ price tag.
Internet Cartography
• Some people do things for the fun of it!
• Pinging all Minecraft servers: https://www.shodan.io/search?query=port%3A25565+product%3A%22Minecraft%22
Pinging all the devices on Internet
By Matherly
Industrial Control Systems on Internet
Shodan Metasploit
• Available as an auxiliary module.
• auxiliary/gather/shodan_search
• 50 results by default, 10000 for a paid account.
Shodan Maltego
• Shodan maltego entities from https://static.Shodan.io/downloads/Shodan-maltego-entities.mtz
• Shodan seed: https://cetas.paterva.com/TDS/runner/showseed/Shodan
• 5 Transforms – searchShodan, searchShodanByDomain, searchShodanByNetblock, toShodanHost, searchExploits
• 2 Entities – Service, Exploit.
Shodan-Python
• $ easy_install shodan
• The Shodan REST API is extremely powerful and the documentation is fairly good.
• Libraries for Ruby & Node.js exist too.
Shodan - Miscellaneous
• Shodan Maps
• Shodan Exploits
• Shodan Terminal
Shutting The Door On Shodan
• Allow only necessary communication. Don't put everything on the Internet just because you can (running web servers on SCADA gear, for instance).
• For devices you do need to put on the Internet, sanitize banners and configure the devices properly.
• Access controls.
• Exhaustive discussion on the topic at : http://www.manufacturing.net/articles/2013/12/shutting-the-door-on-shodan
(Mandatory) Caution!!
• Be extremely cautious while using Shodan. You could find yourself doing something very illegal without even realizing.
• For lawyers and most businesses there isn't much of a distinction between curiosity & crime.
• Questions?