Maxine Major December 12, 2013. What is Shodan? How it Works A Tour of Shodan What Shodan Finds ...
-
Upload
milo-hercules -
Category
Documents
-
view
242 -
download
2
Transcript of Maxine Major December 12, 2013. What is Shodan? How it Works A Tour of Shodan What Shodan Finds ...
SHODAN“THE INTERNET OF THINGS”
Maxine MajorDecember 12, 2013
OVERVIEW
What is Shodan? How it Works A Tour of Shodan What Shodan Finds Similar Searches
WHAT IS SHODAN?
Search engine http://www.shodanhq.com/ Finds anything connected to the internet Named after AI in System Shock 2 (1999)
“Sentient Hyper-Optimized Data Access Network “
Developed by John Matherly. Went live in 2009 Currently indexes over 500 million
connected devices monthly 10,000 Industrial Control Systems
HOW SHODAN SEARCHES
Web search engines index websites Shodan indexes metadata and banners
Port 21/TCP (FTP) Port 22/TCP (SSH) Port 23/TCP (Telnet) Port 80/TCP (HTTP)
“Tell me what you can tell me about yourself.”
LEGALITY
Publicly available data “public” in that it is unprotected
“Once that data is made public…it’s unclear whether it’s still protected by data security laws.” – John Matherly
TOUR OF SHODAN
TOUR OF SHODAN
TOUR OF SHODAN
TOUR OF SHODAN
TOUR OF SHODAN
NARROWING THE SEARCH
Search Filters city apache city:"Zürich“ country nginx country:DE geo apache geo:42.9693,-74.1224 hostname"Server: gws" hostname:google net net:216.219.143.0/24 os microsoft-iis os:"windows 2003" port 21 (FTP), 22 (SSH), 23 (Telnet)
ADDITIONAL FEATURES
Shodan API Integrate Shodan into your own software
Scanhub Make your own search engine built off
nmap scans Add Shodan to browser search engines
Note: Scans through Shodan are not real-time. They are produced from a crawler database.
WHAT SHODAN FINDS
144 million web servers on Shodan Microsoft’s IIS runs 8.5 million web servers Allegro Software’s RomPager: 22 million
servers OEM embedded web server Routers, switches, printers, etc.
WHAT SHODAN FINDS
Breakdown of Port Distribution (2012)
WHAT SHODAN FINDS
Cameras Webcams Security cameras
Home security systems Printers Refrigerators Caterpillar tractor control
panels Medical Devices Car Washes Hospital fetal monitoring
Critical infrastructure (water, sewage, dams,
Automobile assembly lines High School lighting
systems HVAC Power Dam Baby Monitors Traffic Control Systems
WHAT SHODAN FINDS
Baby Monitors August 2013 Baby monitor hacked
Marc Gilbert heard voices from 2-yr old’s room Verbal abuse from networked baby monitor Foscam video/two-way audio cam “admin” username default New user account had been added. “Root”
Likely Shodan used to discover monitor
WHAT SHODAN FINDS
WHAT SHODAN FINDS
Elementary School Heating System
WHAT SHODAN FINDS
Caterpillar controls
WHAT SHODAN FINDS
Webcams & Security Systems
WHAT SHODAN FINDS
Swimming pool acid pump Traffic control system
WHAT SHODAN FINDS
Wind turbines Heart monitors
WHAT SHODAN FINDS
Security guards Car washes
WHAT SHODAN FINDS
Not all systems found are legitimate Demos Honeypots
WATERWORKS HONEYPOT
Trend Micro created web-based simulation of an industrial control system (ICS) Water pump facility
Water pump supervisory control SCADA network Purpose: to measure attacks on real-world systems
Targeted 17 times in 4 months 12 to shut down water pump 5 to modify pump process
Attacks came via Google and Shodan
RESEARCH IN SHODAN
Security researcher Eireann Leverett developing a tool to match ICSs found on Shodan to known vulnerabilities (2011) Intent to “allow defenders to assess their
attack surface and prioritise the required interventions in a timely manner”
Can also be used for auditing Research funded by BP
SIMILAR SEARCHES
VxWorks Platform developed by WindRiver Systems
(Intel) WDB agent – system level debugger
UDP Port 17185 (2010) Rapid7 developer wrote a scanner for
Metasploit to scan for WDB Surveyed over 3.1 billion IP addresses Discovered 250,000+ systems with WDB agent
exposed Discovered massive scan in 2006 by unknown party
SIMILAR SEARCHES
Universal Plug and Play (UPnP) UPnP Simple Object Access Protocol (SOAP)
2013 Rapid7 white paper “UPnP discovery requests were sent to every
routable IPv4 address approximately once a week from June 1 to November 17, 2012. “
81 million unique IPs responded 20% SOAP API Vulnerable to a single UDP packet for remote code
execution
SIMILAR SEARCHES
Internet Census 2012 (by “Carna Botnet”) Started as a joke:
telnet login root:root on random IPs Binary uploaded to insecure devices
Watchdog w/ lowest priority Scanned port 23 (Telnet) on IPv4 Stopped after a few days. Included a README
Binary ran on 420,000 devices 20% of unprotected devices found 1.2 million unique unprotected devices identified by
MAC Most common unprotected device is router
SIMILAR SEARCHES
Internet Census 2012 Ignored:
IPv6 Devices without ifconfig Devices without a shell 100k MIPS 4kce (embedded systems/game
consoles) Encountered Aidra botnet (malicious)
MINIMIZE SHODAN RISKS
Standard security practices Restrict public facing servers and devices Use VPN or IP filters for external access
(e.g., employee working from home wants to use company printer)
Always change password defaults Suppress/minimize verbose banners Test Shodan on your own devices
May not find you if you’re not already indexed
(esecurityplanet.com)
BEYOND SHODAN
Shodan is the first search engine of its kind.
It’s possible and likely that other search engines could be more powerful.
How long before society becomes aware of what makes something findable?
Need to rewire how people think about connected devices.
REFERENCES http://www.wired.com/images_blogs/threatlevel/2012/01/2011-Leverett-industrial.pdf http://www.shodanhq.com/ http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-th
e-internet/ https://community.rapid7.com/docs/DOC-2150 https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-d
ont-play http://internetcensus2012.bitbucket.org/paper.html http://en.wikipedia.org/wiki/MIPS_architecture#Microarchitectures_based_on_the_MIPS_instruction_set https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port
-servers https://speakerdeck.com/hdm/derbycon-2012-the-wild-west http://www.us-cert.gov/ncas/alerts/TA13-175A http://www.shodanhq.com/help/filters http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers http://www.allegrosoft.com/embedded-web-server-s2?utm_expid=16278828-3.XjShHBhqQ1OFjzbnYYNwdA.1&utm_ref
errer=https%3A%2F%2Fwww.google.com%2F http://www.networkworld.com/news/2013/031513-scada-honeypot-267740.html http://www.esecurityplanet.com/network-security/5-tips-to-protect-networks-against-shodan-searches.html http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/ http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-th
e-internet/ http://userserve-ak.last.fm/serve/_/86825487/System+Shock+2+cover.png http://money.cnn.com/gallery/technology/security/2013/05/01/shodan-most-dangerous-internet-searches/index.html http://www.qmed.com/news/shodan-potential-nightmare-medical-device-users http://www.slideshare.net/Shakacon/dan-tentler http://secanalysis.com/a-brief-analysis-of-shodan/ http://siliconangle.com/blog/2013/06/26/how-shodan-searches-for-holes-in-the-internet-of-things/ http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf