Pen Testing the Web with Firefox: SHODAN

Upload: michael-schearer

Post on 30-May-2018


TRANSCRIPT

  • 8/14/2019 Pen Testing the Web With Firefox: SHODAN

    1/58

    Pen Testing the Web with Firefox: SHODAN

    Michael "theprez98" Schearer


    SHODAN

    • What is SHODAN?
    • Basic Operations
    • Penetration Testing
    • Case Study 1: Cisco Devices
    • Case Study 2: Default Passwords
    • Other Examples
    • Issues and Known Limitations
    • Conclusions


    What is SHODAN? (1)

    • SHODAN is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)

    • While SHODAN is a search engine, it is very different from content search engines like Google, Yahoo or Bing

    What is SHODAN? (2)

    • Typical search engines crawl for data on web pages and then index it for searching

    • SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching


    SHODAN Helper Firefox Add-on

    SHODAN Search Provider Firefox Add-on


    Basic Operations (1)

    • Search terms are entered into a text box (seen below)

    • Quotation marks can narrow a search

    • Boolean operators + and - can be used to include and exclude query terms (+ is the implicit default)


    Basic Operations (2)

    • Search terms can be general (Apache) or specific (Apache 2.2.3)

    • Further filtering is available by country (two-letter country code), IP/CIDR, hostname, and port (21, 22, 23, and 80)


    Basic Operations (cont.)

    Find all apache servers in Switzerland


    Basic Operations (cont.)

    Top four countries matching your query

    Find apache servers running version 2.2.3


    Basic Operations: Country Filter

    • Filtering by country can also be accomplished by clicking on the country map (which is available from the options drop-down menu)

    • Mouse over a country for the number of scanned hosts for that country


    Basic Operations: Filters

    • The net filter allows you to refine your searches by IP/CIDR notation

    • The OS filter allows you to refine searches by operating system

    • Note that both the country filter and the net filter require you to be signed in


    Basic Operations: Hostname Filter

    Search results can be filtered using any portion of a hostname or domain name

    Find apache servers in the .nist.gov domain

    Find iis-5.0 servers in the .edu domain


    Basic Operations: Port Filter

    • SHODAN can filter your search results by port

    • Current collection is limited to ports 21 (FTP), 22 (SSH), 23 (Telnet), and 80 (HTTP); the overwhelming majority of collection is HTTP

    • More ports/services coming (send requests to the developer via Twitter)
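    The Basic Operations slides above describe a small search grammar: free-text terms, quoted phrases to narrow a search, "-" to exclude, and the country, net, hostname, port and OS filters. The Python below is an added example for this transcript, not code from the slides or from SHODAN itself. It assembles those pieces into a query string using SHODAN's `filter:value` syntax and validates each filter value locally (two-letter country code, parseable IP/CIDR, sane port) so that a typo fails in your script rather than silently returning zero hits. The `ShodanQuery` class and `quote_term` helper are names chosen for this example.

```python
"""Build and validate SHODAN search queries (added example, not from the slides)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")                            # two-letter code, e.g. CH
HOSTNAME_RE = re.compile(r"^\.?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$")  # ".nist.gov", "www.example.org"


def quote_term(term: str) -> str:
    """Wrap multi-word terms in quotes so SHODAN matches them as a phrase.
    Single tokens such as Apache/2.2.3 or iis-5.0 are passed through unchanged."""
    term = term.strip()
    if any(ch.isspace() for ch in term):
        return '"' + term.strip('"') + '"'
    return term


@dataclass
class ShodanQuery:
    terms: List[str] = field(default_factory=list)     # included terms (the implicit "+")
    exclude: List[str] = field(default_factory=list)   # rendered with a leading "-"
    country: Optional[str] = None                      # two-letter country code
    net: Optional[str] = None                          # single IP or CIDR block
    hostname: Optional[str] = None                     # any portion of a hostname or domain
    port: Optional[int] = None                         # 21, 22, 23 or 80 at the time of the slides
    os: Optional[str] = None                           # operating system string

    def validate(self) -> None:
        """Raise ValueError on the first malformed field."""
        filters = (self.country, self.net, self.hostname, self.port, self.os)
        if not self.terms and not self.exclude and all(f is None for f in filters):
            raise ValueError("query has no terms and no filters")
        if self.country is not None and not COUNTRY_RE.match(self.country):
            raise ValueError(f"country must be a two-letter code, got {self.country!r}")
        if self.net is not None:
            ipaddress.ip_network(self.net, strict=False)   # ValueError on a bad IP or prefix length
        if self.hostname is not None and not HOSTNAME_RE.match(self.hostname):
            raise ValueError(f"hostname fragment is malformed: {self.hostname!r}")
        if self.port is not None and not 0 < self.port <= 65535:
            raise ValueError(f"port out of range: {self.port}")

    def is_valid(self) -> bool:
        try:
            self.validate()
        except ValueError:
            return False
        return True

    def build(self) -> str:
        """Return the query string exactly as it would be typed into the search box."""
        self.validate()
        parts = [quote_term(t) for t in self.terms]
        parts += ["-" + quote_term(t) for t in self.exclude]
        if self.country is not None:
            parts.append(f"country:{self.country.upper()}")
        if self.net is not None:
            parts.append(f"net:{self.net}")
        if self.hostname is not None:
            parts.append(f"hostname:{self.hostname}")
        if self.port is not None:
            parts.append(f"port:{self.port}")
        if self.os is not None:
            parts.append(f"os:{quote_term(self.os)}")
        return " ".join(parts)


if __name__ == "__main__":
    # The searches shown on the slides, plus the default-password search used later in the deck.
    print(ShodanQuery(terms=["apache"], country="ch").build())           # apache country:CH
    print(ShodanQuery(terms=["apache"], hostname=".nist.gov").build())   # apache hostname:.nist.gov
    print(ShodanQuery(terms=["default password"], port=80).build())      # "default password" port:80
```

    The same object can feed the search box directly or a script that calls the SHODAN API; validating before the request also keeps a bad `net:` value from being sent under your account, which is the one filter the slides note requires you to be signed in.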


    Pen Testing: Ethics (1)

    • Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view?

    • What about viewing the configuration of a device using a default username and password?

    • What about viewing the configuration of a device using a unique username and password?

    • Changing the configuration of any device?


    Pen Testing: Ethics (2)

    No authentication

    Default username and password

    Unique username and password

    Changing configurations


    Pen Testing: HTTP Status Codes

    Status Code         Description

    200 OK              Request succeeded

    401 Unauthorized    Request requires authentication

    403 Forbidden       Request is denied regardless of authentication


    Pen Testing: Assumptions

    • 200 OK banner results will load without any authentication (at least not initially)

    • 401 Unauthorized banners with a WWW-Authenticate header indicate a username and password pop-up box (authentication is possible but not yet accomplished, as distinguished from 403 Forbidden)

    • Some banners advertise defaults


    Case Study: Cisco Devices

    Here is a typical 401 Unauthorized banner when using the simple search term cisco:

    Take note of the WWW-Authenticate line, which indicates the requirement for a username and password


    Case Study: Cisco Devices

    Now consider an example of a 200 OK banner which does not include the WWW-Authenticate line:


    Case Study: Cisco Devices

    A comparison of the two banners finds the second banner to include the Last-Modified line, which does not appear when WWW-Authenticate appears:

    In fact, among cisco results these two lines are more than 99.9% mutually exclusive


    Case Study: Cisco Results

    • This suggests that Cisco 200 OK banners that include the Last-Modified line do not require any authentication (at least not initially)

    • The results on the previous slide suggest there are potentially 3,000+ Cisco devices that do not require authentication


    Surely these HTML links will require some additiona


    Nope. No authentication required for Level 15! No authentication required for configur


    No authentication required for Level 15 exec commands


    show running-config

    show cdp neighbors


    Case Study: Default Passwords (1)

    • The default password search locates servers that have those words in the banner

    • This doesn't suggest that these results will be using the defaults, but since they're advertising the defaults they would potentially be the lowest-hanging fruit


    Case Study: Default Passwords (2)

    An example of a default password result:

    The Server line indicates this is likely to be a print server; also note the 401 and WWW-Authenticate, which indicate the likelihood of a username and password pop-up box


    Case Study: Default Passwords (3)

    • This does not suggest that this device is using the default password, but it does mean that it is a possibility

    • While no username is listed, a null username or admin is always a good guess

    • And did it work?


    javascript:SnapshotWin()

    client.html


    system.html
    security.html
    network.html
    wireless.html
    ddns.html
    accesslist.html
    audiovideo.html
    cameracontrol.html
    mailftp.html
    motion.html
    application.html
    syslog.html
    parafile.html
    maintain.html


    Conclusion

    • SHODAN aggregates a significant amount of information that isn't already widely available in an easy-to-understand format

    • Allows passive vulnerability analysis

    er for penetration testers that will help shape the p


    Pen Testing the Web with Firefox: SHODAN

    Michael "theprez98" Schearer