Shodan - That Device Search Engine

Upload: inmobi-technology

Post on 10-Jul-2015

TRANSCRIPT

Page 1: Shodan- That Device Search Engine

That device search engine

Page 2: Shodan- That Device Search Engine

Shameless ripoff of xkcd.com/1385/

Page 3: Shodan- That Device Search Engine

What’s Shodan?

• Search engine for Internet-connected devices, by John Matherly (@achillean).

• Probes devices on specific ports, aggregates the output and indexes it: effectively a Google for TCP banners.

• Has a powerful API, with Python & Ruby libraries.

• Integration with Maltego, Metasploit & Armitage.

Page 4: Shodan- That Device Search Engine

Things Shodan can find

• Routers, switches, printers, cameras, SCADA gear, power plants, wind farms, SSH servers, Telnet servers, televisions, refrigerators, embedded devices, gas station pumps, yadda yadda.

• Essentially any device connected to the Internet that lets anyone connect and spits out some kind of banner.

Page 5: Shodan- That Device Search Engine

Cameras == Boring

Page 6: Shodan- That Device Search Engine

Search Filters

• Country, City, Long & Lat (Geo).

• Hostname, OS, Port, Network (Net).

• Time frame (After/Before).

• SSL but only for $$$.

Page 7: Shodan- That Device Search Engine

Applying Shodan?

»Penetration Testing

Page 8: Shodan- That Device Search Engine

Applying Shodan?

»Penetration Testing

»Business Intelligence

Page 9: Shodan- That Device Search Engine

Applying Shodan?

»Penetration Testing

»Business Intelligence

»Internet Cartography

Page 10: Shodan- That Device Search Engine

Shodan – Penetration Testing

• Millions of wide-open or badly configured devices in the wild.

• A couple of well-crafted searches & filters == thousands of vulnerable devices.

• Search for a combination of ports, like port:502,22 (Modbus & SSH).

Page 11: Shodan- That Device Search Engine

Shodan – Penetration Testing

• Search for the best-selling devices and brands (cameras, routers) in a region, understand their headers, craft a search query == thousands of devices with default logins.

• Panasonic: admin/12345
• Samsung Electronics: root/root or admin/4321
• Samsung Techwin (old): admin/1111111
• Samsung Techwin (new): admin/4321
• Sony: admin/admin
• TRENDnet: admin/admin
• Toshiba: root/ikwd
• Vivotek: root/<blank>
• WebcamXP: admin/<blank>

(Default passwords according to portforward.com)

Page 12: Shodan- That Device Search Engine

Shodan – Penetration Testing

• If you want more trouble, government tenders are a good place to learn which devices they are using.

Page 13: Shodan- That Device Search Engine

Business Intelligence

• Lets people empirically measure who is using what sort of technology on the Internet.

• Shodan has amazing support for exporting data in various formats, but the feature only comes with a $$$ tag.

Page 14: Shodan- That Device Search Engine

Internet Cartography

• Some people do things for the fun!

• Pinging all Minecraft servers:

• https://www.shodan.io/search?query=port%3A25565+product%3A%22Minecraft%22

Page 15: Shodan- That Device Search Engine

Pinging all the devices on the Internet

By Matherly

Page 16: Shodan- That Device Search Engine

Industrial Control Systems on the Internet

Page 17: Shodan- That Device Search Engine

Shodan Metasploit

• Available as an auxiliary module.

• auxiliary/gather/shodan_search

• 50 results by default, 10,000 for a paid account.

Page 18: Shodan- That Device Search Engine

Shodan Maltego

• Shodan Maltego entities from https://static.shodan.io/downloads/shodan-maltego-entities.mtz

• Shodan seed: https://cetas.paterva.com/TDS/runner/showseed/shodan

• 5 Transforms – searchShodan, searchShodanByDomain, searchShodanByNetblock, toShodanHost, searchExploits.

• 2 Entities – Service, Exploit.

Page 19: Shodan- That Device Search Engine

Shodan-Python

• $ easy_install shodan

• The Shodan REST API is extremely powerful and the documentation is fairly good.

• Libraries for Ruby & Node.js exist.
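Added example (not code from the slides or from the Shodan project): the defensive way to use the Python library the slide points at is to monitor your own address space, i.e. ask Shodan what it sees on your netblock and diff that against the services you intend to expose. Everything here is an assumption: the hypothetical organisation owns 203.0.113.0/24 (a documentation range), `EXPECTED` is its allowlist, `SAMPLE_MATCHES` is a constructed result shaped like Shodan's search output (`ip_str`, `port`, `product`), and a live query needs a key in `SHODAN_API_KEY`. Only `search_own_netblock` touches the network; the rest runs offline.

```python
"""Attack-surface check against your own netblock using Shodan (added example).

Assumptions, not from the slides: the org owns 203.0.113.0/24, expects only
the (ip, port) pairs in EXPECTED, and keeps a Shodan API key in SHODAN_API_KEY.
"""
import ipaddress
import os
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical allowlist: services the organisation deliberately exposes.
EXPECTED: Set[Tuple[str, int]] = {
    ("203.0.113.10", 80),
    ("203.0.113.10", 443),
    ("203.0.113.20", 22),
}


def build_netblock_query(cidr: str, ports: Iterable[int] = ()) -> str:
    """Build a Shodan query limited to one netblock with the `net:` filter.

    `port:` takes a comma-separated list, as in the port:502,22 example on
    the penetration-testing slide. A CIDR with host bits set is rejected so
    a typo cannot silently widen or narrow the query.
    """
    network = ipaddress.ip_network(cidr, strict=True)  # raises ValueError if bad
    query = f"net:{network.with_prefixlen}"
    port_list = sorted({int(p) for p in ports})
    if port_list:
        query += " port:" + ",".join(str(p) for p in port_list)
    return query


def unexpected_exposures(matches: List[Dict], expected: Set[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Return (ip, port, product) for every match that is not on the allowlist.

    Uses the field names Shodan search results carry (ip_str, port, product);
    a missing product is reported as 'unknown'.
    """
    findings = []
    for m in matches:
        key = (m.get("ip_str"), int(m.get("port", 0)))
        if key not in expected:
            findings.append((key[0], key[1], m.get("product") or "unknown"))
    return sorted(findings)


def search_own_netblock(cidr: str, api_key: Optional[str] = None) -> List[Dict]:
    """Live lookup with the official `shodan` client (easy_install/pip install shodan).

    The import is lazy so the offline functions above work without the library.
    api.search() returns a dict with 'total' and 'matches'.
    """
    key = api_key or os.environ.get("SHODAN_API_KEY")
    if not key:
        raise RuntimeError("set SHODAN_API_KEY to run a live query")
    import shodan  # official client library

    api = shodan.Shodan(key)
    return api.search(build_netblock_query(cidr)).get("matches", [])


# Constructed sample shaped like Shodan search output (not real scan data):
# a Modbus device and a Telnet service that nobody put on the allowlist.
SAMPLE_MATCHES: List[Dict] = [
    {"ip_str": "203.0.113.10", "port": 443, "product": "nginx", "data": "HTTP/1.1 200 OK\r\n"},
    {"ip_str": "203.0.113.20", "port": 22, "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_6.6\r\n"},
    {"ip_str": "203.0.113.30", "port": 502, "product": "Modbus", "data": "\x00\x01\x00\x00\x00\x05"},
    {"ip_str": "203.0.113.40", "port": 23, "product": None, "data": "Welcome\r\nlogin: "},
]


if __name__ == "__main__":
    print(build_netblock_query("203.0.113.0/24", ports=[502, 22]))
    for ip, port, product in unexpected_exposures(SAMPLE_MATCHES, EXPECTED):
        print(f"UNEXPECTED {ip}:{port} ({product})")
```

Run it on a schedule and alert on any new tuple: the point is that Shodan already holds this view of your network, so a defender should hold the same view and notice drift before someone else does.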

Page 20: Shodan- That Device Search Engine

Shodan - Miscellaneous

• Shodan Maps

• Shodan Exploits

• Shodan Terminal

Page 21: Shodan- That Device Search Engine

Shutting The Door On Shodan

• Allow only necessary communication. Don’t put everything on the Internet just because you can, especially if you run web servers on SCADA gear.

• For devices you do need to put on the Internet, sanitize banners and configure the devices properly.

• Access controls.

• Exhaustive discussion of the topic at: http://www.manufacturing.net/articles/2013/12/shutting-the-door-on-shodan
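Added example (not from the slides or the linked article) for the "sanitize banners" point: what Shodan indexes is whatever your service says on connect, so the check to run against hosts you administer is whether that first reply still leaks product and version details after hardening. The banners below are constructed before/after pairs; the "after" forms correspond to vendor settings such as Apache `ServerTokens Prod` / `ServerSignature Off`, nginx `server_tokens off;`, PHP `expose_php = Off`, ProFTPD `ServerIdent off` and, on Debian-derived OpenSSH builds, `DebianBanner no` (the SSH software string itself is required by the protocol, so only the trailing OS comment can go). `DISCLOSURE_PATTERNS` is my own list, not a standard; extend it for the services you run.

```python
"""Banner-hygiene check for hosts you administer (added example).

Constructed sample banners; the regexes are this example's own heuristics.
"""
import re
import socket
from typing import List, Tuple

# (label, pattern): each pattern matches a detail that a hardened banner should
# no longer carry. Multiline mode so headers after the status line are seen.
DISCLOSURE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # "Server: Apache/2.4.7 (Ubuntu)" -> product plus version number
    ("http-server-version", re.compile(r"^Server:\s*\S+/\d[\w.]*", re.I | re.M)),
    # "X-Powered-By: PHP/5.5.9" -> whole header is unnecessary disclosure
    ("http-powered-by", re.compile(r"^X-Powered-By:", re.I | re.M)),
    # "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2" -> OS/distribution comment
    ("ssh-os-comment", re.compile(r"^SSH-2\.0-\S+\s+\S+", re.M)),
    # "220 ProFTPD 1.3.5 Server (Debian)" -> version in the FTP greeting
    ("ftp-version", re.compile(r"^220[ -].*\d+\.\d+", re.M)),
]


def banner_findings(banner: str) -> List[str]:
    """Labels of every disclosure pattern the banner matches (empty = clean)."""
    return [label for label, rx in DISCLOSURE_PATTERNS if rx.search(banner)]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Fetch up to 1 KiB of what a service sends on connect, for self-checks.

    Plain HTTP ports get a HEAD request first, since HTTP servers do not speak
    until asked. Intended for your own hosts, to confirm hardening took effect.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(1024).decode("utf-8", "replace")
        except socket.timeout:
            return ""


# Constructed before/after banners (not captured from any real host).
VERBOSE_HTTP = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nX-Powered-By: PHP/5.5.9\r\n\r\n"
HARDENED_HTTP = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"  # ServerTokens Prod, expose_php=Off
VERBOSE_SSH = "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"
HARDENED_SSH = "SSH-2.0-OpenSSH_6.6.1p1\r\n"  # DebianBanner no
VERBOSE_FTP = "220 ProFTPD 1.3.5 Server (Debian) [::ffff:203.0.113.5]\r\n"
HARDENED_FTP = "220 FTP service ready\r\n"  # ServerIdent off


def audit_samples() -> List[Tuple[str, List[str]]]:
    """Run the check over the constructed pairs; returns (name, findings)."""
    samples = [
        ("http-before", VERBOSE_HTTP), ("http-after", HARDENED_HTTP),
        ("ssh-before", VERBOSE_SSH), ("ssh-after", HARDENED_SSH),
        ("ftp-before", VERBOSE_FTP), ("ftp-after", HARDENED_FTP),
    ]
    return [(name, banner_findings(b)) for name, b in samples]


if __name__ == "__main__":
    for name, findings in audit_samples():
        print(f"{name:12s} {'clean' if not findings else ', '.join(findings)}")
```

Trimming banners does not fix a vulnerable service, it only stops it from being trivially findable by product and version; the first two bullets on the slide (expose less, control access) are still the real fix.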

Page 22: Shodan- That Device Search Engine

(Mandatory) Caution!!

• Be extremely cautious while using Shodan. You could find yourself doing something very illegal without even realizing it.

• For lawyers and most businesses there isn’t a lot of distinction between curiosity & crime.

Page 23: Shodan- That Device Search Engine

• Questions?