SHODAN Computer Search Engine University of Florida 5 November, 2013 Shawn Merdinger Security Analyst, HealthNet UF Health

Page 1: SHODAN - University of Floridajnw/cis4930fa13/Modules/Module49.pdf · Shodan Computer Search Engine – John Matherly US based Public late 2009 – “Search engine for service banners

SHODAN Computer Search Engine

University of Florida

5 November, 2013

Shawn Merdinger, Security Analyst, HealthNet, UF Health

Page 2:

Outline

● Shodan
  – High-level technical overview

● Research Findings

Page 3:

Shodan

● Computer Search Engine
  – John Matherly
● US based
● Public late 2009
  – “Search engine for service banners of pre-scanned devices that are accessible via the public Internet”
  – Somewhat controversial...
● Major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming as threat
● Tool: utility and outcome are dependent on use and intent

Page 4:

Shodan Scans

● Shodan's Scanning Process
  – Shodan servers scan the Internet
    ● Services (web, telnet, snmp, ftp, mysql, rdp, etc.)
    ● Ports (80, 8080, 443, 161, 21, 23, 3389, etc.)
  – Place scan results in DB
  – Users search Shodan
    ● Web interface or API
    ● Free-text, port, org, hostname, country, city, CIDR, etc.
● Advanced Integration
  ● Metasploit Modules (hat tip to John Sawyer :)
  ● ExploitDB, analysis with Maltego, geolocation mapping

Page 5:

How We Use Shodan at UF & Shands

● Currently looking for “low-hanging fruit”
  – Printers on public IP
  – Open Telnet → “Polycom Command Shell”
● Lots of ways to leverage more
  – Automation & deltas
  – Application-level
● Limitations
  – External IP only
  – Still worth it

Pages 6-9: (image slides, no text extracted)

Who Is Talking About Shodan?

If Joe Lieberman is talking about Shodan, you must know what it is.

Page 10:

DHS ICS-CERT Shodan Advisories

● First issued October 2010
● Several updates & references since

Page 11:

10/25 DHS ICS-CERT Advisory

● Project SHINE: SHodan INtelligence Extraction

  – Bob Radvanovsky & Jake Brodsky, infracritical / scadasec
    ● I provide volunteer research support, search terms, etc.

– Daily search feed to ICS-CERT

– +1,000,000 “sensitive” systems so far, 8K devices new daily

Page 12:

Keeping Perspective...

● Scanning is old news
  – Attackers
    ● Constantly scanning you
    ● Shodan just made scanning more
      – Searchable + visible + accessible....without scanning
  – Legitimate research
    ● HD Moore's scanning project
      – Hits select UDP ports of the entire Internet every 7 hours (.ru VPS)
    ● Academic researchers doing default credential checks!
      – Columbia, 2010 (Cui, Stolfo): +500K devices with default credentials
    ● Scans.io
      – Repository of raw scan data

HOT -->

Page 13:

Research Findings

● Challenges
  – Of finding and reporting scary things
    ● “Do no harm” ground rules, intent, curiosity, outcomes
    ● What to do? Who to tell? How to go about it?
    ● Perspectives
      – “We will sue you” ↔ “Unethical” ↔ “Thank you” ↔ “No response”
  – The invaluable value of the CERTs
    ● I would not do this without them as a resource. Period.
    ● Find bad stuff, write up threat evaluation, send to CERTs
      – Leave them alone
    ● Takes time, but mostly good results...mostly
    ● Exceptions...

Page 14:

S2 Security NetBox

● DefCon 2010 talk: “We don't need no stinkin' badges”

– Building Door Access Controllers (Web Based)

– Multiple CVEs, complete compromise of device, S2 Security vendor threatened to sue me, blocked my Twitter follow...

  – Real value of Shodan
    ● Proved not “deep inside corporate network” (Today 800+)

“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare”

– John Moss, CEO of S2 Security

Page 15:

VoIP Phones

● Lots of VoIP phones, individual, conference (esp. Polycom)
● Late 2010 I focused on Snom
  – VOIPSA blog
    ● Remote tap scripts, call via phone web server, record, etc.
    ● Hard to find open Snom now – Exposure works?!?!

Page 16:

No Auth Cisco Routers & Switches

● "cisco-ios" "last-modified"
  – 14,000+ devices with HTTP, no authentication set
  – Level 15 access via HTTP
    ● “ip http authentication local” would lock down the web server
    ● Creative attacks – bit.ly and tinyurl.com w/ commands
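The “automation & deltas” idea from the UF slide (printers on public IP, open Telnet with a Polycom Command Shell) and the "cisco-ios" "last-modified" search on this slide, as an added example that is not from the talk: it triages constructed Shodan-style banner records, keeps only an assumed organisation address space (192.0.2.0/24), and reports which exposures opened or closed between two runs. The rule names, the sample records and the 200-vs-401 reading of the Cisco search are assumptions.

```python
import ipaddress

# Constructed sample records shaped like Shodan's JSON banner export
# (ip_str, port, data); addresses are from documentation ranges.
SNAPSHOT_OLD = [
    {"ip_str": "192.0.2.10", "port": 9100, "data": "@PJL INFO ID\r\nHP LaserJet\r\n"},
    {"ip_str": "192.0.2.20", "port": 23, "data": "Polycom Command Shell\r\n-> "},
    {"ip_str": "198.51.100.5", "port": 23, "data": "Polycom Command Shell\r\n-> "},
]
SNAPSHOT_NEW = [
    {"ip_str": "192.0.2.20", "port": 23, "data": "Polycom Command Shell\r\n-> "},
    {"ip_str": "192.0.2.30", "port": 80, "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
                                                 "Last-Modified: Tue, 05 Nov 2013 10:00:00 GMT\r\n"},
    {"ip_str": "192.0.2.31", "port": 80, "data": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
                                                 "WWW-Authenticate: Basic realm=\"level_15\"\r\n"},
]
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed org address space

def is_public_printer(rec):  # raw print port, or a PJL banner on any port
    return rec["port"] == 9100 or "@PJL" in rec["data"]

def is_polycom_shell(rec):
    return rec["port"] == 23 and "Polycom Command Shell" in rec["data"]

def is_ios_http_noauth(rec):
    # The talk's search "cisco-ios" "last-modified": an IOS web server that
    # demands credentials answers 401, so a 200 that carries Last-Modified
    # served content without authentication (assumption behind the search).
    d = rec["data"].lower()
    return "cisco-ios" in d and "last-modified" in d and " 200 " in d.split("\r\n", 1)[0]

RULES = {"printer-on-public-ip": is_public_printer,
         "polycom-telnet-shell": is_polycom_shell,
         "cisco-ios-http-noauth": is_ios_http_noauth}

def findings(records, nets=OUR_NETS):
    """Map (ip, port) -> rule name for in-scope records that match a rule."""
    out = {}
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in n for n in nets):
            continue  # Shodan indexes the whole Internet; keep only our space
        for name, match in RULES.items():
            if match(rec):
                out[(rec["ip_str"], rec["port"])] = name
                break
    return out

def delta(old, new):
    """(opened, closed): new exposures to ticket, and ones that went away."""
    return set(new) - set(old), set(old) - set(new)
```

Running `delta(findings(SNAPSHOT_OLD), findings(SNAPSHOT_NEW))` on the sample data reports the Cisco web server as newly opened and the printer as closed, while the out-of-scope Polycom and the 401-protected router are ignored.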

Page 17:

No Auth Cisco Devices in Iran

● “School of Particles and Accelerators” in Tehran, Iran

– Hrmm...might be interested in this?

Page 18:

Banners Bite Back

● Warning banners = easy fingerprinting
  – When best practices....ain't
● Swisscom and hotel routers (1200+)
  – Warning banner has company name and hotel location
  – Telnet. No SSH. If they run their routers like this, what else?

Page 19:

Banners Bite Back

● Swisscom Miami Conference Routers (7)

Page 20:

Open SMB Router Example

● Netopia with Telnet open ready for setup (2500)

Page 21:

Telnet To Root On Linux Devices

● TVs, DVRs, home wifi/routers, phones, refrigerators

● Telnet to root, no auth!

● Botnets (Carna, Aidra)

Page 22:

WebCams

● Huge numbers, all kinds of uses
● Personal, Office, Business, Security, SCADA
● See Dan Tentler's talks and code
  – Camcreep.py
    ● Auto screenshot via CLI
    ● wkhtmltoimage

Page 23:

“Watching the Watchers Watch”

Credit: Dan Tentler @viss

Page 24:

Printers on Public IP

● Technical Risks
  – MFP = Multi-function Printer (FAX, Scan, Email, Storage)
● Advanced research (Andrei Costin, Ph.D - Milan, Italy)
  – Access docs, change configs, attack via printed document
● Risks
  – Print from anywhere, Web printing, run out of paper, ink

– Social engineering...but how bad could a printer be?

Page 25:

Printer Case Study: Penn State

One line of code: cat jerrys_favorite_kids.img | nc target_ip 9100

Page 26:

Online Crematorium

● Siemens HMI - VNC 3-char default pass, no-auth Telnet, MD5 passwords

● “pr0f” South Houston SCADA hack (11/2011)

Page 27:

Cisco Lawful Intercept

● Cisco routers with LI special code and SNMP public

“LI User” = level 16 super-duper Cisco admin level. Supposed to be invisible to any other user. Taps supposed to use encrypted SNMPv3 for secure Mediation Device comms.

Page 28:

BlueCoat

● BlueCoat surveillance devices and human rights abuses

  – Syria
    ● Tracking and interception of dissidents' communications
    ● From “Chilling effect” to “Killing effect”

– ITAR export violations

– Ethical questions, PR exposure

Page 29:

CacheTalk Safes

Page 30:

Econolite Traffic Light Controller

● Yes, it is what you think. Credit: Dan Tentler @viss

Page 31:

Red Light Enforcement Cameras

● Delete those pesky speeding tickets!

Page 32:

Embassy Devices

● Question: What's running telnet in country X with “embassy” in the name?

● Cuts both ways...

Page 33:

Serial to Ethernet Controllers

● Many of these are online
  – Connected to anything that has a serial port
  – Extra scary because you don't know what it controls
    ● HVAC, lab stuff, etc.
● Web, telnet, snmp
  – Wide open
● Legacy
  – BACnet
  – “Hot-glued onto MB”

Page 34:

Caterpillar VIMS

● Web based remote monitoring (control?) over cell modem

● CAT 79X series = largest trucks in world

● 80+ in Alberta, Canada (working the tar sands)

● Poor vendor response...lawyers, not engineers

Page 35:

75+ US TV Stations' Antennas

● TV station digital antenna controllers w/ no auth (telnet/http)
  – Remote sites, air-to-ground data links, marketed to MIL, LEO, broadcasters
  – On the wire looks like home NAS or DVR (embedded Windows)
● Multi-step search technique to find
  – (1) Shodan (2) scan for unique port
  – Sent DHS ICS-CERT report of issues, IP, geolocation, FCC info
● Major broadcast network with “C” in acronym name
● Asset Owner: “We'll take care of this after election”
● Vendor: “Should be deep in corporate network”

● None have been secured as of today....

Page 36:

Gas Station Pumps

● 600+ in Turkey
  – Reported to Turkish CERT

– Posted search & vendor doc to my Twitter feed

● Can be unattended gas stations, fully automated

Page 37:

Gas Station Pumps

Page 38:

Wrapping up

● Register for a free Shodan account
● Email John Matherly for moar access
● Read up on Shodan

– Wikipedia

– Shodan web site (help, filters, references)

● Understand tool integration and new tools
  – Metasploit, Stach & Liu Diggity, Shi0San, etc.

● Be smart. Be responsible. Tell it like it is.

Page 39:

Thanks!

● Contact
  – Email: [email protected]
  – Twitter: @shawnmer
  – LinkedIn

● MedSec