SHODAN: Computer Search Engine
University of Florida
5 November, 2013
Shawn Merdinger, Security Analyst, HealthNet, UF Health
Outline
● Shodan
– High-level technical overview
● Research Findings
Shodan
● Computer search engine
– Created by John Matherly
● US based
● Public since late 2009
– "Search engine for service banners of pre-scanned devices that are accessible via the public Internet"
– Somewhat controversial...
● Major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming it as a threat
● It is a tool: utility and outcome depend on use and intent
Shodan Scans
● Shodan's scanning process
– Shodan servers scan the Internet
● Services (web, telnet, snmp, ftp, mysql, rdp, etc.)
● Ports (80, 8080, 443, 161, 21, 23, 3389, etc.)
– Scan results (banners) are placed in a DB
– Users search Shodan
● Web interface or API
● Free text, port, org, hostname, country, city, CIDR, etc.
● Advanced integration
● Metasploit modules (hat tip to John Sawyer :)
● ExploitDB, analysis with Maltego, geolocation mapping
How We Use Shodan at UF&Shands
● Currently looking for "low-hanging fruit"
– Printers on public IP
– Open Telnet → "Polycom Command Shell"
● Lots of ways to leverage more
– Automation & deltas (diff today's results against yesterday's)
– Application-level checks
● Limitations
– External IP only
– Still worth it
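The next block is an added example, written for this page and not code from Shodan or from the speaker, that ties the search filters listed above to the "automation & deltas" idea and to the banner findings later in the talk. It composes Shodan query strings from the filter names the slide lists, applies a few fingerprints taken from the talk (a "Polycom Command Shell" telnet prompt, a cisco-IOS HTTP server that answers 200 with Last-Modified and no WWW-Authenticate challenge, anything on the raw print port 9100, a warning banner that names a hotel) to records shaped like Shodan's JSON results, and diffs two daily pulls. The `ip_str`/`port`/`org`/`data` fields follow Shodan's result format; the banners, the hosts in 192.0.2.0/24 and the org names are constructed for the example, and the fingerprint list is my own reading of the slides, not Shodan's.

```python
"""Query building, banner fingerprinting and snapshot deltas for Shodan-style
results. Added example for this talk; not Shodan's or the speaker's code.
Runs offline on constructed records shaped like Shodan's JSON (ip_str, port,
org, data); the banners and the 192.0.2.0/24 addresses are made up."""
import re


def build_query(text="", **filters):
    """Compose a Shodan query string: free text plus filter:value pairs
    (port, org, hostname, country, city, net, ...). Values containing spaces
    are double-quoted so the filter keeps the whole value."""
    parts = [text] if text else []
    for name, value in filters.items():
        value = str(value)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)


# Fingerprints taken from the talk: name, ports the banner is expected on,
# predicate over the banner text. The cisco-IOS rule encodes the
# '"cisco-ios" "last-modified"' search: an IOS web server that demands a
# login answers 401 with WWW-Authenticate instead of serving a page with
# Last-Modified, so a 200 + Last-Modified banner means no auth is set.
FINGERPRINTS = [
    ("polycom-command-shell", {23},
     lambda d: "Polycom Command Shell" in d),
    ("cisco-ios-http-noauth", {80, 8080},
     lambda d: re.match(r"HTTP/1\.[01] 200", d) is not None
     and re.search(r"^Server:\s*cisco-IOS", d, re.M | re.I) is not None
     and re.search(r"^Last-Modified:", d, re.M | re.I) is not None
     and re.search(r"^WWW-Authenticate:", d, re.M | re.I) is None),
    ("raw-print-port", {9100},
     lambda d: True),  # anything on 9100 accepts print jobs with no auth
    ("identifying-warning-banner", {22, 23},
     lambda d: re.search(r"\b(hotel|conference|bank)\b", d, re.I) is not None),
]


def classify(rec):
    """Names of the fingerprints that match one banner record."""
    return [name for name, ports, pred in FINGERPRINTS
            if rec["port"] in ports and pred(rec.get("data", ""))]


def host_key(rec):
    return (rec["ip_str"], rec["port"])


def triage(snapshot):
    """(ip, port) -> matched fingerprint names; records matching nothing are dropped."""
    hits = {}
    for rec in snapshot:
        names = classify(rec)
        if names:
            hits[host_key(rec)] = names
    return hits


def diff_snapshots(old, new):
    """Deltas between two pulls: services that appeared and services that went away."""
    old_keys = {host_key(r) for r in old}
    new_keys = {host_key(r) for r in new}
    return {"added": sorted(new_keys - old_keys),
            "removed": sorted(old_keys - new_keys)}


# Constructed sample pulls (not real Shodan output).
DAY1 = [
    {"ip_str": "192.0.2.10", "port": 23, "org": "Example Univ",
     "data": "Welcome to ViewStation\r\nPolycom Command Shell\r\n-> "},
    {"ip_str": "192.0.2.11", "port": 80, "org": "Example Univ",
     "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
             "Last-Modified: Mon, 04 Nov 2013 10:00:00 GMT\r\n"
             "Content-Type: text/html\r\n\r\n"},
    {"ip_str": "192.0.2.12", "port": 80, "org": "Example Univ",  # auth enforced
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
             "WWW-Authenticate: Basic realm=\"level_15_access\"\r\n\r\n"},
    {"ip_str": "192.0.2.13", "port": 9100, "org": "Example Univ",
     "data": "@PJL INFO ID\r\n\"Example LaserJet\"\r\n"},
]
DAY2 = [DAY1[0], DAY1[1], DAY1[3],
        {"ip_str": "192.0.2.14", "port": 23, "org": "Example Hotel",
         "data": "Example Hotel Miami conference router. Authorized use only.\r\n"
                 "User Access Verification\r\nPassword: "}]

if __name__ == "__main__":
    print(build_query("Polycom Command Shell", port=23, org="Example Univ"))
    for key, names in triage(DAY2).items():
        print(key, names)
    print(diff_snapshots(DAY1, DAY2))
```

In practice the two snapshots come from a saved API pull per day for your own netblocks (`net:` filter), so the `added` list is the daily work queue and a device in `removed` is either fixed or has changed address; the 401-answering router in the sample is deliberately left unmatched to show that the rule is about the missing challenge, not about the Server header alone.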
Who Is Talking About Shodan?
If Joe Lieberman is talking about Shodan, you must know what it is.
DHS ICS-CERT Shodan Advisories
● First issued October 2010
● Several updates & references since
10/25 DHS ICS-CERT Advisory
● Project SHINE: SHodan INtelligence Extraction
– Bob Radvanovsky & Jake Brodsky, infracritical / scadasec
● I provide volunteer research support, search terms, etc.
– Daily search feed to ICS-CERT
– 1,000,000+ "sensitive" systems so far, ~8K new devices daily
Keeping Perspective...
● Scanning is old news
– Attackers
● Constantly scanning you
● Shodan just made scanning more...
– Searchable + visible + accessible....without scanning yourself
– Legitimate research
● HD Moore's scanning project
– Hits select UDP ports of the entire Internet every 7 hours (.ru VPS)
● Academic researchers doing default-credential checks!
– Columbia, 2010 (Cui, Stolfo): 500K+ devices with default credentials
● Scans.io
– Repository of raw scan data
Research Findings
● Challenges
– Of finding and reporting scary things
● "Do no harm" ground rules, intent, curiosity, outcomes
● What to do? Who to tell? How to go about it?
● Perspectives
– "We will sue you" ↔ "Unethical" ↔ "Thank you" ↔ "No response"
– The invaluable value of the CERTs
● I would not do this without them as a resource. Period.
● Find bad stuff, write up a threat evaluation, send it to the CERTs
– Leave the devices alone
● Takes time, but mostly good results...mostly
● Exceptions...
S2 Security NetBox
● DefCon 2010 talk: "We don't need no stinkin' badges"
– Building door access controllers (web based)
– Multiple CVEs, complete compromise of the device; S2 Security threatened to sue me, blocked my Twitter follow...
– Real value of Shodan
● Proved they were not "deep inside the corporate network" (today 800+ exposed)
“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare”
– John Moss, CEO of S2 Security
VoIP Phones
● Lots of VoIP phones: individual, conference (esp. Polycom)
● Late 2010 I focused on Snom
– VOIPSA blog
● Remote tap scripts, call via the phone's web server, record, etc.
● Hard to find open Snom now – exposure works?!?!
No Auth Cisco Routers & Switches
● Search: "cisco-ios" "last-modified"
– 14,000+ devices with the HTTP server on and no authentication set
– Level 15 access via HTTP
● "ip http authentication local" would lock down the web server
● Creative attacks: bit.ly and tinyurl.com links with commands in the URL
No Auth Cisco Devices in Iran
● "School of Particles and Accelerators" in Tehran, Iran
– Hrmm...somebody might be interested in this?
Banners Bite Back
● Warning banners = easy fingerprinting
– When best practices...ain't
● Swisscom and hotel routers (1200+)
– Warning banner has company name and hotel location
– Telnet, no SSH. If they run their routers like this, what else?
● Swisscom Miami conference routers (7)
Open SMB (Small Business) Router Example
● Netopia with Telnet open, ready for setup (2500)
Telnet To Root On Linux Devices
● TVs, DVRs, home wifi/routers, phones, refrigerators
● Telnet to root, no auth!
● Botnets (Carna, Aidra)
WebCams
● Huge numbers, all kinds of uses
● Personal, office, business, security, SCADA
● See Dan Tentler's talks and code
– camcreep.py
● Auto screenshot via CLI
● wkhtmltoimage
“Watching the Watchers Watch”
Credit: Dan Tentler @viss
Printers on Public IP
● Technical risks
– MFP = multi-function printer (fax, scan, email, storage)
● Advanced research (Andrei Costin, Ph.D., Milan, Italy)
– Access docs, change configs, attack via printed document
● Risks
– Print from anywhere, web printing, run out of paper and ink
– Social engineering...but how bad could a printer be?
Printer Case Study: Penn State
One line of code: cat jerrys_favorite_kids.img | nc target_ip 9100
– Port 9100 is the raw (JetDirect) print port: whatever bytes arrive get printed, no authentication
Online Crematorium
● Siemens HMI: VNC with a 3-character default password, no-auth Telnet, MD5 passwords
● “pr0f” South Houston SCADA hack (11/2011)
Cisco Lawful Intercept
● Cisco routers with LI special code and SNMP community "public"
● "LI User" = level 16, super-duper Cisco admin level. Supposed to be invisible to any other user.
● Taps are supposed to use encrypted SNMPv3 for secure Mediation Device comms.
BlueCoat
● BlueCoat surveillance devices and human rights abuses
– Syria
● Tracking and interception of dissidents' communications
● From "chilling effect" to "killing effect"
– ITAR export violations
– Ethical questions, PR exposure
CacheTalk Safes
Econolite Traffic Light Controller
● Yes, it is what you think. Credit: Dan Tentler @viss
Red Light Enforcement Cameras
● Delete those pesky speeding tickets!
Embassy Devices
● Question: what's running telnet in country X with "embassy" in the name?
● Cuts both ways...
Serial to Ethernet Controllers
● Many of these are online
– Connected to anything that has a serial port
– Extra scary because you don't know what it controls
● HVAC, lab equipment, etc.
● Web, telnet, snmp
– Wide open
● Legacy
– BACnet
– "Hot-glued onto the motherboard"
Caterpillar VIMS
● Web-based remote monitoring (control?) over cell modem
● CAT 79X series = largest trucks in the world
● 80+ in Alberta, Canada (working the tar sands)
● Poor vendor response...lawyers, not engineers
75+ US TV Stations' Antennas
● TV station digital antenna controllers with no auth (telnet/http)
– Remote sites, air-to-ground data links, marketed to MIL, LEO, broadcasters
– On the wire looks like a home NAS or DVR (embedded Windows)
● Multi-step search technique to find them
– (1) Shodan (2) scan for the device's unique port
– Sent DHS ICS-CERT a report of the issues, IPs, geolocation, FCC info
● Major broadcast network with "C" in its acronym
● Asset owner: "We'll take care of this after the election"
● Vendor: "Should be deep in corporate network"
● None have been secured as of today....
Gas Station Pumps
● 600+ in Turkey
– Reported to Turkish CERT
– Posted search & vendor doc to my Twitter feed
● Can be unattended gas stations, fully automated
Wrapping up
● Register for a free Shodan account
● Email John Matherly for moar access
● Read up on Shodan
– Wikipedia
– Shodan web site (help, filters, references)
● Understand tool integration and new tools
– Metasploit, Stach & Liu Diggity, Shi0San, etc.
● Be smart. Be responsible. Tell it like it is.