SHODAN Computer Search Engine
University of Florida, 5 November 2013
Shawn Merdinger, Security Analyst, HealthNet / UF Health

Outline
- Shodan
- High-level technical overview
- Research findings
Shodan Computer Search Engine
- John Matherly, US based, public since late 2009
- Search engine for service banners of pre-scanned devices that are reachable from the public Internet
- Somewhat controversial: major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming it as a threat
- It is a tool: utility and outcome depend on use and intent
Shodan Scans
Shodan's scanning process
- Shodan servers scan the Internet
- Scan results are placed in a DB
- Users search Shodan
Services: web, telnet, snmp, ftp, mysql, rdp, etc.
Ports: 80, 8080, 443, 161, 21, 23, 3389, etc.
Web interface or API
- Filters: free text, port, org, hostname, country, city, CIDR, etc.
Advanced integration
- Metasploit modules (hat tip to John Sawyer :)
- ExploitDB, analysis with Maltego, geolocation mapping
How We Use Shodan at UF & Shands
- Currently looking for low-hanging fruit: printers on public IP, open Telnet, Polycom Command Shell
- Lots of ways to leverage more: automation & deltas, application-level searches
- Limitation: external IP only
- Still worth it
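The "automation & deltas" idea on this slide is the part most worth turning into working code. The following is an added example, not code from the talk or from Shodan: it takes two result sets for the same query (the record fields mirror Shodan's per-match API fields ip_str, port, transport, org and data; every address and banner below is constructed), reports what appeared, disappeared or changed since the last run, and flags the new services that fall into the low-hanging-fruit categories named above. The query string in the comment and the organization name are placeholders.

```python
"""Exposure deltas over Shodan-style search results (added example).

Each record mirrors the per-match fields of Shodan's API (ip_str, port,
transport, org, data); every value below is constructed, not a real host.
The point from the slide is automation and deltas: run the same queries
for your own address space on a schedule, keep the last result set, and
alert only on new, removed or changed services.
"""

# Constructed result set from a hypothetical earlier run. In practice it
# would be the 'matches' list returned by a saved API query such as
# shodan.Shodan(API_KEY).search('org:"Example University"') (placeholder).
PREVIOUS = [
    {"ip_str": "198.51.100.10", "port": 23, "transport": "tcp", "org": "Example University",
     "data": "\r\nPolycom Command Shell\r\nPassword: "},
    {"ip_str": "198.51.100.20", "port": 9100, "transport": "tcp", "org": "Example University",
     "data": "@PJL INFO ID\r\n"},
    {"ip_str": "198.51.100.30", "port": 80, "transport": "tcp", "org": "Example University",
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
             "WWW-Authenticate: Basic realm=\"level_15_access\"\r\n\r\n"},
]

# Constructed result set from the current run: one printer is gone, a new
# printer and a new Polycom phone appeared, and the router's web server no
# longer asks for credentials (same service, different banner).
CURRENT = [
    {"ip_str": "198.51.100.10", "port": 23, "transport": "tcp", "org": "Example University",
     "data": "\r\nPolycom Command Shell\r\nPassword: "},
    {"ip_str": "198.51.100.30", "port": 80, "transport": "tcp", "org": "Example University",
     "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
             "Last-Modified: Tue, 05 Nov 2013 12:00:00 GMT\r\n\r\n"},
    {"ip_str": "198.51.100.40", "port": 9100, "transport": "tcp", "org": "Example University",
     "data": "@PJL INFO ID\r\n"},
    {"ip_str": "198.51.100.50", "port": 23, "transport": "tcp", "org": "Example University",
     "data": "\r\nPolycom Command Shell\r\nPassword: "},
]

# Low-hanging fruit named on the slide, keyed by port. The Polycom case is
# matched on banner text instead, because it can sit on any telnet port.
LOW_HANGING = {23: "telnet open", 9100: "printer on public IP (raw 9100)"}


def service_key(match):
    """Identity of one exposed service: address, port and transport."""
    return (match["ip_str"], match["port"], match.get("transport", "tcp"))


def diff_snapshots(previous, current):
    """Return new, removed and changed services between two result sets.
    'changed' means the service is still there but its banner differs,
    which is how a config regression (e.g. auth removed) shows up."""
    prev = {service_key(m): m for m in previous}
    curr = {service_key(m): m for m in current}
    return {
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "removed": [prev[k] for k in sorted(prev.keys() - curr.keys())],
        "changed": [curr[k] for k in sorted(curr.keys() & prev.keys())
                    if curr[k]["data"] != prev[k]["data"]],
    }


def triage_new(delta):
    """(ip, port, reason) for newly seen services in the slide's categories."""
    findings = []
    for m in delta["new"]:
        reason = LOW_HANGING.get(m["port"])
        if "Polycom Command Shell" in m["data"]:
            reason = "Polycom Command Shell exposed"
        if reason:
            findings.append((m["ip_str"], m["port"], reason))
    return findings


def report(previous, current):
    """Plain-text summary suitable for a daily mail to the security team."""
    delta = diff_snapshots(previous, current)
    lines = [f"new={len(delta['new'])} removed={len(delta['removed'])} "
             f"changed={len(delta['changed'])}"]
    for ip, port, reason in triage_new(delta):
        lines.append(f"NEW      {ip}:{port}  {reason}")
    for m in delta["changed"]:
        lines.append(f"CHANGED  {m['ip_str']}:{m['port']}  banner differs from last run, review")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PREVIOUS, CURRENT))
```

Keying on (ip, port, transport) rather than on the whole record is deliberate: it keeps a device that merely changed its banner in the "changed" bucket instead of reporting it as one removal plus one addition, and it is the "changed" bucket that catches the quiet regressions (a router whose web server stopped asking for a password) that a count of hits never shows.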
Who Is Talking About Shodan? If Joe Lieberman is talking about Shodan, you must know what it is.
DHS ICS-CERT Shodan Advisories
- First issued October 2010
- Several updates & references since

10/25 DHS ICS-CERT Advisory: Project SHINE (SHodan INtelligence Extraction)
- Bob Radvanovsky & Jake Brodsky, infracritical / scadasec
- I provide volunteer research support, search terms, etc.
- Daily search feed to ICS-CERT
- +1,000,000 sensitive systems so far, 8K new devices daily
Keeping Perspective...
- Scanning is old news; attackers are constantly scanning you
- Shodan just made scanning more searchable + visible + accessible... without scanning
- Legitimate research
  - HD Moore's scanning project
  - Academic researchers doing default credential checks!
  - HOT --> hits select UDP ports of the entire Internet every 7 hours from a .ru VPS
  - Columbia, 2010 (Cui, Stolfo): +500K devices with default credentials
  - Scans.io: repository of raw scan data
Research Findings: Challenges
- Of finding and reporting scary things
- Do no harm: ground rules, intent, curiosity, outcomes
- What to do? Who to tell? How to go about it?
Perspectives (responses received)
- "We will sue you"
- "Unethical"
- "Thank you"
- No response
The invaluable value of the CERTs
- I would not do this without them as a resource. Period.
- Find bad stuff, write up a threat evaluation, send it to the CERTs, leave them alone
- Takes time, but mostly good results... mostly. Exceptions...
S2 Security NetBox
- DefCon 2010 talk: "We don't need no stinkin' badges"
- Building door access controllers (web based)
- Multiple CVEs, complete compromise of device
- S2 Security vendor threatened to sue me, blocked my Twitter follow...
- Real value of Shodan: proved the devices are not deep inside corporate networks (today 800+)
- "When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare." John Moss, CEO of S2 Security
VoIP Phones
- Lots of VoIP phones: individual, conference (esp. Polycom)
- Late 2010 I focused on Snom: VOIPSA blog, Remote Tap scripts, call via phone web server, record, etc.
- Hard to find open Snom now. Exposure works?!?!
No Auth Cisco Routers & Switches
- Search: "cisco-ios" "last-modified"
- 14,000+ devices with HTTP and no authentication set
- Level 15 access via HTTP
- `ip http authentication local` would lock down the web server
- Creative attacks: bit.ly and tinyurl.com w/ commands
No Auth Cisco Devices in Iran School of Particles and Accelerators in Tehran, Iran Hrmm...might be interested in this?
Banners Bite Back
- Warning banners = easy fingerprinting
- When best practices... ain't
- Swisscom and hotel routers (1200+): warning banner has company name and hotel location
- Telnet. No SSH.
- If they run their routers like this, what else?
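The Cisco slide and this one both come down to reading banners, so one added example (my code, not the talk's or Shodan's) covers both: a check for an IOS web server that answers without demanding credentials, which is the observation behind the search "cisco-ios" "last-modified" (a server with authentication configured answers 401 with a WWW-Authenticate header, one without answers 200 and includes Last-Modified), and a check for login banners that disclose the owner and site. The records mirror Shodan's ip_str/port/data fields, every banner is constructed, and the identifying terms list is a placeholder for the company, site and city names an asset owner would maintain for their own estate.

```python
"""Banner triage for Shodan-style records (added example).

Checks two things the slides describe: (1) an IOS HTTP server that serves
pages without asking for credentials, and (2) a login banner that leaks who
owns the device and where it sits. All banners below are constructed.
"""
import re

# Terms an asset owner would list for their own estate (placeholder values).
IDENTIFYING_TERMS = ["Example Telecom", "Grand Example Hotel", "Miami"]

# Constructed records in the shape of Shodan API matches.
RECORDS = [
    {"ip_str": "192.0.2.1", "port": 80,  # IOS web server, no auth configured
     "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
             "Last-Modified: Tue, 05 Nov 2013 12:00:00 GMT\r\n\r\n<html>level_15</html>"},
    {"ip_str": "192.0.2.2", "port": 80,  # IOS web server that asks for a login
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
             "WWW-Authenticate: Basic realm=\"level_15_access\"\r\n\r\n"},
    {"ip_str": "192.0.2.3", "port": 23,  # telnet banner naming company, hotel and city
     "data": "\r\nExample Telecom - Grand Example Hotel, Miami conference network\r\n"
             "Unauthorized access prohibited\r\nUser Access Verification\r\nPassword: "},
    {"ip_str": "192.0.2.4", "port": 80,  # ordinary web server, not in scope
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
             "Last-Modified: Tue, 05 Nov 2013 12:00:00 GMT\r\n\r\n"},
]


def cisco_http_unauthenticated(banner):
    """True when an HTTP banner identifies cisco-IOS and served content
    (200 with Last-Modified) instead of challenging for credentials (401
    with WWW-Authenticate)."""
    head = banner.split("\r\n\r\n", 1)[0]
    lower = head.lower()
    if "cisco-ios" not in lower:
        return False
    status_line = head.split("\r\n", 1)[0]
    return (status_line.startswith("HTTP/") and " 200" in status_line
            and "www-authenticate:" not in lower and "last-modified:" in lower)


def banner_leaks(banner, identifying_terms):
    """Identifying terms (company, site, city names) found in a banner as
    whole words, case-insensitively, in the order the list gives them."""
    return [t for t in identifying_terms
            if re.search(r"\b" + re.escape(t) + r"\b", banner, re.IGNORECASE)]


def triage(records, identifying_terms):
    """(ip, finding) pairs for every record that trips one of the checks."""
    findings = []
    for r in records:
        if r["port"] in (80, 8080, 443) and cisco_http_unauthenticated(r["data"]):
            findings.append((r["ip_str"], "IOS web server answers without authentication; "
                             "set 'ip http authentication local' or disable the web server"))
        leaks = banner_leaks(r["data"], identifying_terms)
        if leaks:
            findings.append((r["ip_str"], "banner discloses " + ", ".join(leaks)))
        if r["port"] == 23:
            findings.append((r["ip_str"], "telnet management exposed; use SSH and restrict source addresses"))
    return findings


if __name__ == "__main__":
    for ip, finding in triage(RECORDS, IDENTIFYING_TERMS):
        print(f"{ip}: {finding}")
```

The 401/200 distinction is the whole check: the search term "last-modified" works only because an IOS server that wants a password never gets as far as sending a page with that header. Keeping the org and site names in a list the owner controls, rather than guessing at them, is what makes the disclosure check usable as a recurring control rather than a one-off.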
Banners Bite Back Swisscom Miami Conference Routers (7)
Open SMB Router Example
- Netopia with Telnet open, ready for setup (2500)

Telnet To Root On Linux Devices
- TVs, DVRs, home wifi/routers, phones, refrigerators
- Telnet to root, no auth!
- Botnets (Carna, Aidra)

WebCams
- Huge numbers, all kinds of uses: personal, office, business, security, SCADA
- See Dan Tentler's talks and code: Camcreep.py
- Auto screenshot via CLI: wkhtmltoimage
Watching the Watchers Watch Credit: Dan Tentler @viss
Printers on Public IP
Technical risks
- Advanced research (Andrei Costin, Ph.D., Milan, Italy)
- MFP = multi-function printer (fax, scan, email, storage)
- Access docs, change configs, attack via printed document
Risks
- Print from anywhere, web printing, run out of paper and ink
- Social engineering... but how bad could a printer be?

Printer Case Study: Penn State
- One line of code: `cat jerrys_favorite_kids.img | nc target_ip 9100`
Online Crematorium
- Siemens HMI
- VNC: 3-char default pass, no auth
- Telnet, MD5 passwords
- pr0f South Houston SCADA hack (11/2011)

Cisco Lawful Intercept
- Cisco routers with LI special code and SNMP community "public"
- LI user = level 16, super-duper Cisco admin level; supposed to be invisible to any other user
- Taps are supposed to use encrypted SNMPv3 for secure Mediation Device comms

BlueCoat
- BlueCoat surveillance devices and human rights abuses
- Syria: tracking and interception of dissidents' communications
- From chilling effect to killing effect
- ITAR export violations
- Ethical questions, PR exposure
CacheTalk Safes
Econolite Traffic Light Controller Yes, it is what you think. Credit: Dan Tentler @viss
Red Light Enforcement Cameras Delete those pesky speeding tickets!
Embassy Devices Question: What's running telnet in country X with embassy in name? Cuts both ways...
Serial to Ethernet Controllers
- Many of these are online
- Connected to anything that has a serial port: HVAC, lab stuff, etc.
- Extra scary because you don't know what it controls
- Web, telnet, snmp wide open
- Legacy BACnet hot-glued onto the MB

Caterpillar VIMS
- Web-based remote monitoring (control?) over cell modem
- CAT 79X series = largest trucks in the world
- 80+ in Alberta, Canada (working the tar sands)
- Poor vendor response... lawyers, not engineers
75+ US TV Stations' Antennas
- TV station digital antenna controllers w/ no auth (telnet/http)
- Remote sites, air-to-ground data links, marketed to MIL, LEO, broadcasters
- On the wire looks like a home NAS or DVR (embedded Windows)
- Multi-step search technique to find: (1) Shodan (2) scan for unique port
- Sent DHS ICS-CERT report of issues, IP, geolocation, FCC info
- Major broadcast network with C in acronym name
- Asset owner: "We'll take care of this after the election"
- Vendor: "Should be deep in corporate network"
- None have been secured as of today...
Gas Station Pumps
- 600+ in Turkey
- Reported to Turkish CERT
- Posted search & vendor doc to my Twitter feed
- Can be unattended gas stations, fully automated
Wrapping up
- Register for a free Shodan account
- Email John Matherly for moar access
- Read up on Shodan: Wikipedia, Shodan web site (help, filters, references)
- Understand tool integration and new tools: Metasploit, Stach & Liu Diggity, Shi0San, etc.
- Be smart. Be responsible. Tell it like it is.

Thanks!
Contact: Email shawnmer@ufl.edu, Twitter @shawnmer, LinkedIn, MedSec