Having just left the OWASP Cambridge, BCS Cybercrime IoT & ICS/SCADA Forensics Workshop and been astounded that there are IT and OT ‘people’ out there who have not heard of Shodan I thouht it might be worth putting pen to paper on the subject of device and vulnerability search engines.
What is Shodan?
Shodan is “the world’s first search engine for Internet-connected devices”. It is a tool for searching for devices, instead of indexing web content like Google it indexes banner information. Banner information is provided by a server and can include information on the OS, the application, the IP address, location, hosting service, ISP, and ports that the device is using and a whole lot more.
How is that useful?
Well suppose you want to find all the Westermo devices connected to the Internet because they manufacture industrial data communications products. If you use Google you get ~156,000 hits which are web pages with Westermo in the metadata. Using Shodan you get the IP addresses of the ~4,500 Westermo devices, because the banner contains the text ‘Westermo’:
Still not sure how that is useful
Well, if you were ‘up to no good’ you could now try and log into those devices and thus gain access to someone else’s network – maybe an industrial control network connected to Critical National Infrastructure. I only use Westermo as that is a search that I have performed for a client. It is not the manufacturers fault that these devices are visible on the Internet, people fail to secure their networks. There are dozens of stories of web cams being hijacked because consumers do not change the default username and password and have insecure home networks. In October 2016 the Mirai botnet that impacted Dyn, Spotify, Twitter and Netflix, amongst others, leveraged the Internet of Things and the abysmal security, or lack of, that plagues these devices.
How long has this ‘tool’ be available?
Wikipedia has the ‘Launched’ date for Shodan as 2009. Having used Googles custom filters we see posts from Def Con in February 2010 referring to Shodan as a tool for Black/gray/white box testing, Ethical hacking, Security auditing, Vulnerability assessment, Standards compliance and Training. By October 2010 ICS-CERT had issued an Alert warning of ‘Control System Internet Accessibility’ and describing how Shodan is being used by researchers to ‘discover Internet facing SCADA systems using potentially insecure mechanisms for authentication and authorization’.
Tell me more please.
I am not going to insult your intelligence and describe here how to use Shodan, you could purchase the guide for $1 or there are a thousand other websites that will do that. What I am going to do though is introduce you to four device and vulnerability search engines that I use.
The original but maybe not the best. Interestingly Shodan uses its own port scanner as opposed to Nmap, ZMap or ZGrab, which is what Censys uses. You will need to register, for free, to use filters, which are a requirement otherwise it is a very blunt tool. To really leverage the potential of Shodan the $49 lifetime membership is a steal, but be aware that you will need to then buy Export, Query and Scan credits. There is a very good API that allows you to develop scripts and really get some great results. Additionally it not all Evil and Black Hat hackers, Shodan has been used for good and it is possible for researchers to identify Malware Command and Control servers. I find it hard to understand why the law enforcement authorities not do the same and shut them down?
Lastly cast your mind back to the start of this piece, Shodan uses the banner information. Banners can be modified, spoofed and faked. As we will see in a post I am working on for social engineering using Telnet to send unauthorised spoof emails from unauthenticated accounts, changing the banner is wise if you run a server of any kind.
An academic project that started in 2015. There is no cost to get full access, however they do throttle the data access and rates to prevent abuse. If you are a ‘genuine’ researcher you can contact them to get special access. As noted above Censys uses Zmap and Zgrab to index the Internet. There is a nice API that allows you to use Python to script searches and thus get really good results. The WhoIs tab on the results is useful, though you do have to be logged in to access this feature. It is worth noting that the syntax of the query differs from that of Shodan.
A command line tool written in Ruby that may be of interest. It requires the import of API keys for both tools to get the best results through the use of filters. Shocens written by the developer to solve his own problem. I have used it but personally I write my own Python scripts to get the results I am looking for.
One might think that, given the name, Shocens performs concurrent searches on Shodan and Censys and gives a combined output. That idea would be an interesting project but would requires some work around the API syntax. Should anyone want such a tool I code for a fee!
The third of my ‘go to’ tools, and in my opinion the most powerful. Zoomeye is developed by a Chinese security firm, therefore use it with care. It always takes a long time to load the initial page – is that because its doing something naughty? No idea but I ALWAYS run Zoomeye in a VM sandbox just in case. It has a great tab in the results area: ‘Vulnerability’. This allows the user to see what known vulnerabilities are applicable to the servers in the results area. This vulnerability information is as a result of the developers using WMAP for their indexing. The drill down will eventually take you to the National Vulnerability Database where they helpfully publish details on how to exploit the majority of the vulnerabilities. The search syntax is simple and once you have performed a simple search there are filters on the left that allow you to really drill down to specifics without having to know the minutia of the syntax. Again it has a nice API so you can really get some good results.
More of a physical intelligence gathering tool, this consolidates location and information of wireless networks world-wide to a central database. It has desktop and web applications that can map, query and update the database via the web. Use it before visiting a client to determine if they are broadcasting their SSID and if it is mapped. If they are that is a nice opener for discussions. I am well aware that there are tools that will expose hidden SSID’s. However if you talk to clients about their Wi-Fi SSID being on a publicly accessible map it gets their attention.