Presentation transcript (Maxine Major, December 12, 2013)

1 Maxine Major, December 12, 2013

2
- What is Shodan?
- How it Works
- A Tour of Shodan
- What Shodan Finds
- Similar Searches

3
- Search engine: http://www.shodanhq.com/
- Finds anything connected to the internet
- Named after the AI in System Shock 2 (1999): “Sentient Hyper-Optimized Data Access Network”
- Developed by John Matherly
- Went live in 2009
- Currently indexes over 500 million connected devices monthly
- 10,000 Industrial Control Systems

4
- Web search engines index websites
- Shodan indexes metadata and banners
  - Port 21/TCP (FTP)
  - Port 22/TCP (SSH)
  - Port 23/TCP (Telnet)
  - Port 80/TCP (HTTP)
- “Tell me what you can tell me about yourself.”

5
- Publicly available data
- “Public” in that it is unprotected
- “Once that data is made public…it’s unclear whether it’s still protected by data security laws.” – John Matherly

6–10 (image slides, no transcript text)

11 Search Filters

Filter     Example query
city       apache city:"Zürich"
country    nginx country:DE
geo        apache geo:42.9693,-74.1224
hostname   "Server: gws" hostname:google
net        net:216.219.143.0/24
os         microsoft-iis os:"windows 2003"
port       21 (FTP), 22 (SSH), 23 (Telnet)

12
- Shodan API: integrate Shodan into your own software
- Scanhub: make your own search engine built off nmap scans
- Add Shodan to browser search engines
- Note: scans through Shodan are not real-time; they are produced from a crawler database

13
- 144 million web servers on Shodan
- Microsoft’s IIS runs 8.5 million web servers
- Allegro Software’s RomPager: 22 million servers
  - OEM embedded web server
  - Routers, switches, printers, etc.

14 Breakdown of Port Distribution (2012)

15
- Cameras (webcams, security cameras, home security systems)
- Printers
- Refrigerators
- Caterpillar tractor control panels
- Medical devices
- Car washes
- Hospital fetal monitoring
- Critical infrastructure (water, sewage, dams, ...)
- Automobile assembly lines
- High school lighting systems
- HVAC
- Power dam
- Baby monitors
- Traffic control systems

16
- Baby monitors
- August 2013: baby monitor hacked
- Marc Gilbert heard voices from his 2-year-old’s room
- Verbal abuse came from a networked baby monitor
- Foscam video/two-way audio camera
- Default username “admin”
- A new user account, “Root”, had been added
- Shodan was likely used to discover the monitor

17 (image slide, no transcript text)

18 Elementary School Heating System

19 Caterpillar controls

20 Webcams & Security Systems

21 Swimming pool acid pump; Traffic control system

22 Wind turbines; Heart monitors

23 Security guards; Car washes

24
- Not all systems found are legitimate
- Demos
- Honeypots

25
- Trend Micro created a web-based simulation of an industrial control system (ICS)
  - Water pump facility
  - Water pump supervisory control
  - SCADA network
- Purpose: to measure attacks on real-world systems
- Targeted 17 times in 4 months
  - 12 attempts to shut down the water pump
  - 5 attempts to modify the pump process
- Attacks came via Google and Shodan

26
- Security researcher Eireann Leverett developed a tool to match ICSs found on Shodan to known vulnerabilities (2011)
- Intent: to “allow defenders to assess their attack surface and prioritise the required interventions in a timely manner”
- Can also be used for auditing
- Research funded by BP

27
- VxWorks: platform developed by Wind River Systems (Intel)
- WDB agent: system-level debugger on UDP port 17185
- (2010) A Rapid7 developer wrote a Metasploit scanner module to scan for WDB
- Surveyed over 3.1 billion IP addresses
- Discovered 250,000+ systems with the WDB agent exposed
- Discovered a massive scan in 2006 by an unknown party

28
- Universal Plug and Play (UPnP)
- UPnP Simple Object Access Protocol (SOAP)
- 2013 Rapid7 white paper: “UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012.”
- 81 million unique IPs responded
- 20% exposed the SOAP API
- Vulnerable to a single UDP packet for remote code execution

29
- Internet Census 2012 (by the “Carna Botnet”)
- Started as a joke: telnet login root:root on random IPs
- Binary uploaded to insecure devices
  - Watchdog with lowest priority
  - Scanned port 23 (Telnet) on IPv4
  - Stopped after a few days; included a README
- Binary ran on 420,000 devices
- 20% of unprotected devices found
- 1.2 million unique unprotected devices identified by MAC
- Most common unprotected device is the router

30
- Internet Census 2012
- Ignored:
  - IPv6
  - Devices without ifconfig
  - Devices without a shell
  - 100k MIPS 4kce (embedded systems/game consoles)
- Encountered the Aidra botnet (malicious)

31 Standard security practices
- Restrict public-facing servers and devices
- Use a VPN or IP filters for external access (e.g., an employee working from home wants to use the company printer)
- Always change default passwords
- Suppress/minimize verbose banners
- Test Shodan on your own devices
- Shodan may not find you if you are not already indexed (esecurityplanet.com)

32
- Shodan is the first search engine of its kind.
- It is possible and likely that other search engines could be more powerful.
- How long before society becomes aware of what makes something findable?
- We need to rewire how people think about connected devices.
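A defender's self-audit of the banners slide 4 says Shodan indexes, following slide 31's advice to suppress verbose banners and to test your own devices, added here as an example and not part of the presentation. It runs over constructed banners embedded in the script rather than live hosts; the TEST-NET addresses, the regexes and the Finding type are my own assumptions about what a crawler stores.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Banners constructed for this example (TEST-NET addresses, not real hosts);
# they imitate what a crawler stores for the four ports named on slide 4.
SAMPLE_BANNERS: Dict[Tuple[str, int], str] = {
    ("203.0.113.10", 21): "220 (vsFTPd 2.3.4)",
    ("203.0.113.10", 22): "SSH-2.0-OpenSSH_5.3",
    ("203.0.113.11", 23): "\r\nlogin: ",
    ("203.0.113.12", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n\r\n",
    ("203.0.113.13", 80): "HTTP/1.0 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n\r\n",
    ("203.0.113.14", 80): "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",  # what "ServerTokens Prod" yields
}

# Where each service names its product and version inside the banner.
PATTERNS = {
    21: re.compile(r"([A-Za-z][A-Za-z-]*)\s*v?(\d+(?:\.\d+)+)"),          # "220 (vsFTPd 2.3.4)"
    22: re.compile(r"^SSH-[\d.]+-([A-Za-z]+)[_/ ]?(\d+(?:\.\d+)*\w*)?"),  # "SSH-2.0-OpenSSH_5.3"
    80: re.compile(r"^Server:\s*([A-Za-z][\w.-]*)(?:/(\S+))?", re.M),     # "Server: Apache/2.2.15"
}

@dataclass
class Finding:
    host: str
    port: int
    product: Optional[str] = None   # software named in the banner, if any
    version: Optional[str] = None   # version string, if disclosed
    issues: List[str] = field(default_factory=list)

def audit_banner(host: str, port: int, banner: str) -> Finding:
    """Report what one banner tells an indexer, flagging the points slide 31 makes."""
    f = Finding(host, port)
    pat = PATTERNS.get(port)
    m = pat.search(banner) if pat else None
    if m:
        f.product, f.version = m.group(1), m.group(2)
    if port == 23:
        f.issues.append("telnet exposed: cleartext login prompt is indexed")
    if f.version:
        f.issues.append(f"version disclosed: {f.product} {f.version}")
    if f.product and f.product.lower() == "rompager":
        f.issues.append("OEM embedded web server (router/printer class device) reachable")
    return f

def audit_all(banners: Dict[Tuple[str, int], str] = SAMPLE_BANNERS) -> List[Finding]:
    """Audit every stored banner; this list is what you would compare against Shodan's view."""
    return [audit_banner(h, p, b) for (h, p), b in banners.items()]

if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.host}:{f.port} {f.product or '-'} {f.version or '-'} -> "
              + ("; ".join(f.issues) or "nothing disclosed"))
```

The last Apache banner shows the target state: a product name with no version, which is all an indexer then learns.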

33 Sources
- http://www.wired.com/images_blogs/threatlevel/2012/01/2011-Leverett-industrial.pdf
- http://www.shodanhq.com/
- http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-the-internet/
- https://community.rapid7.com/docs/DOC-2150
- https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
- http://internetcensus2012.bitbucket.org/paper.html
- http://en.wikipedia.org/wiki/MIPS_architecture#Microarchitectures_based_on_the_MIPS_instruction_set
- https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers
- https://speakerdeck.com/hdm/derbycon-2012-the-wild-west
- http://www.us-cert.gov/ncas/alerts/TA13-175A
- http://www.shodanhq.com/help/filters
- http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
- http://www.allegrosoft.com/embedded-web-server-s2?utm_expid=16278828-3.XjShHBhqQ1OFjzbnYYNwdA.1&utm_referrer=https%3A%2F%2Fwww.google.com%2F
- http://www.networkworld.com/news/2013/031513-scada-honeypot-267740.html
- http://www.esecurityplanet.com/network-security/5-tips-to-protect-networks-against-shodan-searches.html
- http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
- http://userserve-ak.last.fm/serve/_/86825487/System+Shock+2+cover.png
- http://money.cnn.com/gallery/technology/security/2013/05/01/shodan-most-dangerous-internet-searches/index.html
- http://www.qmed.com/news/shodan-potential-nightmare-medical-device-users
- http://www.slideshare.net/Shakacon/dan-tentler
- http://secanalysis.com/a-brief-analysis-of-shodan/
- http://siliconangle.com/blog/2013/06/26/how-shodan-searches-for-holes-in-the-internet-of-things/
- http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf
