
Maxine Major December 12, 2013.  What is Shodan?  How it Works  A Tour of Shodan  What Shodan Finds  Similar Searches.


1 Maxine Major December 12, 2013

2  What is Shodan?  How it Works  A Tour of Shodan  What Shodan Finds  Similar Searches

3  Search engine  Finds anything connected to the internet, not just websites  Named after SHODAN, the AI in System Shock 2 (1999): "Sentient Hyper-Optimized Data Access Network"  Developed by John Matherly; went live in 2009  Currently indexes over 500 million connected devices monthly  Roughly 10,000 of them are Industrial Control Systems

4  Web search engines index website content; Shodan indexes service banners and metadata (IP, port, hostname, location)  Port 21/TCP (FTP)  Port 22/TCP (SSH)  Port 23/TCP (Telnet)  Port 80/TCP (HTTP)  The crawler connects to each port and records whatever the service volunteers, in effect asking: "Tell me what you can tell me about yourself."

5  Publicly available data  "Public" in that it is unprotected  "Once that data is made public…it's unclear whether it's still protected by data security laws." – John Matherly


11  Search Filters (filter, then example query)
 city       apache city:"Zürich"
 country    nginx country:DE
 geo        apache geo: ,
 hostname   "Server: gws" hostname:google
 net        net: /24
 os         microsoft-iis os:"windows 2003"
 port       21 (FTP), 22 (SSH), 23 (Telnet)
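The banner indexing described on slide 4 and the filter syntax on slide 11, as an added example (this is not code from the slides or from Shodan itself). parse_product() pulls a product string out of an FTP, SSH or HTTP banner the way an indexer would; query() implements a subset of the search syntax from the table above (free text matches the banner, filter:value terms match record fields). The records in SAMPLE are constructed: the addresses are from documentation ranges and the hostnames are made up.

```python
"""Banner parsing and Shodan-style filtering over a small constructed index."""
import ipaddress
import re
import shlex
import socket
from dataclasses import dataclass, field


def parse_product(port, banner):
    """Extract a product string from a raw banner (FTP, SSH, HTTP handled explicitly)."""
    first = banner.splitlines()[0] if banner else ""
    if banner.startswith("SSH-"):
        # RFC 4253: SSH-protoversion-softwareversion [SP comments]
        return first.split("-", 2)[2].split(" ", 1)[0]
    if banner.startswith("HTTP/"):
        m = re.search(r"^Server:\s*(.+?)\r?$", banner, re.M | re.I)
        return m.group(1).strip() if m else ""
    if port == 21 and first.startswith("220"):
        return first[4:].strip()          # FTP greeting: "220 <text>"
    return first


def grab_banner(host, port, timeout=3.0, probe=None):
    """Connect, optionally send a probe (e.g. an HTTP HEAD), return what the service says.
    Live network call; the offline demo below uses constructed records instead."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(4096).decode("latin-1", "replace")
        except socket.timeout:
            return ""


@dataclass
class Record:
    ip: str
    port: int
    banner: str
    hostname: str = ""
    city: str = ""
    country: str = ""
    os: str = ""
    product: str = field(init=False, default="")

    def __post_init__(self):
        self.product = parse_product(self.port, self.banner)


FILTERS = {"port", "city", "country", "hostname", "os", "net"}


def query(records, q):
    """AND of all terms: filter:value terms match fields, other terms match the banner."""
    out = []
    for r in records:
        ok = True
        for term in shlex.split(q):           # shlex keeps city:"Zürich" as one term
            key, _, value = term.partition(":")
            if _ and key in FILTERS:
                if key == "port":
                    ok = r.port == int(value)
                elif key == "net":
                    ok = ipaddress.ip_address(r.ip) in ipaddress.ip_network(value, strict=False)
                elif key == "hostname":
                    ok = value.lower() in r.hostname.lower()
                else:
                    ok = getattr(r, key).lower() == value.lower()
            else:
                ok = term.lower() in r.banner.lower()
            if not ok:
                break
        if ok:
            out.append(r)
    return out


# Constructed sample index (documentation address ranges, made-up hostnames).
SAMPLE = [
    Record("203.0.113.10", 80,
           "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\nContent-Type: text/html\r\n\r\n",
           hostname="www.example.ch", city="Zürich", country="CH", os="Linux"),
    Record("203.0.113.11", 22, "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
           hostname="gw.example.ch", city="Zürich", country="CH", os="Linux"),
    Record("198.51.100.5", 80,
           "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
           hostname="intranet.example.de", city="Berlin", country="DE", os="Windows 2003"),
    Record("198.51.100.6", 80,
           "HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\nWWW-Authenticate: Basic realm=\"Router\"\r\n\r\n",
           country="DE"),
    Record("192.0.2.20", 21, "220 ProFTPD 1.3.3 Server ready.\r\n",
           hostname="ftp.example.com", city="Austin", country="US", os="Linux"),
]

if __name__ == "__main__":
    for q in ['apache city:"Zürich"', 'microsoft-iis os:"windows 2003"', "net:198.51.100.0/24"]:
        print(q, "->", [(r.ip, r.port, r.product) for r in query(SAMPLE, q)])
```

The version strings surface immediately, which is the point of slide 31's advice to minimise banners: an indexer needs no exploit to learn that a host runs IIS 6.0 or an old RomPager, only the text the service hands out.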

12  Shodan API  Integrate Shodan queries into your own software  Scanhub  Build your own searchable index from your own nmap scan results  Add Shodan to your browser's search engines  Note: results are not real-time; they come from the crawler's database, so a device appears only after the crawler has reached it.

13  144 million web servers on Shodan  Microsoft's IIS: 8.5 million web servers  Allegro Software's RomPager: 22 million servers  RomPager is an OEM embedded web server, the management interface of routers, switches, printers, etc.

14 Breakdown of Port Distribution (2012)

15  Cameras: webcams, security cameras, home security systems  Printers  Refrigerators  Caterpillar tractor control panels  Medical devices: hospital fetal monitoring, heart monitors  Car washes  Critical infrastructure (water, sewage, dams, power)  Automobile assembly lines  High school lighting systems  HVAC  Baby monitors  Traffic control systems

16  Baby Monitors  August 2013: baby monitor hacked  Marc Gilbert heard a stranger's voice from his 2-year-old's room  Verbal abuse through the networked baby monitor  Foscam video camera with two-way audio  Default username "admin"  A new user account named "Root" had been added to the camera  Shodan was likely used to discover the monitor

18  Elementary School Heating System

19  Caterpillar controls

20  Webcams & Security Systems

21  Swimming pool acid pump  Traffic control system

22  Wind turbines  Heart monitors

23  Security guards  Car washes

24  Not all systems found are legitimate targets  Demos  Honeypots

25  Trend Micro created a web-based simulation of an industrial control system (ICS), i.e. a honeypot  Water pump facility  Water pump supervisory control  SCADA network  Purpose: to measure attacks on real-world systems  Targeted 17 times in 4 months  12 attempts to shut down the water pump  5 attempts to modify the pump process  Attackers found it via Google and Shodan

26  Security researcher Eireann Leverett developed a tool to match ICSs found on Shodan against known vulnerabilities (2011)  Intent: to "allow defenders to assess their attack surface and prioritise the required interventions in a timely manner"  Can also be used for auditing  Research funded by BP

27  VxWorks  Embedded platform developed by Wind River Systems (Intel)  WDB agent: a system-level debugger, listening on a UDP port  (2010) A Rapid7 developer wrote a Metasploit scanner module for exposed WDB agents  Surveyed over 3.1 billion IP addresses  Discovered 250,000+ systems with the WDB agent exposed  Also discovered evidence of a massive scan for the same service in 2006 by an unknown party

28  Universal Plug and Play (UPnP)  UPnP exposes a Simple Object Access Protocol (SOAP) control API  2013 Rapid7 white paper  "UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, "  81 million unique IPs responded to discovery  About 20% of those also exposed the SOAP API to the internet  Flaws in common UPnP stacks allowed remote code execution with a single UDP packet
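The discovery step described on slide 28, as an added example (not code from the slides or from the Rapid7 paper). build_msearch() produces the SSDP request an internet-wide UPnP scan sends to UDP port 1900; parse_ssdp_response() reads the headers a listening stack answers with; soap_control_urls() follows the advertised device description and lists the SOAP control endpoints, which is the check behind the "20% exposed the SOAP API" figure. The response and description XML below are constructed; the address 203.0.113.7, the paths and the SERVER string are made up.

```python
"""SSDP discovery request/response handling and SOAP control-URL enumeration."""
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)   # UPnP multicast group and port


def build_msearch(st="ssdp:all", mx=2):
    """SSDP M-SEARCH datagram (UPnP Device Architecture 1.0). Unicast to a single
    host it reaches any UPnP stack listening on 1900, LAN or internet alike."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n"
            "\r\n").encode()


def parse_ssdp_response(raw):
    """Return the headers of an SSDP 200 response (keys upper-cased), or None."""
    lines = raw.decode("latin-1", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break                     # blank line ends the header block
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    return headers


def upnp_stack(headers):
    """SERVER is 'OS/version UPnP/1.0 product/version'; the last token identifies
    the UPnP library, which is what a scanner matches against known flaws."""
    server = headers.get("SERVER", "")
    return server.split()[-1] if server else ""


def soap_control_urls(description_xml, base):
    """Every <controlURL> in a device description is a SOAP endpoint; UPnP 1.0
    defines no authentication for the actions it accepts."""
    root = ET.fromstring(description_xml)
    urls = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "controlURL" and el.text:   # ignore namespace
            path = el.text.strip()
            urls.append(path if path.startswith("http") else base.rstrip("/") + "/" + path.lstrip("/"))
    return urls


def discover(timeout=2.0):
    """Live LAN discovery: one multicast M-SEARCH, collect answers until timeout.
    Not exercised by the offline demo below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append((addr[0], hdrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed SSDP response and device description (address, paths, versions made up).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"CACHE-CONTROL: max-age=1800\r\n"
                   b"LOCATION: http://203.0.113.7:49152/rootDesc.xml\r\n"
                   b"SERVER: Linux/2.6 UPnP/1.0 libupnp/1.6.6\r\n"
                   b"ST: upnp:rootdevice\r\n"
                   b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
                   b"\r\n")

SAMPLE_DESC = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Home Router</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
        <controlURL>/ctl/L3F</controlURL>
      </service>
    </serviceList>
    <deviceList>
      <device>
        <serviceList>
          <service>
            <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
            <controlURL>/ctl/IPConn</controlURL>
          </service>
        </serviceList>
      </device>
    </deviceList>
  </device>
</root>"""

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_RESPONSE)
    print("stack:", upnp_stack(hdrs))
    print("SOAP endpoints:", soap_control_urls(SAMPLE_DESC, "http://203.0.113.7:49152"))
```

A host that answers M-SEARCH from a public address is already counted among the 81 million; a host whose LOCATION document can also be fetched from the internet, and whose control URLs then accept SOAP actions, is the smaller set the paper put at about 20%.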

29  Internet Census 2012 (by the "Carna Botnet")  Started as a joke: try the telnet login root:root on random IPs  A binary was uploaded to the insecure devices found  Ran with a watchdog at the lowest process priority  Scanned port 23 (Telnet) across IPv4  Stopped after a few days; included a README explaining itself  The binary ran on 420,000 devices  20% of unprotected devices found  1.2 million unique unprotected devices identified by MAC address  Most common unprotected device: routers

30  Internet Census 2012  Ignored: IPv6; devices without ifconfig; devices without a shell; 100k MIPS 4kce devices (embedded systems, game consoles)  Encountered the Aidra botnet (malicious) on the same devices

31  Standard security practices  Restrict public-facing servers and devices to what actually needs to be reachable  Use a VPN or IP filters for external access (e.g., an employee working from home who wants to use the company printer)  Always change default passwords  Suppress or minimize verbose banners (a banner that names product and version is what the index is built from)  Test Shodan against your own devices  It may not find you if you have not yet been indexed (esecurityplanet.com), so absence from Shodan is not evidence of safety

32  Shodan is the first search engine of its kind.  It is possible, and likely, that other search engines will be more powerful.  How long before society becomes aware of what makes a device findable?  We need to rewire how people think about connected devices.

33  References  https://community.rapid7.com/docs/DOC-2150  https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play  https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers  https://speakerdeck.com/hdm/derbycon-2012-the-wild-west

