Shodan: The Hacker's Search Engine
Tim Jensen, CISSP
CBI
www.cbihome.com
Disclaimer
• Following the steps in this document can get you into legal trouble.
• Only connect to systems that you own or have written permission to conduct testing on.
• I am not a lawyer, but generally I would say connecting to an HTTP port and viewing what is there is OK. Entering credentials, brute forcing, exploiting vulnerabilities, or anything else to gain privileged access is illegal.
• Reconfiguring systems is definitely illegal!
• Disclosing vulnerabilities to companies can get you threatened, even if you did nothing wrong. Leave it to the professionals if you're not willing to go to jail for doing the right thing.
• I am not responsible for anything you do, think, or say.
Versions
Shodanhq.com
• HTTP only – creds visible across internet
• Buggy if looking through more than 1 page of results
• Contains filter documentation
• API key easily shown on Development page
Shodan.io - Recommended
• HTTPS by default
• Considerable improvements in stability
• API key found in Account Overview
Filters
Ports
• Historically limited to HTTP, HTTPS, HTTP-ALT, SSH, FTP, Telnet
• Currently contains nearly all top nmap ports, if not all
Polycom Systems
• Churches
• Consulting Firms
• Fire Departments
• Police Stations
• SWAT Ready Room
• Court Houses
• Judges Chambers
• Jury Room (Epic Fail)
Speaking of Police…
Medical Devices
• Scott Ervind gave a talk at DakotaCon 2015 about using Shodan to locate medical devices. His research results:
• Located over 65,000 devices using Shodan
• Devices included pacemaker programmers, EKG, medical pumps, MRI scanner stations, etc.
• Not only could data be leaked, but equipment could be destroyed or re-programmed.
• Worked with DHS to notify all parties.
Netbios Information Gathering
ludicrous_netbios.xps
Brute Forcing
Username + SMB + Not Domain Joined =
Port 137 – Locate Username
Port 445 – Locate SMB share to brute force
Port 3389 – Alternately brute force remote desktop
username_w_smb_rdp.xps
Phone PBX for a good-sized phone company
No authentication required
Industrial Control Systems
What is an Industrial Control System (ICS)?
• Controls 'facilities' or physical equipment such as:
  • Door systems
  • Air Conditioning/Heating
  • Power Generators
  • Power Plants
  • Automation Machinery (Manufacturing)
  • Lights
  • Security Alarm Systems
• Key Terms:
  • SCADA
  • PLC
  • PAC
  • DCS
Project Aurora
BACNET
Port 47808
The Military
11,004 printers
$8 for a ream of paper
$88,032 for a single attack across all systems
380,616 printers
$8 for a ream of paper
$3,044,928 for a single attack across all systems
*Doesn't include toner*
Printers
Cringe worthy
API
• Multiple interfaces:
  • JSON
  • Python
  • Ruby
  • NodeJS
• Well documented
Ways to use API for good
1. Create a baseline of your network
2. Run daily to identify new hosts/ports which have been exposed to the internet
3. Track changes over time and create reports for successful vs failed border changes
Results could be fed into a SIEM for easy reporting
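The three "good" steps above as a worked example (added here, not code from the slides or from Shodan): baseline a range, diff today's exposure against it, and emit SIEM-ready events. The live fetch helper assumes the shodan Python library and its Shodan.search() call with the net: filter; the banner records are constructed samples in the shape of Shodan search matches, so the diff and reporting run offline.

```python
import json
from datetime import date

# Constructed sample banners in the shape of Shodan search "matches"
# (one record per banner: ip_str / port / transport). Not real scan results.
BASELINE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp"},
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp"},
    {"ip_str": "203.0.113.20", "port": 80, "transport": "tcp"},
]
TODAY_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp"},
    {"ip_str": "203.0.113.20", "port": 80, "transport": "tcp"},
    {"ip_str": "203.0.113.20", "port": 3389, "transport": "tcp"},   # RDP newly exposed
    {"ip_str": "203.0.113.30", "port": 47808, "transport": "udp"},  # BACnet on a new host
]

def fetch_matches(api_key, cidr):
    """Pull live banners for your own range (assumes the shodan library is
    installed; uses Shodan.search with the net: filter). Not called by the demo."""
    import shodan
    api = shodan.Shodan(api_key)
    return api.search("net:" + cidr)["matches"]

def exposure_set(matches):
    """Collapse banner records into a set of (ip, port, transport) triples."""
    return {(m["ip_str"], m["port"], m.get("transport", "tcp")) for m in matches}

def diff_exposure(baseline_matches, current_matches):
    """Step 2/3: return (newly_exposed, closed) as sorted lists of triples."""
    before, now = exposure_set(baseline_matches), exposure_set(current_matches)
    return sorted(now - before), sorted(before - now)

def siem_events(new, closed, when=None):
    """Render the diff as JSON lines a SIEM can ingest. 'exposure_new' events are
    the ones to alert on; 'exposure_closed' confirms a border change succeeded."""
    when = when or date.today().isoformat()
    lines = []
    for kind, items in (("exposure_new", new), ("exposure_closed", closed)):
        for ip, port, proto in items:
            lines.append(json.dumps({"date": when, "event": kind, "ip": ip,
                                     "port": port, "transport": proto}))
    return lines

if __name__ == "__main__":
    new, closed = diff_exposure(BASELINE_MATCHES, TODAY_MATCHES)
    print("\n".join(siem_events(new, closed)))
```

Persist each day's exposure_set() output as the next baseline so the diff reports only what changed since the last run.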
Ways to use API for bad
1. Create query signature for known vulnerability
2. Capture results
3. Add IP's to a file
4. Feed IP's into exploit
5. Automate so you can be lazy
6. Order Pizza
7. Eat Pizza
8. Dig through loot