![Page 1: Maxine Major December 12, 2013. What is Shodan? How it Works A Tour of Shodan What Shodan Finds Similar Searches](https://reader035.vdocuments.net/reader035/viewer/2022081506/56649c7b5503460f9492f7a6/html5/thumbnails/1.jpg)
SHODAN: “THE INTERNET OF THINGS”
Maxine Major, December 12, 2013
OVERVIEW
- What is Shodan?
- How it Works
- A Tour of Shodan
- What Shodan Finds
- Similar Searches
WHAT IS SHODAN?
- Search engine: http://www.shodanhq.com/
- Finds anything connected to the internet
- Named after the AI in System Shock 2 (1999): “Sentient Hyper-Optimized Data Access Network”
- Developed by John Matherly; went live in 2009
- Currently indexes over 500 million connected devices monthly
- 10,000 Industrial Control Systems
HOW SHODAN SEARCHES
- Web search engines index websites; Shodan indexes metadata and banners
- Port 21/TCP (FTP), Port 22/TCP (SSH), Port 23/TCP (Telnet), Port 80/TCP (HTTP)
- “Tell me what you can tell me about yourself.”
LEGALITY
- Publicly available data: “public” in that it is unprotected
- “Once that data is made public…it’s unclear whether it’s still protected by data security laws.” – John Matherly
TOUR OF SHODAN
(Slides 6 to 11 are image-only; no slide text was captured.)
NARROWING THE SEARCH
Search Filters

| Filter   | Example query                    |
|----------|----------------------------------|
| city     | apache city:"Zürich"             |
| country  | nginx country:DE                 |
| geo      | apache geo:42.9693,-74.1224      |
| hostname | "Server: gws" hostname:google    |
| net      | net:216.219.143.0/24             |
| os       | microsoft-iis os:"windows 2003"  |
| port     | 21 (FTP), 22 (SSH), 23 (Telnet)  |
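The filter syntax in the table is easiest to understand with a worked parser. The Python below is an added example, not code from the slides or from Shodan's own software: it splits a Shodan-style query into free-text terms and `key:value` filters, then runs it against a constructed inventory of your own hosts (RFC 5737 documentation addresses, not real systems) so a defender can see which of their assets a given query would surface. The `Record` class, `parse_query`, `matches` and `search` names and the simplified matching rules are assumptions; Shodan's real matching differs in detail (banner tokenisation, geo distance), and `geo:` is parsed here but not evaluated.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Filters from the slide; geo is parsed but not matched (it needs coordinates).
FILTERS = {"city", "country", "geo", "hostname", "net", "os", "port"}


@dataclass
class Record:
    """One indexed service, shaped like a Shodan banner record (assumed layout)."""
    ip: str
    port: int
    banner: str
    city: str = ""
    country: str = ""
    os: str = ""
    hostnames: list = field(default_factory=list)


# Constructed inventory using RFC 5737 documentation addresses, not real hosts.
INVENTORY = [
    Record("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)",
           city="Zürich", country="CH", os="Linux", hostnames=["www.example.com"]),
    Record("198.51.100.7", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.4.1",
           country="DE", hostnames=["mail.example.de"]),
    Record("203.0.113.5", 21, "220 ProFTPD 1.3.4 Server ready",
           country="US", os="Linux"),
    Record("192.0.2.33", 80, "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0",
           country="US", os="Windows 2003"),
]


def parse_query(query):
    """Split 'apache city:"Zürich"' into (['apache'], {'city': 'Zürich'}).

    shlex handles the quoted values, so '"Server: gws" hostname:google' yields
    the free-text term 'Server: gws' and the filter hostname=google.
    """
    terms, filters = [], {}
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if sep and key in FILTERS:
            filters[key] = value
        else:
            terms.append(token)
    return terms, filters


def _filter_ok(record, key, value):
    """Apply one key:value filter to a record (simplified semantics)."""
    if key == "city":
        return record.city.lower() == value.lower()
    if key == "country":
        return record.country.upper() == value.upper()
    if key == "os":
        return value.lower() in record.os.lower()
    if key == "port":
        return record.port == int(value)
    if key == "hostname":
        return any(value.lower() in h.lower() for h in record.hostnames)
    if key == "net":
        return ipaddress.ip_address(record.ip) in ipaddress.ip_network(value, strict=False)
    return True  # geo: accepted but not evaluated in this example


def matches(record, query):
    """Free-text terms are substring matches on the banner; all filters must hold."""
    terms, filters = parse_query(query)
    banner = record.banner.lower()
    if not all(term.lower() in banner for term in terms):
        return False
    return all(_filter_ok(record, key, value) for key, value in filters.items())


def search(query, inventory=INVENTORY):
    """Return (ip, port) of every inventory entry the query would surface."""
    return [(r.ip, r.port) for r in inventory if matches(r, query)]


if __name__ == "__main__":
    for q in ['apache city:"Zürich"', "nginx country:DE",
              'microsoft-iis os:"windows 2003"', "net:203.0.113.0/24",
              '"Server: gws" hostname:google']:
        print(f"{q!r:40} -> {search(q)}")
```

Pointing `search` at an export of your own asset inventory turns the filter table into a self-audit: any entry that a query built from your banners and address ranges returns is one that an indexed crawl would also expose.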
ADDITIONAL FEATURES
- Shodan API: integrate Shodan into your own software
- Scanhub: make your own search engine built off nmap scans
- Add Shodan to browser search engines
- Note: Scans through Shodan are not real-time. They are produced from a crawler database.
WHAT SHODAN FINDS
- 144 million web servers on Shodan
- Microsoft’s IIS runs 8.5 million web servers
- Allegro Software’s RomPager: 22 million servers (OEM embedded web server: routers, switches, printers, etc.)
WHAT SHODAN FINDS
Breakdown of Port Distribution (2012)
WHAT SHODAN FINDS
- Cameras (webcams, security cameras)
- Home security systems
- Printers
- Refrigerators
- Caterpillar tractor control panels
- Medical devices
- Car washes
- Hospital fetal monitoring
- Critical infrastructure (water, sewage, dams, …)
- Automobile assembly lines
- High school lighting systems
- HVAC
- Power
- Dam
- Baby monitors
- Traffic control systems
WHAT SHODAN FINDS
Baby Monitors
- August 2013: baby monitor hacked
- Marc Gilbert heard voices from his 2-year-old’s room: verbal abuse from a networked baby monitor
- Foscam video/two-way audio camera; default “admin” username
- A new user account, “Root”, had been added
- Likely Shodan was used to discover the monitor
WHAT SHODAN FINDS
(Slides 17 to 24 are image slides; captions as captured.)
- (Slide 17: image only)
- Elementary School Heating System
- Caterpillar controls
- Webcams & Security Systems
- Swimming pool acid pump; Traffic control system
- Wind turbines; Heart monitors
- Security guards; Car washes
WHAT SHODAN FINDS
- Not all systems found are legitimate: demos, honeypots
WATERWORKS HONEYPOT
- Trend Micro created a web-based simulation of an industrial control system (ICS): a water pump facility
- Water pump supervisory control (SCADA) network
- Purpose: to measure attacks on real-world systems
- Targeted 17 times in 4 months: 12 attempts to shut down the water pump, 5 to modify the pump process
- Attacks came via Google and Shodan
RESEARCH IN SHODAN
- Security researcher Eireann Leverett is developing a tool to match ICSs found on Shodan to known vulnerabilities (2011)
- Intent: to “allow defenders to assess their attack surface and prioritise the required interventions in a timely manner”
- Can also be used for auditing
- Research funded by BP
SIMILAR SEARCHES
- VxWorks: platform developed by Wind River Systems (Intel)
- WDB agent: system-level debugger on UDP port 17185
- (2010) A Rapid7 developer wrote a scanner for Metasploit to scan for WDB
- Surveyed over 3.1 billion IP addresses
- Discovered 250,000+ systems with the WDB agent exposed
- Discovered a massive scan in 2006 by an unknown party
SIMILAR SEARCHES
- Universal Plug and Play (UPnP); UPnP Simple Object Access Protocol (SOAP)
- 2013 Rapid7 white paper: “UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012.”
- 81 million unique IPs responded
- 20% with SOAP API
- Vulnerable to a single UDP packet for remote code execution
SIMILAR SEARCHES
- Internet Census 2012 (by the “Carna Botnet”)
- Started as a joke: telnet login root:root on random IPs
- Binary uploaded to insecure devices; watchdog with lowest priority
- Scanned port 23 (Telnet) on IPv4; stopped after a few days; included a README
- Binary ran on 420,000 devices (20% of unprotected devices found)
- 1.2 million unique unprotected devices identified by MAC
- Most common unprotected device is the router
SIMILAR SEARCHES
- Internet Census 2012 ignored: IPv6; devices without ifconfig; devices without a shell; 100k MIPS 4kce (embedded systems/game consoles)
- Encountered the Aidra botnet (malicious)
MINIMIZE SHODAN RISKS
- Standard security practices
- Restrict public-facing servers and devices
- Use VPN or IP filters for external access (e.g., an employee working from home who wants to use the company printer)
- Always change default passwords
- Suppress/minimize verbose banners
- Test Shodan on your own devices (it may not find you if you’re not already indexed)
- (esecurityplanet.com)
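Two points in the deck are easiest to see with a banner in hand: the “tell me about yourself” data Shodan indexes (HOW SHODAN SEARCHES) and the advice above to suppress verbose banners, together with Leverett's idea of matching what a banner discloses against known weaknesses (RESEARCH IN SHODAN). The Python below is an added example, not code from the slides, from Shodan, or from Leverett's tool: it parses constructed HTTP, SSH and FTP banners (documentation-range addresses, not real hosts), scores how much each one discloses, and looks the product/version pairs up in a constructed advisory table whose identifiers are placeholders, not real advisories. The function names, the regexes and the scoring rule are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample banners shaped like what Shodan stores (HTTP Server header,
# SSH identification string, FTP greeting). Not captured from real systems.
SAMPLE_BANNERS = {
    "http-verbose": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu) PHP/5.3.10 OpenSSL/1.0.1\r\n\r\n",
    "http-minimal": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "ssh": "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n",
    "ftp": "220 ProFTPD 1.3.4 Server (Debian) [::ffff:192.0.2.10]\r\n",
}

# CONSTRUCTED advisory table with placeholder identifiers; a real tool would
# load a vendor or CERT feed here instead.
ADVISORIES = {
    ("openssh", "5.3p1"): "EXAMPLE-ADV-0001",
    ("apache", "2.2.22"): "EXAMPLE-ADV-0002",
}


@dataclass
class BannerInfo:
    service: str
    products: list = field(default_factory=list)  # (name, version-or-None)
    extras: list = field(default_factory=list)    # leaked details beyond product names


def parse_banner(raw):
    """Extract service type, product/version pairs and extra leaked details."""
    text = raw.strip()
    if text.startswith("SSH-"):
        # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 -> product, version, OS comment
        m = re.match(r"SSH-[\d.]+-([A-Za-z]+)_(\S+)(?:\s+(.*))?", text)
        info = BannerInfo("ssh")
        if m:
            info.products.append((m.group(1), m.group(2)))
            if m.group(3):
                info.extras.append(m.group(3))
        return info
    if text.startswith("220"):
        # 220 ProFTPD 1.3.4 Server (Debian) [...] -> product, version, remainder
        m = re.match(r"220[ -](\S+)\s+(\d[\w.]*)\s*(.*)", text)
        info = BannerInfo("ftp")
        if m:
            info.products.append((m.group(1), m.group(2)))
            if m.group(3):
                info.extras.append(m.group(3))
        return info
    if text.startswith("HTTP/"):
        info = BannerInfo("http")
        m = re.search(r"^Server:\s*(.+)$", text, re.MULTILINE)
        if m:
            header = m.group(1)
            # Parenthesised comments such as "(Ubuntu)" are OS/platform leaks.
            info.extras.extend(re.findall(r"\(([^)]*)\)", header))
            for token in re.sub(r"\([^)]*\)", " ", header).split():
                name, _, version = token.partition("/")
                info.products.append((name, version or None))
        return info
    return BannerInfo("unknown")


def exposure_score(info):
    """Number of version strings disclosed plus extra details (OS, addresses)."""
    versions = sum(1 for _, version in info.products if version)
    return versions + len(info.extras)


def known_advisories(info):
    """Match parsed (product, version) pairs against the advisory table."""
    keys = ((name.lower(), version) for name, version in info.products)
    return [ADVISORIES[key] for key in keys if key in ADVISORIES]


def assess(raw):
    """Summarise one banner: what it reveals and whether that maps to an advisory."""
    info = parse_banner(raw)
    score = exposure_score(info)
    return {
        "service": info.service,
        "products": info.products,
        "extras": info.extras,
        "score": score,
        "verbose": score > 0,
        "advisories": known_advisories(info),
    }


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:13} {assess(banner)}")
```

A score of 0 (product name only, or no Server header at all) is the target the “suppress/minimize verbose banners” advice is asking for; anything higher tells a crawler the exact version to look up. Because Shodan results come from a crawler database rather than live scans, a banner you trim today can still appear in the index until the host is re-crawled, so re-test your own addresses after the change.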
BEYOND SHODAN
Shodan is the first search engine of its kind.
It’s possible and likely that other search engines could be more powerful.
How long before society becomes aware of what makes something findable?
Need to rewire how people think about connected devices.
REFERENCES
- http://www.wired.com/images_blogs/threatlevel/2012/01/2011-Leverett-industrial.pdf
- http://www.shodanhq.com/
- http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-the-internet/
- https://community.rapid7.com/docs/DOC-2150
- https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
- http://internetcensus2012.bitbucket.org/paper.html
- http://en.wikipedia.org/wiki/MIPS_architecture#Microarchitectures_based_on_the_MIPS_instruction_set
- https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers
- https://speakerdeck.com/hdm/derbycon-2012-the-wild-west
- http://www.us-cert.gov/ncas/alerts/TA13-175A
- http://www.shodanhq.com/help/filters
- http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
- http://www.allegrosoft.com/embedded-web-server-s2?utm_expid=16278828-3.XjShHBhqQ1OFjzbnYYNwdA.1&utm_referrer=https%3A%2F%2Fwww.google.com%2F
- http://www.networkworld.com/news/2013/031513-scada-honeypot-267740.html
- http://www.esecurityplanet.com/network-security/5-tips-to-protect-networks-against-shodan-searches.html
- http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
- http://userserve-ak.last.fm/serve/_/86825487/System+Shock+2+cover.png
- http://money.cnn.com/gallery/technology/security/2013/05/01/shodan-most-dangerous-internet-searches/index.html
- http://www.qmed.com/news/shodan-potential-nightmare-medical-device-users
- http://www.slideshare.net/Shakacon/dan-tentler
- http://secanalysis.com/a-brief-analysis-of-shodan/
- http://siliconangle.com/blog/2013/06/26/how-shodan-searches-for-holes-in-the-internet-of-things/
- http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf