Tim Jensen, CISSPCBI

www.cbihome.com

Shodan: The Hacker’s Search Engine

Disclaimer• Following the steps in this document can get you into legal trouble. • Only connect to systems that you own or have written permission

to conduct testing on• I am not a lawyer, but generally I would say connecting to an HTTP

port and viewing what is there is ok. Entering credentials, brute forcing, exploiting vulnerabilities, or anything else to gain privileged access is illegal.• Reconfiguring systems is definitely illegal!• Disclosing vulnerabilities to companies can get you threatened,

even if you did nothing wrong. Leave it to the professionals if your not willing to go to jail for doing the right thing.• I am not responsible for anything you do, think, or say.

Versions

Shodanhq.com

• HTTP only – creds visible across internet• Buggy if looking through

more than 1 page of results• Contains filter

documentation• API key easily shown on

Development page

Shodan.io - Recommended

• HTTPS by default• Considerable

improvements in stability• API key found in Account

Overview

Filters

Ports• Historically limited to HTTP, HTTPS, HTTP-ALT, SSH,

FTP, Telnet• Currently contains nearly all top nmap ports, if not all

Polycom Systems• Churches• Consulting Firms• Fire Departments• Police Stations• SWAT Ready Room

• Court Houses• Judges Chambers• Jury Room (Epic Fail)

Speaking of Police…

Medical Devices• Scott Ervind gave a talk at DakotaCon 2015 about

using Shodan to locate medical devices. His research results:• Located over 65,000 devices using Shodan• Devices included pacemaker programmers, EKG, medical

pumps, MRI scanner stations, etc.• Not only could data be leaked, but equipment could be

destroyed or re-programed.• Worked with DHS to notify all parties.

NetbiosInformation Gathering

ludicrous_netbios.xps

Brute ForcingUsername + SMB + Not Domain Joined =

Port 137 – Locate UsernamePort 445 – Locate SMB share to brute forcePort 3389 – Alternately brute force remote desktop

username_w_smb_rdp.xps

Phone PBX for a good sized phone company

No authentication required

Industrial Control Systems

What is an Industrial Control System (ICS)• Controls ‘facilities’ or

physical equipment such as:• Door systems• Air Conditioning/Heating• Power Generators• Power Plants• Automation Machinery

(Manufacturing)• Lights• Security Alarm Systems

• Key Terms:• SCADA• PLC• PAC• DCS

Project Aurora

BACNETPort 47808

The Military

11,004 printers$8 for a ream of paper

$88,032 for a single attack across all systems

380,616 printers$8 for a ream of paper

$3,044,928 for a single attack across all systems

*Doesn’t include toner*

Printers

Cringe worthy

API

API• Multiple interfaces:• JSON• Python• Ruby• NodeJS

• Well documented

Way to use API for good1. Create a baseline of your network2. Run daily to identify new hosts/ports which have

been exposed to the internet3. Track changes over time and create reports for

successful vs failed border changes

Results could be fed into a SIEM for easy reporting

Ways to use API for bad1. Create query signature for known vulnerability2. Capture results3. Add IP’s to a file4. Feed IP’s into exploit5. Automate so you can be lazy6. Order Pizza7. Eat Pizza8. Dig through loot