SHODAN for Penetration Testers – Michael "theprez98" Schearer
What is SHODAN
SHODAN is a search engine that crawls servers and collects the banner information they return on specific ports.
A search engine of banners instead of page content.
This information can be used to fingerprint the type and/or version of a system.
Accessible through the website –> http://www.shodanhq.com
There are also a number of browser add-ons that let you search directly from the browser without using the main interface.
The search engine supports standard things such as boolean operators, as you'd expect.
Login –> either free access (a few features restricted) or create an account for full access.
Typing "CISCO" into SHODAN returns a lot of results. To narrow them down, use the filters:
- Filter by text in the hostname or domain
- Filter by a specific IP range or subnet
Filters can be selected through the interface (map/checkboxes), or typed directly into the search box.
The map is also interactive, showing the number of scanned hosts when you mouse over a country.
example: apache country:CH –> all systems in Switzerland (CH) whose banner matches apache
Knowing what a target's banner looks like is very helpful for writing a query that finds it.
Other examples:
- apache hostname:.nist.gov
- iis-5.0 hostname:.edu
- FTP 21
- SSH 22
- Telnet 23
- HTTP 80
- SNMP 161
- HTTPS 443 –> requires an SSL add-on (SSL/HTTPS searches are not in the free interface; more information on the SHODAN homepage)
Search history is optional and disabled by default.
Creating an account gives you a personal history and lets you save searches you want to repeat.
Up to 1,000 results can be exported in XML format (requires an account and an add-on).
New section called Network Radar that shows newly added data.
Extended searches are available with add-ons.
Originally built as a marketing and research tool, but that has changed.
Basic knowledge of banners and HTTP status codes is important to make sense of the results and to write effective filters.
When searching for web servers or domains, a 200 OK in the banner is the best result: the server handed back the page without demanding authentication, whereas a 401 means credentials are required before you get anything.
- CISCO devices
  - Searching for CISCO together with 200 OK finds devices whose web interface answers without authentication
  - Some of these are probably test labs... but not ALL of them!
  - 5-6,000 such systems on the internet
- Default passwords
  - Search for the words "default password"
  - Finds, for example, a printer reachable from the web whose headers display its default password
  - Exclude all 4XX codes –> we just want 200 OK
  - Most responses were in the same subnet
  - Lots and lots of VoIP phones public facing
  - However... they needed a password. Most Huawei devices have easy-to-guess default passwords
  - Able to reconfigure the device... even change the URL for software updates (want to load new firmware?)
- Infrastructure exploitation... or "How to pwn an ISP"
  - A number of the CISCO devices discovered in the earlier section
  - Allow privilege level 15 access (full admin)
  - Included 2x Cisco 3750 switches and direct access to a Cisco 7606 router!
  - ISP located in the US (small regional)
  - VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc.
  - SNMP server IP address and community strings
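The triage described above (keep 200 OK, drop 4XX, notice when a banner advertises a default password in its own headers) is easy to automate once you have the raw banners. The following is an added example, not code from the talk or from SHODAN: it parses a handful of constructed HTTP banners (the realm strings and Server values are made up for illustration) and classifies each one the way the talk's searches do.

```python
"""Triage raw HTTP banners: keep 200 OK responses (no authentication
demanded), separate 401/407 challenges, skip other 4xx/5xx, and flag any
banner whose headers advertise a default password.

Added example; not the talk's own code. The sample banners are constructed.
"""
import re

# Constructed sample banners (not real SHODAN results): status line plus
# response headers, as a crawler would store them.
SAMPLE_BANNERS = [
    "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
    "WWW-Authenticate: Basic realm=\"level_15_access\"\r\n\r\n",
    "HTTP/1.0 401 Unauthorized\r\nServer: Embedded HTTP Server\r\n"
    "WWW-Authenticate: Basic realm=\"Printer (default password: 1234)\"\r\n\r\n",
    "HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",
]

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\s*(.*)$")
DEFAULT_CRED_RE = re.compile(r"default\s+(password|pass|login|credential)", re.I)


def parse_banner(banner):
    """Split a raw HTTP banner into (status_code, reason, headers).
    Header names are lower-cased. A banner that is not HTTP at all (an SSH
    or FTP greeting, say) yields status 0 so the caller can skip it."""
    head = banner.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    code, reason = (int(m.group(1)), m.group(2)) if m else (0, "")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def triage(banners):
    """Classify each banner as 'default-creds' (headers advertise a default
    password, whatever the status), 'open' (200 OK, nothing demanded),
    'auth' (401/407 with a challenge) or 'skip' (anything else)."""
    results = []
    for b in banners:
        code, _, headers = parse_banner(b)
        server = headers.get("server", "")
        challenge = headers.get("www-authenticate", "")
        if DEFAULT_CRED_RE.search(challenge) or DEFAULT_CRED_RE.search(server):
            verdict = "default-creds"
        elif code == 200:
            verdict = "open"
        elif code in (401, 407) and challenge:
            verdict = "auth"
        else:
            verdict = "skip"
        results.append((verdict, code, server, challenge))
    return results


def open_hosts(banners, product):
    """Offline equivalent of searching for <product> and keeping only 200 OK."""
    return [r for r in triage(banners)
            if r[0] == "open" and product.lower() in r[2].lower()]


if __name__ == "__main__":
    for verdict, code, server, challenge in triage(SAMPLE_BANNERS):
        print(f"{verdict:14} {code} {server!r} {challenge!r}")
```

A 401 is not a dead end: the challenge realm is often the only place a vendor's default credential hint shows up, which is why the default-password check runs before the status-code check rather than after it.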
Other interesting info
- Some IIS searches (number of results)
  - iis/5 –> 362,695
  - iis/4 –> 9,977
  - iis/3 –> 381
  - iis/2 –> 42
  - iis/1 –> 152
- Wireless network cameras... with movement features
  - In Firefox you can take snapshots
  - In IE you get an extra feature –> CONFIG!
Aggregates a lot of information that is not otherwise readily available in one place.
Allows for some passive vulnerability analysis based on the version information in banners, without ever touching the target.
Not going to take over the world, but a good tool for penetration testers.
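The passive analysis mentioned above, and the per-version IIS counts listed earlier, both come down to pulling a product and version out of the Server header and comparing it to something. As an added example (not the talk's code), the block below does that over constructed Server values; the REFERENCE_MINIMUM thresholds are an assumption for illustration and would in practice come from vendor lifecycle data or a vulnerability database current at the time of the engagement.

```python
"""Passive version triage from Server headers: extract product and version,
count them by product/major version (how a table like iis/5, iis/4, ... is
produced) and flag versions older than a reference minimum.

Added example; not the talk's own code. Sample data and thresholds are
constructed for illustration.
"""
import re
from collections import Counter

# Constructed Server header values (not real SHODAN data).
SAMPLE_SERVERS = [
    "Microsoft-IIS/5.0",
    "Microsoft-IIS/6.0",
    "Microsoft-IIS/4.0",
    "Apache/2.2.3 (CentOS)",
    "Apache/1.3.33 (Unix) mod_ssl/2.8.22",
    "Apache/2.2.14 (Ubuntu)",
    "cisco-IOS",          # no version in the banner: nothing to conclude passively
    "Microsoft-IIS/5.0",
]

# ASSUMED thresholds for illustration only; replace with real lifecycle /
# vulnerability data before drawing any conclusion about a target.
REFERENCE_MINIMUM = {
    "microsoft-iis": (6, 0),
    "apache": (2, 2, 0),
}

PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_server(value):
    """Return (product, version_tuple) from a Server header, or
    (product, None) when the banner carries no version. Product names are
    lower-cased so 'Microsoft-IIS' and 'microsoft-iis' group together."""
    m = PRODUCT_RE.match(value.strip())
    if not m:
        return value.strip().lower(), None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def count_by_major(servers):
    """Counter keyed by 'product/major', e.g. 'microsoft-iis/5' -> 2.
    Banners without a version are counted under 'product/?'."""
    counts = Counter()
    for s in servers:
        product, ver = parse_server(s)
        counts[f"{product}/{ver[0]}" if ver else f"{product}/?"] += 1
    return counts


def below_minimum(servers, minimums=REFERENCE_MINIMUM):
    """Servers whose advertised version is older than the reference minimum.
    Versions are padded with zeros to the minimum's length before comparing,
    so '6' is treated as 6.0 rather than sorting below it as a shorter tuple."""
    flagged = []
    for s in servers:
        product, ver = parse_server(s)
        minimum = minimums.get(product)
        if ver is None or minimum is None:
            continue  # unknown product or versionless banner: skip, don't guess
        padded = ver + (0,) * (len(minimum) - len(ver))
        if padded < minimum:
            flagged.append((s, ver, minimum))
    return flagged


if __name__ == "__main__":
    for key, n in sorted(count_by_major(SAMPLE_SERVERS).items()):
        print(f"{key:20} {n}")
    for s, ver, minimum in below_minimum(SAMPLE_SERVERS):
        print(f"below reference: {s!r} ({ver} < {minimum})")
```

Banner-based analysis only ever tells you what the server claims to be; a backported fix, a rewritten Server header or a reverse proxy in front of the real host can all make the version string lie, so anything flagged here is a lead to verify, not a finding.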