
SHODAN for Penetration Testers – Michael “theprez98” Schearer
What is SHODAN
SHODAN is a search engine designed to crawl servers and gather the banner information returned on specific ports.
It is a search engine of banners instead of content.
We can use this information to fingerprint the type and/or version of a system.
Basic Operations
Accessible through the website –> http://www.shodanhq.com
There are also a number of browser add-ons that allow you to search directly from a browser without using the main interface.
The search engine supports standard features such as Boolean operators, as you’d expect.
Login –> Either a free access search (a few features restricted) or create an account for full access.
Filters
Typing “CISCO” into SHODAN will return a lot of results. To narrow them down, you can use specific filters.
- after/before
- country
- hostname
  - Filters by text in the hostname or domain
- net
  - Specific IP range or subnet
- os
- port
- SSL
Filters can be specified through the interface using the map/checkboxes. Alternatively, you can directly enter the filter text into the search box.
The map is also interactive, showing the number of scanned hosts when you mouseover a country.
Example: apache country:CH –> searches for all systems in CH whose banner matches apache.
Knowing what the banner returns is very helpful for finding the systems you want to locate.
Other Examples :
- apache hostname:.nist.gov
- iis-5.0 hostname:.edu
Port filtering
- FTP 21
- SSH 22
- Telnet 23
- HTTP 80
- SNMP 161
- HTTPS 443 –> Requires an SSL add-on
SSL/HTTPS searches require an add-on. More information is on the SHODAN homepage.
Search history is optional and disabled by default.
By creating an account you can have personal history and save searches that you wish to repeat.
Export
Can export up to 1,000 results in XML format
Requires an account, and add-on
New section called Network Radar that shows newly added data.
Extended searches available with add-ons
Penetration Testing
Originally a marketing and research tool; however, things have changed.
Basic knowledge of banners and status codes is important to be able to make sense of results and configure filters.
When searching for web servers or domains, a 200 OK response is the best result, as no further authentication is required to access the page.
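As an added example (not code from the talk or from SHODAN itself), the following Python models the query grammar described above, with free text matched against the banner and key:value filters matched against host metadata, together with the status-code reading that the notes say matters. It runs over constructed banner records, models only the country, hostname, net and port filters, and ends with a defender-side helper that lists hosts in your own range answering 200 OK, i.e. with no authentication in front of them.

```python
import ipaddress
import re

# Constructed sample banner records (RFC 5737 test addresses, not real hosts).
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "port": 80, "country": "CH", "hostname": "www.example.ch",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n"},
    {"ip": "192.0.2.20", "port": 80, "country": "US", "hostname": "labs.example.edu",
     "banner": "HTTP/1.0 401 Unauthorized\r\nServer: Microsoft-IIS/5.0\r\n"
               "WWW-Authenticate: Basic realm=\"device\"\r\n\r\n"},
    {"ip": "198.51.100.5", "port": 80, "country": "US", "hostname": "rtr1.example.net",
     "banner": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n\r\n"},
    {"ip": "198.51.100.9", "port": 21, "country": "US", "hostname": "ftp.example.net",
     "banner": "220 ProFTPD 1.3.3 Server ready.\r\n"},
]
FILTER_RE = re.compile(r"(\w+):(\S+)")  # key:value tokens such as country:CH

# Filters apply to host metadata; only the free text is matched against the banner.
FILTERS = {
    "country": lambda h, v: h["country"].upper() == v.upper(),
    "port": lambda h, v: h["port"] == int(v),
    "hostname": lambda h, v: v.lower() in h["hostname"].lower(),
    "net": lambda h, v: ipaddress.ip_address(h["ip"]) in ipaddress.ip_network(v, strict=False),
}

def parse_query(query):
    """Split 'apache country:CH' into free text 'apache' and {'country': 'CH'}."""
    filters = {k.lower(): v for k, v in FILTER_RE.findall(query)}
    free_text = " ".join(FILTER_RE.sub("", query).split()).lower()
    return free_text, filters

def http_status(banner):
    """Status code from an HTTP banner, or None for non-HTTP banners (e.g. FTP)."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", banner)
    return int(m.group(1)) if m else None

def matches(host, free_text, filters):
    """Unsupported filter keys raise KeyError rather than silently matching."""
    if free_text and free_text not in host["banner"].lower():
        return False
    return all(FILTERS[k](host, v) for k, v in filters.items())

def search(query, hosts=SAMPLE_HOSTS):
    """Return the IPs whose record satisfies the whole query."""
    free_text, filters = parse_query(query)
    return [h["ip"] for h in hosts if matches(h, free_text, filters)]

def unauthenticated_web(net, hosts=SAMPLE_HOSTS):
    """Defender check: web hosts in your own range answering 200 OK (no auth in front)."""
    _, filters = parse_query(f"net:{net}")
    return [h["ip"] for h in hosts if matches(h, "", filters) and http_status(h["banner"]) == 200]
```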
Case Studies
- CISCO Devices
  - By searching for CISCO with a 200 OK, you will find devices without authentication
  - Some of these are probably test labs….. but not ALL of them!
  - 5-6,000 of such systems on the internet
- Default Passwords
  - Search for the words “default password”
  - Find… a printer accessible from the web using the default password as displayed in the headers
- HUAWEI
  - Exclusion of all 4XX codes –> We just want 200 OK
  - Most responses were in the same subnet
  - Lots and lots of VoIP phones public facing
  - However…. they needed a password. Most Huawei devices have easy-to-guess default passwords
  - Able to reconfigure the device…. even change the URL for software updates (want to load new firmware?)
- Infrastructure Exploitation… or “How to pwn an ISP”
  - A number of CISCO devices discovered in the earlier section
  - Allow LEVEL 15 access (full admin)
  - Included 2x CISCO 3750 and direct access to a Cisco 7606 router!
  - ISP located in the US (small regional)
  - VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc…
  - SNMP server IP address and community strings
Other interesting info
- Some IIS searches
  - iis/5 –> 362695
  - iis/4 –> 9977
  - iis/3 –> 381
  - iis/2 –> 42
  - iis/1 –> 152
- Wireless network cameras… with movement features
  - In Firefox you can do snapshots..
  - In IE you get an extra feature –> CONFIG!
Conclusions
Aggregates a lot of information not already available
Allows for some passive vulnerability analysis –> based on banner version information
Not going to take over the world, but a good tool for penetration testers
Links:
You can actually export up to 1 million hosts; 1,000 is the lowest amount possible.
And here are some more case studies performed by Chema Alonso (FOCA founder) looking into SCADA and VoIP systems:
http://elladodelmal.blogspot.com/2010/05/shodan-y-sistemas-scada.html
http://elladodelmal.blogspot.com/2010/05/shodan-y-ataques-telefonia-voip.html
PS: I’m the author of shodan and available on twitter @achillean
Thanks for the confirmation, and a special thank you for SHODAN. We all appreciate your hard work!
Thanks for the write-up, SHODAN is awesome 🙂