Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[Defcon] SHODAN for Penetration Testers

SHODAN for Penetration Testers – Michael “theprez98” Schearer

What is SHODAN

SHODAN is a search engine that crawls servers and gathers the banner information returned on specific ports.

A search engine of banners instead of content.

We can use this information to fingerprint the type and/or version of a system.

Basic Operations

Accessible through the website –> http://www.shodanhq.com

There are also a number of browser add-ons that allow you to search directly from a browser without using the main interface.

The search engine supports standard things such as boolean operators, as you’d expect.

Login –> Either a free access search (a few features restricted) or create an account for full access.

Filters

Typing “CISCO” into SHODAN will come up with a lot of results. To narrow them down, you can use specific filter values.

  • after/before
    • Limit results by the date the banner was collected
  • country
    • 2 letter country code
  • hostname
    • Filters by text in the hostname or domain
  • net
    • Specific IP range or subnet
  • os
    • Operating system of the host
  • port
    • Port the banner was collected from
  • SSL
    • SSL certificate information (needs the SSL add-on)

Filters can be specified through the interface using the map/checkboxes. Alternatively, you can directly enter the filter text into the search box.

The map is also interactive, showing the number of scanned hosts when you mouseover a country.

example: apache country:CH –> search for all systems in Switzerland (country code CH) whose banner matches apache

Knowing what the banner returns is very helpful for finding systems you want to locate.

Other Examples :

  • apache hostname:.nist.gov
  • iis-5.0 hostname:.edu
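The filter syntax above (bare keywords plus key:value filters typed straight into the search box) is simple enough to compose and parse offline, which is useful when you script queries rather than type them. The following is an added example written for this write-up, not code from the talk or from SHODAN; it assumes that values containing spaces are wrapped in double quotes, that `net` takes CIDR notation and `country` a two-letter code, and it passes `before`/`after` through unvalidated because the page does not give their date format.

```python
"""Build and parse SHODAN-style query strings offline.

Added example for this write-up, not code from the talk or from SHODAN.
Assumptions not stated on the page: values containing spaces are wrapped
in double quotes, `net` takes CIDR notation, `country` is a two-letter
code; `before`/`after` are passed through unvalidated because the page
does not give their date format.
"""
import ipaddress
import re

# Filter names listed in the write-up.
KNOWN_FILTERS = {"after", "before", "country", "hostname", "net", "os", "port", "ssl"}

# One token: optional `key:` followed by a double-quoted phrase or a bare word.
_TOKEN = re.compile(r'(?:(\w+):)?("[^"]*"|\S+)')


def _validate(key, value):
    """Return the normalised filter value, or raise ValueError if malformed."""
    if key not in KNOWN_FILTERS:
        raise ValueError(f"unknown filter {key!r}")
    if key == "country":
        if not re.fullmatch(r"[A-Za-z]{2}", value):
            raise ValueError(f"country must be a 2-letter code, got {value!r}")
        return value.upper()
    if key == "net":
        # ipaddress rejects junk such as 10.0.0.0/33 and clears stray host bits.
        return str(ipaddress.ip_network(value, strict=False))
    if key == "port":
        port = int(value)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        return str(port)
    return value


def _quote(value):
    """Wrap a value in double quotes when it contains whitespace."""
    return f'"{value}"' if " " in value else value


def build_query(*terms, **filters):
    """Compose 'term ... key:value ...' with every filter validated first."""
    parts = [_quote(t) for t in terms]
    for key, value in filters.items():
        k = key.lower()
        parts.append(f"{k}:{_quote(_validate(k, str(value)))}")
    return " ".join(parts)


def parse_query(query):
    """Split a search string into free-text terms and a {filter: value} dict.

    Tokens with an unknown key (for example a URL's 'http:') stay plain terms.
    """
    terms, filters = [], {}
    for key, raw in _TOKEN.findall(query):
        value = raw.strip('"')
        if key and key.lower() in KNOWN_FILTERS:
            filters[key.lower()] = _validate(key.lower(), value)
        elif key:
            terms.append(f"{key}:{value}")
        else:
            terms.append(value)
    return {"terms": terms, "filters": filters}


if __name__ == "__main__":
    print(build_query("apache", country="ch"))
    print(parse_query('"default password" port:80 country:CH'))
```

Validation before the query leaves your machine matters more than it looks: a malformed `net:` or a three-letter country code silently returns zero (or the wrong) results, and with a capped export you only get one shot at a result set.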

Port filtering

  • FTP 21
  • SSH 22
  • Telnet 23
  • HTTP 80
  • SNMP 161
  • HTTPS 443 –> Requires an SSL add-on

SSL/HTTPS searches require an add-on. More information on the SHODAN homepage.

Search history is optional and disabled by default.

By creating an account you can have personal history and save searches that you wish to repeat.

Export

Can export up to 1,000 results in XML format (per the SHODAN author’s comment below, exports actually go up to 1 million hosts; 1,000 is the smallest export size)

Requires an account and an add-on

New section called Network Radar that shows newly added data.

Extended searches available with add-ons

Penetration Testing

Originally a marketing and research tool. However, things have changed.

Basic knowledge of banners and HTTP status codes is important to be able to make sense of results and to configure filters.

When searching for web servers or domains, a 200 OK status is the best result: the server returned the page without demanding authentication (compare a 401 Unauthorized, where credentials are required first).

CASE Studies

  • CISCO Devices
    • By searching for CISCO with a 200 OK, you will find devices without authentication
    • Some of these are probably test labs….. but not ALL of them!
    • 5,000 to 6,000 such systems on the internet
  • Default Passwords
    • Search for the words “default password”
    • Find… a printer accessible from the web using the default password as displayed in the headers
  • HUAWEI
    • Exclusion of all 4XX codes –> We just want 200 OK
    • Most responses were all in the same subnet
    • Lots and lots of VoIP phones public facing
    • However…. they needed a password. Most Huawei devices have easy to guess default passwords
    • Able to reconfigure the device…. even change the URL for software updates (want to load new firmware?)
  • Infrastructure Exploitation… or “How to pwn an ISP”
    • A number of CISCO devices discovered in the earlier section
    • Allow LEVEL 15 access (full admin)
    • Included 2x CISCO 3750 and direct access to a Cisco 7606 router!
    • ISP located in the US (small regional)
    • VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc…
    • SNMP server IP address and community strings
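The triage the talk describes (status code first, then the Server banner, then version) can be run over banners offline, which is how you would work through an export rather than clicking through results. The following is an added example written for this write-up, not code from the talk or from SHODAN; it covers the status-code point above and the “Cisco with a 200 OK” / “exclude all 4XX” approach of the case studies. The banners in SAMPLE_BANNERS are constructed for the example, not real search results, and LEGACY_BELOW is a constructed version threshold, not a vulnerability database.

```python
"""Triage HTTP banners offline: status code first, then Server fingerprint.

Added example for this write-up; not code from the talk or from SHODAN.
SAMPLE_BANNERS are constructed, not real results. LEGACY_BELOW is a
constructed threshold for the example, not a vulnerability database.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")
SERVER_RE = re.compile(r"^Server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
SERVER_VALUE_RE = re.compile(r"([^/\s]+)(?:/(\d+(?:\.\d+)*))?")

# product -> version below which the banner is flagged as legacy (constructed)
LEGACY_BELOW = {"microsoft-iis": (7, 0), "apache": (2, 2)}


@dataclass
class Triage:
    status: int
    product: Optional[str]
    version: Optional[Tuple[int, ...]]
    open_access: bool          # 200 OK and no WWW-Authenticate challenge
    legacy: bool               # version below the constructed threshold
    notes: List[str] = field(default_factory=list)


def parse_server(header: str):
    """'Microsoft-IIS/5.0' -> ('microsoft-iis', (5, 0)); 'cisco-IOS' -> ('cisco-ios', None)."""
    m = SERVER_VALUE_RE.match(header.strip())
    if not m:
        return None, None
    product = m.group(1).lower()
    version = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else None
    return product, version


def triage_banner(banner: str) -> Triage:
    """Classify one raw banner (status line plus headers)."""
    lines = banner.strip().splitlines()
    status_m = STATUS_RE.match(lines[0]) if lines else None
    status = int(status_m.group(1)) if status_m else 0
    server_m = SERVER_RE.search(banner)
    product, version = parse_server(server_m.group(1)) if server_m else (None, None)
    challenged = "www-authenticate:" in banner.lower()
    open_access = status == 200 and not challenged

    notes = []
    if open_access:
        notes.append("200 OK with no auth challenge: page served to anyone")
    elif status == 401:
        notes.append("401: credentials required before content is served")
    elif 400 <= status < 500:
        notes.append(f"{status}: client error, drop it as the 4XX exclusion would")

    legacy = (product in LEGACY_BELOW and version is not None
              and version < LEGACY_BELOW[product])
    if legacy:
        notes.append(f"{product} {'.'.join(map(str, version))} is below the legacy threshold")
    return Triage(status, product, version, open_access, legacy, notes)


def filter_banners(banners, product=None, status=200):
    """Emulate a 'cisco 200 OK' style query over a local list of banners."""
    hits = []
    for raw in banners:
        t = triage_banner(raw)
        if t.status == status and (product is None or (t.product or "").startswith(product.lower())):
            hits.append(t)
    return hits


# Constructed sample banners in the shape SHODAN shows for port 80.
SAMPLE_BANNERS = [
    "HTTP/1.0 200 OK\r\nDate: Mon, 02 Aug 2010 10:00:00 GMT\r\nServer: cisco-IOS\r\nContent-Type: text/html\r\n",
    "HTTP/1.0 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm=\"router\"\r\n",
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n",
    "HTTP/1.1 404 Not Found\r\nServer: Apache/2.0.52 (CentOS)\r\nContent-Type: text/html\r\n",
]

if __name__ == "__main__":
    for hit in filter_banners(SAMPLE_BANNERS, product="cisco"):
        print(hit)
```

Note the two separate signals: `open_access` comes purely from the status line and the absence of a challenge header, while `legacy` comes from the version string. A 200 OK Cisco banner is the finding the case studies describe; a 401 with the same Server header is the password-guessing situation from the Huawei case, and is only worth pursuing with explicit authorisation.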

Other interesting info

  • Some IIS searches
    • iis/5 –> 362695
    • iis/4 –> 9977
    • iis/3 –> 381
    • iis/2 –> 42
    • iis/1 –> 152
  • Wireless network cameras… with movement features
    • In Firefox you can do snapshots…
    • In IE you get an extra feature –> CONFIG!

Conclusions

Aggregates a lot of information that is not readily available elsewhere

Allows for some passive vulnerability analysis –> based on banner version information

Not going to take over the world, but a good tool for penetration testers

Links:

5 responses to “[Defcon] SHODAN for Penetration Testers”

  1. Pingback: Tweets that mention [Defcon] SHODAN for Penetration Testers « ©атсн²² (in)sесuяitу -- Topsy.com

  2. Pingback: [Defcon] Shodan For Penetration Testers (in)SUit

  3. achillean August 3, 2010 at 05:27

    You can actually export up to 1 million hosts; 1,000 is the lowest amount possible.

    And here are some more case studies performed by Chema Alonso (FOCA founder) looking into SCADA and VoIP systems:

    http://elladodelmal.blogspot.com/2010/05/shodan-y-sistemas-scada.html

    http://elladodelmal.blogspot.com/2010/05/shodan-y-ataques-telefonia-voip.html

    PS: I’m the author of shodan and available on twitter @achillean

  4. ChrisJohnRiley August 4, 2010 at 13:52

    Thanks for the confirmation, and a special thank you for SHODAN. We all appreciate your hard work!

  5. theprez98 August 5, 2010 at 02:02

    Thanks for the write-up, SHODAN is awesome 🙂
