Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


Shodan HTTP Header Survey

After a few months of back and forth, the first stage of our HTTP Header research is now live on the Shodan website.

A survey of Alexa’s top 10,000 websites on the Internet was conducted to measure the usage of security-related HTTP headers, mobile awareness and potential information leakage.

The HTTP Header Survey includes analysis of the top 10,000 websites using techniques I initially discussed with the UA-Tester tool. By gathering information on the top 10,000 websites we can begin to examine the different responses and usage of HTTP headers, including those specifically designed to assist in securing sites and browsers from attack.

The initial report covers some of the findings from this research, including the usage of security-related headers such as:

  • X-XSS-Protection
  • X-Frame-Options
  • Access-Control-Allow-Origin
  • Strict-Transport-Security (where possible)


We also touch on some of the more interesting responses from servers that expose information regarding the background infrastructure, server types and software versions in use.
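As an added example (mine, not the survey's own tooling or data), a small Python script that applies the same idea to a handful of constructed responses: it tallies the security-related headers listed above and flags Server/X-Powered-By values that embed a version number. The sample responses are made up for illustration.

```python
from collections import Counter

# Headers the survey counts as security-related (names are case-insensitive).
SECURITY_HEADERS = ("x-xss-protection", "x-frame-options",
                    "access-control-allow-origin", "strict-transport-security")
# Headers that commonly disclose server type or software version.
LEAKY_HEADERS = ("server", "x-powered-by")


def parse_response(raw):
    """Split a raw HTTP response head into (status code, headers dict).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def survey(responses):
    """Count how many responses set each security header and collect
    Server/X-Powered-By values that carry a version number."""
    present = Counter()
    leaks = []
    for raw in responses:
        _, headers = parse_response(raw)
        for name in SECURITY_HEADERS:
            if name in headers:
                present[name] += 1
        for name in LEAKY_HEADERS:
            value = headers.get(name, "")
            if any(ch.isdigit() for ch in value):  # a digit hints at a version
                leaks.append((name, value))
    return {"hosts": len(responses), "present": dict(present), "leaks": leaks}


# Constructed sample responses, not data from the survey.
SAMPLES = [
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nServer: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\nLocation: https://example.test/\r\n\r\n",
]
```

Run `survey(SAMPLES)` against your own captured responses to see which of the surveyed headers your sites set and which headers leak a version string.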

The data we’ve gathered still has a lot of secrets to give, but analysis takes time, and we wanted to get this first stage out in the public eye for comments and feedback. We also wanted to provide a direct link to the data we’ve collected to allow you to do your own analysis should you wish.

We hope you find the information useful.


[Defcon] SHODAN for Penetration Testers

SHODAN for Penetration Testers – Michael “theprez98” Schearer

What is SHODAN?

SHODAN is a search engine designed to crawl servers and gather banner information from specific ports.

A search engine of banners instead of content.

We can use this information to fingerprint the type and/or version of a system.

Basic Operations

Accessible through the website –> http://www.shodanhq.com

There are also a number of browser add-ons that allow you to search directly from a browser without using the main interface.

The search engine supports standard things such as boolean operators, as you’d expect

Login –> Either a free access search (a few features restricted) or create an account for full access.

Filters

Typing “CISCO” into SHODAN will come up with a lot of results. To filter this, you can use specific filtering values.

  • after/before
    • Limit results by date
  • country
    • 2 letter country code
  • hostname
    • Filters by text in the hostname or domain
  • net
    • Specific IP range or subnet
  • os
  • port
  • SSL

Filters can be specified through the interface using the map/checkboxes. Alternatively, you can directly enter the filter text into the search box.

The map is also interactive, showing the number of scanned hosts when you mouseover a country.

example: apache country:CH –> search for all systems in CH with the match on apache

Knowing what the banner returns is very helpful for finding systems you want to locate.

Other Examples :

  • apache hostname:.nist.gov
  • iis-5.0 hostname:.edu
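An added example (mine, not from the talk or from Shodan itself): a Python parser for the filter syntax above that splits a query into free-text terms and validated filters, so a malformed country code, subnet or port is caught before a query is ever sent. The day/month/year format assumed for after/before is an assumption, as is the choice to keep unknown filters as plain terms.

```python
import ipaddress
import shlex
from datetime import datetime


def _country(value):
    """Shodan country filter: a 2-letter code, normalised to upper case."""
    if len(value) != 2 or not value.isalpha():
        raise ValueError("country must be a 2-letter code")
    return value.upper()


def _net(value):
    """IP range or subnet; ipaddress rejects garbage and normalises CIDR."""
    return str(ipaddress.ip_network(value, strict=False))


def _port(value):
    port = int(value)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return port


def _date(value):
    # Assumed dd/mm/yyyy input; returned as ISO for easier comparison.
    return datetime.strptime(value, "%d/%m/%Y").date().isoformat()


# Filters named in the notes, each mapped to a validator/normaliser.
FILTERS = {
    "country": _country, "net": _net, "port": _port,
    "hostname": str, "os": str, "after": _date, "before": _date,
}


def parse_query(query):
    """Return (terms, filters) for a query such as 'apache country:CH port:80'.
    shlex keeps quoted phrases like "default password" as one term."""
    terms, filters = [], {}
    for token in shlex.split(query):
        name, sep, value = token.partition(":")
        if sep and name.lower() in FILTERS:
            filters[name.lower()] = FILTERS[name.lower()](value)
        else:
            terms.append(token)  # free text (or an unknown filter) is searched as-is
    return terms, filters
```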

Port filtering

  • FTP 21
  • SSH 22
  • Telnet 23
  • HTTP 80
  • SNMP 161
  • HTTPS 443 –> Requires an SSL add-on

The SSL/HTTPS searches require an add-on. More information is on the SHODAN homepage.

Search history is optional and disabled by default

By creating an account you can have personal history and save searches that you wish to repeat.

Export

Can export up to 1,000 results in XML format

Requires an account, and add-on

New section called Network Radar that shows newly added data.

Extended searches available with add-ons

Penetration Testing

Originally a marketing and research tool. However things have changed.

Basic knowledge of banners and status codes is important to be able to make sense of results and configure filters.

When searching for web-servers or domains, a 200 OK message is the best result as no further authentication is required to access the page.

CASE Studies

  • CISCO Devices
    • By searching for CISCO with a 200 OK, you will find devices without authentication
    • Some of these are probably test labs….. but not ALL of them!
    • 5-6,000 of such systems on the internet
  • Default Passwords
    • Search for the words “default password”
    • Find… a printer accessible from the web using the default password as displayed in the headers
  • Huawei
    • Exclusion of all 4XX codes –> We just want 200 OK
    • Most responses were all in the same subnet
    • Lots and lots of VoIP phones public facing
    • However…. they needed a password. Most Huawei devices have easy-to-guess default passwords
    • Able to reconfigure the device…. even change the URL for software updates (want to load new firmware?)
  • Infrastructure Exploitation… or “How to pwn an ISP”
    • A number of CISCO devices discovered in the earlier section
    • Allow LEVEL 15 access (full admin)
    • Included 2x CISCO 3750 and direct access to a Cisco 7606 router!
    • ISP located in the US (small regional)
    • VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc…
    • SNMP server IP address and community strings

Other interesting info

  • Some IIS searches
    • iis/5 –> 362695
    • iis/4 –> 9977
    • iis/3 –> 381
    • iis/2 –> 42
    • iis/1 –> 152
  • Wireless network cameras… with movement features
    • In Firefox you can do snapshots..
    • In IE you get an extra feature –> CONFIG!

Conclusions

Aggregates a lot of information not already available

Allows for some passive vulnerability analysis –> based on banner version information

Not going to take over the world, but a good tool for penetration testers
