Introduction to Shodan

Presentation at BSides KC 2017 at Think Big Partners, Downtown Kansas City on 5/20/2017

Aaron Blythe

May 20, 2017

Transcript

  1. Introduction to Shodan Aaron Blythe

  2. Thank you to our BSidesKC 2017 sponsors!

  3. @ablythe From talks by Shodan Creator, John Matherly

  4. Aaron Blythe (@ablythe) • Lead Organizer @devopskc @devopsdayskc

  5. @ablythe

  6. @ablythe John Matherly - Internet Cartographer @achillean

  7. @ablythe https://www.shodan.io/

  8. @ablythe Nmap https://www.youtube.com/watch?v=0PxTAn4g20U

  9. @ablythe https://nmap.org/book/legal-issues.html • When used properly, Nmap helps protect your network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP. Reduce your risk by reading this legal guide before launching Nmap.

  10. @ablythe

  11. @ablythe Shodan != Nmap

  12. @ablythe

  13. @ablythe Banner: Apache Server, Siemens S7 ICS • Metadata: Hostname, Operating System, Geo-Location • Randomized 24/7 crawler from data centers around the world

  14. @ablythe What is indexed? Web Servers IoT ICS Databases

  15. @ablythe http://www.dogparker.com/

  16. @ablythe https://singularityhub.com/2017/04/13/this-drone-is-on-a-mission-to-rid-your-city-of-dog-poop/

  17. @ablythe What is indexed? Web Servers IoT ICS Databases

  18. @ablythe Reports: Heartbleed https://www.shodan.io/

  19. @ablythe Demo https://www.shodan.io/

  20. @ablythe Heartbleed If the service is vulnerable to Heartbleed then the banner contains 2 additional properties. opts.heartbleed contains the raw response from running the Heartbleed test against the service. Note that for the test the crawlers only grab a small overflow to confirm the service is affected by Heartbleed, but it doesn’t grab enough data to leak private keys. The crawlers also add CVE-2014-0160 to the opts.vulns list if the device is vulnerable. However, if the device is not vulnerable then it adds “!CVE-2014-0160”. If an entry in opts.vulns is prefixed with a ! or - then the service is not vulnerable to the given CVE.

    {
      "opts": {
        "heartbleed": "... 174.142.92.126:8443 - VULNERABLE\n",
        "vulns": ["CVE-2014-0160"]
      }
    }

    Shodan also supports searching by the vulnerability information. For example, to search Shodan for devices in the USA that are affected by Heartbleed use: country:US vuln:CVE-2014-0160
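
The slide above describes how a Shodan banner encodes a Heartbleed test result: a plain CVE id in opts.vulns means the test was positive, a leading ! or - means the host was tested and is not vulnerable, and a host with no entry at all was never tested. The three cases are easy to conflate when filtering scan exports, so here is an added example (written for this page, not code from the talk, from Shodan, or from its client library) that reads banner records in that shape, classifies each host for a given CVE, and assembles a filter query such as the country:US vuln:CVE-2014-0160 search on the slide. The banner records, IP addresses and ports below are constructed placeholders, not real scan data; only the opts.heartbleed / opts.vulns layout is taken from the slide.

```python
"""Classify Shodan banners by opts.vulns entries and build filter queries.

Added example for the Heartbleed slide; not Shodan's own code. It assumes
the banner layout the slide describes: opts.vulns holds CVE ids, where a
bare id means "tested, vulnerable" and a '!' or '-' prefix means "tested,
not vulnerable". Hosts with no matching entry are treated as untested.
"""
from typing import Dict, Iterable, List

HEARTBLEED = "CVE-2014-0160"

# Constructed sample banners in the shape of Shodan host records.
# Addresses come from the documentation range 198.51.100.0/24.
SAMPLE_BANNERS: List[Dict] = [
    {"ip_str": "198.51.100.10", "port": 8443,
     "opts": {"heartbleed": "... 198.51.100.10:8443 - VULNERABLE\n",
              "vulns": ["CVE-2014-0160"]}},
    {"ip_str": "198.51.100.11", "port": 443,
     "opts": {"heartbleed": "... 198.51.100.11:443 - SAFE\n",
              "vulns": ["!CVE-2014-0160"]}},
    {"ip_str": "198.51.100.12", "port": 443,
     "opts": {"vulns": ["-CVE-2014-0160", "CVE-2015-0204"]}},
    {"ip_str": "198.51.100.13", "port": 23,
     "opts": {}},                               # opts present, never tested
    {"ip_str": "198.51.100.14", "port": 443},   # no opts key at all
]


def vuln_status(banner: Dict, cve: str) -> str:
    """Return 'vulnerable', 'not_vulnerable' or 'untested' for one CVE.

    Comparison is case-insensitive. A '!' or '-' prefix on an entry marks a
    negative test result; any other entry with that id is a positive one.
    """
    cve = cve.upper()
    vulns: Iterable[str] = (banner.get("opts") or {}).get("vulns") or []
    status = "untested"
    for entry in vulns:
        negated = entry[:1] in ("!", "-")
        name = entry.lstrip("!-").upper()
        if name != cve:
            continue
        if not negated:
            # A positive hit wins if a record somehow carries both forms.
            return "vulnerable"
        status = "not_vulnerable"
    return status


def affected_hosts(banners: Iterable[Dict], cve: str) -> List[str]:
    """ip:port of every banner that tested positive for `cve`."""
    return [f"{b['ip_str']}:{b['port']}" for b in banners
            if vuln_status(b, cve) == "vulnerable"]


def build_query(**filters: str) -> str:
    """Assemble a Shodan filter string from key=value pairs.

    build_query(country="US", vuln="CVE-2014-0160") gives
    'country:US vuln:CVE-2014-0160', the search shown on the slide.
    Values containing spaces are double-quoted so they stay one term.
    """
    parts = []
    for key, value in filters.items():
        value = str(value)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{key}:{value}")
    return " ".join(parts)


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b["ip_str"], b["port"], vuln_status(b, HEARTBLEED))
    print("affected:", affected_hosts(SAMPLE_BANNERS, HEARTBLEED))
    print("query:", build_query(country="US", vuln=HEARTBLEED))
```

The important design choice is the three-way result: a script that only checks whether "CVE-2014-0160" appears as a substring in opts.vulns would count the !CVE-2014-0160 hosts as vulnerable, and one that only checks for exact matches would silently lump the never-tested hosts together with the confirmed-safe ones. The same function works for any CVE id that uses the prefix convention, not just Heartbleed.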
  21. @ablythe Reports: Heartbleed in Kansas City

  22. @ablythe Reports: Heartbleed in Overland Park

  23. @ablythe

  24. @ablythe “Not for novice, need technical knowledge” - John Matherly • From: https://danielmiessler.com/study/shodan/#gs.vY0dx58

  25. @ablythe Krebs On Security - Sept 2016 https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

  26. @ablythe Krebs On Security - Oct 2016 https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

  27. @ablythe https://www.shodan.io/explore/tag/iot

  28. @ablythe Cisco Vault 7 Wikileaks Response https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

  29. @ablythe Cisco Vault 7 Wikileaks Response • 300+ switch models • Put simply, turn off telnet

  30. @ablythe Shodan search: “cisco port:23” https://www.shodan.io/search?query=product%3Acisco+port%3A23

  31. @ablythe Telnet Search https://www.shodan.io/search?query=port%3A23%2C1023%2C2323

  32. @ablythe Original Intent: Market Research Cisco HP

  33. @ablythe https://images.shodan.io/?query=http https://www.shodan.io/host/172.113.166.53

  34. @ablythe Limitations of the Free Version • No more than 5 pages deep on any search • No maps

  35. @ablythe Cost for Individual

  36. @ablythe Enterprise Access

  37. @ablythe Is My Device on Shodan?

  38. @ablythe Is My Device on Shodan? Currently the answer is likely ‘no’. Reason: home devices sit behind a NAT router and share its single public IPv4 address, so the crawler only sees the router. However… what happens when IPv6 gives every device its own public address?

  39. @ablythe Is My Device on Shodan? http://iotscanner.bullguard.com/search

  40. @ablythe Browser Plugin

  41. @ablythe References • John Matherly 2016, National Cyber Summit: https://www.youtube.com/watch?v=Fbjka5CfbzI • John Matherly 2014, NETEXPLO: https://www.youtube.com/watch?v=pqP0F8MAy1U

  42. @ablythe https://leanpub.com/shodan

  43. @ablythe Disclaimer • Use this information for positive purposes • Accessing or attempting to access someone else’s devices could be punishable by law • I tell you these things so you can protect your own assets

  44. @ablythe

  45. Help us get better! Please provide feedback on… • my talk: http://bit.ly/BSidesKCTalkEval • the conference: http://bit.ly/BSidesKCEventEval • anything else: http://bit.ly/IqT6zt

  46. http://aaronblythe.org/