Introduction to Shodan

Presentation at BSides KC 2017 at Think Big Partners, Downtown Kansas City on 5/20/2017

Aaron Blythe

May 20, 2017
Transcript

  1. Introduction to Shodan
    Aaron Blythe

  2. Thank you to our BSidesKC 2017 sponsors!

  3. @ablythe
    From talks by Shodan Creator, John Matherly

  4. Aaron Blythe (@ablythe)
    • Lead Organizer
    @devopskc
    @devopsdayskc

  5. @ablythe

  6. @ablythe
    John Matherly - Internet Cartographer
    @achillean

  7. @ablythe
    https://www.shodan.io/

  8. @ablythe
    Nmap
    https://www.youtube.com/watch?v=0PxTAn4g20U

  9. @ablythe
    https://nmap.org/book/legal-issues.html
    • When used properly, Nmap helps protect
    your network from invaders. But when
    used improperly, Nmap can (in rare
    cases) get you sued, fired, expelled,
    jailed, or banned by your ISP. Reduce
    your risk by reading this legal guide
    before launching Nmap.

  10. @ablythe

  11. @ablythe
    Shodan !=
    Nmap

  12. @ablythe

  13. @ablythe
    Banner
    Apache Server
    Siemens S7 ICS
    Metadata
    Hostname Operating System
    Geo-Location
    Randomized 24/7 Crawler
    From Data Centers around the world

  14. @ablythe
    What is indexed?
    Web Servers IoT ICS
    Databases

  15. @ablythe
    http://www.dogparker.com/

  16. @ablythe
    https://singularityhub.com/2017/04/13/this-drone-is-on-a-mission-to-rid-your-city-of-dog-poop/

  17. @ablythe
    What is indexed?
    Web Servers IoT ICS
    Databases

  18. @ablythe
    Reports: Heartbleed
    https://www.shodan.io/

  19. @ablythe
    Demo
    https://www.shodan.io/

  20. @ablythe
    Heartbleed
    If the service is vulnerable to Heartbleed then the banner contains 2 additional properties. opts.heartbleed
    contains the raw response from running the Heartbleed test against the service. Note that for the test
    the crawlers only grab a small overflow to confirm the service is affected by Heartbleed, but they don't
    grab enough data to leak private keys. The crawlers also add CVE-2014-0160 to the opts.vulns list if the
    device is vulnerable. However, if the device is not vulnerable then they add "!CVE-2014-0160". If an entry
    in opts.vulns is prefixed with a ! or - then the service is not vulnerable to the given CVE.
    {
      "opts": {
        "heartbleed": "... 174.142.92.126:8443 - VULNERABLE\n",
        "vulns": ["CVE-2014-0160"]
      }
    }
    Shodan also supports searching by the vulnerability information. For example, to search Shodan for devices in
    the USA that are affected by Heartbleed use:
    country:US vuln:CVE-2014-0160
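
    As an added example (not part of the deck and not Shodan's own client library), the Python below walks a set of Shodan-style banner records and applies the opts.vulns convention from this slide: a bare CVE id means the crawler confirmed the issue, a ! or - prefix means it tested the service and found it not affected, and no entry means it was never tested. The banner records, their 192.0.2.x documentation addresses and the CVE-0000-0000 placeholder id are constructed for the example; only the opts.vulns / opts.heartbleed layout comes from the slide.

```python
import json

# Constructed Shodan-style banners for the example (not real scan data).
# Addresses are RFC 5737 documentation addresses; CVE-0000-0000 is a
# placeholder id. The opts layout follows the slide: opts.heartbleed holds
# the raw test response, opts.vulns lists CVE ids with ! or - for "tested,
# not vulnerable".
SAMPLE_BANNERS = json.dumps([
    {"ip_str": "192.0.2.10", "port": 8443,
     "opts": {"heartbleed": "... 192.0.2.10:8443 - VULNERABLE\n",
              "vulns": ["CVE-2014-0160"]}},
    {"ip_str": "192.0.2.11", "port": 443,
     "opts": {"vulns": ["!CVE-2014-0160"]}},
    {"ip_str": "192.0.2.12", "port": 443,
     "opts": {"vulns": ["-CVE-2014-0160", "CVE-0000-0000"]}},
    {"ip_str": "192.0.2.13", "port": 80, "opts": {}},
])

HEARTBLEED = "CVE-2014-0160"
NOT_VULNERABLE_PREFIXES = ("!", "-")


def classify_vulns(banner):
    """Split opts.vulns into (confirmed vulnerable, tested not vulnerable)."""
    vulnerable, safe = set(), set()
    for entry in banner.get("opts", {}).get("vulns", []):
        if entry.startswith(NOT_VULNERABLE_PREFIXES):
            safe.add(entry[1:])          # strip the ! or - marker
        else:
            vulnerable.add(entry)
    return vulnerable, safe


def is_affected(banner, cve):
    """True if the crawler confirmed cve, False if it tested and found the
    service not affected, None if the banner carries no verdict for cve."""
    vulnerable, safe = classify_vulns(banner)
    if cve in vulnerable:
        return True
    if cve in safe:
        return False
    return None


def triage(banners_json, cve=HEARTBLEED):
    """Map ip:port -> 'vulnerable' / 'not_vulnerable' / 'untested' for cve."""
    labels = {True: "vulnerable", False: "not_vulnerable", None: "untested"}
    return {f"{b['ip_str']}:{b['port']}": labels[is_affected(b, cve)]
            for b in json.loads(banners_json)}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print(host, status)
```

    The same walk works on a banner export of your own address space: anything marked vulnerable is the list to patch, and anything untested has simply not been checked by the crawler yet.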

  21. @ablythe
    Reports: Heartbleed in Kansas City

  22. @ablythe
    Reports: Heartbleed in Overland Park

  23. @ablythe

  24. @ablythe
    “Not for novice, need technical knowledge”
    - John Matherly
    From: https://danielmiessler.com/study/shodan/#gs.vY0dx58

  25. @ablythe
    Krebs On Security - Sept 2016
    https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

  26. @ablythe
    Krebs On Security - Oct 2016
    https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

  27. @ablythe
    https://www.shodan.io/explore/tag/iot

  28. @ablythe
    Cisco Vault 7 Wikileaks Response
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

  29. @ablythe
    Cisco Vault 7 Wikileaks Response
    • 300+ Switch models
    • Put simply, turn off telnet

  30. @ablythe
    Shodan search:
    “cisco port:23”
    https://www.shodan.io/search?query=product%3Acisco+port%3A23

  31. @ablythe
    Telnet Search
    https://www.shodan.io/search?query=port%3A23%2C1023%2C2323

  32. @ablythe
    Original Intent: Market Research
    Cisco HP

  33. @ablythe
    https://images.shodan.io/?query=http
    https://www.shodan.io/host/172.113.166.53

  34. @ablythe
    Limitations of the Free Versions
    • No more than 5 pages deep on any
    search
    • No maps

  35. @ablythe
    Cost for Individual

  36. @ablythe
    Enterprise Access

  37. @ablythe
    Is My Device on Shodan?

  38. @ablythe
    Is My Device on Shodan?
    Currently the answer is likely ‘no’
    Reason: Routers and IPv4
    However… when IPv6?

  39. @ablythe
    Is My Device on Shodan?
    http://iotscanner.bullguard.com/search

  40. @ablythe
    Browser Plugin

  41. @ablythe
    References
    • John Matherly 2016, National Cyber Summit:
    • https://www.youtube.com/watch?v=Fbjka5CfbzI
    • John Matherly 2014, NETEXPLO
    • https://www.youtube.com/watch?v=pqP0F8MAy1U

  42. @ablythe
    https://leanpub.com/shodan

  43. @ablythe
    Disclaimer
    • Use this information for positive purposes
    • Accessing or attempting to access someone
    else’s devices could be punishable by law
    • I tell you these things so you can protect your
    own assets

  44. @ablythe

  45. Help us get better!
    Please provide feedback on…
    my talk: http://bit.ly/BSidesKCTalkEval
    the conference: http://bit.ly/BSidesKCEventEval
    anything else: http://bit.ly/IqT6zt

  46. http://aaronblythe.org/
