Introduction to Shodan

Transcript

1. Introduction to Shodan Aaron Blythe

2. Thank you to our BSidesKC 2017 sponsors!

3. @ablythe From talks by Shodan Creator, John Matherly

4. Aaron Blythe (@ablythe) • Lead Organizer @devopskc @devopsdayskc

5. @ablythe

6. @ablythe John Matherly - Internet Cartographer @achillean

7. @ablythe https://www.shodan.io/

8. @ablythe Nmap https://www.youtube.com/watch?v=0PxTAn4g20U

9. @ablythe https://nmap.org/book/legal-issues.html • When used properly, Nmap helps protect your

   network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP. Reduce your risk by reading this legal guide before launching Nmap.

10. @ablythe

11. @ablythe Shodan != Nmap

12. @ablythe

13. @ablythe Banner Apache Server Siemens S7 ICS Metadata Hostname Operating

    System Geo-Location Randomized 24/7 Crawler From Data Centers around the world

14. @ablythe What is indexed? Web Servers IoT ICS Databases

15. @ablythe http://www.dogparker.com/

16. @ablythe https://singularityhub.com/2017/04/13/this-drone-is-on-a-mission-to-rid-your-city-of-dog-poop/

17. @ablythe What is indexed? Web Servers IoT ICS Databases

18. @ablythe Reports: Heartbleed https://www.shodan.io/

19. @ablythe Demo https://www.shodan.io/

20. @ablythe Heartbleed If the service is vulnerable to Heartbleed then

    the banner contains 2 additional properties. opts.heartbleed contains the raw response from running the Heartbleed test against the service. Note that for the test
 the crawlers only grab a small overflow to confirm the service is affected by Heartbleed but it doesn’t grab enough data to leak private keys. The crawlers also added CVE-2014-0160 to the opts.vulns list if the device is vulnerable. However, if the device is not vulnerable then it adds “!CVE-2014-0160”. If an entry in opts.vulns is prefixed with a ! or - then the service is not vulnerable to the given CVE. {
 "opts": { "heartbleed": "... 174.142.92.126:8443 - VULNERABLE\n", "vulns": ["CVE-2014-0160"] } } Shodan also supports searching by the vulnerability information. For example, to search Shodan for devices in the USA that are affected by Heartbleed use: country:US vuln:CVE-2014-0160

21. @ablythe Reports: Heartbleed in Kansas City

22. @ablythe Reports: Heartbleed in Overland Park

23. @ablythe

24. @ablythe “Not for novice, need technical knowledge” - John Matherly

    From: https://danielmiessler.com/study/shodan/#gs.vY0dx58

25. @ablythe Krebs On Security - Sept 2016 https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

26. @ablythe Krebs On Security - Oct 2016 https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

27. @ablythe https://www.shodan.io/explore/tag/iot

28. @ablythe Cisco Vault 7 Wikileaks Response https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco- sa-20170317-cmp

29. @ablythe Cisco Vault 7 Wikileaks Response •300+ Switch models •Put

    simply, turn off telnet

30. @ablythe Shodan search: “cisco port:23” https://www.shodan.io/search?query=product%3Acisco+port%3A23

31. @ablythe Telnet Search https://www.shodan.io/search?query=port%3A23%2C1023%2C2323

32. @ablythe Original Intent: Market Research Cisco HP

33. @ablythe https://images.shodan.io/?query=http https://www.shodan.io/host/172.113.166.53

34. @ablythe Limitations of the Free Versions • No more than

    5 pages deep on any search • No maps

35. @ablythe Cost for Individual

36. @ablythe Enterprise Access

37. @ablythe Is My Device on Shodan?

38. @ablythe Is My Device on Shodan? Currently the answer is

    likely ‘no’ Reason: Routers and IPv4 However… when IPv6?

39. @ablythe Is My Device on Shodan? http://iotscanner.bullguard.com/search

40. @ablythe Browser Plugin

41. @ablythe References • John Matherly 2016, National Cyber Summit: •

    https://www.youtube.com/watch?v=Fbjka5CfbzI • John Matherly 2014, NETEXPLO • https://www.youtube.com/watch?v=pqP0F8MAy1U

42. @ablythe https://leanpub.com/shodan

43. @ablythe Disclaimer • Use this information for positive purposes •

    Accessing or attempting to access someone else’s devices could be punishable by law • I tell you these things so you can protect your own assets

44. @ablythe

45. Help us get better! my talk http://bit.ly/BSidesKCT alkEval the conference

    http://bit.ly/ BSidesKCEventEval anything else http://bit.ly/IqT6zt Please provide feedback on…

46. http://aaronblythe.org/