Slide 1

Slide 1 text

WEAPONISING SHODAN FOR FUN AND PROFIT By Jeya Seelan S KNOW HOW EP 1

Slide 2

Slide 2 text

WHO AM I?
Jeya Seelan
- Security Researcher focusing on Offensive Security
- Co-Lead at WAP Chennai
- Lazy Bug Hunter

Slide 3

Slide 3 text

AGENDA
- SHODAN 101
- DEMO TIME
- SEARCH QUERY FUNDAMENTALS
- HOW SHODAN WORKS?
- ACCESSING SHODAN
- SEARCH USING HASHES
- QUESTION TIME

Slide 4

Slide 4 text

Shodan is a search engine for Internet-connected devices. It is completely different from normal search engines such as Google, Yahoo, etc. A normal web search engine crawls and indexes only websites.

Slide 5

Slide 5 text

Shodan scans the whole Internet and indexes the services and metadata that are publicly accessible on each and every IP address. Shodan gathers information about all devices directly connected to the Internet, from small desktops up to nuclear power plants.

Slide 6

Slide 6 text

How Shodan Works? A Distributed Banner Grabber
Banner grabbing is the art of gathering metadata about a system or a service. Shodan uses large and widely distributed banner grabbers (aka crawlers) that scan all possible IP addresses and ports.
FYI:
- IPv4 addresses - 4,294,967,296
- Ports - 65535

Slide 7

Slide 7 text

How Shodan Works? Example Banner Grabbing

Slide 8

Slide 8 text

How Shodan Works? Crawlers Algorithm
1. Generate a random IPv4 address
2. Generate a random port to test from the list of ports that Shodan understands
3. Check the random IPv4 address on the random port and grab a banner
4. Goto 1

Slide 9

Slide 9 text

How Shodan Works? Meta Data Gathering
In addition to banner grabbing techniques, Shodan also collects and indexes metadata about a particular IP and its services. These are:
- Hostname
- ASN Number
- Organisation Info
- ISP Details
- IP Uptime
- SSL Properties
- SSH Properties
- Location Details
- Product details
- HTML Details

Slide 10

Slide 10 text

SEARCH QUERY FUNDAMENTALS
By default, when you search in Shodan it searches only the banner text, not the metadata. To search the metadata, you use search filters.
Eg: If you search for Tesla, it will search the banners for that text, not for the assets owned by Tesla.

Slide 11

Slide 11 text

SEARCH QUERY FUNDAMENTALS
Filters
Filters are used to narrow down the search results. Let's see some filters:
- org: shows results for the organization that owns the IP. Ex: org:"Google Inc"
- inet: shows results under the given IP range. Ex: inet:69.36.132.0/24

Slide 12

Slide 12 text

SEARCH QUERY FUNDAMENTALS
- os: Filters based upon operating system. Ex: os: Ubuntu
- vuln: Filters based on CVE-ID. Ex: vuln: CVE-
- product: Filters results about a specific product
- http.title: Shows matching HTTP title
- ssl: Searches SSL data

Slide 13

Slide 13 text

ACCESSING SHODAN: 3 DIFFERENT WAYS
- WEB INTERFACE
- SHODAN CLI
- SHODAN API
easy_install shodan

Slide 14

Slide 14 text

DEMO TIME

Slide 15

Slide 15 text

DISCLAIMER !!! All the Upcoming Demos are for Informational and Educational purposes only. The author is not Responsible for any misuse of the given information.

Slide 16

Slide 16 text

EXAMPLES
TESLA ENERGY STATION
http.title:"Tesla Energy"
http.title:"Tesla PowerPack System"

Slide 17

Slide 17 text

EXAMPLES
WIND TURBINES
http.title:"Nordex Control"
3D PRINTERS
title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

Slide 18

Slide 18 text

EXAMPLES
MONGODB DATABASE
"Set-Cookie: mongo-express=" "200 OK"
ELECTRONIC BILLBOARDS
"Server: Prismview Player"

Slide 19

Slide 19 text

EXAMPLES
WEBCAMS
("webcam 7" OR "webcamXP") http.component:"mootools" -401
OPEN FTP SERVERS
"220" "230 Login successful." port:21

Slide 20

Slide 20 text

EXAMPLES
PRINTERS
"Serial Number:" "Built:" "Server: HP HTTP"
There are endless possibilities for what you can find on Shodan, as the results depend upon what you search for and how you use the filters.

Slide 21

Slide 21 text

SEARCH USING HASHES
Every banner contains a hash property, which is a numeric hash. This can be used to search for related hosts with the same hash value. Some of the commonly used methods are:
- FAVICON HASH
- HTML HASH
- SECURITY TXT HASH

Slide 22

Slide 22 text

FAVICON HASH
A favicon, also known as a shortcut icon or website icon, is an icon associated with a particular website or web page. These icons are present on every site. By calculating the hash value of a favicon, we can find more related assets.

Slide 23

Slide 23 text

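FAVICON HASH
PYTHON CODE

    import codecs

    import mmh3
    import requests

    # Download the favicon; the timeout keeps the script from hanging on a dead host
    response = requests.get('https://www.google.com/favicon.ico', timeout=10)
    response.raise_for_status()
    # Base64-encode the raw bytes (the codec inserts a newline every 76 characters)
    favicon = codecs.encode(response.content, "base64")
    # MurmurHash3 (32-bit, signed) of the base64 text is the favicon hash
    favicon_hash = mmh3.hash(favicon)
    print(favicon_hash)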
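
The favicon-hash calculation from this slide, written with only the standard library so it runs offline, and applied to an asset-inventory question: which hosts serve our icon but are missing from our own inventory? This is an added example, not code from the original deck; the icon bytes, host names and function names are constructed placeholders, and the hand-written MurmurHash3 routine stands in for the mmh3 package.

```python
import base64

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned as an unsigned integer."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def scramble(k: int) -> int:
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        return (k * c2) & mask

    h = seed & mask
    body = len(data) - len(data) % 4
    for i in range(0, body, 4):           # full 4-byte little-endian blocks
        h ^= scramble(int.from_bytes(data[i:i + 4], "little"))
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    if body < len(data):                  # 1-3 trailing bytes
        h ^= scramble(int.from_bytes(data[body:], "little"))
    h ^= len(data)                        # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    return h ^ (h >> 16)

def favicon_hash(icon: bytes) -> int:
    """Hash the newline-wrapped base64 text; return it as a signed 32-bit value."""
    h = murmur3_32(base64.encodebytes(icon))  # same bytes as codecs.encode(x, "base64")
    return h - (1 << 32) if h & 0x80000000 else h

def unlisted_hosts(icons, inventory, observed):
    """Hosts that present one of our icons but are absent from the inventory."""
    ours = {favicon_hash(icon) for icon in icons}
    return [host for host, h in observed if h in ours and host not in inventory]

# Constructed sample data: placeholder bytes stand in for a real .ico file.
ICON = b"\x00\x00\x01\x00" + bytes(range(200))
INVENTORY = {"www.example.test", "shop.example.test"}
OBSERVED = [  # (host, favicon hash) pairs, as a search export might list them
    ("www.example.test", favicon_hash(ICON)),
    ("old-staging.example.test", favicon_hash(ICON)),
    ("unrelated.example.test", favicon_hash(b"another icon")),
]

if __name__ == "__main__":
    print("http.favicon.hash:%d" % favicon_hash(ICON))
    print(unlisted_hosts([ICON], INVENTORY, OBSERVED))
```

The base64 step must keep the line breaks that codecs.encode inserts; hashing unwrapped base64 (base64.b64encode) gives a different number that will not match an indexed favicon hash.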

Slide 24

Slide 24 text

FOR FURTHER REFERENCES
1. https://github.com/jakejarvis/awesome-shodan-queries
2. https://developer.shodan.io/
3. https://www.amazon.in/Complete-Guide-Shodan-Visualize-Intelligence-ebook/dp/B01CDIU880

Slide 25

Slide 25 text

QUESTIONS TIME

Slide 26

Slide 26 text

Reach me on ! @j.e.y.a_s.e.e.l.a.n @jeyaseelans @jeyaseelans86 @dramatic_admin

Slide 27

Slide 27 text

THANK YOU ! TEAM WE ARE PLYMOUTHS