Slide 1

Introduction to Shodan - Aaron Blythe

Slide 2

Thank you to our BSidesKC 2017 sponsors!

Slide 3

@ablythe From talks by Shodan creator John Matherly

Slide 4

Aaron Blythe (@ablythe) • Lead Organizer @devopskc @devopsdayskc

Slide 5

Slide 6

John Matherly - Internet Cartographer (@achillean)

Slide 7

https://www.shodan.io/

Slide 8

Nmap: https://www.youtube.com/watch?v=0PxTAn4g20U

Slide 9

https://nmap.org/book/legal-issues.html • "When used properly, Nmap helps protect your network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP. Reduce your risk by reading this legal guide before launching Nmap."

Slide 10

Slide 11

Shodan != Nmap • Nmap actively probes targets you point it at • Shodan is a search engine over banners its own crawlers have already collected, so querying it sends no packets to the target

Slide 12

Slide 13

What Shodan stores per service • Banner (e.g. an Apache web server header, a Siemens S7 ICS response) • Metadata: hostname, operating system, geo-location • Collected by a randomized crawler running 24/7 from data centers around the world

Slide 14

What is indexed? • Web servers • IoT • ICS • Databases

Slide 15

http://www.dogparker.com/

Slide 16

https://singularityhub.com/2017/04/13/this-drone-is-on-a-mission-to-rid-your-city-of-dog-poop/

Slide 17

What is indexed? • Web servers • IoT • ICS • Databases

Slide 18

Reports: Heartbleed - https://www.shodan.io/

Slide 19

Demo - https://www.shodan.io/

Slide 20

Heartbleed

If the service is vulnerable to Heartbleed then the banner contains 2 additional properties. opts.heartbleed contains the raw response from running the Heartbleed test against the service. Note that for the test the crawlers only grab a small overflow to confirm the service is affected by Heartbleed, but they don't grab enough data to leak private keys. The crawlers also add CVE-2014-0160 to the opts.vulns list if the device is vulnerable. However, if the device is not vulnerable then they add "!CVE-2014-0160". If an entry in opts.vulns is prefixed with a ! or - then the service is not vulnerable to the given CVE.

{
  "opts": {
    "heartbleed": "... 174.142.92.126:8443 - VULNERABLE\n",
    "vulns": ["CVE-2014-0160"]
  }
}

Shodan also supports searching by the vulnerability information. For example, to search Shodan for devices in the USA that are affected by Heartbleed use:

country:US vuln:CVE-2014-0160
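An added worked example (my code, not from the talk and not Shodan's own library) of applying the opts.vulns rule above to banner records: an entry that matches the CVE means the crawler tested the service and found it vulnerable, an entry prefixed with ! or - means it was tested and is not vulnerable, and no entry at all means it was never tested, which is a different answer from "safe". The banner records are constructed samples in the shape the slide quotes, using RFC 5737 documentation addresses rather than real hosts, and the function names are my own. build_query just joins Shodan filter:value pairs into the query string form the slide shows.

```python
from typing import Dict, List, Optional

# Constructed sample banners (RFC 5737 documentation addresses), shaped like the
# record quoted on the slide. They are not real Shodan results.
SAMPLE_BANNERS: List[Dict] = [
    {"ip_str": "192.0.2.10", "port": 8443,
     "opts": {"heartbleed": "... 192.0.2.10:8443 - VULNERABLE\n",
              "vulns": ["CVE-2014-0160"]}},
    {"ip_str": "192.0.2.11", "port": 443,
     "opts": {"heartbleed": "... 192.0.2.11:443 - SAFE\n",
              "vulns": ["!CVE-2014-0160"]}},
    # The '-' prefix form, which also means "tested, not vulnerable".
    {"ip_str": "192.0.2.12", "port": 443,
     "opts": {"vulns": ["-CVE-2014-0160"]}},
    # No opts.vulns at all: the crawler never ran the test against this service.
    {"ip_str": "192.0.2.13", "port": 443, "opts": {}},
]


def vuln_status(banner: Dict, cve: str) -> str:
    """Classify one banner for one CVE using Shodan's opts.vulns convention.

    Returns "vulnerable", "not_vulnerable" or "untested". A leading '!' or '-'
    on the entry means the crawler tested the service and found it NOT affected,
    which is different from the CVE simply being absent (never tested).
    """
    want = cve.strip().upper()
    for entry in banner.get("opts", {}).get("vulns", []):
        negated = entry[:1] in ("!", "-")
        if entry.lstrip("!-").upper() == want:
            return "not_vulnerable" if negated else "vulnerable"
    return "untested"


def heartbleed_raw(banner: Dict) -> Optional[str]:
    """The raw Heartbleed test output the crawler stored, if any."""
    return banner.get("opts", {}).get("heartbleed")


def vulnerable_services(banners: List[Dict], cve: str) -> List[str]:
    """ip:port of every banner positively marked vulnerable to `cve`."""
    return [f"{b['ip_str']}:{b['port']}" for b in banners
            if vuln_status(b, cve) == "vulnerable"]


def build_query(**filters: str) -> str:
    """Join Shodan search filters into a query string, e.g.
    build_query(country="US", vuln="CVE-2014-0160") -> 'country:US vuln:CVE-2014-0160'.
    Values containing spaces are quoted so the filter stays one term."""
    parts = []
    for name, value in filters.items():
        value = f'"{value}"' if " " in value else value
        parts.append(f"{name}:{value}")
    return " ".join(parts)


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b['ip_str']}:{b['port']}  {vuln_status(b, 'CVE-2014-0160')}")
    print("query:", build_query(country="US", vuln="CVE-2014-0160"))
```

The three-way result matters when you report on your own estate: a host missing from a vuln:CVE-2014-0160 search may simply never have been tested, so confirm "untested" services yourself rather than reading absence as safe.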

Slide 21

Reports: Heartbleed in Kansas City

Slide 22

Reports: Heartbleed in Overland Park

Slide 23

Slide 24

"Not for novice, need technical knowledge" - John Matherly. From: https://danielmiessler.com/study/shodan/#gs.vY0dx58

Slide 25

Krebs on Security, Sept 2016: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

Slide 26

Krebs on Security, Oct 2016: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

Slide 27

https://www.shodan.io/explore/tag/iot

Slide 28

Cisco Vault 7 / WikiLeaks response: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

Slide 29

Cisco Vault 7 / WikiLeaks response • Cluster Management Protocol (CMP) flaw, 300+ switch models affected • The bug is reached through the Telnet service, so, put simply, turn off Telnet (and manage over SSH)

Slide 30

Shodan search: product:cisco port:23 - https://www.shodan.io/search?query=product%3Acisco+port%3A23

Slide 31

Telnet search: port:23,1023,2323 (Telnet's default port plus two common alternates) - https://www.shodan.io/search?query=port%3A23%2C1023%2C2323

Slide 32

Original intent: market research (e.g. Cisco vs. HP install base)

Slide 33

https://images.shodan.io/?query=http • https://www.shodan.io/host/172.113.166.53

Slide 34

Limitations of the free version • No more than 5 pages deep on any search • No maps

Slide 35

Cost for Individual

Slide 36

Enterprise Access

Slide 37

Is My Device on Shodan?

Slide 38

Is My Device on Shodan? • Currently the answer is likely "no" • Reason: on IPv4 your devices sit behind a NAT router, so the crawler only ever reaches the router's single public address (and whatever it forwards) • However… when IPv6 gives every device its own globally routable address, that changes
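An added example (my code, not the talk's) that turns the Telnet searches on the Cisco slides and the "is my device on Shodan?" question into a check you can run against your own public address. fetch_host pulls the host record from Shodan's REST host endpoint (https://api.shodan.io/shodan/host/{ip}, which needs an API key and network access); triage_host then flags any service on the ports the slides search for, 23, 1023 and 2323, rating Cisco gear higher because of the CMP advisory. The record below is a constructed sample on an RFC 5737 address, shaped the way I understand that endpoint's response (a "data" list of per-service banners with port, transport and product fields), not real data, and the function names are mine.

```python
import json
import urllib.request
from typing import Dict, List

# Telnet's default port plus the two alternates in the slide's port:23,1023,2323 search.
TELNET_PORTS = {23, 1023, 2323}

# Constructed sample host record (RFC 5737 address). Assumed shape of the host
# endpoint's response: a "data" list of per-service banners. Not real data.
SAMPLE_HOST: Dict = {
    "ip_str": "198.51.100.7",
    "ports": [23, 80, 2323],
    "data": [
        {"port": 23, "transport": "tcp", "product": "Cisco telnetd",
         "data": "User Access Verification\r\nPassword: "},
        {"port": 80, "transport": "tcp", "product": "Apache httpd",
         "data": "HTTP/1.1 200 OK\r\n"},
        {"port": 2323, "transport": "tcp", "data": "login: "},
    ],
}


def fetch_host(ip: str, api_key: str) -> Dict:
    """Live lookup of `ip` from Shodan's host endpoint. Requires network and an API key."""
    url = f"https://api.shodan.io/shodan/host/{ip}?key={api_key}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def exposed_ports(host: Dict) -> List[int]:
    """Every port Shodan recorded a banner for on this host, sorted."""
    return sorted({svc["port"] for svc in host.get("data", [])})


def triage_host(host: Dict) -> List[Dict]:
    """One finding per Telnet-looking service, highest severity first.

    Shodan only records what its crawler could already reach, so a hit here is a
    service exposed to the whole internet, not just to the crawler.
    """
    findings = []
    for svc in host.get("data", []):
        port = svc.get("port")
        if port not in TELNET_PORTS:
            continue
        product = svc.get("product", "")
        # Cisco + Telnet is exactly the population the CMP advisory covers.
        severity = "high" if "cisco" in product.lower() else "medium"
        findings.append({
            "ip": host.get("ip_str"),
            "port": port,
            "product": product or "unknown",
            "severity": severity,
            "advice": ("disable Telnet and manage over SSH" if severity == "high"
                       else "disable Telnet or restrict it to a management network"),
        })
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], f["port"]))
    return findings


if __name__ == "__main__":
    import os
    import sys
    # With SHODAN_API_KEY set and an address on the command line, check a real
    # host; otherwise triage the constructed sample so the script runs offline.
    key = os.environ.get("SHODAN_API_KEY")
    host = fetch_host(sys.argv[1], key) if key and len(sys.argv) > 1 else SAMPLE_HOST
    print("ports:", exposed_ports(host))
    for f in triage_host(host):
        print(f"{f['severity']:6} {f['ip']}:{f['port']} {f['product']} -> {f['advice']}")
```

The official shodan CLI covers the same lookup interactively: shodan myip prints the public address the crawler would see, and shodan host <ip> prints the record this script triages. An empty result is consistent with the NAT point above; it does not prove the router is safe, only that nothing was reachable when the crawler last passed by.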

Slide 39

Is My Device on Shodan? http://iotscanner.bullguard.com/search

Slide 40

Browser plugin

Slide 41

References • John Matherly, 2016, National Cyber Summit: https://www.youtube.com/watch?v=Fbjka5CfbzI • John Matherly, 2014, NETEXPLO: https://www.youtube.com/watch?v=pqP0F8MAy1U

Slide 42

https://leanpub.com/shodan

Slide 43

Disclaimer • Use this information for positive purposes • Accessing or attempting to access someone else's devices could be punishable by law • I tell you these things so you can protect your own assets

Slide 44

Slide 45

Help us get better! Please provide feedback on… • my talk: http://bit.ly/BSidesKCTalkEval • the conference: http://bit.ly/BSidesKCEventEval • anything else: http://bit.ly/IqT6zt

Slide 46

http://aaronblythe.org/