Shodan - Google's dark twin



A source

S in IoT stands for Security
We have already written about Shodan more than once, including here. I would like to suggest once again running through the capabilities of this wonderful tool and the principles of its operation. I want to make a reservation right away that the situation with this search engine is quite classic for researchers in the field of information security - the tool can be used both with good intentions and strongly outside the law.



Disclamer:

Using the search engine itself is not punishable. Successfully entering an open control panel of an oil terminal node somewhere in Singapore and experimenting with opening the dampers are already punishable. Unfriendly people can come and knock. Therefore, be prudent and respect other people's space. We are against using Shodan for anything other than research purposes or analyzing our own systems.



I propose to once again go through the capabilities of this search engine, the peculiarities of its syntax and try to find something interesting. And let's not print War and Peace on other people's network printers.



People are careless



Channels became gigabit, tools like ZMap appeared, which allow scanning the entire array of IPv4 addresses in a few minutes. And still, there are still a lot of people who are sincerely sure that if you do not tell anyone about the raised service, then you can not bother with its protection.



Unfortunately, very quickly, first, automatic bots will come to you, and then real people, if something interesting is found. I forgot to turn off vsftpd in due time, which I raised for a while. As a result, a month later, I was surprised to notice that text files with spam, some small encrypted archives, and similar joys regularly appear and disappear inside.



If the problem were limited to junior admins and ordinary people who can forgive some carelessness and lack of qualifications, then I simply cannot justify companies that deliberately embed backdoors into their hardware products. The popular Hikvision and Dahua IP cameras are classic examples . There were similar stories with D-link routers, Huawei and other manufacturers.



And with the advent of the Internet-of-Things, with its “safe” approaches to implementation, everything becomes completely sad. Here you have smart bulbs without passwords that work with the external Internet via HTTP. Or even robotic vacuum cleaners that will be used to attack your internal infrastructure, as happened with Dongguan Diqee... It's generally fun - the vulnerabilities CVE-2018-10987 and CVE-2018-10988 allowed getting root rights, taking over control of the device, driving to the desired point and receiving an image from the device's infrared camera.





A similar story happened with LG Hom-Bot , where an attacker could intercept control and use an innocent vacuum cleaner as a point to invade someone else's network.



How Shodan Works



Things changed a lot when Shodan came along. Well, okay, in fact, everything remained the same leaky, but at least there was an opportunity to assess the scale of a particular disaster and try to reach the vendor to close the vulnerability. Shodan is essentially a hybrid of nmap -sV across the entire IPv4 range and search engine results. Crawlers scrupulously scan the entire Internet, try to connect to open ports, and fingerprint the service behind these ports.





An example of a search result for "vuln: cve-2014-0160".



In combination with search, this makes it possible to quickly estimate the number of vulnerable software versions after the publication of the next vulnerability.



The data for each post is stored in a structure that the developers call banner. This is how it looks:



{
    "data": "Moxa Nport Device
            Status: Authentication disabled
            Name: NP5232I_4728
            MAC: 00:90:e8:47:10:2d",
    "ip_str": "46.252.132.235",
    "port": 4800,
    "org": "Starhub Mobile",
    "location": {
        "country_code": "SG"
    }
}


Depending on the amount of information received, a banner can contain many more fields that can be filtered and searched. By default, only the data field is searched, which is partly for security reasons. The data field will be very different in different banners, depending on the type of application, server or device.



HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive


This is what a typical data field for an HTTP server would look like. You can see the main parameters and version.



Copyright: Original Siemens Equipment
PLC name: S7_Turbine
Module type: CPU 313C
Unknown (129): Boot Loader           A
Module: 6ES7 313-5BG04-0AB0  v.0.3
Basic Firmware: v.3.3.8
Module name: CPU 313C
Serial number of module: S Q-D9U083642013
Plant identification: 
Basic Hardware: 6ES7 313-5BG04-0AB0  v.0.3


And this is how a much more unusual industrial controller Siemens S7 looks like. At this stage, it already becomes a little scary from what devices can stick around the Internet and get into search results. On the other hand, security through obscurity hasn't helped anyone yet.



A typical use case assumes that you give a general query to the data field, and then refine your search with numerous filters. The format of the request looks something like this:



nuclear reactor filtername1:value filtername2:value filtername3:value


Note that there is no space after the colon. In this case, at first, all records containing "nuclear reactor" in the general data field will be selected, and then all the listed filters will be applied sequentially to narrow the search objects.



A complete list of filters is available here . At the same time, some part is available only for paid accounts, for example "tag" and "vuln".



Trying to search





Let's try something like a door controller.





It's wonderful. Now let's look at all the HID VertX controllers owned by Spectrum Business.



door controller org:"Spectrum Business"


After that, by clicking on a specific host, a brief summary of the data collected on it is expanded. Or you can see the full output of the raw data.



Raw data by 70.62.170.218
Property Name 	Value
area_code 	null
asn 	AS10796
city 	Garfield Heights
country_code 	US
country_code3 	null
country_name 	United States
data.0._shodan.crawler 	4aca62e44af31a464bdc72210b84546d570e9365
data.0._shodan.id 	e85c3c1b-54ff-4194-8dc1-311da6851e5d
data.0._shodan.module 	http
data.0._shodan.options.referrer 	5ee031c4-75c3-423f-99b8-5c06dd97cf14
data.0._shodan.ptr 	True
data.0.data 	
data.0.domains 	['rr.com']
data.0.hash 	0
data.0.hostnames 	['rrcs-70-62-170-218.central.biz.rr.com']
data.0.http.host 	70.62.170.218
data.0.http.html 	null
data.0.http.html_hash 	null
data.0.http.location 	/
data.0.http.redirects 	[]
data.0.http.robots 	null
data.0.http.robots_hash 	null
data.0.http.securitytxt 	null
data.0.http.securitytxt_hash 	null
data.0.http.server 	null
data.0.http.sitemap 	null
data.0.http.sitemap_hash 	null
data.0.http.title 	null
data.0.port 	443
data.0.timestamp 	2020-09-02T15:26:31.443605
data.0.transport 	tcp
data.1._shodan.crawler 	4aca62e44af31a464bdc72210b84546d570e9365
data.1._shodan.id 	458e8be2-04df-4db7-8499-8e378792584e
data.1._shodan.module 	http
data.1._shodan.ptr 	True
data.1.data 	HTTP/1.1 301 Moved Permanently Location: https://70.62.170.218:443/ Content-Length: 0 Date: Wed, 02 Sep 2020 15:26:23 GMT Server: HID-Web
data.1.domains 	['rr.com']
data.1.hash 	-788227878
data.1.hostnames 	['rrcs-70-62-170-218.central.biz.rr.com']
data.1.http.host 	70.62.170.218
data.1.http.html 	
data.1.http.html_hash 	0
data.1.http.location 	/
data.1.http.redirects 	[]
data.1.http.robots 	null
data.1.http.robots_hash 	null
data.1.http.securitytxt 	null
data.1.http.securitytxt_hash 	null
data.1.http.server 	HID-Web
data.1.http.sitemap 	null
data.1.http.sitemap_hash 	null
data.1.http.title 	null
data.1.port 	80
data.1.timestamp 	2020-09-02T15:26:24.253885
data.1.transport 	tcp
data.2._shodan.crawler 	70752434fdf0dcec35df6ae02b9703eaae035f7d
data.2._shodan.id 	b7f280e3-cffc-4ddd-aa4b-1f9cd9e4d2be
data.2._shodan.module 	vertx-edge
data.2._shodan.ptr 	True
data.2.data 	HID VertX/ Edge door controller MAC: 00:06:8E:41:AB:81 Name: EdgeEHS400 Internal IP: 70.62.170.218 Type: EHS400 Firmware Version: 2.1.1.101 Firmware Date: 2018-05-03-11
data.2.domains 	[]
data.2.hash 	-764264635
data.2.hostnames 	[]
data.2.opts.raw 	646973636f76657265643b3039313b30303a30363a38453a34313a41423a38313b456467654548533430303b37302e36322e3137302e3231383b313b4548533430303b322e312e312e3130313b323031382d30352d30332d31313b
data.2.port 	4070
data.2.tags 	['ics']
data.2.timestamp 	2020-08-26T20:59:09.260224
data.2.transport 	udp
data.2.vertx.firmware_data 	2018-05-03-11
data.2.vertx.firmware_version 	2.1.1.101
data.2.vertx.internal_ip 	70.62.170.218
data.2.vertx.mac 	00:06:8E:41:AB:81
data.2.vertx.name 	EdgeEHS400
data.2.vertx.type 	EHS400
data.3._shodan.crawler 	4aca62e44af31a464bdc72210b84546d570e9365
data.3._shodan.id 	43663d5e-db76-4cba-8f14-6c1bf417ddd3
data.3._shodan.module 	ntp
data.3._shodan.ptr 	True
data.3.data 	NTP protocolversion: 3 stratum: 3 leap: 0 precision: -17 rootdelay: 0.108978271484 rootdisp: 0.162017822266 refid: 1209934681 reftime: 3807379353.45 poll: 3
data.3.domains 	['rr.com']
data.3.hash 	-1317347992
data.3.hostnames 	['rrcs-70-62-170-218.central.biz.rr.com']
data.3.opts.raw 	1c0303ef00001be60000297a481e2359e2efff9972f64603e2f0016cc6b1f800e2f0016ceef1bb83e2f0016cef0fb34d
data.3.port 	123
data.3.timestamp 	2020-08-25T21:30:20.877776
data.3.transport 	udp
dma_code 	510
domains 	['rr.com']
hostnames 	['rrcs-70-62-170-218.central.biz.rr.com']
ip 	1178512090
ip_str 	70.62.170.218
isp 	Spectrum Business
last_update 	2020-09-02T15:26:31.443605
latitude 	41.4344
longitude 	-81.6373
org 	Spectrum Business
os 	null
ports 	[80, 123, 443, 4070]
postal_code 	null
region_code 	OH
tags 	['ics']




What else can you find interesting



In fact, what they just did not find. Both the control of the turbines of the hydroelectric power station, and the controller for the control of the cooling systems of the municipal ice rink. Here are some interesting and relatively harmless options.







"Server: Prismview Player"


Shows outdoor advertising panels. And forever temperature sensors show absolute zero.





http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2


Shows the current status of the Tesla PowerPack .



The internet is not the safest place



In fact, the lists available are simply endless. You can find the control panels of wind turbines and someone's media centers in Vietnamese, sticking out on the Internet. Stick to a few basic rules yourself and everything will be fine.



  1. If the device can work offline - do not expose it to the Internet
  2. If you really need to expose the device to the Internet, you don't need to forward access to it directly. Use a VPN to connect to your network
  3. ,





All Articles