SlideShare ist ein Scribd-Unternehmen logo

SHODAN- Defcon 18-schearer-shodan

Ivan Flores
Ivan Flores

Una presentacion de "theprez98" en DEFCON 18, es sobre el buscador SHODAN

Technologie
1 von 79
Downloaden Sie, um offline zu lesen
SHODAN for Penetration Testers Michael “theprez98” Schearer
SHODAN for Penetration Testers  What is SHODAN?  Basic Operations  Penetration Testing  Case Study 1: Cisco Devices  Case Study 2: Default Passwords  Case Study 3: Infrastructure Exploitation  Other Examples  The Future  Conclusions
By pen testing, I mean…  Black/gray/white box testing  Ethical hacking  Security auditing  Vulnerability assessment  Standards compliance  Training  All of the above
SHODAN for Penetration Testers WHAT IS SHODAN?
What is SHODAN? (1)  SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)  While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing
What is SHODAN? (2)  Typical search engines crawl for data on web pages and then index it for searching  SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching
What is SHODAN? (3)  Rather than to locate specific content on a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners  Optimizing search results requires some basic knowledge of banners
SHODAN for Penetration Testers BASIC OPERATIONS
SHODAN Search Provider Firefox Add-on SHODAN Helper Firefox Add- on
Basic Operations: Search  Search terms are entered into a text box (seen below)  Quotation marks can narrow a search  Boolean operators + and – can be used to include and exclude query terms (+ is implicit default)
Basic Operations: Login  Create and login using a SHODAN account; or  Login using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID  Login is not required, but country and net filters are not available unless you login  Export requires you to be logged in
Basic Operations: Filters  country: filters results by two letter country code  hostname: filters results by specified text in the hostname or domain  net: filter results by a specific IP range or subnet  os: search for specific operating systems  port: narrow the search for specific services
country, hostname, country net, os, port port
Basic Operations: Country Filter  Filtering by country can be accomplished by clicking on the country map (available from the drop down menu)  Mouse over a country for the number of scanned hosts for a particular country
Find all „apache‟ servers in Switzerland
Find „apache‟ servers running version 2.2.3 Top four countries matching your query
Basic Operations: Hostname Filter Search results can be filtered using any portion of a hostname or domain name Find „apache‟ servers in the .nist.gov domain Find „iis-5.0‟ servers in the .edu domain
Basic Operations: Net / OS Filters  The net filter allows you to refine your searches by IP/CIDR notation  The OS filter allows you to refine searches by operating system
Basic Operations: Port Filter  SHODAN can filter your search results by port  Current collection is limited to ports 21 (FTP), 22 (SSH), 23 (Telnet), and 80 (HTTP), while the overwhelming majority of collection is HTTP  More ports/services coming (send requests to the developer via Twitter)
Basic Operations: Searches  Popular searches are available on the main page  Logged in users can save searches and share them with other users
Basic Operations: Export  SHODAN lets you export up to 1,000 results per credit in XML format  Credits can be purchased online  Sample data export file is available
SHODAN for Penetration Testers PENETRATION TESTING
Pen Testing: Ethics (1)  Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view?  What about viewing the configuration of a device using a default username and password?  What about viewing the configuration of a device using a unique username and password?  Changing the configuration of any device?
Pen Testing: Ethics (2) Default username Changing and password configurations Unique username No authentication and password
Pen Testing Applications  Using SHODAN for penetration testing requires some basic knowledge of banners including HTTP status codes  Banners advertise service and version  Banners can be spoofed (unlikely?)
Pen Testing: HTTP Status Codes Status Code Description 200 OK Request succeeded 401 Unauthorized Request requires authentication 403 Forbidden Request is denied regardless of authentication
Pen Testing: Assumptions  “200 OK” banner results will load without any authentication (at least not initially)  “401 Unauthorized” banners with Www- authenticate indicate a username and password pop-up box (authentication is possible but not yet accomplished, as distinguished from “403 Forbidden”)  Some banners advertise defaults
SHODAN for Penetration Testers CASE STUDY: CISCO DEVICES
Case Study: Cisco Devices Here is a typical “401 Unauthorized” banner when using the simple search term “cisco”: Take note of the Www-authenticate line which indicates the requirement for a username and password
Case Study: Cisco Devices Now consider an example of a “200 OK” banner which does not include the Www- authenticate line:
Case Study: Cisco Devices A comparison of the two banners finds the second banner to include the Last-modified line which does not appear when Www-authenticate appears: In fact, among “cisco” results these two lines are more than 99% mutually exclusive
Case Study: Cisco Results Search Results cisco 251,742 cisco-ios 226,184 cisco www-authenticate 225,402 cisco last-modified 4,265 cisco last-modified www-authenticate 56
Case Study: Cisco Results  This suggests that Cisco “200 OK” banners that include the Last-modified line do not require any authentication (at least not initially)  The results on the previous slide suggest there are potentially 4,200+ Cisco devices that do not require authentication
Surely these HTML links will require some additional authentication…
Nope. No authentication required for Level 15! No authentication required for configure commands
No authentication required for Level 15 exec commands
show running-config show cdp neighbors
SHODAN for Penetration Testers CASE STUDY: DEFAULT PASSWORDS
Case Study: Default Passwords (1)  The „default password‟ search locates servers that have those words in the banner  This doesn‟t suggest that these results will be using the defaults, but since they‟re advertising the defaults they would potentially be the lowest hanging fruit
Case Study: Default Passwords (2) An example of a „default password‟ result: The server line indicates this is likely to be a print server; also note the “401” and Www- authenticate which indicates the likelihood of a username and password pop-up box
Case Study: Default Passwords (3) This does not suggest that this device is using the default password, but it does mean that it is a possibility While no username is listed, a null username or “admin” is always a good guess And did it work?
SHODAN for Penetration Testers CASE STUDY: INFRASTRUCTURE EXPLOITATION
Case Study:  Two Cisco 3750 infrastructure switches with direct access to Cisco 7606 Router  VLAN IDs for internal ISP network, hotels, condos, apartments, convention center, public backbone…  SNMP server IP address and community strings
SHODAN for Penetration Testers OTHER EXAMPLES
Some general observations…
javascript:SnapshotWin() client.html
javascript:SnapshotWin() client.html setup/config.html
system.html security.html network.html wireless.html ddns.html accesslist.html audiovideo.html cameracontrol.html mailftp.html motion.html application.html syslog.html parafile.html maintain.html
SHODAN for Penetration Testers THE FUTURE
The Future  API in the works for program integration  Summary report for export option  Software fingerprints  Collection of HTTPS
SHODAN for Penetration Testers CONCLUSIONS
Conclusions  SHODAN aggregates a significant amount of information that isn‟t already widely available in an easy to understand format  Allows for passive vulnerability analysis Bottom line: SHODAN is a potential game- changer for pen testers that will help shape the path for future vulnerability assessments
Authors and add-ons  John Matherly (http://twitter.com/achillean)  Gianni Amato (SHODAN Helper)  sagar38 (SHODAN Search Provider)
SHODAN for Penetration Testers QUESTIONS
SHODAN for Penetration Testers Michael “theprez98” Schearer

Empfohlen

NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Network Access Control as a Network Security Solution
Network Access Control as a Network Security SolutionNetwork Access Control as a Network Security Solution
Network Access Control as a Network Security Solution
Conor Ryan
 
CompTIA Security+.pptx
CompTIA Security+.pptxCompTIA Security+.pptx
CompTIA Security+.pptx
KiranKumar24546
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
webhostingguy
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
Office 365 Message Encryption
Office 365 Message EncryptionOffice 365 Message Encryption
Office 365 Message Encryption
Joel Brda
 

Empfohlen

NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Network Access Control as a Network Security Solution
Network Access Control as a Network Security SolutionNetwork Access Control as a Network Security Solution
Network Access Control as a Network Security Solution
Conor Ryan
 
CompTIA Security+.pptx
CompTIA Security+.pptxCompTIA Security+.pptx
CompTIA Security+.pptx
KiranKumar24546
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
webhostingguy
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
Office 365 Message Encryption
Office 365 Message EncryptionOffice 365 Message Encryption
Office 365 Message Encryption
Joel Brda
 
Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365
Dock 365
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
CYBER SENSE
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure Sentinel
BGA Cyber Security
 
IBM Security Strategy Overview
IBM Security Strategy OverviewIBM Security Strategy Overview
IBM Security Strategy Overview
xband
 
Log Analysis
Log AnalysisLog Analysis
Log Analysis
n|u - The Open Security Community
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Ch07 Access Control Fundamentals
Ch07 Access Control FundamentalsCh07 Access Control Fundamentals
Ch07 Access Control Fundamentals
Information Technology
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
8. operations security
8. operations security8. operations security
8. operations security
7wounders
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
Cisco Canada
 
Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK Matrix
MITRE ATT&CK
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
Harshit Singh Bhatia
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
MarketingArrowECS_CZ
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web security
xKinAnx
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
Cisco Security
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)
Ahmed Banafa
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
Techowl- Wazuh.pdf
Techowl- Wazuh.pdfTechowl- Wazuh.pdf
Techowl- Wazuh.pdf
AbhishekChaudhary518667
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and Compliance
David J Rosenthal
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
InMobi Technology
 
Shodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San FranciscoShodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San Francisco
shawn_merdinger
 

Weitere ähnliche Inhalte

Was ist angesagt?

IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
CYBER SENSE
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Ch07 Access Control Fundamentals
Ch07 Access Control FundamentalsCh07 Access Control Fundamentals
Ch07 Access Control Fundamentals
Information Technology
 
8. operations security
8. operations security8. operations security
8. operations security
7wounders
 
Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK Matrix
MITRE ATT&CK
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and Compliance
David J Rosenthal
 

Was ist angesagt? (20)

Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365Overview of Data Loss Prevention Policies in Office 365
Overview of Data Loss Prevention Policies in Office 365
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure Sentinel
 
IBM Security Strategy Overview
IBM Security Strategy OverviewIBM Security Strategy Overview
IBM Security Strategy Overview
 
Log Analysis
Log AnalysisLog Analysis
Log Analysis
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Ch07 Access Control Fundamentals
Ch07 Access Control FundamentalsCh07 Access Control Fundamentals
Ch07 Access Control Fundamentals
 
Application Security
Application SecurityApplication Security
Application Security
 
8. operations security
8. operations security8. operations security
8. operations security
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK Matrix
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web security
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
 
Techowl- Wazuh.pdf
Techowl- Wazuh.pdfTechowl- Wazuh.pdf
Techowl- Wazuh.pdf
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and Compliance
 

Andere mochten auch

QuantumComputersPresentation
QuantumComputersPresentationQuantumComputersPresentation
QuantumComputersPresentation
Vinayak Suresh
 
Green cloud computing
Green cloud computingGreen cloud computing
Green cloud computing
talktorohit54
 
Green cloud computing
Green cloud computingGreen cloud computing
Green cloud computing
Nalini Mehta
 

Andere mochten auch (20)

Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
 
Shodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San FranciscoShodan Search Engine: Amphion Forum San Francisco
Shodan Search Engine: Amphion Forum San Francisco
 
Shodan
ShodanShodan
Shodan
 
Shodan
ShodanShodan
Shodan
 
Mobile monday atlanta-smartcity-iot-for-startu_ps
Mobile monday atlanta-smartcity-iot-for-startu_psMobile monday atlanta-smartcity-iot-for-startu_ps
Mobile monday atlanta-smartcity-iot-for-startu_ps
 
QuantumComputersPresentation
QuantumComputersPresentationQuantumComputersPresentation
QuantumComputersPresentation
 
Cosmos_IoT_Week_TV_0
Cosmos_IoT_Week_TV_0Cosmos_IoT_Week_TV_0
Cosmos_IoT_Week_TV_0
 
Green cloud computing
Green cloud computingGreen cloud computing
Green cloud computing
 
X INTERNET
X INTERNETX INTERNET
X INTERNET
 
IoT for Smarter Health Care
IoT for Smarter Health CareIoT for Smarter Health Care
IoT for Smarter Health Care
 
IoT in Smart City solutions
IoT in Smart City solutionsIoT in Smart City solutions
IoT in Smart City solutions
 
Green Cloud Computing
Green Cloud ComputingGreen Cloud Computing
Green Cloud Computing
 
Quantum Computing
Quantum ComputingQuantum Computing
Quantum Computing
 
A Study on:Green Cloud Computing
A Study on:Green Cloud ComputingA Study on:Green Cloud Computing
A Study on:Green Cloud Computing
 
Green cloud computing
Green cloud computingGreen cloud computing
Green cloud computing
 
Presentation on quantum computers
Presentation on quantum computersPresentation on quantum computers
Presentation on quantum computers
 
Quantum Computing - Basic Concepts
Quantum Computing - Basic ConceptsQuantum Computing - Basic Concepts
Quantum Computing - Basic Concepts
 
Green cloud computing
Green cloud computingGreen cloud computing
Green cloud computing
 
Quantum Computing: Welcome to the Future
Quantum Computing: Welcome to the FutureQuantum Computing: Welcome to the Future
Quantum Computing: Welcome to the Future
 
Green cloud computing
Green cloud computingGreen cloud computing
Green cloud computing
 

Ähnlich wie SHODAN- Defcon 18-schearer-shodan

Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSO
kurtvm
 
Addmi 02-addm overview
Addmi 02-addm overviewAddmi 02-addm overview
Addmi 02-addm overview
odanyboy
 
Information Gathering With Google
Information Gathering With GoogleInformation Gathering With Google
Information Gathering With Google
Zero Science Lab
 
Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)
Maximiliano Soler
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Addmi 14-discovery credentials
Addmi 14-discovery credentialsAddmi 14-discovery credentials
Addmi 14-discovery credentials
odanyboy
 
automation framework
automation frameworkautomation framework
automation framework
ANSHU GOYAL
 

Ähnlich wie SHODAN- Defcon 18-schearer-shodan (20)

Playing with shodan
Playing with shodanPlaying with shodan
Playing with shodan
 
Null HYD Playing with shodan null
Null HYD Playing with shodan nullNull HYD Playing with shodan null
Null HYD Playing with shodan null
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSO
 
Identity finder presentation
Identity finder presentationIdentity finder presentation
Identity finder presentation
 
Addmi 02-addm overview
Addmi 02-addm overviewAddmi 02-addm overview
Addmi 02-addm overview
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021
 
Searching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitSearching Shodan For Fun And Profit
Searching Shodan For Fun And Profit
 
Information Gathering With Google
Information Gathering With GoogleInformation Gathering With Google
Information Gathering With Google
 
Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)Information Gathering with Google (c0c0n - India)
Information Gathering with Google (c0c0n - India)
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Addmi 14-discovery credentials
Addmi 14-discovery credentialsAddmi 14-discovery credentials
Addmi 14-discovery credentials
 
automation framework
automation frameworkautomation framework
automation framework
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Can we build an Azure IoT controlled device in less than 40 minutes that cost...
Can we build an Azure IoT controlled device in less than 40 minutes that cost...Can we build an Azure IoT controlled device in less than 40 minutes that cost...
Can we build an Azure IoT controlled device in less than 40 minutes that cost...
 
Test expo cloud-enabled testing services (wide)_v1.0
Test expo cloud-enabled testing services (wide)_v1.0Test expo cloud-enabled testing services (wide)_v1.0
Test expo cloud-enabled testing services (wide)_v1.0
 
Windows 7 Application Compatibility
Windows 7 Application CompatibilityWindows 7 Application Compatibility
Windows 7 Application Compatibility
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Kürzlich hochgeladen (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

SHODAN- Defcon 18-schearer-shodan

  • 1. SHODAN for Penetration Testers Michael “theprez98” Schearer
  • 2. SHODAN for Penetration Testers  What is SHODAN?  Basic Operations  Penetration Testing  Case Study 1: Cisco Devices  Case Study 2: Default Passwords  Case Study 3: Infrastructure Exploitation  Other Examples  The Future  Conclusions
  • 3. By pen testing, I mean…  Black/gray/white box testing  Ethical hacking  Security auditing  Vulnerability assessment  Standards compliance  Training  All of the above
  • 4. SHODAN for Penetration Testers WHAT IS SHODAN?
  • 5. What is SHODAN? (1)  SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)  While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing
  • 6. What is SHODAN? (2)  Typical search engines crawl for data on web pages and then index it for searching  SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching
  • 7. What is SHODAN? (3)  Rather than to locate specific content on a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners  Optimizing search results requires some basic knowledge of banners
  • 8. SHODAN for Penetration Testers BASIC OPERATIONS
  • 9.
  • 10. SHODAN Search Provider Firefox Add-on SHODAN Helper Firefox Add- on
  • 11. Basic Operations: Search  Search terms are entered into a text box (seen below)  Quotation marks can narrow a search  Boolean operators + and – can be used to include and exclude query terms (+ is implicit default)
  • 12. Basic Operations: Login  Create and login using a SHODAN account; or  Login using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID  Login is not required, but country and net filters are not available unless you login  Export requires you to be logged in
  • 13.
  • 14. Basic Operations: Filters  country: filters results by two letter country code  hostname: filters results by specified text in the hostname or domain  net: filter results by a specific IP range or subnet  os: search for specific operating systems  port: narrow the search for specific services
  • 15. country, hostname, country net, os, port port
  • 16. Basic Operations: Country Filter  Filtering by country can be accomplished by clicking on the country map (available from the drop down menu)  Mouse over a country for the number of scanned hosts for a particular country
  • 17. Find all „apache‟ servers in Switzerland
  • 18. Find „apache‟ servers running version 2.2.3 Top four countries matching your query
  • 19. Basic Operations: Hostname Filter Search results can be filtered using any portion of a hostname or domain name Find „apache‟ servers in the .nist.gov domain Find „iis-5.0‟ servers in the .edu domain
  • 20. Basic Operations: Net / OS Filters  The net filter allows you to refine your searches by IP/CIDR notation  The OS filter allows you to refine searches by operating system
  • 21. Basic Operations: Port Filter  SHODAN can filter your search results by port  Current collection is limited to ports 21 (FTP), 22 (SSH), 23 (Telnet), and 80 (HTTP), while the overwhelming majority of collection is HTTP  More ports/services coming (send requests to the developer via Twitter)
  • 22. Basic Operations: Searches  Popular searches are available on the main page  Logged in users can save searches and share them with other users
  • 23. Basic Operations: Export  SHODAN lets you export up to 1,000 results per credit in XML format  Credits can be purchased online  Sample data export file is available
  • 24. SHODAN for Penetration Testers PENETRATION TESTING
  • 25. Pen Testing: Ethics (1)  Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view?  What about viewing the configuration of a device using a default username and password?  What about viewing the configuration of a device using a unique username and password?  Changing the configuration of any device?
  • 26. Pen Testing: Ethics (2) Default username Changing and password configurations Unique username No authentication and password
  • 27. Pen Testing Applications  Using SHODAN for penetration testing requires some basic knowledge of banners including HTTP status codes  Banners advertise service and version  Banners can be spoofed (unlikely?)
  • 28. Pen Testing: HTTP Status Codes Status Code Description 200 OK Request succeeded 401 Unauthorized Request requires authentication 403 Forbidden Request is denied regardless of authentication
  • 29. Pen Testing: Assumptions  “200 OK” banner results will load without any authentication (at least not initially)  “401 Unauthorized” banners with Www- authenticate indicate a username and password pop-up box (authentication is possible but not yet accomplished, as distinguished from “403 Forbidden”)  Some banners advertise defaults
  • 30. SHODAN for Penetration Testers CASE STUDY: CISCO DEVICES
  • 31. Case Study: Cisco Devices Here is a typical “401 Unauthorized” banner when using the simple search term “cisco”: Take note of the Www-authenticate line which indicates the requirement for a username and password
  • 32. Case Study: Cisco Devices Now consider an example of a “200 OK” banner which does not include the Www- authenticate line:
  • 33. Case Study: Cisco Devices A comparison of the two banners finds the second banner to include the Last-modified line which does not appear when Www-authenticate appears: In fact, among “cisco” results these two lines are more than 99% mutually exclusive
  • 34. Case Study: Cisco Results Search Results cisco 251,742 cisco-ios 226,184 cisco www-authenticate 225,402 cisco last-modified 4,265 cisco last-modified www-authenticate 56
  • 35. Case Study: Cisco Results  This suggests that Cisco “200 OK” banners that include the Last-modified line do not require any authentication (at least not initially)  The results on the previous slide suggest there are potentially 4,200+ Cisco devices that do not require authentication
  • 36. Surely these HTML links will require some additional authentication…
  • 37. Nope. No authentication required for Level 15! No authentication required for configure commands
  • 38. No authentication required for Level 15 exec commands
  • 39. show running-config show cdp neighbors
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56. SHODAN for Penetration Testers CASE STUDY: DEFAULT PASSWORDS
  • 57. Case Study: Default Passwords (1)  The „default password‟ search locates servers that have those words in the banner  This doesn‟t suggest that these results will be using the defaults, but since they‟re advertising the defaults they would potentially be the lowest hanging fruit
  • 58. Case Study: Default Passwords (2) An example of a „default password‟ result: The server line indicates this is likely to be a print server; also note the “401” and Www- authenticate which indicates the likelihood of a username and password pop-up box
  • 59. Case Study: Default Passwords (3) This does not suggest that this device is using the default password, but it does mean that it is a possibility While no username is listed, a null username or “admin” is always a good guess And did it work?
  • 60.
  • 61.
  • 62. SHODAN for Penetration Testers CASE STUDY: INFRASTRUCTURE EXPLOITATION
  • 63.
  • 64.
  • 65.
  • 66.
  • 67. Case Study:  Two Cisco 3750 infrastructure switches with direct access to Cisco 7606 Router  VLAN IDs for internal ISP network, hotels, condos, apartments, convention center, public backbone…  SNMP server IP address and community strings
  • 68. SHODAN for Penetration Testers OTHER EXAMPLES
  • 73. SHODAN for Penetration Testers THE FUTURE
  • 74. The Future  API in the works for program integration  Summary report for export option  Software fingerprints  Collection of HTTPS
  • 75. SHODAN for Penetration Testers CONCLUSIONS
  • 76. Conclusions  SHODAN aggregates a significant amount of information that isn‟t already widely available in an easy to understand format  Allows for passive vulnerability analysis Bottom line: SHODAN is a potential game- changer for pen testers that will help shape the path for future vulnerability assessments
  • 77. Authors and add-ons  John Matherly (http://twitter.com/achillean)  Gianni Amato (SHODAN Helper)  sagar38 (SHODAN Search Provider)
  • 78. SHODAN for Penetration Testers QUESTIONS
  • 79. SHODAN for Penetration Testers Michael “theprez98” Schearer