Shodan computer search engine presentation - Amphion Forum, San Francisco, 12 December 2013

1. SHODAN
Computer Search Engine for the
Internet of Things
Amphion Forum
San Francisco
12 December, 2013
Shawn Merdinger
Network Security Analyst
University of Florida Health

2. Obligatory Speaker Slide
●
UF Health
–
●
Past lives
–
●
Work, School, Independent Research
Cisco Systems, TippingPoint, Independent Consulting
CVEs, Research, Conferences
–
VoIP, door access controllers, scada HMI, “other stuff”
–
Current interests
●
●
–
Medical device security research - MedSec on LinkedIN
Shodan
Talks at DerbyCon, DefCon, Educause, etc.

3. What is Shodan
●
Computer Search Engine
–
Created by John Matherly
●
●
Based in Austin, TX
Public late 2009
–
“Search engine for service banners of scanned
devices accessible via the public Internet”
–
Somewhat controversial...
●
●
Major media coverage, security conference talks, DHS
ICS-CERT advisories, political leaders naming as threat
Tool: utility and outcome are dependent on use and intent

4. Shodan Technicals
●
Shodan Scans
–
Shodan servers scan Internet, place results in DB
●
●
●
Users search Shodan
–
Web interface or API
●
●
Services (web, telnet, snmp, ftp, mysql, rdp, vnc etc.)
Ports (80, 8080, 443, 161, 21, 23, 3389, 5900, etc)
Free-text, port, org, hostname, country, city, CIDR, etc.
Advanced Integration
●
●
●
Metasploit Shodan Module (John Sawyer, InGuardians)
Maltego
Geolocation mapping via http://maps.shodan.io (beta)

5. Why You Should Care
●
Shodan has already scanned...everything?
–
Shodan API
–
Shodan's low-cost extras
●
●
–
The business case
●
●
–
Add-ons for in-depth search capability (i.e. Telnet search)
Special discount code for Amphion Forum at end :)
Metrics & deltas with your regular scanning efforts
Export search results for other tools, analysis
Caveats
●
●
Not under your control, timeliness, IPv4 (no IPv6)
One man show by John Matherley

6. Who Is Talking About Shodan?
If Joe Lieberman is talking about Shodan, you should know what it is.

7. Project SHINE – ICS/SCADA
●
Project SHINE: SHodan INtelligence Extraction
–
Bob Radvanovsky & Jake Brodsky infracritical / scadasec
●
I provide research support, search terms, etc.
–
Daily search feed to ICS-CERT
–
1,000,000 control systems discovered, 2K new each day

8. DHS ICS-CERT Shodan Advisories
●
First issued October 2010
●
Several updates & references since

9. Keeping Perspective...
●
Scanning is old news
–
Attackers
●
●
Constantly scanning you
Shodan just made scanning more
–
–
Legitimate research
●
●
●
HD Moore's scanning projects
Scan repository at UMich via www.scans.io
Academic researchers doing default credential checks!
–
–
Searchable + visible + accessible....without scanning
Columbia, 2010 (Qui, Stoflo) +500K devices with default credentials
We are entering a Golden Age of scanning
●
Tools like zmap, masscan and scan data sharing

10. Shodan at UF Health
●
Currently looking for “low-hanging fruit”
–
–
●
Printers on public IP
Open Telnet → “Polycom Command Shell”
Lots of ways to leverage more
–
–
●
Automation
Deltas (daily scan diffs)
Limitations
–
External IP only

13. Sp00ky Findings
●
●
●
●
The following information details sensitive
devices exposed on the Internet
Please exercise discretion and restraint
regarding further disclosure of these devices
and issues
Several findings are still in varying phases of
resolution and remediation, unfortunately, some
may never be resolved
All are in SHINE and reported to ICS-CERT

14. S2 Security NetBox
●
DefCon 2010 talk: “We don't need no stinkin' badges”
–
Building Door Access Controllers (Web Based)
–
Multiple CVEs, complete compromise of device, S2 Security
vendor threatened to sue me, even blocked my Twitter follow...
–
Real value of Shodan
●
Proved not “deep inside corporate network” (Today 800+ )
“When hackers put viruses on your home computer it's a nuisance; when they
unlock doors at your facility it's a nightmare”
– John Moss, CEO of S2 Security

15. VoIP Phones
●
Lots of VoIP phones: individual, conference, video
●
Late 2010 I focused on Snom
–
VOIPSA blog
●
Remote tap script: call via phone's web server, record call, etc.
●
Hard to find open Snom now – Exposure + tool works

16. No Auth Cisco Routers & Switches
●
"cisco-ios" "last-modified"
–
–
10,469 devices with HTTP No authentication TODAY
Level 15 access via HTTP
●
“ip http authentication local” would lock down web server
●
3rd party attack example: TinyURL commands to Twitter

17. No Auth Cisco Devices in Iran
●
“School of Particles and Accelerators” in Tehran, Iran
–
Who might be interested in this?
–
Honeypot?

18. Cisco Wireless LAN Controllers

19. Banners Bite Back
●
“Best practices” warning banners = easy fingerprinting
●
Swisscom and hotel routers (1200+)
–
Warning banner has company name and hotel location
–
Telnet for access. No SSH.
●
If they run their routers like this - what other poor practices?

20. Banners Bite Back
●
Swisscom Miami Convention Center Routers

21. Telnet To Root On Linux Devices
●
TV, DVR, home routers, VoIP phones, refrigerators, etc.
●
Botnets have leveraged this already (Carna, Aidra)

22. WebCams
●
Huge numbers, all kinds of uses
●
Personal, Office, Business, Security, SCADA
●
See Dan Tentler's talks and tools
–
Camcreep.py
●
●
Auto screenshot via CLI
wkhtmltoimage

23. Printers on Public IP
●
Technical Risks
–
●
Advanced research (Andrei Costin, Ph.D - Milan, Italy)
–
●
MFP = Multi-function Printer (FAX, Scan, Email, Storage)
Access docs, change configs, attack via printed document
Risks
–
Print from anywhere, Web printing, run out paper, ink
–
Social engineering: how bad could a printer on Internet be?

24. Printer Case Study: Penn State
One line of code to print: nc target_ip 9100 < kiddy_porn_image

25. Siemens HMI SCADA Examples

26. Power Meter via HTTP

27. High Profile HVAC Controllers
Sidwell Friends School, Washington DC (HVAC, Lights, Doors)

28. FBI Newark Office: Niagara Memo

29. Crematorium on Public IP
●
Siemens HMI
–
VNC default pass “100”, no auth Telnet, MD5 passwords
–
Same system as “pr0f” South Houston SCADA hack (11/2011)

30. Embassy Network Devices
●
Question: What's running telnet in country X with “embassy” in name?
●
Cuts both ways...

31. Cisco Lawful Intercept
●
Cisco routers with LI special code and SNMP public
“LI User” = level 16 super-duper Cisco admin level. Supposed to be
invisible to any other user. Taps supposed to use encrypted
SNMPv3 for secure Mediation Device comms.

32. BlueCoat
●
BlueCoat surveillance devices and human rights impact
–
Syria (and other regimes)
●
Tracking + interception of dissidents' communications
●
“Chilling effect” to “Killing effect”
–
ITAR export violations
–
See Munk School report

33. 75+ US TV Stations' Antennas
●
TV station antenna controllers w/ no auth (telnet or http)
–
Looks like simple home NAS or DVR (Windows CE)
●
–
Multi-step search technique to find – (1) Shodan (2) scan for unique TCP port
Sent ICS-CERT report of issues, IP, Geolocation, FCC info, etc.

34. CacheTalk Safes

35. Econolite Traffic Light Controller
●
Yes, it is what you think.

36. Red Light Enforcement Cameras
●
Delete those pesky speeding tickets!

37. 500+ Gas Station Pumps in Turkey

38. 950+ Cellular Tower Hydrogen Fuel
Cell Power Controllers in Italy

39. Caterpiller VIMS
●
Web based remote monitoring (control?) over cell modem
●
CAT 79X series are largest trucks in world
●
80+ in Alberta, Canada working tar sands
●
Poor vendor response (contacted by lawyer...not engineer)

40. Medical Devices, EHRs
●
Reported 1st medical devices on public IP to ICS-CERT
–
–
●
Glucose monitor base-station (Roche)
Fetal monitoring remote access solution (Philips)
Increasing numbers of EHR “patient portals” (EPIC MyChart)

41. Thanks!
●
Contact
–
Email: shawnmer@ufl.edu
–
Twitter @shawnmer
–
LinkedIN MedSec group
Special Shodan package for Amphion Forum!
1. Register for free Shodan account
2. Login, and then activate by visiting unique URL:
http://www.shodanhq.com/amphion