Shodan Search Engine: Amphion Forum San Francisco

Shodan computer search engine presentation - Amphion Forum, San Francisco, 12 December 2013

1. SHODAN: Computer Search Engine for the Internet of Things
   Amphion Forum, San Francisco, 12 December 2013
   Shawn Merdinger, Network Security Analyst, University of Florida Health

2. Obligatory Speaker Slide
   ● UF Health
     – Work, school, independent research
   ● Past lives
     – Cisco Systems, TippingPoint, independent consulting
   ● CVEs, research, conferences
     – VoIP, door access controllers, SCADA HMI, "other stuff"
   ● Current interests
     – Medical device security research (MedSec group on LinkedIn)
     – Shodan talks at DerbyCon, DEF CON, Educause, etc.

3. What is Shodan
   ● Computer search engine
     – Created by John Matherly, based in Austin, TX
     – Public since late 2009
     – "Search engine for service banners of scanned devices accessible via the public Internet"
   ● Somewhat controversial...
     – Major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming it as a threat
     – It is a tool: utility and outcome depend on use and intent

4. Shodan Technicals
   ● Shodan scans
     – Shodan's servers scan the Internet and place the results in a database
     – Services: web, telnet, SNMP, FTP, MySQL, RDP, VNC, etc.
     – Ports: 80, 8080, 443, 161, 21, 23, 3389, 5900, etc.
   ● Users search Shodan
     – Web interface or API
     – Filters: free text, port, org, hostname, country, city, CIDR, etc.
   ● Advanced integration
     – Metasploit Shodan module (John Sawyer, InGuardians)
     – Maltego
     – Geolocation mapping via http://maps.shodan.io (beta)

5. Why You Should Care
   ● Shodan has already scanned... everything?
   ● Shodan API
   ● Shodan's low-cost extras
     – Add-ons for in-depth search capability (e.g. Telnet search)
     – Special discount code for Amphion Forum at the end :)
   ● The business case
     – Metrics and deltas against your regular scanning efforts
     – Export search results for other tools and analysis
   ● Caveats
     – Not under your control; timeliness; IPv4 only (no IPv6)
     – One-man show by John Matherly

6. Who Is Talking About Shodan?
   If Joe Lieberman is talking about Shodan, you should know what it is.

7. Project SHINE – ICS/SCADA
   ● Project SHINE: SHodan INtelligence Extraction
     – Bob Radvanovsky and Jake Brodsky, infracritical / scadasec
     – I provide research support, search terms, etc.
   ● Daily search feed to ICS-CERT
   ● 1,000,000 control systems discovered, 2K new each day

8. DHS ICS-CERT Shodan Advisories
   ● First issued October 2010
   ● Several updates and references since

9. Keeping Perspective...
   ● Scanning is old news
   ● Attackers
     – Constantly scanning you
     – Shodan just made scanning more searchable, visible and accessible... without scanning
   ● Legitimate research
     – HD Moore's scanning projects
     – Scan repository at UMich via www.scans.io
     – Academic researchers doing default-credential checks: Columbia, 2010 (Cui, Stolfo), 500K+ devices with default credentials
   ● We are entering a Golden Age of scanning
     – Tools like zmap and masscan, plus scan data sharing

10. Shodan at UF Health
   ● Currently looking for "low-hanging fruit"
     – Printers on public IP
     – Open Telnet → "Polycom Command Shell"
   ● Lots of ways to leverage more
     – Automation
     – Deltas (daily scan diffs)
   ● Limitations
     – External IP only
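The "deltas (daily scan diffs)" idea from slides 5 and 10, worked through as an added example. This is not the speaker's code or a Shodan tool: it takes two Shodan exports (Shodan exports search results as JSON lines carrying fields such as ip_str, port, transport, timestamp and data, the raw banner) and reports which exposed services are new, gone, changed or unchanged between two days. The two "days" embedded below are constructed records on RFC 5737 documentation addresses, not real hosts, and the list of volatile HTTP headers that are ignored when comparing banners is an assumption you would tune for your own environment.

```python
"""Daily delta between two Shodan exports (JSON lines).

Added example for this page, not the speaker's code. Field names follow
Shodan's export format; the records themselves are constructed.
"""
import json
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, int, str]  # (ip_str, port, transport) identifies one exposed service

# Constructed day-1 export: a Polycom telnet shell, a raw-9100 printer and an
# unauthenticated Cisco IOS web server.
DAY1 = r"""
{"ip_str": "192.0.2.10", "port": 23, "transport": "tcp", "timestamp": "2013-12-10T04:11:02", "data": "Polycom Command Shell\r\n-> "}
{"ip_str": "192.0.2.11", "port": 9100, "transport": "tcp", "timestamp": "2013-12-10T05:20:41", "data": "@PJL INFO ID\r\n\"HP LaserJet 4250\"\r\n"}
{"ip_str": "192.0.2.12", "port": 80, "transport": "tcp", "timestamp": "2013-12-10T06:02:13", "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nLast-Modified: Tue, 10 Dec 2013 01:00:00 GMT\r\n\r\n"}
"""

# Constructed day-2 export: the printer is gone, the Cisco box now demands a
# login, and a VNC service has appeared on a new host.
DAY2 = r"""
{"ip_str": "192.0.2.10", "port": 23, "transport": "tcp", "timestamp": "2013-12-11T04:09:55", "data": "Polycom Command Shell\r\n-> "}
{"ip_str": "192.0.2.12", "port": 80, "transport": "tcp", "timestamp": "2013-12-11T06:14:30", "data": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm=\"level_15_access\"\r\nLast-Modified: Wed, 11 Dec 2013 01:00:00 GMT\r\n\r\n"}
{"ip_str": "192.0.2.13", "port": 5900, "transport": "tcp", "timestamp": "2013-12-11T07:01:12", "data": "RFB 003.008\n"}
"""

# Assumption: headers that change on every scan and should not count as a
# changed service by themselves.
VOLATILE_HEADERS = ("date:", "last-modified:", "expires:", "set-cookie:")


def load_export(lines: Iterable[str]) -> Dict[Key, dict]:
    """Parse JSON lines into {(ip, port, transport): record}, keeping the
    most recent record if the export holds duplicates for one service."""
    services: Dict[Key, dict] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key: Key = (rec["ip_str"], int(rec["port"]), rec.get("transport", "tcp"))
        prev = services.get(key)
        if prev is None or rec.get("timestamp", "") > prev.get("timestamp", ""):
            services[key] = rec
    return services


def normalize_banner(data: str) -> str:
    """Strip volatile header lines and whitespace so that only a real change
    in what the service says about itself registers as 'changed'."""
    kept = []
    for line in data.splitlines():
        if line.lower().startswith(VOLATILE_HEADERS):
            continue
        kept.append(line.strip())
    return "\n".join(kept)


def delta(old: Dict[Key, dict], new: Dict[Key, dict]) -> Dict[str, List[Key]]:
    """Classify every service seen on either day."""
    old_keys, new_keys = set(old), set(new)
    result: Dict[str, List[Key]] = {
        "new": sorted(new_keys - old_keys),      # appeared since yesterday: triage first
        "gone": sorted(old_keys - new_keys),     # fixed, moved, or simply not scanned today
        "changed": [],
        "unchanged": [],
    }
    for key in sorted(old_keys & new_keys):
        if normalize_banner(old[key].get("data", "")) != normalize_banner(new[key].get("data", "")):
            result["changed"].append(key)
        else:
            result["unchanged"].append(key)
    return result


def report(d: Dict[str, List[Key]]) -> List[str]:
    """Human-readable one-line-per-service summary."""
    lines = []
    for bucket in ("new", "gone", "changed", "unchanged"):
        for ip, port, transport in d[bucket]:
            lines.append(f"{bucket:9s} {ip}:{port}/{transport}")
    return lines


if __name__ == "__main__":
    diff = delta(load_export(DAY1.splitlines()), load_export(DAY2.splitlines()))
    print("\n".join(report(diff)))
```

A "gone" entry is only evidence, not proof, of remediation: Shodan does not rescan every address every day (the timeliness caveat on slide 5), so a service missing from today's export may simply not have been probed. Treat "new" and "changed" as the actionable buckets and confirm "gone" with your own scan.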
11. Sp00ky Findings
   ● The following information details sensitive devices exposed on the Internet
   ● Please exercise discretion and restraint regarding further disclosure of these devices and issues
   ● Several findings are still in varying phases of resolution and remediation; unfortunately, some may never be resolved
   ● All are in SHINE and reported to ICS-CERT

12. S2 Security NetBox
   ● DefCon 2010 talk: "We don't need no stinkin' badges"
     – Building door access controllers (web based)
     – Multiple CVEs, complete compromise of the device; S2 Security threatened to sue me, even blocked my Twitter follow...
   ● Real value of Shodan
     – Proved the devices are not "deep inside the corporate network" (today 800+ exposed)
   "When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare" – John Moss, CEO of S2 Security

13. VoIP Phones
   ● Lots of VoIP phones: individual, conference, video
   ● Late 2010 I focused on Snom – VOIPSA blog
   ● Remote tap script: place a call via the phone's web server, record the call, etc.
   ● Hard to find open Snom now – exposure + a working tool

14. No Auth Cisco Routers & Switches
   ● Search: "cisco-ios" "last-modified"
     – 10,469 devices with HTTP and no authentication TODAY
     – Level 15 access via HTTP
   ● "ip http authentication local" would lock down the web server
   ● Third-party attack example: TinyURL-wrapped commands posted to Twitter

15. No Auth Cisco Devices in Iran
   ● "School of Particles and Accelerators" in Tehran, Iran
     – Who might be interested in this?
     – Honeypot?

16. Cisco Wireless LAN Controllers

17. Banners Bite Back
   ● "Best practices" warning banners = easy fingerprinting
   ● Swisscom and hotel routers (1200+)
     – Warning banner has company name and hotel location
     – Telnet for access. No SSH.
   ● If they run their routers like this, what other poor practices?

18. Banners Bite Back
   ● Swisscom Miami Convention Center routers
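Slides 10, 14 and 17 each describe a judgement made from a banner alone: an open "Polycom Command Shell" on telnet, a Cisco IOS web server that answers 200 instead of challenging for credentials, and a warning banner that names the company and site on a router reachable only over telnet. The added example below, which is not the speaker's code or a Shodan feature, runs those judgements over constructed Shodan banner records (JSON lines, RFC 5737 addresses, invented banner text) and correlates ports per host so that "telnet but no SSH" can be flagged. The finding tags, the IDENTITY_KEYWORDS list and the "no password prompt means no authentication" heuristic are assumptions made for the example; the Cisco check mirrors the slide's search (a cisco-IOS Server header with a 200 response) and, like that search, says nothing about what the page behind it actually permits.

```python
"""Banner-based findings over Shodan export records.

Added example for this page, not the speaker's code. The records, tag
names, keyword list and heuristics are constructed for illustration.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed records: an unauthenticated IOS web server, an IOS web server
# that challenges for credentials, a hotel router that names itself in its
# telnet banner and has no SSH, a Polycom shell on a host that also runs SSH,
# and an SSH-only host that should produce no finding.
RECORDS = r"""
{"ip_str": "192.0.2.20", "port": 80, "transport": "tcp", "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nLast-Modified: Tue, 10 Dec 2013 01:00:00 GMT\r\nContent-Type: text/html\r\n\r\n<html></html>"}
{"ip_str": "192.0.2.21", "port": 80, "transport": "tcp", "data": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm=\"level_15_access\"\r\n\r\n"}
{"ip_str": "192.0.2.22", "port": 23, "transport": "tcp", "data": "\r\nExample Hotels - Miami Convention Center - Router 2\r\nAuthorised users only.\r\n\r\nUser Access Verification\r\n\r\nPassword: "}
{"ip_str": "192.0.2.23", "port": 23, "transport": "tcp", "data": "Polycom Command Shell\r\n-> "}
{"ip_str": "192.0.2.23", "port": 22, "transport": "tcp", "data": "SSH-2.0-OpenSSH_5.3\r\n"}
{"ip_str": "192.0.2.24", "port": 22, "transport": "tcp", "data": "SSH-2.0-OpenSSH_6.2\r\n"}
"""

# Assumption: strings that identify an organisation or site when they show up
# in a login banner. In practice this is your own org names, hotel brands,
# site codes and so on.
IDENTITY_KEYWORDS = ("hotel", "convention center", "example hotels")


def parse_http(data: str) -> Tuple[int, Dict[str, str]]:
    """Return (status, lower-cased headers) for an HTTP banner, or (0, {})."""
    lines = data.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        return 0, {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def classify(rec: dict) -> List[str]:
    """Findings that can be decided from a single banner."""
    tags: List[str] = []
    data = rec.get("data", "")
    port = int(rec["port"])
    status, headers = parse_http(data)
    if status:
        if headers.get("server", "").lower().startswith("cisco-ios"):
            if status == 200:
                # The slide's search: IOS HTTP server serving pages without a challenge.
                tags.append("cisco-ios-http-no-auth")
            elif status == 401 or "www-authenticate" in headers:
                tags.append("cisco-ios-http-auth-required")
    elif port == 23:
        low = data.lower()
        if any(k in low for k in IDENTITY_KEYWORDS):
            tags.append("telnet-banner-leaks-identity")
        # Heuristic: a shell prompt with no password/login prompt anywhere in
        # the banner is treated as an unauthenticated shell.
        if "command shell" in low and "password" not in low and "login" not in low:
            tags.append("telnet-unauthenticated-shell")
    return tags


def audit(export_text: str) -> Dict[str, List[str]]:
    """Group records per host, classify each banner, then add the findings
    that need more than one port to decide. Hosts with no findings are omitted."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in export_text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            by_ip[rec["ip_str"]].append(rec)

    findings: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        tags: List[str] = []
        ports = {int(r["port"]) for r in recs}
        for r in recs:
            tags.extend(classify(r))
        if 23 in ports and 22 not in ports:
            tags.append("telnet-without-ssh")  # plaintext management is the only option
        if tags:
            findings[ip] = sorted(set(tags))
    return findings


if __name__ == "__main__":
    for ip, tags in sorted(audit(RECORDS).items()):
        print(ip, ", ".join(tags))
```

The cross-port check is the part a plain Shodan search cannot do for you: the slide's "telnet for access, no SSH" observation requires seeing every banner for the host, which is why the example groups records by ip_str before deciding anything.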
19. Telnet To Root On Linux Devices
   ● TVs, DVRs, home routers, VoIP phones, refrigerators, etc.
   ● Botnets have leveraged this already (Carna, Aidra)

20. WebCams
   ● Huge numbers, all kinds of uses
   ● Personal, office, business, security, SCADA
   ● See Dan Tentler's talks and tools
     – Camcreep.py
     – Auto screenshot via CLI: wkhtmltoimage

21. Printers on Public IP
   ● Technical risks
     – MFP = multi-function printer (fax, scan, email, storage)
     – Access docs, change configs, attack via printed document
   ● Advanced research (Andrei Costin, Ph.D., Milan, Italy)
   ● Risks
     – Print from anywhere, web printing, run out of paper and ink
     – Social engineering: how bad could a printer on the Internet be?

22. Printer Case Study: Penn State
   One line of code to print:
   nc target_ip 9100 < kiddy_porn_image

23. Siemens HMI SCADA Examples

24. Power Meter via HTTP

25. High Profile HVAC Controllers
   Sidwell Friends School, Washington DC (HVAC, lights, doors)

26. FBI Newark Office: Niagara Memo

27. Crematorium on Public IP
   ● Siemens HMI
     – VNC default password "100", no-auth Telnet, MD5 passwords
     – Same system as the "pr0f" South Houston SCADA hack (11/2011)

28. Embassy Network Devices
   ● Question: what's running telnet in country X with "embassy" in the name?
   ● Cuts both ways...

29. Cisco Lawful Intercept
   ● Cisco routers with LI special code and SNMP community "public"
   ● "LI User" = level 16, super-duper Cisco admin level. Supposed to be invisible to any other user.
   ● Taps are supposed to use encrypted SNMPv3 for secure Mediation Device comms.

30. BlueCoat
   ● BlueCoat surveillance devices and human rights impact
     – Syria (and other regimes)
     – Tracking and interception of dissidents' communications
     – "Chilling effect" to "killing effect"
   ● ITAR export violations
   ● See the Munk School report

31. 75+ US TV Stations' Antennas
   ● TV station antenna controllers with no auth (telnet or HTTP)
     – Looks like a simple home NAS or DVR (Windows CE)
   ● Multi-step search technique to find them
     – (1) Shodan, (2) scan for a unique TCP port
   ● Sent ICS-CERT a report of issues, IPs, geolocation, FCC info, etc.

32. CacheTalk Safes

33. Econolite Traffic Light Controller
   ● Yes, it is what you think.

34. Red Light Enforcement Cameras
   ● Delete those pesky speeding tickets!

35. 500+ Gas Station Pumps in Turkey

36. 950+ Cellular Tower Hydrogen Fuel Cell Power Controllers in Italy

37. Caterpillar VIMS
   ● Web-based remote monitoring (control?) over cell modem
   ● CAT 79X series are the largest trucks in the world
   ● 80+ in Alberta, Canada, working the tar sands
   ● Poor vendor response (contacted by a lawyer... not an engineer)

38. Medical Devices, EHRs
   ● Reported the first medical devices on public IP to ICS-CERT
     – Glucose monitor base station (Roche)
     – Fetal monitoring remote access solution (Philips)
   ● Increasing numbers of EHR "patient portals" (Epic MyChart)

39. Thanks!
   ● Contact
     – Email: shawnmer@ufl.edu
     – Twitter: @shawnmer
     – LinkedIn: MedSec group
   ● Special Shodan package for Amphion Forum!
     1. Register for a free Shodan account
     2. Log in, then activate by visiting the unique URL: http://www.shodanhq.com/amphion
