Shodan is a search engine that indexes internet-connected devices. This document provides an overview of how to use Shodan's basic search functions to identify vulnerabilities, including case studies on default credentials for Cisco devices and other internet of things devices. It also discusses how to defend against Shodan searches and tools for scanning your own network and systems.

1. How to use Shodan more powerful
CB
20180120@RAT COMMUNITY

2. 物聯網威脅
Webcam直播:
- 號稱全球7萬支Webcam直播
- 裝設地點包括美國、日本、法國、義大利、台灣
- http://www.insecam.org

3. 真實的新聞事件
- 網路監視器被駭，錄到激情鏡頭。
- http://219.67.210.22:8080/multi.html
- 參考來源：http://www.twgreatdaily.com/cat34/node1651341

4. 真實的新聞事件
參考來源：http://www.ithome.com.tw/news/116476

5. Outline
What is SHODAN?
Basic Operations
Penetration Testing
Case Study 1: Cisco Devices
Case Study 2: Default Passwords
Case Study 3: Other Example

6. 什麼是Shodan.io?
It is a computer search engine designed by web developer
John Matherly (https://twitter.com/achillean). See
https://www.shodan.io
While SHODAN is a search engine, it is much different than
content search engines like Google, Yahoo or Bing.

7. 什麼是Shodan.io？

8. Explore for these

9. Shodan和 Google之不同
 SHODAN interrogates ports and grabs
the resulting banners, then indexes the
banners (rather than the web content)
for searching.

10. Basic Operations: Search
Search terms are entered into a text box. See the following:
Quotation marks can narrow a search.
Boolean operators + and – can be used to include and
exclude query terms (+ is implicit default)

11. Basic Operations: Login
Create and login using a SHODAN account.
Login is notrequired, but country and net filters are not
available unless you login.

12. Basic Operations: Login

13. Basic Operations: Filters
Rule Examples
Net:搜尋特定IP網段 Net:10.1.0.1/24
Country:國家代碼 Country:TW
City:城市 City:beijing
Port:連接埠 Port:445
OS:作業系統 OS:”Linux”
Hostname:網域 Hostname:edu.tw
Org:網路供應商(ISPs) Org:”Hinet”
Product:產品/軟體 Product:mysql
Version:版本 Version:2.3.12

14. Basic Operations: Country Filter

15. Basic Operations: version Filter

16. Basic Operations: Hostname Filter

17. 在TANet內開遠端桌面的機器
輸入：
port:3389 org:"Taiwan Academic network“

18. 在上海有開MongoDB的機器
輸入：
product:MongoDB city:shanghai

19. 在北京有在Linux上開apache的機器
輸入：
apache os:"Linux" city:beijing

20. 在北京有開mysql的機器
輸入：
product:mysql city:Beijing

21. 產生報告

22. 這邊需要一點時間等待報告

23. Basic Operations: Export
SHODAN lets you export up to 10,000 results per credit in
XML format.
Credits can be purchased online.
Sample data export file is available.

24. Basic Operations: Export

25. Pen Testing: HTTP Status Codes
Status Code Description
200 OK Request succeeded
401 Unauthorized Request requires authentication
403 Forbidden
Request is denied regardless of authentication

26. Pen Testing: Assumptions
“200 OK” banner results will load without any
authentication (at least not initially).
“401 Unauthorized” banners with www-authenticate
indicate a username and password pop-up box
(authentication is possible but not yet accomplished, as
distinguished from “403 Forbidden”).
Some banners advertise defaults.

27. Case Study: Cisco Devices

28. Case Study: Cisco Devices

29. Case Study: Cisco Devices
HTTP/1.1 401 Unauthorized
Date: Tue, 10 Oct 2017 02:46:53 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15 or
view_access"
HTTP/1.1 200 OK
Date: Tue, 10 Oct 2017 02:27:21 GMT
Server: cisco-IOS
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Tue, 10 Oct 2017 02:27:21 GMT
Last-Modified: Tue, 10 Oct 2017 02:27:21 GMT

30. Case Study: Cisco Results
Search Results
Cisco 1,274,229
Cisco-ios 384,925
Cisco www-authenticate 630,390
Cisco last-modified 3,482
Cisco last-modified www-authenticate 54
The results on the previous slide suggest there are potentially 3,400+ Cisco devices that do not require
authentication.

31. For example

32. For example

33. Case Study: Default Passwords
An example of a “default password” result:
◦ ****** Important Banner Message ******
◦ Enable and Telnet passwords are configured to "password".
◦ HTTP and HTTPS default username is "admin" and password is "password".
◦ Please change them immediately.
◦ The ethernet 0/1 interface is enabled with an address of 10.10.10.1
◦ Telnet, HTTP, and HTTPS access are also enabled.
◦ To remove this message, while in configuration mode type "no banner motd".

34. Case Study: Default Passwords

35. Other example

36. Other example

37. Other example

38. Other example

39. Other example

40. What is SCADA?
全名：Supervisory Control and Data Acquisition
資料採集與監控系統(Ex: 廢水處理場、機場捷運中控)
DCS(Distributed Control System): 分散式控制系統
PLC(Programmable Logic Controller): 可編程邏輯控制器
RTU(Remote Terminal Unit): 遠端終端控制系統
HMI(human machine interface):人機介面

41. SCADA, ICS, DCS不同？
ICS ~= SCADA ~= DCS
Programmable logic controllers (PLCs)
Discrete process control systems (DPCs)

42. 風力發電系統
輸入：title:"xzeres wind“

43. 風力發電系統
MyTurbine:m442+SRt

44. 發電機
輸入：
CUMMINS port:80
PERKINS port:80

45. 發電機

46. 預設SCADA密碼
https://github.com/scadastrangelove/SCADAPASS
廠商名字：https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv

47. Google Hacking
https://www.exploit-db.com/google-hacking-database/

48. 搜尋敏感資訊/錯誤頁面/潛在弱點
https://pentest-tools.com/information-gathering/google-hacking

49. Google Hacking Operators
http://www.sans.org/security-resources/GoogleCheatSheet.pdf
關鍵字 範例
Site: 搜尋特定Domain或IP Site: 10.1.*.*
Filetype/ext:特定檔案 ext:pdf | ext:docx | ext:csv | ext:ppt |ext:log |ext:sh
Intitle:標題含有特定字串 Intitle:”index.of”
intitle:"IPCam Client" intext:indoor
Intext:本文含有特定內容 Intext:”SQL syntax near”
intext:"Hikvision" inurl:"login.asp"
admin:12345

50. Defend from Google Hacking
http://resources.infosecinstitute.com/defending-from-google-hackers/
http://www.robotstxt.org/orig.html#meta
One of the simple rules is that Web site administrators can create a robots.txt file that specifies
particular locations, so that the search engine should not explore and store in its cache.
The following allows all robots to visit all files:
User-agent: * or googlebot
Disallow: /

51. Defend from Google Hacking
The following meta tag will prevent all robots from scanning any links on the site.
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
We can also deny or allow certain spiders using this tag.
Example: <META NAME="GOOGLEBOT" CONTENT="NOINDEX, NOFOLLOW">

52. Check your own site - SiteDigger
 Gooscan
 Sitedigger
 Wikto

53. Check your own site - Wikto
Wikto: http://sectools.org/tool/wikto

54. Protect Networks Against Shodan Searches
限制公開的服務和設備的數量，確認哪些設備和服務的實際需要遠端存取，
並驗證防火牆規則。
若一定要遠端存取，建議使用VPN Tunnel
更改預設的連接埠
修改回應的banner或關閉banner
封鎖Shodan Server的IP位址, for example:
https://geek.net.pl/poradniki/obrona-wyszukiwarka-shodan-lista-adresow-ip

55. Internet of Things Scanner(1/3)
• http://iotscanner.bullguard.com
• Check if your internet-connected devices at home
are public on Shodan. If they are, this means they
are accessible to the public, and hackers.

56. Internet of Things Scanner(2/3)

57. Internet of Things Scanner(3/3)
Scanner: http://iotscanner.bullguard.com

58. Shodan network Topology
A search engine for threats: https://www.threatcrowd.org

59. Shodan Helper
https://tel.search.ch/bern/sidlerstrasse-4/amato-giani.it.html

60. Shodan Search Provider
Open Source Vulnerability Database Search:
https://howucan.gr/mozilla-addons/227-osvdb-by-sagar38-open-source-vulnerability-database-
search

61. Maltego Add-On
https://www.paterva.com/web7/index.php
https://maltego.shodan.io

62. Conclusions
善用Shodan，來尋找系統上的弱點
檢測自己的系統是否有弱點被Shodan找到
更改預設帳號密碼