SHODAN

Computer Search Engine for the
Internet of Things
Amphion Forum
San Francisco
12 December, 2013

Shawn Merdinger
Network Security Analyst
University of Florida Health
Obligatory Speaker Slide
● UF Health
● Past lives
  – Work, School, Independent Research
  – Cisco Systems, TippingPoint, Independent Consulting
● CVEs, Research, Conferences
  – VoIP, door access controllers, SCADA HMI, “other stuff”
  – Talks at DerbyCon, DefCon, Educause, etc.
● Current interests
  – Medical device security research - MedSec on LinkedIn
  – Shodan
What is Shodan
● Computer Search Engine
  – Created by John Matherly
    ● Based in Austin, TX
    ● Public late 2009
  – “Search engine for service banners of scanned devices accessible via the public Internet”
  – Somewhat controversial...
    ● Major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming it as a threat
    ● Tool: utility and outcome are dependent on use and intent
Shodan Technicals
● Shodan Scans
  – Shodan servers scan the Internet and place results in a DB
    ● Services (web, telnet, snmp, ftp, mysql, rdp, vnc, etc.)
    ● Ports (80, 8080, 443, 161, 21, 23, 3389, 5900, etc.)
● Users search Shodan
  – Web interface or API
    ● Filters: free-text, port, org, hostname, country, city, CIDR, etc.
● Advanced Integration
  – Metasploit Shodan Module (John Sawyer, InGuardians)
  – Maltego
  – Geolocation mapping via http://maps.shodan.io (beta)
Why You Should Care
● Shodan has already scanned...everything?
  – Shodan API
  – Shodan's low-cost extras
    ● Add-ons for in-depth search capability (i.e. Telnet search)
    ● Special discount code for Amphion Forum at end :)
  – The business case
    ● Metrics & deltas with your regular scanning efforts
    ● Export search results for other tools, analysis
  – Caveats
    ● Not under your control, timeliness, IPv4 only (no IPv6)
    ● One-man show by John Matherly
Who Is Talking About Shodan?

If Joe Lieberman is talking about Shodan, you should know what it is.
Project SHINE – ICS/SCADA
● Project SHINE: SHodan INtelligence Extraction
  – Bob Radvanovsky & Jake Brodsky, infracritical / scadasec
    ● I provide research support, search terms, etc.
  – Daily search feed to ICS-CERT
  – 1,000,000 control systems discovered, 2K new each day
DHS ICS-CERT Shodan Advisories
● First issued October 2010
● Several updates & references since
Keeping Perspective...
● Scanning is old news
  – Attackers
    ● Constantly scanning you
    ● Shodan just made scanning more
      – Searchable + visible + accessible
      – ...without scanning
  – Legitimate research
    ● HD Moore's scanning projects
    ● Scan repository at UMich via www.scans.io
    ● Academic researchers doing default credential checks!
      – Columbia, 2010 (Cui, Stolfo): 500K+ devices with default credentials
● We are entering a Golden Age of scanning
  – Tools like zmap, masscan and scan data sharing
Shodan at UF Health
● Currently looking for “low-hanging fruit”
  – Printers on public IP
  – Open Telnet → “Polycom Command Shell”
● Lots of ways to leverage more
  – Automation
  – Deltas (daily scan diffs)
● Limitations
  – External IP only
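The "Metrics & deltas with your regular scanning efforts" bullet and the "Deltas (daily scan diffs)" bullet above describe the same defensive workflow: pull yesterday's and today's exposure snapshots for the address space you own, and alert on what appeared or disappeared. The following is an added example written for this page, not code from the talk or from Shodan. The two snapshots are constructed JSON-lines records whose field names (ip_str, port, transport, timestamp, data) are modelled on Shodan's JSON export but should be treated as an assumption; the CIDR blocks and the watchlisted ports (telnet, snmp, vnc, raw printing, http, all named elsewhere in the deck) are likewise constructed.

```python
"""Daily delta of Internet-exposed services, built from two snapshots of
Shodan-style banner records restricted to the networks an organisation owns.

Added example (not from the talk or from Shodan). Records are constructed;
field names follow Shodan's JSON export as an assumption, not a specification.
"""
import ipaddress
import json

# Ports the talk singles out: telnet, snmp, vnc, raw printing (JetDirect), http.
WATCHLIST = {23: "telnet", 161: "snmp", 5900: "vnc", 9100: "jetdirect", 80: "http"}

# Constructed "yesterday" snapshot: one JSON object per line, export style.
YESTERDAY = """\
{"ip_str": "203.0.113.10", "port": 80, "transport": "tcp", "timestamp": "2013-12-10T03:14:00", "data": "HTTP/1.1 200 OK\\r\\nServer: cisco-IOS\\r\\nLast-Modified: ..."}
{"ip_str": "203.0.113.25", "port": 23, "transport": "tcp", "timestamp": "2013-12-10T03:20:00", "data": "Polycom Command Shell"}
{"ip_str": "198.51.100.7", "port": 22, "transport": "tcp", "timestamp": "2013-12-10T04:00:00", "data": "SSH-2.0-OpenSSH_5.3"}
"""

# Constructed "today" snapshot: the telnet host is gone, a printer appeared,
# and one record lies in someone else's address space and must be ignored.
TODAY = """\
{"ip_str": "203.0.113.10", "port": 80, "transport": "tcp", "timestamp": "2013-12-11T03:10:00", "data": "HTTP/1.1 200 OK\\r\\nServer: cisco-IOS\\r\\nLast-Modified: ..."}
{"ip_str": "203.0.113.40", "port": 9100, "transport": "tcp", "timestamp": "2013-12-11T03:30:00", "data": "@PJL INFO ID\\r\\n"}
{"ip_str": "198.51.100.7", "port": 22, "transport": "tcp", "timestamp": "2013-12-11T04:05:00", "data": "SSH-2.0-OpenSSH_5.3"}
{"ip_str": "192.0.2.99", "port": 23, "transport": "tcp", "timestamp": "2013-12-11T05:00:00", "data": "login:"}
"""

# Constructed: the CIDR blocks this organisation is responsible for.
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def load_banners(text, networks=OWN_NETWORKS):
    """Parse JSON-lines banners, keeping only records inside our own networks."""
    kept = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        addr = ipaddress.ip_address(rec["ip_str"])
        if not any(addr in net for net in networks):
            continue  # someone else's host: not our exposure, so not our alert
        key = (rec["ip_str"], rec["port"], rec.get("transport", "tcp"))
        kept[key] = rec
    return kept


def delta(previous, current):
    """Compare two snapshots keyed by (ip, port, transport)."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "new": sorted(cur_keys - prev_keys),
        "gone": sorted(prev_keys - cur_keys),
        "persistent": sorted(prev_keys & cur_keys),
    }


def triage(report):
    """Order new exposures so watchlisted ports are reviewed first."""
    prioritized = [k for k in report["new"] if k[1] in WATCHLIST]
    other = [k for k in report["new"] if k[1] not in WATCHLIST]
    return prioritized + other


def format_report(report):
    """Render the delta as the short daily note a security team would read."""
    lines = []
    for ip, port, proto in triage(report):
        lines.append(f"NEW  {ip}:{port}/{proto} ({WATCHLIST.get(port, 'other')})")
    for ip, port, proto in report["gone"]:
        lines.append(f"GONE {ip}:{port}/{proto}")
    lines.append(f"{len(report['persistent'])} exposure(s) unchanged")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(delta(load_banners(YESTERDAY), load_banners(TODAY))))
```

Keying on (ip, port, transport) rather than on the whole record means a changed timestamp or banner text does not show up as churn; only a service that genuinely appeared or vanished does. Restricting to your own CIDRs before diffing avoids acting on hosts you neither own nor are entitled to touch, which also mirrors the "External IP only" limitation: this view covers only what the outside world can reach.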
Shodan Search Engine: Amphion Forum San Francisco
Sp00ky Findings
● The following information details sensitive devices exposed on the Internet
● Please exercise discretion and restraint regarding further disclosure of these devices and issues
● Several findings are still in varying phases of resolution and remediation; unfortunately, some may never be resolved
● All are in SHINE and reported to ICS-CERT
S2 Security NetBox
● DefCon 2010 talk: “We don't need no stinkin' badges”
  – Building door access controllers (web based)
  – Multiple CVEs, complete compromise of device; S2 Security vendor threatened to sue me, even blocked my Twitter follow...
  – Real value of Shodan
    ● Proved the devices are not “deep inside corporate network” (today 800+)
“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare”
– John Moss, CEO of S2 Security
VoIP Phones
● Lots of VoIP phones: individual, conference, video
● Late 2010 I focused on Snom
  – VOIPSA blog
    ● Remote tap script: call via phone's web server, record call, etc.
  – Hard to find open Snom now – exposure + tool works
No Auth Cisco Routers & Switches
● Search: "cisco-ios" "last-modified"
  – 10,469 devices with HTTP and no authentication TODAY
  – Level 15 access via HTTP
● “ip http authentication local” would lock down the web server
● 3rd-party attack example: TinyURL commands to Twitter
No Auth Cisco Devices in Iran
● “School of Particles and Accelerators” in Tehran, Iran
  – Who might be interested in this?
  – Honeypot?
Cisco Wireless LAN Controllers
Banners Bite Back
● “Best practices” warning banners = easy fingerprinting
● Swisscom and hotel routers (1200+)
  – Warning banner has company name and hotel location
  – Telnet for access. No SSH.
● If they run their routers like this, what other poor practices?
Banners Bite Back
● Swisscom Miami Convention Center Routers
Telnet To Root On Linux Devices
● TV, DVR, home routers, VoIP phones, refrigerators, etc.
● Botnets have leveraged this already (Carna, Aidra)
WebCams
● Huge numbers, all kinds of uses
● Personal, Office, Business, Security, SCADA
● See Dan Tentler's talks and tools
  – Camcreep.py
    ● Auto screenshot via CLI
    ● wkhtmltoimage
Printers on Public IP
● Technical Risks
  – MFP = Multi-function Printer (FAX, Scan, Email, Storage)
  – Advanced research (Andrei Costin, Ph.D - Milan, Italy)
    ● Access docs, change configs, attack via printed document
● Risks
  – Print from anywhere, web printing, run out of paper, ink
  – Social engineering: how bad could a printer on the Internet be?
Printer Case Study: Penn State
One line of code to print: nc target_ip 9100 < kiddy_porn_image
Siemens HMI SCADA Examples
Power Meter via HTTP
High Profile HVAC Controllers
Sidwell Friends School, Washington DC (HVAC, Lights, Doors)
FBI Newark Office: Niagara Memo
Crematorium on Public IP
● Siemens HMI
  – VNC default pass “100”, no-auth Telnet, MD5 passwords
  – Same system as “pr0f” South Houston SCADA hack (11/2011)
Embassy Network Devices
● Question: What's running telnet in country X with “embassy” in the name?
● Cuts both ways...
Cisco Lawful Intercept
● Cisco routers with LI special code and the SNMP “public” community
  – “LI User” = level 16 super-duper Cisco admin level. Supposed to be invisible to any other user. Taps are supposed to use encrypted SNMPv3 for secure Mediation Device comms.
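Three of the findings above come down to router configuration a defender can audit before Shodan ever sees the box: the "No Auth Cisco Routers & Switches" slide (HTTP management without "ip http authentication local"), "Banners Bite Back" (telnet-only access and a warning banner that names the company and the hotel), and "Cisco Lawful Intercept" (the SNMP "public" community). The following is an added example written for this page, not code from the talk or from Cisco. The IOS commands it checks ("ip http server", "ip http authentication local", "ip http secure-server", "line vty", "transport input", "snmp-server community", "banner motd") are real IOS syntax; the two sample configurations, the keyword list and the parser's assumptions about config layout are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the exposures described in the
"No Auth Cisco Routers & Switches", "Banners Bite Back" and "Cisco Lawful
Intercept" slides: HTTP management without local authentication, vty lines
that accept telnet, a well-known SNMP community, and a login banner that
hands out the organisation's name and location.

Added example, not from the talk or from Cisco. Sample configs and the
keyword list are constructed; the parser handles only the layout shown here.
"""
import re

# Constructed: the kind of config behind a "cisco-ios" banner with open HTTP and telnet.
WEAK_CONFIG = """\
hostname conf-center-rtr
!
ip http server
snmp-server community public RO
!
banner motd ^C
Swisscom Hospitality Services - Miami Convention Center
Unauthorized access prohibited
^C
!
line vty 0 4
 transport input telnet
 login
!
"""

# Constructed: the same device after the fixes the slides point to.
HARDENED_CONFIG = """\
hostname rtr-01
!
no ip http server
ip http secure-server
ip http authentication local
!
banner motd ^C
Authorized access only. Activity is monitored.
^C
!
line vty 0 4
 transport input ssh
 login local
!
"""

# Constructed: words a defender would not want in a login banner.
ORG_KEYWORDS = ("swisscom", "miami", "convention center", "hotel")
WEAK_COMMUNITIES = ("public", "private")


def parse_config(text):
    """Split a config into top-level commands, 'line ...' sections and the motd banner."""
    top, sections, banner = [], {}, []
    current, banner_delim = None, None
    for raw in text.splitlines():
        if banner_delim is not None:            # inside 'banner motd' until the delimiter
            if raw.strip() == banner_delim:
                banner_delim = None
            else:
                banner.append(raw)
            continue
        m = re.match(r"banner motd (\S+)\s*$", raw)
        if m:
            banner_delim = m.group(1)
            continue
        if raw.startswith(" ") and current is not None:  # indented: belongs to a section
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            top.append(raw.strip())
    return {"top": top, "sections": sections, "banner": banner}


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    top = set(cfg["top"])
    findings = []
    if "ip http server" in top:
        findings.append("cleartext HTTP management enabled ('ip http server')")
        if "ip http authentication local" not in top:
            findings.append("HTTP server has no 'ip http authentication local'")
    for cmd in top:
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(f"well-known SNMP community string '{m.group(1)}'")
    for name, lines in cfg["sections"].items():
        if name.startswith("line vty"):
            for line in lines:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(f"{name}: telnet accepted ({line}); prefer 'transport input ssh'")
    banner_text = " ".join(cfg["banner"]).lower()
    for kw in ORG_KEYWORDS:
        if kw in banner_text:
            findings.append(f"banner reveals identifying detail: '{kw}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run against a config export rather than the live device, so the check can sit in a nightly job next to the Shodan delta; the banner keyword list is the part each organisation has to supply itself, since what counts as "identifying" is whatever an outsider could pair with a Shodan search.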
BlueCoat
● BlueCoat surveillance devices and human rights impact
  – Syria (and other regimes)
    ● Tracking + interception of dissidents' communications
    ● “Chilling effect” to “Killing effect”
  – ITAR export violations
  – See Munk School report
75+ US TV Stations' Antennas
● TV station antenna controllers w/ no auth (telnet or http)
  – Looks like a simple home NAS or DVR (Windows CE)
● Multi-step search technique to find them: (1) Shodan, (2) scan for unique TCP port
  – Sent ICS-CERT report of issues, IP, geolocation, FCC info, etc.
CacheTalk Safes
Econolite Traffic Light Controller
●

Yes, it is what you think.
Red Light Enforcement Cameras
●

Delete those pesky speeding tickets!
500+ Gas Station Pumps in Turkey
950+ Cellular Tower Hydrogen Fuel Cell Power Controllers in Italy
Caterpillar VIMS
● Web-based remote monitoring (control?) over cell modem
● CAT 79X series are the largest trucks in the world
● 80+ in Alberta, Canada working the tar sands
● Poor vendor response (contacted by lawyer...not engineer)
Medical Devices, EHRs
● Reported 1st medical devices on public IP to ICS-CERT
  – Glucose monitor base-station (Roche)
  – Fetal monitoring remote access solution (Philips)
● Increasing numbers of EHR “patient portals” (EPIC MyChart)
Thanks!
● Contact
  – Email: shawnmer@ufl.edu
  – Twitter @shawnmer
  – LinkedIn MedSec group
Special Shodan package for Amphion Forum!
1. Register for free Shodan account
2. Login, and then activate by visiting unique URL: http://www.shodanhq.com/amphion
