Complete Guide to Shodan
Collect. Analyze. Visualize. Make Internet Intelligence Work for You.
John Matherly
This book is for sale at http://leanpub.com/shodan
This version was published on 2016-02-25
*****
This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do.
*****
© 2015 - 2016 Shodan, LLC
Table of Contents

Introduction
    All About the Data
    SSL In Depth
    Data Collection
Web Interfaces
    Search Query Explained
    Introducing Filters
    Shodan Search Engine
    Shodan Maps
    Shodan Exploits
    Shodan Images
    Exercises: Website
External Tools
    Shodan Command-Line Interface
    Maltego Add-On
    Browser Plug-Ins
    Exercises: Command-Line Interface
Developer API
    Usage Limits
    Introducing Facets
    Getting Started
    Initialization
    Search
    Host Lookup
    Scanning
    Real-Time Stream
    Network Alert
    Example: Public MongoDB Data
    Exercises: Shodan API
Industrial Control Systems
    Common Abbreviations
    Protocols
    Securing Internet-Connected ICS
    Use Cases
Appendix A: Banner Specification
    General Properties
    HTTP(S) Properties
    Location Properties
    SSL Properties
    Special Properties
    Example
Appendix B: List of Search Filters
    General Filters
    NTP Filters
    SSL Filters
    Telnet Filters
Appendix C: Search Facets
    General Facets
    NTP Facets
    SSH Facets
    SSL Facets
    Telnet Facets
Appendix D: List of Ports
Appendix E: Sample SSL Banner
Exercise Solutions
    Website
    Command-Line Interface
    Shodan API
Introduction

Shodan is a search engine for Internet-connected devices. Web search engines, such as Google and Bing, are great for finding websites. But what if you're interested in finding computers running a certain piece of software (such as Apache)? Or if you want to know which version of Microsoft IIS is the most popular? Or you want to see how many anonymous FTP servers there are? Maybe a new vulnerability came out and you want to see how many hosts it could infect? Traditional web search engines don't let you answer those questions.
All About the Data

Banner
The basic unit of data that Shodan gathers is the banner. The banner is textual information that describes a service on a device. For web servers this would be the headers that are returned, or for Telnet it would be the login screen.
The content of the banner varies greatly depending on the type of service. For example, here is a typical HTTP banner:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive
The above banner shows that the device is running the nginx web server software with a version of 1.1.19. To show how different banners can look, here is a banner for the Siemens S7 industrial control system protocol:

Copyright: Original Siemens Equipment
PLC name: S7_Turbine
Module type: CPU 313C
Unknown (129): Boot Loader A
Module: 6ES7 313-5BG04-0AB0 v.0.3
Basic Firmware: v.3.3.8
Module name: CPU 313C
Serial number of module: SQ-D9U083642013
Plant identification:
Basic Hardware: 6ES7 313-5BG04-0AB0 v.0.3
The Siemens S7 protocol returns a completely different banner, this time providing information about the firmware, its serial number and a lot of detailed data to describe the device.

You have to decide what type of service you're interested in when searching in Shodan because the banners vary greatly.

Note: Shodan lets you search for banners - not hosts. This means that if a single IP exposes many services they would be represented as separate results.

Device Metadata
In addition to the banner, Shodan also grabs meta-data about the device such as its geographic location, hostname, operating system and more (see Appendix A). Most of the meta-data is searchable via the main Shodan website, however a few fields are only available to users of the developer API.

IPv6
As of October 2015, Shodan gathers millions of banners per month for devices accessible on IPv6. Those numbers still pale in comparison to the hundreds of millions of banners gathered for IPv4 but it is expected to grow over the coming years.
SSL In Depth

SSL is becoming an ever more important aspect of serving and consuming content on the Internet, so it's only fitting that Shodan extends the information that it gathers for every SSL-capable service. The banners for SSL services, such as HTTPS, include not just the SSL certificate but also much more. All the collected SSL information discussed below is stored in the ssl property on the banner (see Appendix A and Appendix E).
Vulnerability Testing

Heartbleed

If the service is vulnerable to Heartbleed then the banner contains 2 additional properties. opts.heartbleed contains the raw response from running the Heartbleed test against the service. Note that for the test the crawlers only grab a small overflow to confirm the service is affected by Heartbleed; they don't grab enough data to leak private keys. The crawlers also add CVE-2014-0160 to the opts.vulns list if the device is vulnerable. However, if the device is not vulnerable then they add "!CVE-2014-0160". If an entry in opts.vulns is prefixed with a ! or - then the service is not vulnerable to the given CVE.

{
    "opts": {
        "heartbleed": "... 174.142.92.126:8443 - VULNERABLE\n",
        "vulns": ["CVE-2014-0160"]
    }
}
Shodan also supports searching by the vulnerability information. For example, to search Shodan for devices in the USA that are affected by Heartbleed use:

country:US vuln:CVE-2014-0160

FREAK

If the service supports EXPORT ciphers then the crawlers add the "CVE-2015-0204" item to the opts.vulns property:

"opts": {
    "vulns": ["CVE-2015-0204"]
}
Logjam

The crawlers try to connect to the SSL service using ephemeral Diffie-Hellman ciphers and if the connection succeeds the following information is stored:

"dhparams": {
    "prime": "bbbc2dcad84674907c43fcf580e9…",
    "public_key": "49858e1f32aefe4af39b28f51c…",
    "bits": 1024,
    "generator": 2,
    "fingerprint": "nginx/Hardcoded 1024-bit prime"
}
Version

Normally, when a browser connects to an SSL service it will negotiate the SSL version and cipher that should be used with the server. They will then agree on a certain SSL version, such as TLSv1.2, and then use that for the communication.

Shodan crawlers start out the SSL testing by doing a normal request as outlined above where they negotiate with the server. However, afterwards they also explicitly try connecting to the server using a specific SSL version. In other words, the crawlers attempt to connect to the server using SSLv2, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 explicitly to determine all the versions that the SSL service supports. The gathered information is made available in the ssl.versions field:

{
    "ssl": {
        "versions": ["TLSv1", "SSLv3", "-SSLv2", "-TLSv1.1", "-TLSv1.2"]
    }
}
If the version has a - (dash) in front of it, then the device does not support that SSL version. If the version doesn't begin with a -, then the service supports the given SSL version. For example, the above server supports:

TLSv1
SSLv3

And it denies versions:

SSLv2
TLSv1.1
TLSv1.2

The version information can also be searched over the website/API. For example, the following search query would return all SSL services (HTTPS, POP3 with SSL, etc.) that allow connections using SSLv2:

ssl.version:sslv2
Follow the Chain

The certificate chain is the list of SSL certificates from the root to the end-user. The banner for SSL services includes an ssl.chain property that contains all of the SSL certificates of the chain as PEM-serialized certificates.
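The prefix conventions of opts.vulns and ssl.versions described above are easy to misread when a banner is processed programmatically (a "!CVE-2014-0160" entry still contains the CVE id as a substring). The following is an added example, not code from the book: it interprets those fields from a banner dictionary. The sample banner, the function names and the 1024-bit threshold used for the dhparams check are this example's own assumptions.

```python
# Added example: interpret the vulnerability and SSL-version conventions of a
# Shodan banner. In opts.vulns a "!" or "-" prefix means the crawler tested
# the CVE and found the service NOT vulnerable; a missing id means the test
# was not run. In ssl.versions a "-" prefix means the server refused that
# protocol version. SAMPLE_BANNER is constructed for this example.

SAMPLE_BANNER = {
    "ip_str": "203.0.113.10",          # constructed (TEST-NET-3 address)
    "port": 8443,
    "opts": {
        "heartbleed": "... 203.0.113.10:8443 - VULNERABLE\n",
        "vulns": ["CVE-2014-0160", "!CVE-2015-0204"],
    },
    "ssl": {
        "versions": ["TLSv1", "SSLv3", "-SSLv2", "-TLSv1.1", "-TLSv1.2"],
        "dhparams": {"bits": 1024, "generator": 2,
                     "fingerprint": "nginx/Hardcoded 1024-bit prime"},
    },
}


def vuln_status(banner, cve):
    """True = vulnerable, False = tested and not vulnerable, None = untested."""
    for entry in banner.get("opts", {}).get("vulns", []):
        if entry.lstrip("!-") == cve:
            return not entry.startswith(("!", "-"))
    return None


def ssl_versions(banner):
    """Split ssl.versions into (supported, denied) lists without the prefix."""
    supported, denied = [], []
    for version in banner.get("ssl", {}).get("versions", []):
        if version.startswith("-"):
            denied.append(version[1:])
        else:
            supported.append(version)
    return supported, denied


def ssl_findings(banner):
    """Summarise the checks this chapter describes as a list of findings."""
    findings = []
    if vuln_status(banner, "CVE-2014-0160"):
        findings.append("Heartbleed (CVE-2014-0160)")
    if vuln_status(banner, "CVE-2015-0204"):
        findings.append("FREAK: EXPORT ciphers accepted (CVE-2015-0204)")
    dh = banner.get("ssl", {}).get("dhparams")
    # Threshold is this example's choice: groups of 1024 bits or less are the
    # ones the Logjam research treats as too weak.
    if dh and dh.get("bits", 0) <= 1024:
        findings.append("Weak DH group: %d-bit (%s)" % (
            dh["bits"], dh.get("fingerprint", "unknown")))
    supported, _ = ssl_versions(banner)
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in supported:
            findings.append("Legacy protocol enabled: " + legacy)
    return findings


if __name__ == "__main__":
    for finding in ssl_findings(SAMPLE_BANNER):
        print(finding)
```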
Data Collection

Frequency
The Shodan crawlers work 24/7 and update the database in real-time. At any moment you query the Shodan website you're getting the latest picture of the Internet.

Distributed
Crawlers are present in countries around the world, including:

USA (East and West Coast)
China
Iceland
France
Taiwan
Vietnam
Romania
Czech Republic

Data is collected from around the world to prevent geographic bias. For example, many system administrators in the USA block entire Chinese IP ranges. Distributing Shodan crawlers around the world ensures that any sort of country-wide blocking won't affect data gathering.

Randomized
The basic algorithm for the crawlers is:

1. Generate a random IPv4 address
2. Generate a random port to test from the list of ports that Shodan understands
3. Check the random IPv4 address on the random port and grab a banner
4. Go to 1

This means that the crawlers don't scan incremental network ranges. The crawling is performed completely at random to ensure a uniform coverage of the Internet and prevent bias in the data at any given time.
Web Interfaces

The easiest way to access the data that Shodan gathers is through the web interfaces. Almost all of them let you enter a search query, so let's discuss that first:

Search Query Explained
By default, the search query only looks at the main banner text and doesn't search the meta-data. For example, if you're searching for "Google" then the results will only include results where the text "Google" was shown in the banner; it wouldn't necessarily return results for Google's network range.

Shodan search for "Google"

As seen above, a search for "Google" returns a lot of Google Search Appliances that organizations have purchased and connected to the Internet; it doesn't return Google's servers.

Shodan will try to find results matching all search terms, which means that implicitly there is a + or AND between each search term. For example, the search query "apache +1.3" is equivalent to "apache 1.3".

To search the meta-data you need to use search filters.
Introducing Filters
Filters are special keywords that Shodan uses to let you narrow search results based on the meta-data of a service or device. The format for entering filters is:

filtername:value

Important: There is no space between the colon ":" and the value.

To use a value that contains a space with a filter you have to wrap the value in double quotes. For example, to find all devices on the Internet that are located in San Diego you would search for:

city:"San Diego"

A few filters let you specify several values that are separated by a comma ",". For example, to find devices that are running Telnet on ports 23 and 1023:

port:23,1023

If a filter doesn't allow commas in its value (ex. port, hostname, net) then it lets you provide multiple values this way. Filters can also be used to exclude results by prepending a minus sign "-" to the filter. For example, the following would return all devices that aren't located in San Diego:

-city:"San Diego"

Shodan supports a lot of filters, a few popular ones are:

Filter Name   Description                                                     Example
category      Available categories: ics, malware
city          Name of the city
country       Full country name
net           Only show results inside the provided IP range in CIDR format   net:190.30.40.0/24
org           Narrow results based on the organization that owns the IP       org:"Verizon Wireless"

See Appendix B for a full list of search filters that are available.
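To make the query rules above concrete (terms match the banner text, filter:value pairs match meta-data, double quotes protect spaces, commas separate several values for some filters and a leading "-" negates a filter), here is an added example that is not part of the book: a small parser for that syntax plus a function that evaluates a parsed query against a banner dictionary locally. The set of filter names it recognises, the location.* banner keys and the sample banner are assumptions of this example.

```python
import ipaddress
import shlex

# Filter names this chapter uses; an assumption, not Shodan's complete list.
KNOWN_FILTERS = {"category", "city", "country", "net", "org", "port", "hostname",
                 "product", "vuln", "ssl.version", "has_screenshot"}
# Filters whose values never contain a comma, so a comma separates several
# values (the port:23,1023 example above).
MULTI_VALUE_FILTERS = {"port", "hostname", "net"}


def parse_query(query):
    """Return (terms, filters): terms are plain banner-text words, filters are
    (name, values, negated) tuples in the order they appeared."""
    terms, filters = [], []
    # shlex keeps city:"San Diego" together as one token and drops the quotes.
    for token in shlex.split(query):
        negated = token.startswith("-")
        body = token[1:] if negated else token
        name, colon, value = body.partition(":")
        if not colon or name.lower() not in KNOWN_FILTERS:
            # Not a filter: the implicit AND makes a leading "+" redundant.
            terms.append(token.lstrip("+"))
            continue
        name = name.lower()
        values = [v for v in value.split(",") if v] if name in MULTI_VALUE_FILTERS else [value]
        filters.append((name, values, negated))
    return terms, filters


def _field_values(banner, name):
    """Meta-data a filter is compared against. The top-level keys follow the
    examples in this chapter; the location.* keys are an assumption. Filters
    not modelled here return no values and therefore never match."""
    if name == "port":
        return [str(banner.get("port", ""))]
    if name == "org":
        return [banner.get("org", "")]
    if name == "hostname":
        return list(banner.get("hostnames", []))
    if name == "product":
        return [banner.get("product", "")]
    if name == "vuln":
        # Only entries without a "!"/"-" prefix mean "vulnerable" (SSL section).
        return [v for v in banner.get("opts", {}).get("vulns", [])
                if not v.startswith(("!", "-"))]
    if name == "ssl.version":
        return [v for v in banner.get("ssl", {}).get("versions", []) if not v.startswith("-")]
    loc = banner.get("location", {})
    if name == "city":
        return [loc.get("city", "")]
    if name == "country":
        return [loc.get("country_code", ""), loc.get("country_name", "")]
    return []


def _filter_matches(banner, name, values):
    if name == "net":
        ip = ipaddress.ip_address(banner["ip_str"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    have = {str(v).lower() for v in _field_values(banner, name)}
    return any(v.lower() in have for v in values)


def matches(banner, query):
    """Evaluate a query locally against one banner: every term must occur in
    the banner text and every filter must hold (or fail, when negated)."""
    terms, filters = parse_query(query)
    text = banner.get("data", "").lower()
    if not all(t.lower() in text for t in terms):
        return False
    for name, values, negated in filters:
        if _filter_matches(banner, name, values) == negated:
            return False
    return True


# Constructed banner for trying the parser out (TEST-NET-2 address).
SAMPLE_BANNER = {
    "ip_str": "198.51.100.23", "port": 2222, "org": "Example Hosting",
    "hostnames": ["ssh.example.net"], "product": "OpenSSH",
    "data": "SSH-2.0-OpenSSH_5.3\n",
    "location": {"city": "San Diego", "country_code": "US", "country_name": "United States"},
    "opts": {"vulns": ["!CVE-2014-0160"]},
}

if __name__ == "__main__":
    print(parse_query('product:openssh -port:22 city:"San Diego"'))
    print(matches(SAMPLE_BANNER, "product:openssh -port:22"))
```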
Shodan Search Engine
The main interface for accessing the data gathered by Shodan is via its search engine located at https://www.shodan.io

By default, the search query will look at the data collected within the past 30 days. This is a change from the old website at shodanhq.com, which searched the entire Shodan database by default. This means that the results you get from the website are recent and provide an accurate view of the Internet at the moment.

In addition to searching, the website also provides the following functionality:

Download Data
After completing a search there will be a button at the top called Download Data. Clicking on that button will provide you with the option of downloading the search results in JSON, CSV or XML formats.

The JSON format generates a file where each line contains the full banner and all accompanying meta-data that Shodan gathers. This is the preferred format as it saves all available information. And the format is compatible with the Shodan command-line client, meaning you can download data from the Shodan website then process it further using the terminal.

The CSV format returns a file containing the IP, port, banner, organization and hostnames for the banner. It doesn't contain all the information that Shodan gathers due to limitations in the CSV file format. Use this if you only care about the basic information of the results and want to quickly load it into external tools such as Excel.

The XML format is the old, deprecated way of saving search results. It is harder to work with than JSON and consumes more space, thereby making it suboptimal for most situations.

Downloading data consumes export credits, which are one-time use and purchased on the website. They aren't associated in any way with the Shodan API and they don't automatically renew every month. 1 export credit can be used to download up to 10,000 results.

Data files generated by the website can be retrieved in the Downloads section of the website, which you can visit by clicking on the button in the upper right corner.

Generate Report
The website lets you generate a report based off of a search query. The report contains graphs/charts providing you a big picture view of how the results are distributed across the Internet. This feature is free and available to anyone.

When you generate a report you are asking Shodan to take a snapshot of the search results and provide an aggregate overview. Once the report has been generated, it doesn't change or automatically update as new data is being collected by Shodan. This also means that you can generate a report once a month and keep track of changes over time by comparing it to reports of previous months. By clicking on the button in the top right corner you can get a listing of previously generated reports.
Shared Search Queries
Finding specific devices requires knowledge about the software they run and how they respond to banner grabs over the Internet. Fortunately, it is possible to leverage the shared knowledge of the community using the search directory on Shodan. People are able to readily describe, tag and share their search queries for others to use. If you're interested in getting started with Shodan, the shared searches should be your first stop.

Warning: Shared search queries are publicly viewable. Do not share queries that are sensitive or you don't want others to know about.
Example: Finding Non-Default Services
A common reaction I get when talking about devices exposed on the Internet is something like the following:

Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is also known as the concept of security by obscurity, and it's considered a largely ineffective, deprecated idea. What's worse is that it might give the owner of the server/device a false sense of security. For example, let's take a look at people running OpenSSH on a non-standard port. To do this we will use the following search query:

product:openssh -port:22

The product filter is used to only show OpenSSH servers while -port:22 tells Shodan to exclude all results that were collected from the standard SSH port (22). To get a better overview of the search results let's generate a report:

The report also gives us a breakdown of the most common non-standard ports:

1. 2222: 323,930
2. 5000: 47,439
3. 23: 13,482
4. 26: 7,569
5. 5555: 6,856
6. 9999: 6,286
7. 82: 6,046
8. 2323: 3,622
9. 6666: 2,735
10. 3333: 2,644

These numbers don't look that random to me… Right away you should realize that your random choice of non-standard port might not be so unique. Port 2222 is popular the same way that HTTP on port 8080 is popular, and it's also the default port for the Kippo honeypot, though I doubt that many people are running honeypots. The next most popular port is 5000, which didn't follow the same pattern as the other ports to me (repeating/symmetric numbers). And it was around the same time that I realized that Australia was the 2nd most popular country to run OpenSSH on a non-standard port. I decided to take a closer look at Australia, and it turns out that there are nearly the same amount of servers running OpenSSH on port 5000 as there are on the default port 22. About 68,000 devices are running on the default port, and 54,000 on port 5000. Looking at a few banners we can determine that this is the SSH fingerprint that they all share:

5b:a2:5a:9a:91:28:60:9c:92:2b:9e:bb:7f:7c:2e:06

It appears that the Australian ISP BigPond installs/configures networking gear that not only runs OpenSSH on port 5000 (most likely for remote management) but also has the same SSH keys installed on all of them. The devices also happen to run an old version of OpenSSH that was released on September 4th 2007. There's no guarantee that running OpenSSH on the default port would've made them more security conscious, but their installation of ~54,000 devices is 25% of the total number of OpenSSH servers on the Internet running version 4.7 (side note: the most popular version of OpenSSH is 5.3).
Shodan Maps
Shodan Maps provides a way to explore search results visually instead of the text-based main website. It displays up to 1,000 results at a time and as you zoom in/out Maps adjusts the search query to only show results for the area you're looking at.

All search filters that work for the main Shodan website also work on Maps.

Map Styles
There are a variety of map styles available to present the data to your preference. Click on the gear button next to the search button for a list of options.

Satellite
Satellite without Labels
Streets (Light)
Streets (Dark)
Streets (Green)
Streets (Red)
Pirate
Shodan Exploits
Shodan Exploits collects vulnerabilities and exploits from CVE, ExploitDB and Metasploit to make them searchable via a web interface.

The search filters available for Exploits are different than the rest of Shodan, though an attempt was made to keep them similar when possible.

Important: By default, Exploits will search the entire content of the available exploit information including meta-data. This is unlike Shodan, which only searches the banner text if no other filters are specified.

The following search filters are available:

Name          Description
author        Author of the vulnerability/exploit
description   Description
platform      Platform that it targets (ex: php, windows, linux)
type          Exploit type (ex: remote, dos)
Shodan Images
For a quick way to browse all the screenshots that Shodan collects check out Shodan Images. It is a user-friendly interface around the has_screenshot filter.

The search box at the top uses the same syntax as the main Shodan search engine. It is most useful to use the search box to filter by organization or netblock. However, it can also be used to filter the types of images that are shown.

Image data is gathered from 4 different sources:

VNC
RTSP
Webcams
X Windows

Each image source comes from a different port/service and therefore has a different banner. This means that if you only want to see images from webcams you could search for:

HTTP

To search for VNC you can search using authentication disabled and for RTSP you simply search with RTSP.

The images can also be found using the main Shodan website or Shodan Maps by using the has_screenshot:true filter in the search query. For example, to find images of VNC servers that have disabled authentication search for has_screenshot:true authentication disabled.
Exercises: Website

Exercise 1
Find the 4SICS website using Shodan.
Tip: Check out Appendix B for a list of search filters.

Exercise 2
Find the Rastalvskarn power plant.
Tip: It is running anonymous VNC and is located in the Swedish city of Nora

Exercise 3
How many IPs in Sweden are vulnerable to Heartbleed and still support SSLv2?
How many IPs are vulnerable to Heartbleed at your organization?

Exercise 4
Find all the industrial control systems in your town.

Exercise 5
Which RAT is most popular in Sweden?
External Tools

Shodan Command-Line Interface

Getting Started
The shodan command-line interface is packaged with the official Python library for Shodan, which means if you're running the latest version of the library you already have access to the CLI. To install the new tool simply execute:

easy_install shodan

Once the tool is installed it has to be initialized with your API key:

shodan init YOUR_API_KEY

Visit https://account.shodan.io to retrieve the API key for your account.
alert
The alert command provides you the ability to list, clear and remove network alerts that were created using the API.

convert
Convert the compressed JSON file generated by Shodan into a different file format. At the moment it only supports output to kml.

count
Returns the number of results for a search query.

$ shodan count microsoft iis 6.0
5360594

download
Search Shodan and download the results into a file where each line is a JSON banner (see Appendix A).

By default it will only download 1,000 results; if you want to download more look at the --limit flag.

The download command is what you should be using most often when getting results from Shodan since it lets you save the results and process them afterwards using the parse command. Because paging through results uses query credits, it makes sense to always store searches that you're doing so you won't need to use query credits for a search you already did in the past.

host
See information about the host such as where it's located, what ports are open and which organization owns the IP.

$ shodan host 189.201.128.250

info
Obtain general information about your API plan, including how many query and scan credits you have remaining this month.

$ shodan info
Query credits available: 5102
Scan credits available: 249

myip
Returns your Internet-facing IP address.

$ shodan myip
199.30.49.210

parse
Use parse to analyze a file that was generated using the download command. It lets you filter out the fields that you're interested in, convert the JSON to a CSV and is friendly for piping to other scripts.

The following command outputs the IP address, port and organization in CSV format for the previously downloaded Microsoft-IIS data:

$ shodan parse --fields ip_str,port,org --separator , microsoft-data.json.gz
scan
The scan command provides a few sub-commands but the most important one is submit which lets you perform network scans using Shodan.

$ shodan scan submit 202.69.165.20

search
This command lets you search Shodan and view the results in a terminal-friendly way. By default it will display the IP, port, hostnames and data. You can use the --fields parameter to print whichever banner fields you're interested in.

For example, to search Microsoft IIS 6.0 and print out their IP, port, organization and hostnames use the following command:

$ shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0

stats
The stats command lets you print the facets for a search query.

For example, the following command shows the most popular countries where Apache web servers are located:

$ shodan stats --facets country apache
Top 10 Results for Facet: country
US  8,336,729
DE  4,512,172
CN  1,470,434
JP  1,093,699
GB    832,221
NL    684,432
FR    667,871
CA    501,630
RU    324,698
BR    266,788
stream
The stream command provides access to the real-time stream of data that the Shodan crawlers collect.

The command supports many different flags, however there are 2 that are important to mention:

--datadir

The --datadir flag lets you specify a directory in which the streamed data should be stored. The files generated in the --datadir directory have the following naming convention:

YYYY-MM-DD.json.gz

A sample filename would be "2016-01-15.json.gz". Each day a new file is automatically generated as long as you keep the stream running. For example, the following command downloads all the data from the real-time stream and saves it in a directory called /var/lib/shodan/:

shodan stream --datadir /var/lib/shodan/

--limit

The --limit flag specifies how many results should be downloaded. By default, the stream command runs forever until you exit the tool. However, if you're only interested in collecting a sample of data then the --limit flag ensures you gather a small amount of records. For example:

shodan stream --limit 100

The above command would connect to the Shodan real-time stream, print out the first 100 records that are received and then exit.

--ports

The --ports flag accepts a comma-separated list of ports to let you stream only records gathered from those ports. The following command prints out a stream of banners that were collected from services running on port 80 or 8080:

shodan stream --ports 80,8080

Example: Telnet Research

Let's assume we want to perform research into devices on the Internet running Telnet. As a starting point we can combine all of the aforementioned commands into the following:

mkdir telnet-data
shodan stream --ports 23,1023,2323 --datadir telnet-data/ --limit 10000

First, we create a directory called telnet-data to store the Telnet data. Then we request 10,000 records (--limit 10000) from the stream on common Telnet ports (--ports 23,1023,2323) and store the results in the previously created directory (--datadir telnet-data/).
Maltego Add-On
Maltego is an open source intelligence and forensics application; it lets you visually explore and correlate data from a variety of sources.

The Shodan add-on for Maltego provides 2 new entities (Service and Exploit) and 5 transforms:

searchShodan
searchShodanByDomain
searchShodanByNetblock
toShodanHost
searchExploits

Browser Plug-Ins
There are plugins available for both Chrome and Firefox that let you see what services a website exposes.

Exercises: Command-Line Interface

Exercise 1
Download the IPs vulnerable to Heartbleed in Sweden and Norway using the Shodan CLI.
Filter out the results for Sweden and store them in a separate file.
Note: Uncompress the file and look at the raw data to see the raw response from the Heartbleed test.

Exercise 2
Download 1,000 recent banners using the real-time stream and then map them using Google Maps.
Tip: shodan convert

Exercise 3
Write a script to download a list of known malware IPs and block any outgoing traffic to them.
Tip: iptables -A OUTPUT -d x.x.x.x -j DROP
Developer API

Shodan provides a developer API (https://developer.shodan.io/api) for programmatic access to the information that is collected. All of the websites and tools, including the main Shodan website, are powered by the API. Everything that can be done via the website can be accomplished from within your own code.

The API is divided into 2 parts: REST API and Streaming API. The REST API provides methods to search Shodan, look up hosts, get summary information on queries and a variety of utility methods to make developing easier. The Streaming API provides a raw, real-time feed of the data that Shodan is currently collecting. There are several feeds that can be subscribed to, but the data can't be searched or otherwise interacted with; it's a live feed of data meant for large-scale consumption of Shodan's information.

Note: Only users with an API subscription are able to access the Streaming API.

Usage Limits
There are 3 methods of the API that get limited depending on your API plan:

1. Searching
To limit the number of searches that can be performed per month Shodan uses query credits. 1 query credit is used when you perform a search containing filters or go past the 1st page. For example, if you search for "apache" that doesn't use any query credits. If you search for "apache country:US" that would use 1 query credit. Likewise, if you searched for the 2nd page of results for "apache" that would use 1 query credit. Finally, a search query for the 2nd page of "apache country:US" would also use up 1 query credit.

2. Scanning
The on-demand scanning API uses scan credits to limit the number of hosts that you can request Shodan to scan every month. For every host that you request a scan of, Shodan deducts 1 scan credit.

3. Network Alerts
The number of IPs that can be monitored using alerts is limited based on your API subscription. Only paid customers have access to this feature. And you can't create more than 100 alerts on your account.

Important: Query and scan credits get reset at the start of every month.

Introducing Facets
Facets provide aggregate information about a specific field of the banner you're interested in. Filters let you narrow down search results while facets let you get a big picture view of the results. For example, the main Shodan website uses facets to provide the statistics information on the left side of the search results:

A long list of facets is available (see Appendix C) and using the API you are in control of which facets you care about. For example, searching for port:22 and faceting on the ssh.fingerprint facet will give you a breakdown of which SSH fingerprints are most commonly seen on the Internet. Facets are often the starting point for research into Internet-wide issues such as duplicate SSH keys, negligent hosting providers or country-wide security holes.

At the moment, facets are only available from the API and the Shodan command-line interface.

Getting Started
All the examples will be provided in Python and assume you have access to the command-line, though there are Shodan libraries/clients available in other languages as well.

To install the Shodan library for Python run the following command:

easy_install shodan

If you already have it installed and want to upgrade to the latest version:

easy_install -U shodan
Initialization
The first thing that always has to be done is initializing the Shodan API object:

import shodan
api = shodan.Shodan('YOUR API KEY')

Where YOUR API KEY is the API key for your account which you can obtain from:

https://account.shodan.io

Search
Now that we have our API object all good to go, we're ready to perform a search:

# Wrap the request in a try/except block to catch errors
try:
    # Search Shodan
    results = api.search('apache')

    # Show the results
    print('Results found: %s' % results['total'])
    for result in results['matches']:
        print('IP: %s' % result['ip_str'])
        print(result['data'])
        print('')
except shodan.APIError as e:
    print('Error: %s' % e)

Stepping through the code, we first call the Shodan.search() method on the api object which returns a dictionary of result information. We then print how many results were found in total, and finally loop through the returned matches and print their IP and banner. Each page of search results contains up to 100 results.
There’salotmoreinformationthatgetsreturnedbythefunction.SeebelowforashortenedexampledictionarythatShodan.searchreturns:{
'total':8669969,
'matches':[
{
'data':'HTTP/1.0200OK\r\nDate:Mon,08Nov201005:09:59GMT\r\nSer…',
'hostnames':['pl4t1n.de'],
'ip':3579573318,
'ip_str':'89.110.147.239',
'os':'FreeBSD4.4',
'port':80,
'timestamp':'2014-01-15T05:49:56.283713'
},
...
]
}
SeeAppendixAforacompletelistofpropertiesthatthebannermaycontain.
Important:Bydefault,afewofthelargefieldsinthebannersuchas“html”gettruncatedtoreducebandwidthusage.Ifyouwanttoretrievealltheinformationsimplydisableminificationusingminify=False.Forexample,thefollowingsearchqueryforanonymousVNCserviceswouldensureallinformationisreturned:results=api.search('has_screenshot:true',minify=False)
It’salsogoodpracticetowrapallAPIrequestsinatry/exceptclause,sinceanyerrorwillraiseanexception.Butforsimplicity’ssake,Iwillleavethatpartoutfromnowon.
Theabovescriptonlyoutputstheresultsfromthe1stpageofresults.Togetthe2ndpageofresultsormoresimplyusethepageparameterwhendoingthesearchrequest:results=api.search('apache',page=2)
Orifyouwanttosimplyloopoverallpossibleresultsthere’samethodtomakeyourlifeeasiercalledsearch_cursor()
forbannerinapi.search_cursor('apache'):
printbanner['ip_str']#PrintouttheIPaddressforeachbanner
Important:Thesearch_cursor()methodonlyreturnsthebannersanddoesn’tletyouusefacets.Onlyuseittoloopoverresults.
Host Lookup
To see what Shodan has available on a specific IP we can use the Shodan.host() function:

# Lookup the host
host = api.host('217.140.75.46')

# Print general info
print("""
IP: %s
Organization: %s
Operating System: %s
""" % (host['ip_str'], host.get('org', 'n/a'), host.get('os', 'n/a')))

# Print all banners
for item in host['data']:
    print("""
Port: %s
Banner: %s
""" % (item['port'], item['data']))

By default, Shodan only returns information on the host that was recently collected. If you would like to get a full history of an IP address, include the history parameter. For example:

host = api.host('217.140.75.46', history=True)

The above would return all banners, including for services that may no longer be active on the host.
Scanning
Shodan crawls the Internet at least once a month, but if you want to request Shodan to scan a network immediately you can do so using the on-demand scanning capabilities of the API.

Unlike scanning via a tool such as Nmap, the scanning with Shodan is done asynchronously. This means that after you submit a request to Shodan you don't get back the results immediately. It is up to the developer to decide how the results of the scan should be gathered: by looking up the IP information, searching Shodan or subscribing to the real-time stream. The Shodan command-line interface creates a temporary network alert after a scan was initiated and then waits for results to come through the real-time stream.

scan = api.scan('198.20.69.0/24')

It's also possible to submit a list of networks at once by providing a list of addresses in CIDR notation:

scan = api.scan(['198.20.49.30', '198.20.74.0/24'])

After submitting a scan request the API will return the following information:

{
    'id': 'R2XRT5HH6X67PFAB',
    'count': 1,
    'credits_left': 5119
}

The object provides a unique id that you can use for tracking purposes, the total count of IPs that were submitted for scanning and finally how many scan credits are left (credits_left).
Real-Time Stream
The Streaming API is an HTTP-based service that returns a real-time stream of data collected by Shodan. It doesn't provide any search or lookup capabilities; it is simply a feed of everything that is gathered by the crawlers.

For example, here is a script that outputs a stream of banners from devices that are vulnerable to FREAK (CVE-2015-0204):

def has_vuln(banner, vuln):
    # 'opts' is itself optional, so use .get() instead of banner['opts']
    # to avoid a KeyError on banners that don't carry it
    opts = banner.get('opts', {})
    if 'vulns' in opts and vuln in opts['vulns']:
        return True
    return False

for banner in api.stream.banners():
    if has_vuln(banner, 'CVE-2015-0204'):
        print(banner)

To save space and bandwidth many properties in the banner are optional. To make working with optional properties easier it is best to wrap access to properties in a function. In the above example, the has_vuln() method checks whether the service is vulnerable to the provided CVE.

Note: Regular API subscriptions only have access to 1% of the feed. 100% access is available to data license customers only.
Network Alert
A network alert is a real-time feed of data that is being collected by Shodan for a network range. Getting started with network alerts requires 2 steps:

Creating a Network Alert
To create a network alert you need to provide a name and a network range. The name should be descriptive to let you know what the alert is monitoring or why it was created.

alert = api.create_alert('Production network', '198.20.69.0/24')

As with the scan() method you can also provide a list of network ranges to monitor:

alert = api.create_alert('Production and Staging network', [
    '198.20.69.0/24',
    '198.20.70.0/24',
])

Note: Only a limited number of IPs can be monitored using network alerts and an account can't have more than 100 alerts active.

A useful trick when combining network alerts with the scanning API is to set an expiration for the alert:

alert = api.create_alert('Temporary alert', '198.20.69.0/24', expires=60)

The above alert would be active for 60 seconds and then expire, at which point the alert can't be used anymore.

Upon successfully creating an alert, the API will return the following object:

{
    "name": "Production network",
    "created": "2015-10-17T08:13:58.924581",
    "expires": 0,
    "expiration": null,
    "filters": {
        "ip": ["198.20.69.0/24"]
    },
    "id": "EPGWQG5GEELV4799",
    "size": 256
}

Subscribing
Once an alert has been created it is ready to be used as a real-time stream of data for that network.

for banner in api.stream.alert(alert['id']):
    print(banner)

As with the regular real-time stream, the alert() method provides an iterator where each item is a banner as it's being collected by the Shodan crawlers. The only argument that the alert() method requires is the alert ID that was returned when creating the network alert.
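The Scanning section above leaves it to the developer to collect the results of an asynchronous scan, and mentions that the command-line interface does so with a temporary network alert. The following is an added example, not code from the book or the shodan library, of that pattern: create an expiring alert for the target range, submit the scan, then read the alert stream until the alert's lifetime is over. The create_alert(), scan() and stream.alert() calls and the dictionaries they return follow this chapter; FakeShodan is a constructed stand-in so the logic can run offline, and the placeholder ids and banners are constructed too.

```python
import time


def collect_scan_results(api, networks, expires=60, clock=time.time):
    """Submit a scan and gather its results through a temporary network alert.

    Returns (scan_id, banners_by_ip). The alert is created before the scan is
    submitted so that the earliest results are not missed, and its expiry also
    bounds how long the stream is read.
    """
    alert = api.create_alert("Temporary scan alert", networks, expires=expires)
    scan = api.scan(networks)
    deadline = clock() + expires
    banners_by_ip = {}
    for banner in api.stream.alert(alert["id"]):
        banners_by_ip.setdefault(banner["ip_str"], []).append(banner)
        # The live stream blocks between banners, so this check only runs when
        # one arrives; the alert's own expiry is the hard limit on the feed.
        if clock() >= deadline:
            break
    return scan["id"], banners_by_ip


class _FakeStream(object):
    """Constructed: replays canned banners instead of the live HTTP stream."""
    def __init__(self, banners):
        self._banners = banners

    def alert(self, alert_id):
        for banner in self._banners:
            yield banner


class FakeShodan(object):
    """Constructed stand-in returning the shapes documented in this chapter."""
    def __init__(self, banners):
        self.stream = _FakeStream(banners)
        self.created_alerts = []

    def create_alert(self, name, ip, expires=0):
        alert = {"id": "ALERT-ID-PLACEHOLDER", "name": name,
                 "expires": expires, "filters": {"ip": ip}}
        self.created_alerts.append(alert)
        return alert

    def scan(self, ips):
        ips = ips if isinstance(ips, list) else [ips]
        return {"id": "SCAN-ID-PLACEHOLDER", "count": len(ips), "credits_left": 99}


# Constructed banners (TEST-NET-2 addresses) as the alert stream would deliver them.
FAKE_BANNERS = [
    {"ip_str": "198.51.100.5", "port": 22, "data": "SSH-2.0-OpenSSH_5.3\n"},
    {"ip_str": "198.51.100.5", "port": 80, "data": "HTTP/1.1 200 OK\n"},
    {"ip_str": "198.51.100.9", "port": 443, "data": "HTTP/1.1 200 OK\n"},
    {"ip_str": "198.51.100.7", "port": 23, "data": "login: "},
]

if __name__ == "__main__":
    scan_id, found = collect_scan_results(FakeShodan(FAKE_BANNERS), "198.51.100.0/24")
    for ip, banners in sorted(found.items()):
        print(scan_id, ip, [b["port"] for b in banners])
```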
Example: Public MongoDB Data
MongoDB is a popular NoSQL database and for a long time it didn't come with any authentication. This has resulted in many instances of MongoDB being publicly accessible on the Internet. Shodan grabs a banner for these databases that contains a lot of information about the data stored. Following is an excerpt from the banner:

MongoDB Server Information
…
{
    "ok": 1.0,
    "tokumxAuditVersion": "unknown",
    "bits": 64,
    "tokukvVersion": "unknown",
    "tokumxVersion": "2.0.2",
    "javascriptEngine": "V8",
    "version": "2.4.10",
    "versionArray": [
        2,
        4,
        10,
        0
    ],
    "debug": false,
    "compilerFlags": "-fPIC -fno-strict-aliasing -ggdb -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -pipe -Wnon-virtual-dtor -Woverloaded-virtual -Wno-unused-local-typedefs -fno-builtin-memcmp -O3",
    "maxBsonObjectSize": 16777216,
    "sysInfo": "Linux vps-vivid-x64-04 2.6.32-042stab106.6 #1 SMP Mon Apr 20 14:48:47 MSK 2015 x86_64 x86_64 x86_64 GNU/Linux BOOST_LIB_VERSION=1_55",
    "loaderFlags": "",
    "gitVersion": "unknown"
},
...

Basically, the banner is made up of a header that says "MongoDB Server Information" followed by 3 JSON objects that are separated by commas. Each JSON object contains different information about the database and I recommend you check out a full banner on Shodan (it's very long) by searching for:

product:MongoDB
Let's use the banner information to determine which database names are most popular and how much data is publicly exposed on the Internet! The basic workflow will be to:

1. Download all MongoDB banners
2. Process the downloaded file and output a list of the top 10 database names as well as the total data size

Downloading the data is simple using the Shodan command-line interface:

shodan download --limit -1 mongodb.json.gz product:mongodb

The above command says to download all results (--limit -1) into a file called mongodb.json.gz for the search query product:mongodb. Now we just need a simple Python script to process the Shodan data file. To easily iterate over the file we're going to use the shodan.helpers.iterate_files() method:

import shodan.helpers as helpers
import sys

# The data file is the 1st argument to the command
datafile = sys.argv[1]

for banner in helpers.iterate_files(datafile):
    # Now we have the banner

Since each banner is just JSON with some added header, let's process the banner into a native Python dictionary using the simplejson library:

# Strip out the MongoDB header added by Shodan
data = banner['data'].replace('MongoDB Server Information\n', '').split('\n},\n')[2]

# Load the database information
data = simplejson.loads(data + '}')

The only thing that's left is keeping track of the total amount of data that's exposed and the most popular database names:

total_data = 0
databases = collections.defaultdict(int)
...
# Then in the loop

# Keep track of how much data is publicly accessible
total_data += data['totalSize']

# Keep track of which database names are most common
for db in data['databases']:
    databases[db['name']] += 1

Python has a useful collections.defaultdict class that automatically creates a default value for a dictionary key if the key doesn't yet exist. And we just access the totalSize and databases properties of the MongoDB banner to gather the information we care about. Finally, we just need to output the actual results:

print('Total: {}'.format(humanize_bytes(total_data)))

counter = 1
for name, count in sorted(databases.items(), key=operator.itemgetter(1), reverse=True)[:10]:
    print('#{}\t{}: {}'.format(counter, name, count))
    counter += 1

First, we print the total amount of data that's exposed and we're using a simple humanize_bytes() method to convert bytes into a human-readable format of GB/MB/etc. Second, we sort the databases collection in reverse order by the number of times that a certain database name was seen (key=operator.itemgetter(1)) and get the top 10 results ([:10]).
Below is the full script that reads a Shodan data file and analyzes the banner:

from __future__ import division

import collections
import operator
import shodan.helpers as helpers
import sys
import simplejson


def humanize_bytes(bytes, precision=1):
    """Return a humanized string representation of a number of bytes.

    Assumes `from __future__ import division`.

    >>> humanize_bytes(1)
    '1 byte'
    >>> humanize_bytes(1024)
    '1.0 kB'
    >>> humanize_bytes(1024*123)
    '123.0 kB'
    >>> humanize_bytes(1024*12342)
    '12.1 MB'
    >>> humanize_bytes(1024*12342, 2)
    '12.05 MB'
    >>> humanize_bytes(1024*1234, 2)
    '1.21 MB'
    >>> humanize_bytes(1024*1234*1111, 2)
    '1.31 GB'
    >>> humanize_bytes(1024*1234*1111, 1)
    '1.3 GB'
    """
    abbrevs = (
        (1 << 50, 'PB'),
        (1 << 40, 'TB'),
        (1 << 30, 'GB'),
        (1 << 20, 'MB'),
        (1 << 10, 'kB'),
        (1, 'bytes')
    )
    if bytes == 1:
        return '1 byte'
    for factor, suffix in abbrevs:
        if bytes >= factor:
            break
    return '%.*f %s' % (precision, bytes / factor, suffix)


total_data = 0
databases = collections.defaultdict(int)

for banner in helpers.iterate_files(sys.argv[1]):
    try:
        # Strip out the MongoDB header added by Shodan
        data = banner['data'].replace('MongoDB Server Information\n', '').split('\n},\n')[2]

        # Load the database information
        data = simplejson.loads(data + '}')

        # Keep track of how much data is publicly accessible
        total_data += data['totalSize']

        # Keep track of which database names are most common
        for db in data['databases']:
            databases[db['name']] += 1
    except Exception:
        # Skip banners that don't have the expected layout
        pass

print('Total: {}'.format(humanize_bytes(total_data)))

counter = 1
for name, count in sorted(databases.items(), key=operator.itemgetter(1), reverse=True)[:10]:
    print('#{}\t{}: {}'.format(counter, name, count))
    counter += 1
Here's a sample output of the script:

Total: 1.8 PB
#1	local: 85845
#2	admin: 67648
#3	test: 24983
#4	s: 5121
#5	config: 4329
#6	proxy: 2045
#7	research: 2007
#8	seolib_new: 2001
#9	traditional: 1998
#10	simplified: 1998

Exercises: Shodan API

Exercise 1

Write a script to monitor a network using Shodan and send out notifications.

Exercise 2

Write a script to output the latest images into a directory.

Tip: Images are encoded using base64. Python can easily decode it into binary using: image_string.decode('base64') (on Python 3, base64.b64decode(image_string)).
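The same analysis as an added example (not the book's script): it walks the three JSON objects with json.JSONDecoder.raw_decode() instead of relying on the exact "\n},\n" layout, so a banner that is indented differently is still parsed and a banner that isn't MongoDB at all is counted as skipped. The sample banners, sizes and database names are constructed; only the header and object layout follow the chapter.

```python
"""Summarize exposed MongoDB instances from Shodan-style banners.

Added example, not code from the book. The banners below are constructed
to mimic the layout the chapter describes (a "MongoDB Server Information"
header followed by three JSON objects separated by commas); the IPs,
sizes and database names are made up.
"""
import collections
import json

HEADER = "MongoDB Server Information\n"


def parse_mongodb_banner(text):
    """Return the JSON objects contained in a Shodan MongoDB banner."""
    if not text.startswith(HEADER):
        raise ValueError("not a MongoDB banner")
    decoder = json.JSONDecoder()
    pos = len(HEADER)
    objects = []
    while pos < len(text):
        # Skip whitespace and the commas that separate the objects.
        while pos < len(text) and text[pos] in " \t\r\n,":
            pos += 1
        if pos >= len(text):
            break
        obj, pos = decoder.raw_decode(text, pos)
        objects.append(obj)
    return objects


def humanize_bytes(n, precision=1):
    """Format a byte count as kB/MB/GB/TB/PB using binary prefixes."""
    for factor, suffix in ((1 << 50, "PB"), (1 << 40, "TB"), (1 << 30, "GB"),
                           (1 << 20, "MB"), (1 << 10, "kB")):
        if n >= factor:
            return "%.*f %s" % (precision, n / factor, suffix)
    return "%d bytes" % n


def summarize(banners, top=10):
    """Total exposed size and the most common database names.

    Banners whose 'data' is not a MongoDB banner, or whose objects do not
    include the listDatabases output, are counted in 'skipped'.
    """
    total = 0
    names = collections.Counter()
    skipped = 0
    for banner in banners:
        try:
            objects = parse_mongodb_banner(banner["data"])
            info = next(o for o in objects if "databases" in o)
        except (ValueError, StopIteration, KeyError):
            skipped += 1
            continue
        total += info.get("totalSize", 0)
        for db in info["databases"]:
            names[db["name"]] += 1
    return {"total_size": total, "top": names.most_common(top),
            "skipped": skipped}


def make_banner(build_info, server_status, list_databases):
    """Assemble a banner string in the layout the chapter describes."""
    parts = [json.dumps(o, indent=2) for o in (build_info, server_status, list_databases)]
    return HEADER + ",\n".join(parts) + "\n"


# Constructed sample banners (not real hosts).
_BUILD = {"version": "2.4.10", "bits": 64, "ok": 1.0}
_STATUS = {"host": "db01", "uptime": 3600, "ok": 1.0}
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 27017,
     "data": make_banner(_BUILD, _STATUS, {
         "totalSize": 83886080.0, "ok": 1.0,
         "databases": [{"name": "local"}, {"name": "admin"}, {"name": "test"}]})},
    {"ip_str": "203.0.113.11", "port": 27017,
     "data": make_banner(_BUILD, _STATUS, {
         "totalSize": 16777216.0, "ok": 1.0,
         "databases": [{"name": "local"}, {"name": "admin"}]})},
    # A web server that happens to listen on 27017: not a MongoDB banner.
    {"ip_str": "203.0.113.12", "port": 27017, "data": "HTTP/1.1 200 OK\r\n\r\n"},
    {"ip_str": "203.0.113.13", "port": 27017,
     "data": make_banner(_BUILD, _STATUS, {
         "totalSize": 1073741824.0, "ok": 1.0,
         "databases": [{"name": "local"}, {"name": "research"}]})},
]


if __name__ == "__main__":
    result = summarize(SAMPLE_BANNERS)
    print("Total: {}".format(humanize_bytes(result["total_size"])))
    for rank, (name, count) in enumerate(result["top"], 1):
        print("#{}\t{}: {}".format(rank, name, count))
    print("Skipped {} banner(s)".format(result["skipped"]))
```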
Industrial Control Systems

In a nutshell, industrial control systems (ICS) are computers that control the world around you. They're responsible for managing the air conditioning in your office, the turbines at a power plant, the lighting at the theatre or the robots at a factory.

Research conducted from 2012 through 2014 by Project SHINE (SHodan INtelligence Extraction) indicates there are at least 2 million publicly accessible devices related to ICS on the Internet. The first dataset containing 500,000 ICS devices was sent in 2012 to the ICS-CERT. The ICS-CERT determined that roughly 7,200 out of the 500,000 were critical infrastructure in the United States. And with the demand for increased connectivity in everything that number is expected to rise. There have been efforts to secure these devices by taking them offline or patching flaws, but it's a challenging problem and there isn't an easy solution.

Common Abbreviations

Before getting into the protocols and how to find ICS devices, here are a few common abbreviations that are useful to know:

BMS    Building Management System
DCS    Distributed Control System
HMI    Human Machine Interface
ICS    Industrial Control System
PLC    Programmable Logic Controller
RTU    Remote Terminal Unit
SCADA  Supervisory Control and Data Acquisition (a subset of ICS)
VNC    Virtual Network Computing

Protocols

There are 2 different ways of identifying control systems on the Internet:

Non-ICS protocols used in an ICS environment

The majority of the ICS findings on Shodan are discovered by searching for web servers or other popular protocols that aren't directly linked to ICS but may be seen on an ICS network. For example: a web server running on an HMI or a Windows computer running unauthenticated remote desktop while connected to an ICS. These protocols provide you with a visual view of the ICS but they usually have some form of authentication enabled.

The above is an HMI for an engine exposed via an unauthenticated VNC connection found on Shodan Images.

ICS protocols

These are the raw protocols that are used by the control systems. Every ICS protocol has its own unique banner but there's one thing they all have in common: they don't require any authentication. This means that if you have remote access to an industrial device you automatically have the ability to arbitrarily read and write to it. However, the raw ICS protocols tend to be proprietary and hard to develop with. This means that it's easy to check whether a device supports an ICS protocol using Shodan but hard to actually interact with the control system.

The following banner describes a Siemens S7 PLC; note that it contains a lot of detailed information about the device including its serial number and location:

Securing Internet-Connected ICS

The majority of ICS banners don't contain information on where the device is located or who owns the control system. This makes it exceedingly difficult to secure the device and is one of the main reasons that they continue to stay online after years of research into their online exposure.

If you discover a control system that looks critical, belongs to a government or otherwise shouldn't be online please notify the ICS-CERT.

Use Cases

Assessing ICS for the USA

You've been tasked with generating a quick presentation on the exposure of industrial control systems for the USA. To get started, let's first get a general idea of what's out there using the main Shodan website:

https://www.shodan.io/search?query=category%3Aics

This returns a list of all devices running ICS protocols on the Internet. However, there are a lot of web servers and other protocols (SSH, FTP etc.) running on the same ports as industrial control systems which we need to filter out:

https://www.shodan.io/search?query=category%3Aics+-http+-html+-ssh+-ident

Now we have a filtered list of devices running insecure ICS protocols. Since the focus of the presentation will be on the USA, it's time to narrow the results to only IPs in the USA:

https://www.shodan.io/search?query=category%3Aics+-http+-html+-ssh+-ident+country%3Aus

To get a big picture view of the data and have some charts to work with we can generate a free report. This provides us with a better understanding of which ICS protocols are seen on the Internet in the US:

Tridium's Fox protocol, used by their Niagara framework, is the most popular ICS protocol in the US followed by BACnet and Modbus. The data shows that the majority of exposed devices are BMS used in offices, factories, stadiums, auditoriums and various facilities.

The above chart was saved as an image using Nimbus Screen Capture on Firefox, but you can also use the Awesome Screenshot Minus plug-in for Chrome.

The report also highlights a common issue with ICS on the Internet: the majority of them are on mobile networks. This makes it especially difficult to track down and secure these devices.

At this point, the data shows us the following:

1. There are at least 65,000 ICS on the Internet exposing their raw, unauthenticated interfaces
2. Nearly half of them (~31,000) are in the US alone
3. Buildings are the most commonly seen type of ICS
4. Mobile networks host the largest amount

Further Reading

1. Distinguishing Internet-Facing Devices using PLC Programming Information
2. NIST Special Publication - Guide to Industrial Control Systems Security
3. Quantitatively Assessing and Visualizing Industrial System Attack Surfaces
Identifying Honeypots

Honeypots have become an increasingly popular and useful tool in understanding attackers. I've seen many misconfigured honeypots while scanning the Internet; here are a few tips to identify them, or mistakes to avoid when setting them up.

What is a honeypot?

A honeypot is a device that pretends to be something it actually isn't for the purpose of logging and monitoring network activity. In the case of control systems, an ICS honeypot is a regular computer that pretends to be a control system such as a factory or power plant. They are used to collect information on attackers, including which networks the attackers are targeting, what tools they're using and many other useful insights that help defenders harden their network.

In recent years, honeypots have been used to measure the number of attacks that have been attempted against industrial control systems connected to the Internet. However, it is critically important to understand proper honeypot deployment before trying to gather the data. Many people misconfigure their honeypots and I will outline how those mistakes make it trivial to determine whether a device is a real control system or a honeypot.

The most popular and de-facto honeypot used to simulate industrial control systems is Conpot. The software is well-written and extremely powerful when properly configured. Most of the examples and discussion will be using Conpot but the principles apply to all honeypot software.

Why Detect Them?

The data that honeypots generate is only as good as their deployment. If we want to make informed decisions about who is attacking control systems we have to ensure the data is being gathered from realistic honeypots. Sophisticated attackers won't be fooled by honeypots that are poorly configured. It's important to raise awareness of common pitfalls when deploying honeypots to improve the quality of data being collected.

Default Configurations

The most common mistake that people make when deploying honeypots is using the default configuration. All default configurations return the same banner, including identical serial numbers, PLC names and many other fields that you would expect to vary from IP to IP.

I first realized how common this problem is soon after doing the first Internet scan for Siemens S7:

30% of the serial numbers in the results were present in more than one banner. It doesn't mean that all of the duplicate serial numbers are honeypots but it's a good starting point for investigation.

In the case of S7, the most popular serial number seen on the Internet is 88111222 which is the default serial number for Conpot.

Searching by the serial number makes it trivial to locate instances of Conpot on the Internet. And make sure to also change the other properties of the banner, not just the serial number:

The above user changed the serial number to a unique value but failed to change the PLC name (Technodrome) and the plant identification (Mouser Factory). Every honeypot instance must have unique values in order to evade honeypot detection techniques.

History Matters

The honeypot has to be deployed properly from day 1, otherwise the banner history for the device will reveal it as a honeypot. For example:

The above is a banner pretending to be a Siemens S7 PLC. However, there was an error in the template generating the banner and instead of showing a valid PLC name it shows the template's random.randint(0,1) method. Shodan has indexed this banner and even if the bug is fixed in the future a user could look up the history for this IP and see that it used to have an invalid S7 banner.

A sample Shodan API request for the history of an IP:

host = api.host('xxx.xxx.xxx.xxx', history=True)

Emulate Devices, Not Services

Keep it simple, don't try to emulate too many services at once. A honeypot should emulate a device and most real devices don't run MongoDB, DNP3, MySQL, Siemens S7, Kamstrup, ModBus, Automated Tank Gauge, Telnet and SSH on the same IP.

Think about how the device is configured in the real world and then emulate it; don't run every possible service simply because it's possible.

In code, you could use the number of ports as a metric:

# Get information about the host
host = api.host('xxx.xxx.xxx.xxx')

# Check the number of open ports
if len(host['ports']) > 10:
    print('{} looks suspicious'.format(host['ip_str']))
else:
    print('{} has few ports open'.format(host['ip_str']))

Location, Location, Location

It isn't just the software that needs to be properly configured; a honeypot also has to be hosted on a network that could reasonably have a control system. Putting a honeypot that simulates a Siemens PLC in the Amazon cloud doesn't make any sense. Here are a few of the popular cloud hosting providers that should be avoided when deploying an ICS honeypot:

1. Amazon EC2
2. Rackspace
3. DigitalOcean
4. Vultr
5. Microsoft Azure
6. Google Cloud

For realistic deployment, look at the most popular ISPs in Shodan for publicly accessible ICS. In general, it is better to put the honeypot in the IP space of a residential ISP. The following organizations are the common locations in the USA:

Honeyscore

I developed a tool called Honeyscore that uses all of the aforementioned methods as well as machine learning to calculate a honeyscore and determine whether an IP is a honeypot or not.

Simply enter the IP address of a device and the tool will perform a variety of checks to see whether it is a honeypot.

Further Reading

1. Wikipedia article on honeypots
2. Breaking Honeypots for Fun and Profit (Video)
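The tells above (default Conpot serial, a serial shared across hosts, template code leaking into the banner, too many services, cloud hosting) combined into one audit you can run over your own deployment's host records, as an added example that is not the book's code and not Honeyscore. It works on dicts shaped like the api.host() result but runs offline on constructed records; the IPs, serials and organisation names are made up, and the "Serial number of module:" line is an assumed banner layout.

```python
"""Audit Shodan host records for the honeypot tells described above.

Added example, not code from the book or from Honeyscore. Records are
shaped like the api.host() result (top-level 'org' and 'ports', one
banner per entry in 'data'); the sample hosts below are constructed and
the S7 banner line layout is an assumption, not Shodan's exact format.
"""
import collections
import re

CONPOT_DEFAULT_SERIAL = "88111222"
# Cloud hosting providers the chapter lists as unrealistic homes for a PLC.
CLOUD_PROVIDERS = ("amazon", "rackspace", "digitalocean", "vultr",
                   "microsoft azure", "google cloud")
MAX_REALISTIC_PORTS = 10
# Un-rendered template code leaking into a banner, e.g. random.randint(0,1).
TEMPLATE_LEAK = re.compile(r"random\.randint\(|\{\{|\}\}")
SERIAL_LINE = re.compile(r"Serial number[^:\n]*:\s*(.+)")


def s7_serial(banner_text):
    """Return the serial number printed in an S7-style banner, or None."""
    match = SERIAL_LINE.search(banner_text)
    return match.group(1).strip() if match else None


def serials_of(host):
    """Set of distinct serial numbers seen across a host's banners."""
    found = {s7_serial(b.get("data", "")) for b in host.get("data", [])}
    found.discard(None)
    return found


def host_tells(host, serial_hosts):
    """List the (tell, detail) pairs for one host.

    serial_hosts maps a serial number to the number of hosts showing it.
    """
    tells = []
    ports = host.get("ports", [])
    if len(ports) > MAX_REALISTIC_PORTS:
        tells.append(("too_many_services", "%d open ports" % len(ports)))
    org = (host.get("org") or "").lower()
    if any(provider in org for provider in CLOUD_PROVIDERS):
        tells.append(("cloud_hosted", host["org"]))
    for banner in host.get("data", []):
        leak = TEMPLATE_LEAK.search(banner.get("data", ""))
        if leak:
            tells.append(("template_leak", leak.group(0)))
    for serial in sorted(serials_of(host)):
        if serial == CONPOT_DEFAULT_SERIAL:
            tells.append(("default_serial", serial))
        elif serial_hosts[serial] > 1:
            tells.append(("shared_serial",
                          "%s seen on %d hosts" % (serial, serial_hosts[serial])))
    return tells


def score_hosts(hosts):
    """Map ip_str -> tells for every host; duplicates are judged dataset-wide."""
    serial_hosts = collections.Counter()
    for host in hosts:
        serial_hosts.update(serials_of(host))
    return {h["ip_str"]: host_tells(h, serial_hosts) for h in hosts}


def s7_banner(serial, plc_name="PLC-A1", plant="Site 1"):
    """Constructed S7-style banner text (layout assumed, not Shodan's)."""
    return ("Copyright: Original Siemens Equipment\n"
            "PLC name: %s\nPlant identification: %s\n"
            "Serial number of module: %s\n" % (plc_name, plant, serial))


SAMPLE_HOSTS = [
    # Default Conpot serial, a dozen services, hosted at a cloud provider.
    {"ip_str": "198.51.100.7", "org": "Amazon.com, Inc.",
     "ports": [21, 22, 23, 80, 102, 502, 1025, 3306, 10001, 20000, 27017, 47808],
     "data": [{"port": 102, "data": s7_banner(CONPOT_DEFAULT_SERIAL)}]},
    # Unique serial, but the template failed to render the PLC name.
    {"ip_str": "198.51.100.8", "org": "Example Residential ISP", "ports": [102],
     "data": [{"port": 102,
               "data": s7_banner("S C-CONSTRUCTED01", plc_name="random.randint(0,1)")}]},
    # Two hosts that copied the same changed serial.
    {"ip_str": "198.51.100.9", "org": "Example Rural Telecom", "ports": [102],
     "data": [{"port": 102, "data": s7_banner("S C-CONSTRUCTED02")}]},
    {"ip_str": "198.51.100.10", "org": "Example Rural Telecom", "ports": [102, 80],
     "data": [{"port": 102, "data": s7_banner("S C-CONSTRUCTED02")}]},
    # Nothing suspicious.
    {"ip_str": "198.51.100.11", "org": "Example Rural Telecom", "ports": [102],
     "data": [{"port": 102, "data": s7_banner("S C-CONSTRUCTED03")}]},
]


if __name__ == "__main__":
    for ip, tells in score_hosts(SAMPLE_HOSTS).items():
        print(ip, "looks suspicious:" if tells else "no tells", tells)
```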
Appendix A: Banner Specification

For the latest list of fields that the banner contains please visit the online documentation.

A banner may contain the following properties/fields:

General Properties

Name         Description                                                                 Example
asn          Autonomous system number                                                    AS4837
data         Main banner for the service                                                 HTTP/1.1 200 ...
ip           IP address as an integer                                                    493427495
ip_str       IP address as a string                                                      199.30.15.20
ipv6         IPv6 address as a string                                                    2001:4860:4860::8888
port         Port number for the service                                                 80
timestamp    Date and time the information was collected                                 2014-01-15T05:49:56.283713
hostnames    List of hostnames for the IP                                                ["shodan.io", "www.shodan.io"]
domains      List of domains for the IP                                                  ["shodan.io"]
link         Network link type                                                           Ethernet or modem
location     Geographic location of the device                                           see below
opts         Supplemental data not contained in main banner
org          Organization that is assigned the IP                                        Google Inc.
isp          ISP that is responsible for the IP space                                    Verizon Wireless
os           Operating system                                                            Linux
uptime       Uptime of the IP in minutes                                                 50
transport    Type of transport protocol used to collect banner; either "udp" or "tcp"    tcp

HTTP(S) Properties

Name         Description
html         HTML content of the website
title        Title of the website

Location Properties

The following properties are sub-properties of the location property that is at the top level of the banner record.

Name           Description
area_code      Area code of the device's location
city           Name of the city
country_code   2-letter country code
country_code3  3-letter country code
country_name   Full name of the country
dma_code       Designated market area code (US-only)
latitude       Latitude
longitude      Longitude
postal_code    Postal code
region_code    Region code

SSL Properties

If the service is wrapped in SSL then Shodan performs additional testing and makes the results available in the following properties:

Name           Description
ssl.cert       Parsed SSL certificate
ssl.cipher     Preferred cipher for the SSL connection
ssl.chain      List of SSL certificates from the user certificate up to the root certificate
ssl.dhparams   Diffie-Hellman parameters
ssl.versions   Supported SSL versions; if the value starts with a "-" then the service does not support that version (ex. "-SSLv2" means the service doesn't support SSLv2)

Special Properties

_shodan

The _shodan property contains information about how the data was gathered by Shodan. It is different from all the other properties because it doesn't provide information about the device. Instead, it will tell you which banner grabber Shodan was using to talk to the IP. This can be important to understand for ports on which multiple services might be operating. For example, port 80 is most well-known for web servers but it's also used by various malware to circumvent firewall rules. The _shodan property would let you know whether the http module was used to collect the data or whether a malware module was used.
Example

{
  "timestamp": "2014-01-16T08:37:40.081917",
  "hostnames": [
    "99-46-189-78.lightspeed.tukrga.sbcglobal.net"
  ],
  "org": "AT&T U-verse",
  "guid": "1664007502:75a821e2-7e89-11e3-8080-808080808080",
  "data": "NTP\nxxx.xxx.xxx.xxx:7546\n68.94.157.2:123\n68.94.156.17:123",
  "port": 123,
  "isp": "AT&T U-verse",
  "asn": "AS7018",
  "location": {
    "country_code3": "USA",
    "city": "Atlanta",
    "postal_code": "30328",
    "longitude": -84.3972,
    "country_code": "US",
    "latitude": 33.93350000000001,
    "country_name": "United States",
    "area_code": 404,
    "dma_code": 524,
    "region_code": null
  },
  "ip": 1664007502,
  "domains": [
    "sbcglobal.net"
  ],
  "ip_str": "99.46.189.78",
  "os": null,
  "opts": {
"raw":"\\x97\\x00\\x03*\\x00\\x03\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01G\\x06\\xa7\\x8ec.\\xbdN\\x00\\
\x00\\x00\\x01\\x1dz\\x07\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00q\\x00\\x00\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00XD^\\x9d\\x02c.\\xbdN\\\
x00\\x00\\x00\\x01\\x00{\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00q\\x00\\x00\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00YD^\\x9c\\x11c.\\xb\
dN\\x00\\x00\\x00\\x01\\x00{\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
    "ntp": {
      "more": false
    }
  }
}
Appendix B: List of Search Filters

General Filters

Name             Description                                                                   Type
after            Only show results after the given date (dd/mm/yyyy)                           string
asn              Autonomous system number                                                      string
before           Only show results before the given date (dd/mm/yyyy)                          string
category         Available categories: ics, malware                                            string
city             Name of the city                                                              string
country          2-letter country code                                                         string
geo              Accepts between 2 and 4 parameters. If 2 parameters: latitude,longitude. If 3 parameters: latitude,longitude,range. If 4 parameters: top left latitude, top left longitude, bottom right latitude, bottom right longitude.   string
has_ipv6         True/False                                                                    boolean
has_screenshot   True/False                                                                    boolean
hostname         Full hostname for the device                                                  string
html             HTML of web banners                                                           string
ip               Alias for net filter                                                          string
isp              ISP managing the netblock                                                     string
net              Network range in CIDR notation (ex. 199.4.1.0/24)                             string
org              Organization assigned the netblock                                            string
os               Operating system                                                              string
port             Port number for the service                                                   integer
postal           Postal code (US-only)                                                         string
product          Name of the software/product providing the banner                             string
region           Name of the region/state                                                      string
state            Alias for region                                                              string
title            Title for the web banner's website                                            string
version          Version for the product                                                       string
vuln             CVE ID for a vulnerability                                                    string

NTP Filters

Name             Description                                                                   Type
ntp.ip           IP addresses returned by monlist                                              string
ntp.ip_count     Number of IPs returned by initial monlist                                     integer
ntp.more         True/False; whether there are more IP addresses to be gathered from monlist   boolean
ntp.port         Port used by IP addresses in monlist                                          integer

SSL Filters

Name                  Description                                                     Type
has_ssl               True/False                                                      boolean
ssl                   Search all SSL data                                             string
ssl.alpn              Application layer protocols such as HTTP/2 ("h2")               string
ssl.chain_count       Number of certificates in the chain                             integer
ssl.version           Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2          string
ssl.cert.alg          Certificate algorithm                                           string
ssl.cert.expired      True/False                                                      boolean
ssl.cert.extension    Names of extensions in the certificate                          string
ssl.cert.serial       Serial number as an integer or hexadecimal string               integer/string
ssl.cert.pubkey.bits  Number of bits in the public key                                integer
ssl.cert.pubkey.type  Public key type                                                 string
ssl.cipher.version    SSL version of the preferred cipher                             string
ssl.cipher.bits       Number of bits in the preferred cipher                          integer
ssl.cipher.name       Name of the preferred cipher                                    string

Telnet Filters

Name             Description                                                     Type
telnet.option    Search all the options                                          string
telnet.do        The server requests the client do support these options         string
telnet.dont      The server requests the client to not support these options     string
telnet.will      The server supports these options                               string
telnet.wont      The server doesn't support these options                        string
Appendix C: Search Facets

General Facets

Name             Description
asn              Autonomous system number
city             Full name of the city
country          Full name of the country
domain           Domain(s) for the device
has_screenshot   Has screenshot available
isp              ISP managing the netblock
link             Type of network connection
org              Organization owning the netblock
os               Operating system
port             Port number for the service
postal           Postal code
product          Name of the software/product for the banner
region           Name of the region/state
state            Alias for region
uptime           Time in seconds that the host has been up
version          Version of the product
vuln             CVE ID for vulnerability

NTP Facets

Name             Description
ntp.ip           IP addresses returned by monlist
ntp.ip_count     Number of IPs returned by initial monlist
ntp.more         True/False; whether there are more IP addresses to be gathered from monlist
ntp.port         Port used by IP addresses in monlist

SSH Facets

Name             Description
ssh.cipher       Name of the cipher
ssh.fingerprint  Fingerprint for the device
ssh.mac          Name of MAC algorithm used (ex: hmac-sha1)
ssh.type         Type of authentication key (ex: ssh-rsa)

SSL Facets

Name                  Description
ssl.version           SSL version supported
ssl.alpn              Application layer protocols
ssl.chain_count       Number of certificates in the chain
ssl.cert.alg          Certificate algorithm
ssl.cert.expired      True/False; certificate expired or not
ssl.cert.serial       Certificate serial number as integer
ssl.cert.extension    Name of certificate extensions
ssl.cert.pubkey.bits  Number of bits in the public key
ssl.cert.pubkey       Name of the public key type
ssl.cipher.bits       Number of bits in the preferred cipher
ssl.cipher.name       Name of the preferred cipher
ssl.cipher.version    SSL version of the preferred cipher

Telnet Facets

Name             Description
telnet.option    Show all options
telnet.do        The server requests the client do support these options
telnet.dont      The server requests the client to not support these options
telnet.will      The server supports these options
telnet.wont      The server doesn't support these options
Appendix D: List of Ports

Port    Service(s)
7       Echo
11      Systat
13      Daytime
15      Netstat
17      Quote of the day
19      Character generator
21      FTP
22      SSH
23      Telnet
25      SMTP
26      SSH
37      rdate
49      TACACS+
53      DNS
67      DHCP
69      TFTP, BitTorrent
79      Finger
80      HTTP, malware
81      HTTP, malware
82      HTTP, malware
83      HTTP
84      HTTP
88      Kerberos
102     Siemens S7
110     POP3
111     Portmapper
119     NNTP
123     NTP
129     Password generator protocol
137     NetBIOS
143     IMAP
161     SNMP
175     IBM Network Job Entry
179     BGP
195     TA14-353a
311     OS X Server Manager
389     LDAP
443     HTTPS
444     TA14-353a, Dell SonicWALL
445     SMB
465     SMTPS
500     IKE (VPN)
502     Modbus
503     Modbus
515     Line Printer Daemon
520     RIP
523     IBM DB2
554     RTSP
587     SMTP mail submission
623     IPMI
626     OS X serialnumbered
666     Telnet
771     Realport
789     Redlion Crimson3
873     rsync
902     VMWare authentication
992     Telnet (secure)
993     IMAP with SSL
995     POP3 with SSL
1010    malware
1023    Telnet
1025    Kamstrup
1099    Java RMI
1177    malware
1200    Codesys
1234    udpxy
1434    MS-SQL monitor
1604    Citrix, malware
1723    PPTP
1833    MQTT
1900    UPnP
1911    Niagara Fox
1962    PCworx
1991    malware
2000    iKettle, MikroTik bandwidth test
2082    cPanel
2083    cPanel
2086    WHM
2087    WHM
2123    GTPv1
2152    GTPv1
2181    Apache Zookeeper
2222    SSH, PLC5, EtherNet/IP
2323    Telnet
2332    Sierra wireless (Telnet)
2375    Docker
2376    Docker
2404    IEC-104
2455    CoDeSys
2480    OrientDB
2628    Dictionary
3000    ntop
3306    MySQL
3386    GTPv1
3388    RDP
3389    RDP
3460    malware
3541    PBX GUI
3542    PBX GUI
3689    DACP
3780    Metasploit
3787    Ventrilo
4000    malware
4022    udpxy
4040    Deprecated Chef web interface
4063    ZeroC Glacier2
4064    ZeroC Glacier2 with SSL
4369    EPMD
4443    Symantec Data Center Security
4444    malware
4500    IKE NAT-T (VPN)
4567    Modem web interface
4911    Niagara Fox with SSL
4949    Munin
5006    MELSEC-Q
5007    MELSEC-Q
5008    NetMobility
5009    Apple Airport Administration
5060    SIP
5094    HART-IP
5222    XMPP
5269    XMPP Server-to-Server
5353    mDNS
5357    Microsoft-HTTPAPI/2.0
5432    PostgreSQL
5577    Flux LED
5632    PCAnywhere
5672    RabbitMQ
5900    VNC
5901    VNC
5984    CouchDB
6000    X11
6379    Redis
6666    Voldemort database, malware
6667    IRC
6881    BitTorrent DHT
6969    TFTP, BitTorrent
7218    Sierra wireless (Telnet)
7474    Neo4j database
7548    CWMP (HTTPS)
7777    Oracle
7779    Dell Service Tag API
8010    Intelbras DVR
8060    Roku web interface
8069    OpenERP
8087    Riak
8090    Insteon HUB
8099    Yahoo Smart TV
8112    Deluge (HTTP)
8139    Puppet agent
8140    Puppet master
8181    GlassFish Server (HTTPS)
8333    Bitcoin
8334    Bitcoin node dashboard (HTTP)
8443    HTTPS
8554    RTSP
8880    Websphere SOAP
8888    HTTP, Andromouse
8889    SmartThings Remote Access
9001    Tor OR
9002    Tor OR
9051    Tor Control
9100    Printer Job Language
9151    Tor Control
9160    Apache Cassandra
9191    Sierra wireless (HTTP)
9443    Sierra wireless (HTTPS)
9595    LANDesk Management Agent
9600    OMRON
10001   Automated Tank Gauge
10243   Microsoft-HTTPAPI/2.0
11211   Memcache
17185   VxWorks WDBRPC
12345   Sierra wireless (Telnet)
13579   Media player classic web interface
14147   Filezilla FTP
16010   Apache Hbase
18245   General Electric SRTP
20000   DNP3
20547   ProconOS
21025   Starbound
21379   Matrikon OPC
23023   Telnet
23424   Serviio
25105   Insteon Hub
25565   Minecraft
27015   Steam A2S server query, Steam RCon
27017   MongoDB
28017   MongoDB (HTTP)
30718   Lantronix Setup
32400   Plex
37777   Dahua DVR
44818   EtherNet/IP
47808   Bacnet
49152   Supermicro (HTTP)
49153   WeMo Link
50070   HDFS Namenode
51106   Deluge (HTTP)
54138   Toshiba PoS
55553   Metasploit
55554   Metasploit
62078   Apple iDevice
64738   Mumble
Appendix E: Sample SSL Banner

{
  "hostnames": [],
  "title": "",
  "ip": 2928565374,
  "isp": "iWeb Technologies",
  "transport": "tcp",
  "data": "HTTP/1.1 200 OK\r\nExpires: Sat, 26 Mar 2016 11:56:36 GMT\r\nExpires: Fri, 28 May 1999 00:00:00 GMT\r\nCache-Control: max-age=2592000\r\nCache-Control: no-store, no-cache, must-revalidate\r\nCache-Control: post-check=0, pre-check=0\r\nLast-Modified: Thu, 25 Feb 2016 11:56:36 GMT\r\nPragma: no-cache\r\nP3P: CP=\"NON COR CURa ADMa OUR NOR UNI COM NAV STA\"\r\nContent-type: text/html\r\nTransfer-Encoding: chunked\r\nDate: Thu, 25 Feb 2016 11:56:36 GMT\r\nServer: sw-cp-server\r\n\r\n",
  "asn": "AS32613",
  "port": 8443,
  "ssl": {
    "chain": ["-----BEGIN CERTIFICATE-----\nMIIDszCCApsCBFBTb4swDQYJKoZIhvcN\
AQEFBQAwgZ0xCzAJBgNVBAYTAlVTMREw\nDwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbj\
ESMBAGA1UEChMJUGFy\nYWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMTD1Bh\
cmFs\nbGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbGxlbHMuY29tMB4X\nDTEyMDkx\
NDE3NTUyM1oXDTEzMDkxNDE3NTUyM1owgZ0xCzAJBgNVBAYTAlVTMREw\nDwYDVQQIEwhWaXJnaW5pYT\
EQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UEChMJUGFy\nYWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMg\
UGFuZWwxGDAWBgNVBAMTD1BhcmFs\nbGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbG\
xlbHMuY29tMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxc9Vy/qajKtFFnHxGOFPHTxm\
\nSOnsffWBTBfyXnK3h8u041VxvZDh3XkpA+ptg2fWOuIT0TTYuqw+tqiDmg8YTsHy\njcpMFBtXV2cV\
dhKXaS3YYlM7dP3gMmkGmH+ZvCgCYc7L9MIJxYJy6Zeuh67YxEMV\ngiU8mZpvc70Cg5WeW1uBCXtUAi\
jDLsVWnhsV3YuxlweEvkRpAk3EHehKbvgMnEZS\nQ30QySe0GAqC7bWzKrwsJAOUk/+Js18+3QKb/LmD\
a9cRjtFCTo6hYfPbfHj8RxQh\n4Xmnn/CtZ48wRQTqKXSO6+Zk3OuU7/jX1Gt/jxN6n77673e6uCsggT\
wut/EtNwID\nAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBb/yTy76Ykwr7DBOPAXc766n73OsZizjAt\n1k\
mx7LxgN3X/wFxD53ir+sdOqbPgJl3edrE/ZG9dNl6LhUBbUK+9s6z9QicEfSxo\n4uQpFSywbGGmXInE\
ZmyT4SsOLi/hNgy68f49LO1h6rn/p7QgIKd31g7189ZfFkFb\nRdD49s1l/Cc5Nm4XapUVvmnS91MlPk\
/OOIg1Lu1rYkuc8sIoZdPbep52H3Ga7TjG\nkmO7nUIii0goB7TQ63mU67+NWHAmQQ8CtCDCN49kJyen\
1WFjD6Je2U4q0IFQrxHw\nMy+tquo/n/sa+NV8QOj1gMVcFsLhYm7Z5ZONg0QFXSAL+Eyj/AwZ\n----\
-END CERTIFICATE-----\n"],
    "cipher": {
      "version": "TLSv1/SSLv3",
      "bits": 256,
      "name": "DHE-RSA-AES256-GCM-SHA384"
    },
    "alpn": [],
    "dhparams": {
"prime":"b10b8f96a080e01dde92de5eae5d54ec52c99fbcfb06a3c69a6a9dca52\
d23b616073e28675a23d189838ef1e2ee652c013ecb4aea906112324975c3cd49b83bfaccbdd7d90\
c4bd7098488e9c219a73724effd6fae5644738faa31a4ff55bccc0a151af5f0dc8b4bd45bf37df36\
5c1a65e68cfda76d4da708df1fb2bc2e4a4371",
"public_key":"2e30a6e455730b2f24bdaf5986b9f0876068d4aa7a4e15c9a1b9c\
a05a420e8fd3b496f7781a9423d3475f0bedee83f0391aaa95a738c8f0e250a8869a86d41bdb0194\
66dba5c641e4b2b4b82db4cc2d4ea8d9804ec00514f30a4b6ce170b81c3e1ce4b3d17647c8e5b8f6\
65bb7f588100bcc9a447d34d728c3709fd8a5b7753b",
"bits":1024,
"generator":"a4d1cbd5c3fd34126765a442efb99905f8104dd258ac507fd6406c\
ff14266d31266fea1e5c41564b777e690f5504f213160217b4b01b886a5e91547f9e2749f4d7fbd7\
d3b9a92ee1909d0d2263f80a76a6a24c087a091f531dbf0a0169b6a28ad662a4d18e73afa32d779d\
5918d08bc8858f4dcef97c2a24855e6eeb22b3b2e5",
      "fingerprint": "RFC5114/1024-bit MODP Group with 160-bit Prime Order Subgroup"
    },
    "versions": ["TLSv1", "-SSLv2", "SSLv3", "TLSv1.1", "TLSv1.2"]
  },
  "html": "\n\t\t<html><head>\n\t\t<meta charset=\"utf-8\">\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\">\n\t\t<title></title>\n\t\t<script language=\"javascript\" type=\"text/javascript\" src=\"/javascript/common.js?plesk_version=psa-11.0.9-110120608.16\"/></script>\n\t\t<script language=\"javascript\" type=\"text/javascript\" src=\"/javascript/prototype.js?plesk_version=psa-11.0.9-110120608.16\"></script>\n\t\t<script>\n\t\t\tvar opt_no_frames = false;\n\t\t\tvar opt_integrated_mode = false;\n\t\t</script>\n\t\t\n\t\t</head><body onLoad=\";top.location='/login.php3?window_id=&requested_url=https%3A%2F%2F174.142.92.126%3A8443%2F';\"></body><noscript>You will be redirected to the new address in 15 seconds... If you are not automatically taken to the new location, please enable javascript or click the hyperlink <a href=\"/login.php3?window_id=&requested_url=https%3A%2F%2F174.142.92.126%3A8443%2F\" target=\"top\">/login.php3?window_id=&requested_url=https%3A%2F%2F174.142.92.126%3A8443%2F</a>.</noscript></html><!--________________________________________________________________________________________________________________ IE error page size limitation ________________________________________________________________________________________________________________-->",
  "location": {
    "city": null,
    "region_code": "QC",
    "area_code": null,
    "longitude": -73.5833,
    "country_code3": "CAN",
    "latitude": 45.5,
    "postal_code": "H3G",
    "dma_code": null,
    "country_code": "CA",
    "country_name": "Canada"
  },
  "timestamp": "2016-02-25T11:56:52.548187",
  "domains": [],
  "org": "iWeb Technologies",
  "os": null,
  "_shodan": {
    "options": {},
    "module": "https",
    "crawler": "122dd688b363c3b45b0e7582622da1e725444808"
  },
  "opts": {
"heartbleed":"2016/02/2503:56:45([]uint8){\n00000000020074636\
56e7375732e73686f64616e|..tcensus.shodan|\n000000102e696f53\
454355524954592053555256|.ioSECURITYSURV|\n000000204559fe7a\
a20dfaed9342ed18b0157d6e|EY.z…..B….}n|\n000000302908f6f\
8ce00b194b54b47acdd18aab9|)........KG…..|\n00000040db1c01\
459510e0a243fe8eac882fe875|...E….C…./.u|\n000000508b195f\
8ce08a8061563c680fe11f739e|.._….aV<h…s.|\n00000060614fd\
adb90ce84e3795f9d6ca090fffa|aO…...y_.l….|\n00000070d816\
e87607b2e55e8e3ea445612f6a2d|...v…^.>.Ea/j-|\n000000805d11\
7494033c5d|].t..<]|\n}\n\n2016/02/25 03:56:45 \
174.142.92.126:8443 - VULNERABLE\n",
    "vulns": ["CVE-2014-0160"]
  },
  "ip_str": "174.142.92.126"
}
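A triage of the SSL properties from Appendix A over records shaped like the banner above, as an added example (not the book's code): it splits ssl.versions into supported and unsupported sets using the leading "-" convention, then flags SSLv2/SSLv3 support, weak Diffie-Hellman groups, weak preferred ciphers, expired certificates and anything the crawler recorded under opts.vulns. The sample banners are constructed to mirror the layout above without the certificate and key material; the IPs and values are made up, and the 2048-bit DH and 128-bit cipher thresholds are assumptions.

```python
"""Triage the 'ssl' and 'opts' sections of Shodan banners.

Added example, not code from the book. It reads the properties Appendix A
describes (ssl.versions with a leading "-" meaning unsupported, ssl.cipher,
ssl.dhparams, ssl.cert.expired and opts.vulns). The records below are
constructed; the thresholds are this example's own assumptions.
"""

WEAK_VERSIONS = ("SSLv2", "SSLv3")
MIN_DH_BITS = 2048
MIN_CIPHER_BITS = 128


def supported_versions(ssl):
    """Split ssl.versions into (supported, unsupported) sets."""
    supported, unsupported = set(), set()
    for version in ssl.get("versions", []):
        if version.startswith("-"):
            unsupported.add(version[1:])
        else:
            supported.add(version)
    return supported, unsupported


def tls_findings(banner):
    """Return human-readable findings for one banner (empty if none)."""
    findings = []
    ssl = banner.get("ssl")
    if not ssl:
        return findings
    supported, _ = supported_versions(ssl)
    for version in WEAK_VERSIONS:
        if version in supported:
            findings.append("supports %s" % version)
    cipher = ssl.get("cipher") or {}
    if cipher.get("bits") is not None and cipher["bits"] < MIN_CIPHER_BITS:
        findings.append("weak preferred cipher: %s (%d bits)"
                        % (cipher.get("name"), cipher["bits"]))
    dh = ssl.get("dhparams") or {}
    if dh.get("bits") is not None and dh["bits"] < MIN_DH_BITS:
        findings.append("weak DH group: %d bits" % dh["bits"])
    cert = ssl.get("cert") or {}
    if cert.get("expired"):
        findings.append("certificate expired")
    for cve in (banner.get("opts") or {}).get("vulns", []):
        findings.append("crawler flagged %s" % cve)
    return findings


def triage(banners):
    """Map ip_str:port -> findings, skipping banners with nothing to report."""
    report = {}
    for banner in banners:
        findings = tls_findings(banner)
        if findings:
            report["%s:%s" % (banner["ip_str"], banner["port"])] = findings
    return report


SAMPLE_BANNERS = [
    # Shaped like the sample above: SSLv3 on, 1024-bit DH group, Heartbleed flagged.
    {"ip_str": "192.0.2.10", "port": 8443, "transport": "tcp",
     "_shodan": {"module": "https"},
     "ssl": {"versions": ["TLSv1", "-SSLv2", "SSLv3", "TLSv1.1", "TLSv1.2"],
             "cipher": {"version": "TLSv1/SSLv3", "bits": 256,
                        "name": "DHE-RSA-AES256-GCM-SHA384"},
             "dhparams": {"bits": 1024,
                          "fingerprint": "RFC5114/1024-bit MODP Group with 160-bit Prime Order Subgroup"},
             "cert": {"expired": False}},
     "opts": {"vulns": ["CVE-2014-0160"]}},
    # A well-configured service: only TLS 1.2, 2048-bit DH, nothing flagged.
    {"ip_str": "192.0.2.11", "port": 443, "transport": "tcp",
     "_shodan": {"module": "https"},
     "ssl": {"versions": ["-SSLv2", "-SSLv3", "-TLSv1", "-TLSv1.1", "TLSv1.2"],
             "cipher": {"version": "TLSv1.2", "bits": 256,
                        "name": "ECDHE-RSA-AES256-GCM-SHA384"},
             "dhparams": {"bits": 2048},
             "cert": {"expired": False}},
     "opts": {}},
    # Expired certificate; no dhparams because the key exchange is static RSA.
    {"ip_str": "192.0.2.12", "port": 443, "transport": "tcp",
     "_shodan": {"module": "https"},
     "ssl": {"versions": ["-SSLv2", "-SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
             "cipher": {"version": "TLSv1.2", "bits": 128, "name": "AES128-SHA256"},
             "cert": {"expired": True}},
     "opts": {}},
    # Plain HTTP banner: no ssl property at all.
    {"ip_str": "192.0.2.13", "port": 80, "transport": "tcp",
     "_shodan": {"module": "http"}, "opts": {}},
]


if __name__ == "__main__":
    for service, findings in sorted(triage(SAMPLE_BANNERS).items()):
        print(service)
        for finding in findings:
            print("  -", finding)
```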
Exercise Solutions

Website

Exercise 1

title:4sics

Exercise 2

has_screenshot:1 country:se city:nora

https://www.shodan.io/host/81.233.255.165

Exercise 3

vuln:CVE-2014-0160 country:se ssl.version:sslv2

vuln:CVE-2014-0160 org:"your organization"

Exercise 4

category:ics city:"your city name"

Exercise 5

category:malware country:se

Command-Line Interface

Exercise 1

shodan download --limit -1 heartbleed-results country:se,no vuln:CVE-2014-0160
shodan parse --filters location.country_code:SE -O heartbleed-sweden heartbleed-results.json.gz

Note: The --filters argument does case-sensitive searching on properties that are strings, hence the Swedish country code has to be upper-case.

Exercise 2

mkdir data
shodan stream --limit 1000 --datadir data/
shodan convert data/* kml
# Upload the KML file to https://www.google.com/maps/d/

Exercise 3

#!/bin/bash
shodan download --limit -1 malware.json.gz category:malware
for ip in `shodan parse --fields ip_str malware.json.gz`
do
    iptables -A OUTPUT -d $ip -j DROP
done

Shodan API

Replace YOUR_API_KEY with the API key for your account as seen on your Shodan Account website.

Exercise 1

#!/usr/bin/env python
# Initialize Shodan
import shodan
api = shodan.Shodan("YOUR_API_KEY")

# Create a new alert
alert = api.create_alert('My first alert', '198.20.69.0/24')

try:
    # Subscribe to data for the created alert
    for banner in api.stream.alert(alert['id']):
        print(banner)
except:
    # Clean up if any error occurs
    api.delete_alert(alert['id'])

Tip: Use the Shodan command-line interface's alert command to list and remove alerts. For example:

shodan alert list
shodan alert clear

Exercise 2

mkdir images

Run the above command to generate a directory to store the images in. Then save the following code in a file such as image-stream.py:

#!/usr/bin/env python
import shodan

output_folder = 'images/'
api = shodan.Shodan("YOUR_API_KEY")

for banner in api.stream.banners():
    if 'opts' in banner and 'screenshot' in banner['opts']:
        # All the images are JPGs for now
        # TODO: Use the mimetype to determine file extension
        # TODO: Support IPv6 results

        # Create the filename using its IP address
        filename = '{}/{}.jpg'.format(output_folder, banner['ip_str'])

        # Create the file itself (binary mode, since the decoded image is bytes)
        output = open(filename, 'wb')

        # The images are encoded using base64
        output.write(banner['opts']['screenshot'].decode('base64'))