Using SHODAN to Identify "SysiLeaks"

Tuesday, December 14, 2010

Ron Baklarz


"SysiLeaks"  (pronounced 'sissy leaks') is the exposure of specific system names, IP addresses, configurations, physical locations, and possible lax system security that can be used for exploitation purposes.

I am always looking out for new, interesting, and cost-effective (i.e., cheap) ways to address various INFOSEC issues and have an item to share.

On October 28, 2010 the DHS Industrial Control System - Cyber Emergency Response Team (ICS-CERT) issued ICS-CERT Advisory 10-301-01 "Control System Internet Accessibility".   

Specifically, the alert warned that the SHODAN search engine had been used not only to enumerate Internet-facing SCADA systems but also to identify various specific vulnerabilities associated with these systems.

I took a moment to find out what exactly this SHODAN website was and to my surprise, I discovered a veritable "Google" type of search engine specifically designed to seek out Internet-facing servers, routers, etc. including query capabilities to find systems running specific software versions, those configured with default or no passwords, by geographic locations, etc.

What little hair I have was immediately set afire in considering the possibilities for system exploitation as the result of this website and its search capabilities.  I ran a few searches on my own domain to ascertain if I had any gaping holes with my own systems.

I would advise readers to check out SHODAN for themselves and address any holes they may find before they are exploited.

While the news has been consumed with "wikileaks", we INFOSEC practitioners should be very, very concerned about these "SysiLeaks".
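A self-check along the lines recommended above, as an added example that is not part of the original article: it takes search-result records for your address space, keeps only hosts inside your own ranges, and flags the exposures described here as SysiLeaks (unexpected services, version-disclosing banners, internal system names). The sample records are constructed, with field names modelled on Shodan's result format; the network range, approved-service list and hostnames are assumptions for illustration.

```python
import ipaddress

# Constructed sample records, shaped like the "matches" entries of a Shodan
# search result (ip_str, port, product, version, hostnames). Documentation
# address ranges only; none of this is real scan data.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "product": "nginx", "version": "", "hostnames": ["www.example.org"]},
    {"ip_str": "203.0.113.25", "port": 23, "product": "", "version": "", "hostnames": ["plc-pumphouse-2.example.org"]},
    {"ip_str": "203.0.113.40", "port": 80, "product": "Apache httpd", "version": "2.2.3", "hostnames": []},
    {"ip_str": "198.51.100.7", "port": 21, "product": "vsftpd", "version": "2.0.5", "hostnames": []},
]

OWNED_NETWORKS = ["203.0.113.0/24"]                       # assumption: your allocations
APPROVED = {("203.0.113.10", 443), ("203.0.113.40", 80)}  # assumption: services you publish on purpose
PUBLIC_NAMES = {"www.example.org"}                        # assumption: names meant to be public


def audit_exposure(matches, owned_networks, approved, public_names):
    """Return (ip, port, reasons) for each indexed service worth a follow-up."""
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in net for net in nets):
            continue  # not ours: out of scope for a self-audit
        reasons = []
        if (m["ip_str"], m["port"]) not in approved:
            reasons.append("service not on the approved list")
        if m.get("version"):
            reasons.append(f"banner discloses version {m.get('product') or 'unknown'} {m['version']}")
        leaked = sorted(set(m.get("hostnames", [])) - public_names)
        if leaked:
            reasons.append("internal name exposed: " + ", ".join(leaked))
        if reasons:
            findings.append((m["ip_str"], m["port"], reasons))
    return findings


if __name__ == "__main__":
    for ip, port, reasons in audit_exposure(SAMPLE_MATCHES, OWNED_NETWORKS, APPROVED, PUBLIC_NAMES):
        print(f"{ip}:{port}")
        for r in reasons:
            print(f"  - {r}")
```

Each finding is a remediation item: close or firewall the unapproved service, suppress the version string in the banner, or rename or hide the host that gives away its role.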

shawn merdinger: Those interested in Shodan may also want to check out some of the following:

My blog post in August (shameless plug):

Michael Schearer's "Shodan for Penetration Testers" preso from Defcon 18:
