Revisiting Shodan Computer Search Engine

Thursday, August 26, 2010

shawn merdinger


I'm sorry to say so
But, sadly it's true
That bang-ups and hang-ups
Can happen to you...

-- Dr. Seuss, "Oh, the places you'll go!" (1990)

Back in January 2010, I wrote a short blog post about Shodan and VoIP devices and mentioned that it's a site well worth revisiting.  Well, that time has come, and there's plenty more to talk about when it comes to Shodan.

What is Shodan?

It is a publicly available, searchable database of pre-scanned networked devices.  The scanning includes banner results from common services like telnet and http, and is akin to fingerprinting.  One way to look at it is like Rainbow Tables for networked devices.

What's the risk?

When a new vulnerability is discovered, Shodan makes it easy for attackers to search for vulnerable devices without actively scanning. 

For example, say a vulnerability is published about Apache Mod_Security -- an attacker can easily search Shodan for the vulnerable version and then launch an attack to pwn the box.

Attackers can also use Shodan search filters to really narrow down search results, by country code or CIDR netblock for example.  You do have to register for more specific search functionality if you're interested in, say, the 24 Cisco boxes in Iran with no authentication.

Pssst....wanna Pwn 7000 Cisco routers/switches?

Yes you can.  And only because some network admin didn't know how to configure HTTP authentication.  It's easy peasy with Shodan's most popular search.

Click on the resulting IP addresses from that search and you'll get the HTTP interface of a Cisco router/switch with no authentication. 

Add "/level/15/exec/-/sh/run/CR" to the IP address and you'll get the "show running configuration" output of the device.  Understand what's going on here. 

An attacker can easily add an admin-level account, change the configuration, crack the listed Cisco passwords in the configuration to target other devices on that network, etc. 

Why should I care?

Shodan creates risk by making poor configurations and other administrator mistakes much more visible to potential attackers.  It also creates risk by providing a pre-scanned inventory of potential targets. 

I've seen some amazingly frightening devices discovered through Shodan that are wide open and have no authentication -- for a few examples:

  • An Eastern European country's SCADA water treatment network
  • A switch controlling the Neurosurgery VLANs of a hospital
  • Physical security door access controller systems
  • Routers with VoIP configurations
  • and plenty more....

These are just a few examples of the micro-risks.  From a macro-risk perspective, specifically concerning the Cisco routers with no authentication, I think the real danger is the very possible and easy mass takeover of routers and the resulting potential for BGP attacks. 

Not possible?  Well, think back to early 2008 when Pakistan modified BGP routes to block YouTube and because of a misconfiguration, large swaths of the Internet outside of Pakistan could not access the site.

This was the result of an error from a few routers broadcasting bad BGP routes -- now imagine an attacker doing this with a few thousand routers distributed globally.  I think it's really only a matter of time...

What should I do?

There are tangible steps you can take.  First and foremost is to register for a free Shodan account and search for devices on your organization's CIDR netblocks. 

If you are working with business partners that are connected to you, check their CIDR netblocks in Shodan as well.  Make a stink and inform the right network and security people of the risks of Shodan exposure.

Or

You can do nothing, and let Shodan determine your fate.  Your choice.
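As an added example (not code from the original post, and not Shodan's own code), here is how a defender could automate the "search your own netblocks" step above and, at the same time, pick out the unauthenticated Cisco HTTP interfaces the post describes: it builds Shodan `net:` filter queries for your CIDRs, triages a result set shaped like the Shodan search API response (a dict with a `matches` list of `ip_str`, `port`, `data`), and flags management interfaces whose banner answered 200 OK rather than challenging for credentials. The netblocks, IP addresses and banners are constructed for illustration; the live-fetch helper assumes the `shodan` Python library and an API key you supply.

```python
"""Triage Shodan results for your own netblocks (added example, not from the post)."""
import ipaddress

# Constructed: netblocks standing in for an organization's own address space.
ORG_NETBLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed sample in the shape of a Shodan search API response.
# The IPs and banners are made up; 203.0.113.7 is outside our netblocks on purpose.
SAMPLE_RESULTS = {
    "total": 4,
    "matches": [
        {"ip_str": "192.0.2.10", "port": 80,
         "data": "HTTP/1.0 200 OK\r\nServer: cisco-IOS\r\nContent-Type: text/html\r\n\r\n"},
        {"ip_str": "192.0.2.11", "port": 80,
         "data": "HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"level_15_access\"\r\n"
                 "Server: cisco-IOS\r\n\r\n"},
        {"ip_str": "198.51.100.5", "port": 23,
         "data": "User Access Verification\r\n\r\nPassword: "},
        {"ip_str": "203.0.113.7", "port": 80,
         "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    ],
}


def shodan_queries(cidrs):
    """One Shodan 'net:' filter query per netblock, normalised through ipaddress."""
    return [f"net:{ipaddress.ip_network(c)}" for c in cidrs]


def classify_banner(data):
    """Label a raw banner: did the service challenge for credentials or just answer?"""
    first_line = data.partition("\r\n")[0]
    lower = data.lower()
    if first_line.startswith("HTTP/"):
        parts = first_line.split()
        status = parts[1] if len(parts) > 1 else ""
        if status == "401" and "www-authenticate" in lower:
            return "http-auth-required"      # device demanded credentials: expected
        if status == "200" and "cisco-ios" in lower:
            return "open-cisco-http"         # IOS web UI served a page with no challenge
        return "http-open"
    if "password:" in lower:
        return "telnet-password-prompt"      # telnet exposed, but at least prompting
    return "other"


def triage(results, cidrs):
    """Keep only matches inside our netblocks and attach a finding label to each."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    findings = []
    for match in results.get("matches", []):
        ip = ipaddress.ip_address(match["ip_str"])
        if not any(ip in net for net in nets):
            continue                          # someone else's problem, skip it
        findings.append({"ip": str(ip), "port": match["port"],
                         "finding": classify_banner(match["data"])})
    return findings


def high_priority(findings):
    """The findings to escalate first: management UIs reachable without authentication."""
    return [f for f in findings if f["finding"] == "open-cisco-http"]


def fetch_live(api_key, cidrs):
    """Optional: pull real results with the shodan library (pip install shodan).
    Kept out of the offline path; requires network access and a valid API key."""
    import shodan  # assumed installed; not needed for the offline sample above
    api = shodan.Shodan(api_key)
    matches = []
    for query in shodan_queries(cidrs):
        matches.extend(api.search(query).get("matches", []))
    return {"matches": matches}


if __name__ == "__main__":
    print("queries:", shodan_queries(ORG_NETBLOCKS))
    found = triage(SAMPLE_RESULTS, ORG_NETBLOCKS)
    for f in found:
        print(f"{f['ip']}:{f['port']}  {f['finding']}")
    print("escalate first:", [f["ip"] for f in high_priority(found)])
```

Run it as-is to see the offline triage; swap `SAMPLE_RESULTS` for `fetch_live(key, ORG_NETBLOCKS)` to run the same triage over real results for your own address space (and, as the post suggests, your partners' netblocks, which you can pass in the same list). The 401-with-WWW-Authenticate check is the distinguishing signal: a device that challenges is configured as intended, while a 200 response from the IOS web server is what the "no authentication" search in the post surfaces.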

hamza karmani: thanks for the post
Mister Reiner: Many hackers have been doing their own scanning for years to create maps of the Internet and specific networks of interest. All it takes is a small army of zombies and a place for them to forward the data.

What many people don't realize, is that a map like this really narrows the window on patching vulnerable systems. People don't have days - they have hours, if that.

Shalom Cohen: Interesting, does it scan all ports or just web ports/well-known ports?
If it is just web ports, then most of the info lies in Google already (just look for Google hacking).
You can locate results of SQL injections, locate network devices like a DSL router by looking for part of the first login web page, etc...