
All right, who here has heard of Shodan? Show of hands. Who here has logged on with the free account? Hands up. Go ahead. Logged on with the free account: not many. Hands down. Who has a paid account? Hands down. Anybody actually done something with the paid API? Okay, we've got a few people. Good. [unintelligible] Because what I'm going to do today is pretty much an introduction to Shodan, and then we'll talk about that. So the first thing I want to do is thank our sponsors out there. We would not be here today without them, so a round of applause for them.

So many of us, when we think of the Internet, we think of the World Wide Web. According to data collected by John Matherly for Shodan, that's only a small fraction of the actual Internet. Of the half a trillion devices that are connected, only about 10% is actually the World Wide Web.

My name is Aaron Blythe. I've been working in software for over 15 years. I started as a developer and I continue to be a developer, but I've always been that person to take on the operations work. Years ago I was the one that had a bunch of machines stacked on my desk running Citrix servers and running our build servers and different things. I moved on from there to VMs, and we've gone from there to configuration management tools like Chef. I run the DevOps KC meetup and have for the last four years. We're about to have our second DevOpsDays here in September, so I think it'd be a great thing to get more DevOps and security people working together better.

Fun fact: I did one semester of college in Australia. I didn't go to college much; I surfed. I surfed every chance I got, every day. I wasn't very good; to be good you've got to surf for years. But every day after I was done, it was hours of paddling out for what seemed like just seconds of being up on that wave, and then getting pummeled with water. Look at this picture. I feel the same way about security: all these hours of paddling out for those few seconds of clarity, and a contented feeling at the end of the day.

Shodan was created by self-described Internet cartographer John Matherly. You can see the design here, back in 2003, which blows my mind; that's now 14 years. He launched Shodan in 2009. You can find him on Twitter under the handle @achillean. The easiest way to get started with Shodan is to just go to shodan.io. What Shodan does is index the devices that are connected to the Internet, so basically what we're working with is like Google for all the Internet devices.

Who here is familiar with nmap? Quite a few. For those that aren't, it's that tool that Trinity used in her hacking session in The Matrix Reloaded. She actually uses it correctly in that movie to hack the power grid of a city. [unintelligible] She then uses the SSH1 CRC32 exploit from 2001 and shuts down the grid. Awesome graphics: all the lights go off across the city and everything. However, as cool as this tool may be, I would not want to get into using nmap unless you really know what you're doing. Directly from the nmap website: "When used properly, Nmap helps protect your network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP." So to reduce your risk, probably read the legal guide. Shodan is not nmap. When I first started looking at Shodan, I was apprehensive to even use it considering what I'd heard about nmap, especially when casting a wide net, and here we're trying to map the entire Internet. But to be clear, Shodan is just like with books: someone needs to organize the index, and it's part of that library of all this information.

So what Shodan does is crawl all of the Internet IPs continually and randomly from data centers around the world. The reason why it's around the world is obvious: in some countries they don't allow traffic from other countries. They also do this randomly. If you know a bit about nmap, I think by default it does it sequentially, and that's pretty detectable: you're just going to this IP address, and the next one, and the next one, for all the numbers. What Shodan does is randomly pick some IP addresses over a short period of time; it just continually does that and gathers all the information. The basic unit is the banner. It goes out, makes an Internet request, and whatever the device returns is the banner. We've got HTTP 200 OK with a text/html content type; probably familiar to a lot of people. This one down here is another banner, from some semi-industrial control system; we're getting a bit of a different result. It then decorates that with metadata such as the hostname, the operating system, and where the server is actually located.

The next thing to understand is what is actually in there. Of course we've got the web servers, but as we discussed at the beginning, that's only about 10% of the Internet. There are also databases; as we would expect, some are directly connected to the Internet so that services can connect to them directly. However, there's also been this explosion of IoT, or Internet of Things. Two talks ago I talked about IoT. So this is things like webcams, watches, and many other personal devices. Speaking of Internet of Things, we heard about this one: you leave your dog in an Internet-connected box outside of a business. This is terrible. What happens when the power goes out or this thing unlocks? There's your dog, or someone else is going to come take your dog. There's also a drone on the market now that picks up dog [unintelligible] throughout cities. No, the poor thing.

Industrial control systems: this is one of the most interesting things I learned while researching this presentation. There are many pieces of complicated industrial machinery out there. Before the Internet, companies had to pay these highly trained technicians a bunch of money just to drive to where these things were. Super expensive, because you've got highly paid people, and most of the time they're in a van, driving. So many companies started connecting these devices to the Internet, because with economies of scale they can bring a lot of their routine maintenance into central locations, and one really smart person can take care of many different places, as opposed to driving 80 percent of the time. Many of them started doing this well before Linux, so they've got these proprietary systems that they still use to this day that control our water, electricity, gas, and many other important pieces of technology.

So if we scroll down the page a little bit, we're going to come to Heartbleed. There's a link that we're going to go to now.
Let me go back. All right, good. On the Shodan front page, if I scroll down, I'm going to click on the Heartbleed report. It's just a sample report; it was gathered on March 26, 2015, and at that time it found that there were 237,000 devices that are vulnerable to Heartbleed. So let's take a look. The top country is the United States, followed by China. Top service is HTTP. Top organization, interestingly, is Amazon.com, which is a great company, but they have a bunch of servers that many of you are using. Negotiated HTTP version: HTTP 1.1, pretty standard, nothing groundbreaking there. The top product is Apache web server. Top version, hopefully [unintelligible]; this is rather old, so Apache 2.2.4 is still out there, a really old version. There's another one I can't really figure out; there must be something that's on the list at the bottom. The top domains again repeat Amazon: amazonaws.com. This is a lot of EC2. SSL versions [unintelligible]. All right, so this is a great report, but it's one year old, so let's actually click on it. Someone remember the 237,000.

[Music] So we're under a hundred thousand. I showed you this picture, right? So that's a good thing. Now let's go with the United States, and we're going to see the vulnerability report by country: US. Now I'm going to go to my home state: three thousand [unintelligible]. Then I'm going to click on a city. I'm going to pick Kansas City: 88 vulnerable servers here in Kansas City that are accessible and affected by Heartbleed. Can someone write that down? 88. Remember that. Now let's switch over again and use Overland Park. [unintelligible] All right, Overland Park, Heartbleed: 118. So we've got 88 and 118. You guys remember that.
All right, this is directly from the book by John Matherly on Shodan. I broke all the rules of presentations and put a wall of text up here. The essence of it is: note that for the test, the crawlers only grab a small overflow to confirm that the service is affected by Heartbleed; it doesn't grab anything like a private key. Now, anybody that was working in IT at the time of Heartbleed: a lot of our checks were simply looking at the OpenSSL version, which with the OS version [unintelligible]. This is actually not that. This is what I expected it to be at first, just the OpenSSL version, but this is actually testing your stuff for Heartbleed and telling you.

So when I started researching this presentation, the number for Kansas City was 145; we saw 88. It was 195 in Overland Park; we saw 118. I'd like to think that I had a hand in bringing that number down, because I know people that work at some of these companies, and while I was researching this I reached out to them, talked to their security people, and let them know what they had left open, and we got reports generated. I think they've actually started working on it. No consulting fees or anything; it's just the right thing to do.

The next killer feature is maps. You only get this in the paid version. Depending on the time I have, when I go to this, it's a bit slow to render, and I'm not sure about [unintelligible], but it is pretty cool. I did this map for Heartbleed, and as you can see there are still quite a few servers out there that are susceptible.

The query language, which I was looking at [unintelligible]: it looks similar to other query languages that you're probably familiar with, right? If you use the advanced features in Google, or Solr or Elasticsearch, you've just got a search string. [unintelligible] This is also why I think technical people should do this, but as you saw, the UI makes it pretty easy, so lay people can find out [unintelligible].

Some of you may be aware that Krebs on Security was attacked last fall. This was a DDoS, or distributed denial of service attack, executed from many Internet of Things devices, mostly DVRs. They had default, weak, or hard-coded passwords. Krebs reports that the source code for this botnet was released. The problem is there are likely just as many devices that are connected with default passwords. [unintelligible]
Here we've got another thing: when you do a search, you can save the report if you've got a paid account, and you can tag it. These are the searches that are tagged, as I see here, Internet of Things. [unintelligible] So I've searched [Music] ... let me push this over. [unintelligible] [Music] You can see pretty quickly that it responds with TiVo devices that are connected directly to the Internet. A lot of times people want to access those from outside the house, and whatever. That's the kind of stuff that you can find there.

More recently, in March of this year, there was the Vault 7 WikiLeaks release, which detailed how the CIA performs electronic surveillance and cyber warfare. In these documents it was made even more obvious that telnet is on by default on Cisco switches, to the tune of 300-plus different models. By sending some malformed CMP, or Cluster Management Protocol, traffic, arbitrary code gets executed and you can take full control of the machine. Cisco's response: shut off telnet. Obviously, right?
So I did a Shodan search for this. I found 30,000 devices when I just put in the word Cisco as a search string and then port 23, but when I do product Cisco with port 23, 121,000 different devices. So this is definitely something that, for your clients or for your business or whatever, you want to check out and make sure that you've got this shut off. Like I said earlier, the banner: this is pretty much telling us telnet is running, because they hit port 23 and what they got back was this login prompt. [Music] In general, there are 3.7 million devices out there on the Internet that have the telnet port open to the Internet. Seriously: update all these devices, shut off telnet, and close port 23.

So off of that, I've seen John Matherly claim the original purpose was market research, which makes a lot of sense, right? The idea was that hardware manufacturers like Cisco and HP would want to see how many devices they have out there in the world that are connected to the Internet, and see what some basic configuration was, so they could contact their customers. Because Cisco obviously contacts all of you [unintelligible], right? They absolutely should, and they should use this information.

Shodan also grabs an image from the device in the cases that warrant it. This was a totally bad idea on my part, but I'm going to run with it, YOLO. So let's see what happens, right? This is the image search. [unintelligible] These are webcams, which we see a lot of. When Shodan crawls and hits your device, it grabs a quick screen capture, right? So we see [unintelligible], whatever it is. When you scroll through these, [unintelligible], but you will see things that aren't exactly secure. Let's change HTTP to Windows instead and see what we get. We can weed out [unintelligible] as we go. Right there, this one over there, there we go. [unintelligible] And these are the Windows machines that have RDP exposed, so it actually goes to the RDP port and grabs a screenshot of that. If you have this exposed to the Internet, then that's bad. So that's good to know.
Limitations of the free version: you can't go more than five pages deep for any search, and [unintelligible]. The cost for an individual for a lifetime subscription is $49. I know some of you have told me you got the Black Friday deal last year for like five bucks or whatever; 49 is still a deal. This is a very good security tool that you should be buying. Enterprise access would allow you to download the stream, and have a monthly hard drive shipped out to your company. This would also mean unlimited API access for all of your organization. I don't know how much that costs, because I just have the individual license. Like I said at the beginning, [unintelligible]. Shodan's marketing material also boasts that it's already used at 56 of the Fortune 100 companies and over a thousand universities.

You're probably asking yourself, whoa, this tool, right? Is my device on there? The answer is likely no; only if your device is directly connected to the Internet. So possibly your home router will show up, depending on the settings at many different levels of networking, but even then it kind of depends on how your ISP is set up, so you may not be exposed. The reason for this is that we use local networking quite a bit inside of IPv4. As IPv6 continues to ramp up and we've got unique IP addresses, we may be having quite a bit more direct connection and less of that home network. If you want to check, there's a website to do that: iotscanner.bullguard.com. It has the option to do a deep scan. This is a [unintelligible] thing that my wife made, which is really cool, and it was working okay. I did not do the deep scan; I do not want to invite this crawler into my home network, so I decided not to do that. That's a personal decision for you guys. This is not directly connected to Shodan; this is just someone doing a service of some kind. I don't know; it wasn't for me.

So the browser plugin: this allows you to check the public configuration of the site that you're currently browsing to. From the website for this conference, I can see that the host machine has [unintelligible], while [unintelligible] has 80 and 443. This one also has [unintelligible] mail and does a few other things, which is a bit more than on other websites, so something to look at.

John Matherly does excellent talks; I highly recommend that you go to them. My favorite part of one of these talks is when he goes into when they found that there was a control system for some [unintelligible], a power plant or something somewhere in Europe, and they could actually see the web page where you click a button and turn things on and off, right? And they contacted them, totally trying to do the right thing, and [unintelligible]. If you think we're bad in the enterprise and on our websites on all types of security, a lot of industrial control stuff is kind of scary, because the answer that they got back was: oh no, no, we have that on a static IP address with no DNS on top of it, so nobody will be able to find it. [Music] They found it, right?
So positives: it does work as well for some. There's a long way to go for security. You can pick up the Shodan book for $4.99 suggested price, or if you're like me, $15 or $10, because it's an awesome tool. And for the disclaimer: I want you to use this information for positive purposes. Accessing or attempting to access someone else's device could be punishable by law. Very easily in Shodan you just click on those links and go through this thing. I tell you these things today so you can protect yourself, you can protect those around you, and have better security. I have been incredibly tempted to click on stuff and go to IP addresses, but you may think that you're trying to make a connection to someone that left their stuff open on the Internet, and you might be making a connection with someone way smarter than you instead: a honeypot that's going to try to pull your information, or poison your data, or pull you in. I don't know [unintelligible]. But the Shodan book goes into that; I'm just doing an introduction. They have a Honeyscore, and this is a good way... you can read that section in the book to find honeypots. He also goes into [unintelligible], which is a big deal with the industrial control systems. On the web page: you should really buy the book; it's tied into the tool.

Feel free to contact me about Shodan to get you set up, or to teach you something. My consulting fee just went up from the free that I did earlier to one beer, because I've now given a talk at a conference about it. Oh yeah, and definitely help this conference: give them feedback throughout the day, feedback for the conference or anything else. If you go to [unintelligible], that's our website; this presentation, both slides and the video, will be posted with a link up there.

I do have to run to my daughter's dance recital, but I will be back this afternoon and hope to stay into the party at night. [unintelligible] That's all. Yeah.
[Applause] All right, thank you for that great talk. And yeah, we're going to break for lunch. We're going to wrap up lunch about 1:15, so be back for the next talk [unintelligible]. Thank you, good sir.
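Added worked example, not code from the talk, the Shodan book or Shodan itself: the banner-plus-metadata model and the search filters the talk walks through (product:Cisco port:23, narrowing Heartbleed results down to a city), done offline in Python over a few constructed banner records. The record fields (ip_str, port, product, data, location.city, vulns) are assumed to follow Shodan's banner JSON; the records, the RFC 5737 TEST-NET addresses and the vulns key are made up for illustration. It also carries the caveat the speaker raises: matching the advertised OpenSSL version only says a host is possibly affected, because distributions backport the Heartbleed fix without changing the version string, whereas Shodan's own test confirms it by probing.

```python
"""Offline triage of Shodan-style banner records.

Added example for this talk; not code from Shodan, the Shodan book, or the
speaker. Record fields (ip_str, port, product, data, location, vulns) are
assumed to follow Shodan's banner JSON; the records below are constructed,
using RFC 5737 TEST-NET addresses.
"""
import re
from collections import Counter

TELNET_PORT = 23
RDP_PORT = 3389

# OpenSSL builds affected by Heartbleed: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g and later are fixed. Distributions backport the fix without bumping
# the version string, so a version match is only a hint, not a real probe.
HEARTBLEED_VERSION_RE = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")
OPENSSL_IN_BANNER_RE = re.compile(r"OpenSSL/(\S+)")


def openssl_version_hint(version):
    """True if the advertised OpenSSL version string is in the Heartbleed range."""
    if not version:
        return False
    return HEARTBLEED_VERSION_RE.match(version.strip()) is not None


def build_query(**filters):
    """Build a Shodan search string such as product:Cisco port:23 city:"Kansas City"."""
    parts = []
    for key, value in filters.items():
        value = str(value)
        if " " in value:            # filter values containing spaces must be quoted
            value = '"%s"' % value
        parts.append("%s:%s" % (key, value))
    return " ".join(parts)


def triage(record):
    """Return the finding tags for one banner record (empty list if nothing stands out)."""
    findings = []
    port = record.get("port")
    data = record.get("data") or ""
    if port == TELNET_PORT:
        findings.append("telnet-exposed")
    if port == RDP_PORT:
        findings.append("rdp-exposed")
    # 'vulns' is assumed to carry the crawler's own verified result, keyed by CVE id.
    if "CVE-2014-0160" in (record.get("vulns") or {}):
        findings.append("heartbleed-confirmed")
    else:
        match = OPENSSL_IN_BANNER_RE.search(data)
        if match and openssl_version_hint(match.group(1)):
            findings.append("heartbleed-possible")
    return findings


def summarize(records):
    """Count hosts with findings per city, and hits per finding type."""
    per_city = Counter()
    per_finding = Counter()
    for record in records:
        findings = triage(record)
        per_finding.update(findings)
        if findings:
            per_city[(record.get("location") or {}).get("city", "unknown")] += 1
    return per_city, per_finding


# Constructed records, not real Shodan data.
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 443, "product": "Apache httpd",   # version hint only
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1e\r\n"
             "Content-Type: text/html\r\n\r\n",
     "location": {"country_code": "US", "city": "Kansas City"}},
    {"ip_str": "192.0.2.23", "port": 23, "product": "Cisco",           # telnet login prompt
     "data": "\r\nUser Access Verification\r\n\r\nPassword: ",
     "location": {"country_code": "US", "city": "Overland Park"}},
    {"ip_str": "192.0.2.89", "port": 3389, "product": "Remote Desktop Protocol",
     "data": "Remote Desktop Protocol\r\n",
     "location": {"country_code": "US", "city": "Kansas City"}},
    {"ip_str": "192.0.2.44", "port": 443, "product": "Apache httpd",   # fixed build
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g\r\n\r\n",
     "location": {"country_code": "US", "city": "Lawrence"}},
    {"ip_str": "192.0.2.77", "port": 443, "product": "nginx",          # confirmed by probe
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
     "vulns": {"CVE-2014-0160": {"verified": True}},
     "location": {"country_code": "US", "city": "Kansas City"}},
]

if __name__ == "__main__":
    print("query:", build_query(product="Cisco", port=23, city="Kansas City"))
    per_city, per_finding = summarize(SAMPLE_RECORDS)
    for city, count in sorted(per_city.items()):
        print("%-14s %d host(s) with findings" % (city, count))
    for tag, count in sorted(per_finding.items()):
        print("%-20s %d" % (tag, count))
```

Running it prints the Cisco telnet query from the talk and a per-city count like the Kansas City and Overland Park drill-down; the Apache host advertising OpenSSL/1.0.1e comes out as heartbleed-possible rather than confirmed, which is the difference between the version-only checks many of us ran in 2014 and the crawler's actual test.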