
Introduction to Shodan

BSides Springfield · 2017 · 37:00 · 106 views · Published 2017-12 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
Security BSides Springfield, 2017 (Drury University, Springfield, MO) - Talk 1.2 - Aaron Blythe - Introduction to Shodan - updated version!

Download this in HD at https://drive.google.com/open?id=1yG-0oUseh4Jum7PRlt67eTqwsg2z8Qvf, and in a much smaller, faster size at https://drive.google.com/open?id=132XD60ubqZoJV2wdCEmgM83veEf6bN6P

Link to slides, download video and podcast versions of this and all BSides Springfield talks: drive.google.com/open?id=0BxW...

Get the podcast version of this talk as a free download at https://soundcloud.com/securitybsides/bsides-springfield-talk-12-aaron-blythe-introduction-to-shodan-7222017-free-download

Music featured at the end and beginning: "Over your cities grass will grow" by Ötone (Pablo Diserens), from the label YGAM (@ygam). Used with permission from YGAM and the artist. Learn more about the artists and download the songs for free at soundcloud.com/ygam/sets/otone-past-structures-present-matter-ep-ygm003-1 or at the bandcamp pages linked on Soundcloud. All other audio is from the conference or the VOC team.

Official links: @BSidesSpfd, www.securitybsides.com/w/page/116970567/BSidesSpfd

VOC angels: @ablythe (twitter.com/ablythe), @cherokeejb_ (twitter.com/cherokeejb_). Follow cherokeejb.blogspot.com/ for more video and audio from Springfield, as well as upcoming DFIR, security operations, and forensics posts.

Other volunteers included (thanks!): Beth Young, Shannon McMurtrey, Lorne Hazlewood, Steve McIntosh, Matt Stephenson, Ryan Halstead.

Sponsors (also, a big thanks!), with special thanks to augustalocksports.org/ (@pickaugusta): Jack Henry & Associates, Inc.; Drury University; Revolutionary Security; Forcepoint by Raytheon; O'Reilly Media; Splunk; Motta Network Experts, Inc.; No Starch Press; IBM.

Other presenters: @armycyberinstitute, @amaughan, @c2thewinkler, @securithid, @sysopfb, @motta_mike (mnex.biz), @westongeorge, @sysopfb.

From the presenter: I imagine it goes without saying that the internet is an insecure place. With tens of billions of connected devices projected in the next 5 years, this will only become more insecure. Shodan is a powerful search engine tool that can be used to aid you in making sure that you are not exposing any of your IoT devices (or even web servers or services, for that matter) to the open internet. Aaron will walk through what Shodan is, how to use Shodan, the ethics of using Shodan, and many other related topics.
Transcript (en)

[Music]

Who here has heard of Shodan? By show of hands. All right, keep them up. Good, good, that's most of the room, not all the room. Who's actually logged into a free account for Shodan? Still a good part of the room. Who has a paid account to Shodan and has done something with it? Okay, I think I saw one hand. Those are, any, any count, like if you've done something with it? Okay, so we've got about four or five, so this is probably about the right level of talk for this group. I want to thank our sponsors before we get started. Without them we wouldn't have this awesome conference, so big hand to the sponsors.

So when a lot of us think of the World Wide Web, well, I always think of the Internet; what we think of is the World Wide Web, but according to John Matherly, who created Shodan, the World Wide Web is only a small fraction of what is actually on the Internet. It's only about 10% of the entire Internet, and there's a bunch of other devices that are connected in there.

So my name is Aaron Blythe. I've been working in software for over 15 years. I started as a developer, but I've always been the one that wants to take on the operations. Years ago I was the one that had extra machines on my desk, and I would run Citrix labs, I would run our build servers, I would create a bunch of stuff, and then from that I kind of got into Chef years later and we started spinning up machines, which was super awesome. And so where this is taking me in my career is now I'm the lead organizer of the DevOps meetup, our monthly meetup in Kansas City, and we're gonna do our second conference, DevOpsDays, in September, and it's pretty rad. I have a sheet for you if you're interested; come see me after the talk.

I did one semester of college in Australia. I didn't go to class that much; I did surf every day that I could for months. I wasn't really very good. To be good you have to surf for years, so you notice I didn't call myself a surfer, but I surfed every day. This is very similar to my relationship with security so far. I wouldn't call myself a security expert, but it's something that I really love and get into. I feel the same way when I find something out in the security realm as I did when I was surfing, or when I figure out that thing, whatever that may be, in software or IT. You spend all this time paddling out, and all this work for that epiphany, that few seconds when you come back in on that wave.

Shodan was created by the self-described internet cartographer John Matherly. He conceived of the idea back in 2003 and worked on it continually until it actually went live in 2009. You can find him on Twitter as @achillean. The easiest way to get started with Shodan is just to go to shodan.io. What Shodan does is it indexes all of the devices that are connected to the Internet, so basically what we're working with is Google for all the devices that are connected to the Internet.

Who here is familiar with nmap? Quite a few people in the room, yeah. It's that badass tool that Trinity used in her hacking session in The Matrix. She actually used it correctly to hack the power grid, and then there's that scene of the city where she finds the vulnerable SSH server and everything starts shutting down in the movie. Since it was a while ago, she uses the SSH1 CRC32 exploit from 2001. However, it's cool, but maybe I'd warn against using nmap unless you really know what you're doing. From the nmap website it says, "When properly used, nmap helps protect your network from invaders, but when used improperly, nmap can in rare cases get you sued, fired, expelled, jailed, or banned from your ISP," so you reduce your risk by reading the guide that they have. Shodan is not nmap. When I first heard of Shodan I have to admit that I was actually pretty scared. I was like, knowing what I know about nmap, this thing is gonna crawl the whole Internet; what am I doing, am I kicking off a crawl everywhere, am I gonna have my ISP coming down on me? It's not that at all. Just like with books, someone needs to organize that library of all the information. Shodan crawls all the internet IPs continually and randomly from data centers that are around the world, so Shodan has data centers or colocation or cloud type of places in there; they're hitting all of the IPs, they're hitting them randomly throughout the world.

So the basic unit that's returned from a device is a banner. So here we see the Apache server; this might be very familiar to a lot of people in IT. You see that we get a 200; we get the information that we would if we just went to a web page. There's also, you know, industrial control devices, and they'll send back banners that look more like this. It takes the banner and it decorates it with this metadata: things like the hostname, the operating system, the actual geolocation of that device, and it puts that together and has that as part of the index, and the index is based mostly on the IP address. So of course we get web servers, but as we've discussed at the opening, that's only about 10% of the internet. There's also databases, and we would expect that sometimes databases are connected directly to the internet so they can be called by web services; a lot of times you keep those back behind your firewall. But there's also this new explosion of Internet of Things; these are things like webcams, watches, and a lot of other personal devices.

So let's talk about Internet of Things real quick. Have you seen this one? You leave your dog in this internet-connected box outside of a business, and what happens when this thing gets unplugged, or what happens when this thing can't connect to the internet? This is a terrible idea, horrible. There's also a drone on the market right now that picks up dog poop throughout the city. No, I don't know, I think it is, and also lights it on fire on somebody's porch. And then one of the other ones is industrial control systems. This one was the most interesting thing to me while I was researching this presentation. There are many pieces of complicated industrial machinery out there. Before the internet, companies paid these highly trained workers to go out to where their equipment was, right, and so if there was a problem at a water plant or any type of industrial control system they would pay people, and most of their time was spent in the car to get to the place. The internet comes out, and what they do is they start having their devices phone in, and most of their service calls, they get this economy of scale by having the information in a centralized location, so these highly trained people can sit in one location and not have to drive around and actually do a lot of the service. The unfortunate thing is they did a lot of this before there was Linux, or before there were a lot of standards, or the way that we understand REST currently. They did this on proprietary systems that they built themselves, and the security for it isn't the best in the world.

So now we'll jump into Shodan. Inside of Shodan there is a report for Heartbleed, I hope it's still there, and we're going to go to it. So we go to Reports. Let me command-minus just a little bit. My account.

Okay, just on the front page, if you scroll down there's the sample report on Heartbleed, so these are the devices that are vulnerable to Heartbleed throughout the internet. So does anybody remember Heartbleed? That's when we started branding exploits and giving them icons and names and all kinds of stuff. What's interesting is we can see all of the different information about this in a very simple report. So the top countries: most of the Heartbleed things that are out there are in the United States. The top services: mostly it's HTTPS, but there are a host of other services that are running on the machines. Top organization, this is interesting, is amazon.com. This is probably not the company amazon.com; it's probably people that have just spun up servers on AWS, right. Mostly it's HTTP 1.1, which is good; people are not using as much of HTTP 1.0 mode. Apache web servers: we also see that mostly it is Apache 2.2, which is interesting to me. Either people are not using 2.4 as much, which is probably the current standard, they're stuck in some way on 2.2, and/or the people that are on 2.4 are just more secure; either one could be a possibility. Top domains, we see Amazon AWS again, SSL versions, and all kinds of good information. Mostly it's the Linux kernel 3.x, which I was actually surprised with; that's good, people are running later versions of Linux.

So this is directly from the book by John Matherly, and the emphasis is mine, and I'm completely breaking all the rules of presentation by just throwing a bunch of text up here for you, but I do think it's important, so I want to read this part to you: "Note that the test crawlers only grab a small overflow to confirm the service is affected by Heartbleed, but it doesn't grab enough data to leak private keys." I was actually surprised by this. Shodan is actually trying to do the exploit to tell you whether or not you're susceptible to Heartbleed. I remember Heartbleed as being running a bunch of scripts against our servers where we just checked the OpenSSL version, right, and then we made an assumption that all we need is to upgrade that version. The servers that are listed here are actually the servers that are susceptible; he's actually done a small exploit, not enough to actually pull information down, but to show that they're susceptible.

So we can see the numbers. When I started researching this talk, someone write this down because we're gonna compare it: it's 145. I took that report, which we're going to do here in a second, and I started drilling down, and we'll do that, but in Kansas City, when I drill down to just Kansas City, 145 boxes were susceptible. I did the same thing in Overland Park: 195 boxes were susceptible. So when I go to this report I simply click on here. Actually this number, 144,000, let's remember that, and I'll go back to the original report, because the original report was run in March 2016 and it said two hundred and thirty-seven thousand. So the number is coming down; we are, as a community across the world, getting Heartbleed actually patched.

So now we're actually using Shodan. Can you guys see that screen, or do I need to command-plus? Can't see? No?

That's too far for what I want to show. So the way this is laid out is it's very similar to, if you're familiar with Solr or different indexing type of stuff, there's a lot of different facets over here that I can drill down by, and then my results are here, so each one of these are individual machines. So if I click on United States, I'm just going to see the ones that are in the United States. I'm gonna click on a city; New York is the one I'm choosing, which has 806. We click on it again.

So, quick sidebar: years ago when I was in college we used AltaVista; this is well before Google or whatever. I don't always just, like, hit the button, I was like, if I hit it four times then it all comes back faster, right? I didn't know anything about computers back in college.

So Kansas City is down to 102, compared to the 145 that I showed you earlier.

And Overland Park. I'm just happy the conference Wi-Fi is working. It's slow, but this demo would be terrible if it wasn't. I'll just, I wasn't worried at all. See, I think if I hit enter again it'll be better, right?

155, so if we go back that's compared to 195. Let me switch my mirroring on my displays and jump back into here. I'd like to think that I had a small part in that number going down, because when I started doing the research for this I saw some of the companies, and I knew people that worked at those companies, and I reached out to them and said, listen, you have stuff that hackers probably know about that's open on the internet and open to Heartbleed; you should probably get this patched. No consulting fees, none of that; it was the right thing to do.

So the next killer feature is Maps. You only get this one in the paid version, and based on the time I'm not actually going to drill down into this, but it is pretty cool to see. If you just switch over to Shodan Maps you can see where the actual devices in your search are. The query language looks similar to a query language that you may be familiar with if you use the advanced features of Google, or if you've ever used Solr; it looks sort of like that. John Matherly seems kind of fine that this is a little bit more technical than your normal typing into Google. I'm also fine with it; I think it lowers, it raises the barrier to entry so that not everybody can get into this, but as security professionals we should probably understand how to do this, and then we should secure our machines. So here I'm searching for the word Apache, and then I'm searching for the city of San Francisco, so you use these name:value pairs, like the country of Germany, and that's how you get the search to go.

Some of you may be aware that Krebs on Security was attacked last fall. This was a DDoS attack that was executed from many Internet of Things devices that had default or weak or hard-coded passwords. When Krebs figured this out, he actually reported the, so the source code to the botnet was released, and the problem is that these devices are probably still out there, and there's probably still things like this. What was actually used was a lot of DVRs in this particular case, and a lot of Internet of Things type of stuff.

So more recently, in March of this year, there was a Vault 7 WikiLeaks release detailing how the CIA performs electronic surveillance and cyber warfare. In these documents it was made ever more obvious that telnet is on by default on almost all Cisco devices, probably over three hundred. So by sending this malformed CMP, which is Cluster Management Protocol, this arbitrary code can be executed and you get full control of the machine. Cisco's response was: turn off telnet, right. Even though they shipped the device to you with telnet turned on, their response is it's your responsibility to go in and turn off telnet. And by all means, do that. I did a Shodan search for Cisco as the word, and as we talked about earlier, I just said port 23, and we can take a look at that search. How am I doing on time? We'll do that search at the end if we need to, but this is basically what comes back: there are a lot of devices that are Cisco devices. Actually in this search I say product:cisco, and that actually gives me an even better search. It's not just that Cisco was anywhere in the index, it's that the product is Cisco. If we do a telnet search in general, not just on Cisco devices, there's 3.7 million devices out there with the telnet port open to the Internet. Seriously, use SSH, shut off telnet; this is ridiculous.

So the original intent of Shodan was to do market research, which is a pretty good idea. The idea was that HP, Cisco, they're going to want to see all of their devices that are out there on the internet that are actually connected, and so they can get data back so they can know who they need to sell to, how are they using the devices, how can we fix these in the future, which is a pretty awesome idea. So here I just did simple searches for Cisco and HP and saw that, you know, these are market leaders; they've got millions of devices connected directly to the internet.

Shodan also grabs an image from the devices in cases that warrant it. This could be a bad idea, but I'm going to just YOLO click this and we'll see what happens. All right, let's go, and I apologize again for the fumbling of switching back and forth, but we're going to deal with it.

Wow. So we can see a lot of parking lots out there in the world. Okay, so now I'm going to search for Windows, right, and see what we get.

What?

That has changed. The joke there was it used to show security cams of, like, windows. So what you actually want to search for is remote desktop.

So if your remote desktops are out there on the internet, you know, open, then we can see this. For an attacker this can be used to ensure not just only that that port is open for RDP, but that this is in fact a Windows machine, so my crawler, my whatever you have, is going to go try to do what it's going to do.

Someone was asking about free version limitations. Of the free version, you can go no more than five pages deep on any search and you have no Maps. I think there are other things that you may not get if you're just using the free version; however, you do get quite a bit. So if you, I think you have to create an account; you have to give them money, you have to give them a valid email address. People in this room probably know many ways to use valid email addresses that don't connect to themselves, but I think that it's a solid service, so I just gave it my real email address, and I've actually purchased the paid account. My understanding is it's lifetime. Oh wait, we'll probably go into that in a second. Cost for an individual: I can gain full access for $49, I believe. Last year they had some kind of Black Friday deal and a lot of people got it for either five or ten. I think it's a good enough service that I was happy to give them $49. I think that many other people could run a service like this and be nefarious; I think this is on the up-and-up and worth it for me to give some of my money to this service, so I went ahead and paid full price as a lifetime. I believe, as far as I know, as long as the service is up, if you paid for it you get to continue to use it. Enterprise access would allow you to download, stream, or even have a monthly hard drive delivery of the data to your place of business. This would also mean unlimited API access for your organization. I don't know that the API access is actually unlimited on the personal one; I think that it's metered and you can buy more credits, so you can't just completely pummel it. And Shodan's marketing material boasts that this is already used by 56 of the Fortune 100 companies and thousands of universities.

So the question you're probably asking yourself is, is my device on Shodan currently? The answer is likely no. The reason is routers and IPv4; however, when we get to IPv6 and everything's individually addressed, we'll see what happens. Your router possibly would. If you'd like to check if your device is on Shodan, you can go to this and search. I do this and allow the search in my browser. You can actually do a deep scan. I was not going to invite these, I'm sure they're awesome people, I just didn't want them to come into my network, so I didn't click on the deep scan. There's also a browser plug-in. The last talk I did was at BSides KC, and I noticed that the web page that they were running had more than just port 80 and 443 open and actually had a few other ones, but the plug-in put it right into Chrome, and then you can see, whatever site you're on, the information that's in that index for Shodan.

I strongly recommend watching John Matherly talk about this, because he created it; he was a much better speaker than me and he knows what he's talking about. I think this is a super cool tool, so I'm trying to spread the word, but I think you should check out his recent talks at the National Cyber Summit and Netexplo. There is a book that John Matherly wrote that you can get on Leanpub; I think the suggested price is $4.99, the minimum you can get it for is $0.99, or you can be like me and I just paid the maximum $10, because why not, it's a super awesome tool.

Now for the disclaimer. I've been incredibly tempted myself to click on stuff. You get these search results, right, whoa, we should click on that because this person left this open to the Internet. I want you to use this information for positive purposes. Accessing or attempting to access someone else's device can definitely be punishable by law, and I tell you these things that I've told you so far today so you can protect your own assets, not so you can go out and hack into other people's assets, because, you know what, you may think you're opening a connection to some dummy on the internet who left open something, but you might very well be clicking on a honeypot, and you might actually be falling into a trap of someone who's much smarter than you. So while it does seem open and it's sitting there in Shodan, just be careful. There's a really good section on serial uniqueness in the Shodan book and I recommend that you take a look at that. Using serial uniqueness you can actually start to figure out which things on the Internet are honeypots. So if you think that someone at your business has actually started to either click or open something, or open the connection with somebody, you can actually use the data that's in Shodan to figure out where you just exposed yourself to, so it's really good data to use for your post-mortem type of stuff if something bad happens.

Help me get better. You can find me at Aaron Blythe dot org; I think most of my talks are up there in the presentation thing, or you can connect, there's links to connect to me on LinkedIn or Twitter, or just send me an email, any of those type of things. I love having conversations about this stuff. So rad, that's all I got.

[Applause]

Can I go? I'm good. Now, five minutes for questions. [inaudible] Oh, he may have questions. That's an excellent question. I don't know what that is. I think that in spaces like this, if you're, oh, let me repeat the question: what's the legality of exploiting that little bit to see if it's vulnerable to Heartbleed? I'm not a lawyer, so I have no idea, but I think in cases like this, I think that this is a very positive service that's out there, and being upfront, like if you're going to be innovative and create things like this and your desire is to do good, then you be upfront, and it was exposed like that: this is what we're trying to do. So I think that's the best way to deal with stuff like that.

Does that answer the question? Yeah, that was a non-answer, like, I'm not a lawyer. Yeah.

What, the images? Did you see the, was it, but you're gonna check real quick, right? I'll pull that back up. That was fun, the voyeur in all of you was like, what, you can do what with this?

Um, yeah, webcams, there's kids sleeping. Um, yeah, I'm probably an idiot for bringing this up in a live presentation, you don't know what. But yeah, I mean, it just grabs an image, and what it does is there's logic in there that says if it's this particular port it's most likely a webcam, so I'm going to actually grab an image. In my understanding this is probably, I'm not good with video cameras, it's probably RTP, but it's probably coming over HTTP, right? That's how the internet works: you make a request, the request is sent back to you by the server. So I don't think there's anything wrong with this, like the people have set this up, either through intention or ignorance, in such a way that anybody can make this request and get this information back.

Yeah, right, these ones here. I'm glad, yeah, they could be, or they could, like, it doesn't, if it's coming from port 80 it's most likely HTTP, if it's coming from port 443... So I think we can click on, let's see. Well then, I can click on one of these and then we'll get the Shodan result for it. So this is where it's located in the world; port 21 is open, port 23, port 81, and it's httpd 1.0, so this particular one is unencrypted, most likely. I don't know, you could be running encryption on that port. No cache. I don't know, is anybody reading this stuff fast enough? Wait, so it's really, it could be encrypted or not encrypted; it's basic web traffic, right, so it gets decrypted by the browser or the client, right, so when it comes back to their thing they decrypt it. Do a question.

Any other questions? All right, that's my time.

[Applause] [Music]