"When people don't see stuff on Google, they think no one can find it. That's not true."
That's according to John Matherly, creator of Shodan, the scariest search engine on the Internet.
Unlike Google (GOOG), which crawls the Web looking for websites, Shodan navigates the Internet's back channels. It's a kind of "dark" Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.
Shodan uses SCADA (Supervisory Control and Data Acquisition)
How does SHODAN work?
SHODAN does what Google does but spits out specific and greater amounts of data. It’s just like Google except that, instead of indexing web page content, it indexes banner information. It indexes data on HTTP, SSH, FTP, and SNMP services for a good portion of the IP net blocks that make up the Internet. You can do basic searching for free. An account is required for some features, and others require the purchase of credits. The basic SHODAN search filters are country, net, os, and port. There are others but these will get you started. So let’s say an attacker wants to identify all Siemens Simatic devices in the US by their SNMP banner. The search looks like this:
port:161 country:US simatic
This search returns about 25 results. Hopefully that helps to start understanding the SCADA implications.
Another example:
If you wanted to execute a more specific search you’d use a string like this:
port:121 country:US hyper-v
port:121 – this narrows the search down to specific ports.
country – obvious.
hyper-v – this identifies all web servers using Hyper-V in the UK (for example) by their SNMP banner.
To cloak a computer from Shodan, systems should simply refrain from responding to either the first crawl or subsequent connection attempts by configuring their firewall to block unknown sources from connecting. I should note that this is not the same as trying to hide the computer from search engine crawling by configuring a robots.txt file to tell Google, Yahoo, Bing, etc. to leave you alone.
How to defend?
The net filter allows you to search by an IP range, which is important for using SHODAN from a defense perspective. We may not care about all the other people exposing their PLCs to the Internet, but we do want to verify that we are not.
So the first step in the process of using SHODAN from a defense perspective is arguably the most critical: identify your public IP address space. One place to start is with the Regional Internet Registry (RIR) for your region. There you can perform a WHOIS search for your organization. In North America, ARIN is our RIR and you can find the advanced WHOIS search page here. You may not own all your IP space, however, so the identification process should not stop there. Make sure you identify and include all IP ranges for public carrier lines, leased circuits, wireless communication, etc… Hopefully internal documentation and diagrams will help with this task as well.
Another note about attacks: a traditional, targeted attack may follow a similar identification process and then scan your IP ranges to look for interesting or vulnerable targets. SHODAN doesn’t really change anything with this approach. What it does change is the ability for someone to find vulnerable or interesting targets in a non-targeted manner and makes the process quick and easy. Hence the concern and advisory from ICS-CERT, especially when combined with default passwords and other problems with control system servers and devices. But I said I wasn’t going to complain about that… at least not in this post.
Once you have a list of your public IP address ranges compiled, you can use this information to filter your SHODAN search. So you could search like this using CIDR notation:
net:123.123.0.0/16
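The defensive workflow above (identify your ranges, then query with the net: filter and review what comes back) as an added example, not code from the original post or from Shodan itself. The CIDR ranges are placeholders and the banner records are constructed sample data shaped like Shodan's JSON banners; in practice you would feed in results exported from your own Shodan searches.

```python
# Added example (not from the original post): build net: queries from your own
# public IP ranges and flag Shodan-style banner records that fall inside them.
import ipaddress

# Placeholder ranges: replace with the blocks you identified via your RIR WHOIS search.
OUR_RANGES = ["123.123.0.0/16", "198.51.100.0/24"]

# Services the post calls out as indexed by SHODAN; 161 is the SNMP port used above.
WATCH_PORTS = {161: "SNMP", 21: "FTP", 22: "SSH", 80: "HTTP"}

# Constructed sample banners in the shape of Shodan JSON (ip_str, port, data).
# These are not real hosts and not real Shodan output.
SAMPLE_BANNERS = [
    {"ip_str": "123.123.4.5", "port": 161, "data": "SNMP sysDescr: Siemens, SIMATIC S7"},
    {"ip_str": "123.123.9.200", "port": 80, "data": "HTTP/1.1 200 OK\r\nServer: RomPager/4.07"},
    {"ip_str": "203.0.113.7", "port": 161, "data": "SNMP sysDescr: Siemens, SIMATIC S7"},
    {"ip_str": "198.51.100.44", "port": 22, "data": "SSH-2.0-OpenSSH_5.3"},
]


def build_net_queries(cidrs, extra_terms=""):
    """Turn a list of CIDR blocks into SHODAN queries using the net: filter."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # raises on a malformed block
    return [f"net:{n.with_prefixlen} {extra_terms}".strip() for n in nets]


def flag_exposed(banners, cidrs, watch_ports=WATCH_PORTS):
    """Return banners whose IP lies in our ranges on a port we care about."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = []
    for b in banners:
        ip = ipaddress.ip_address(b["ip_str"])
        if b["port"] in watch_ports and any(ip in n for n in nets):
            hits.append({"ip": b["ip_str"], "port": b["port"],
                         "service": watch_ports[b["port"]],
                         "banner": b["data"].splitlines()[0]})
    return hits


if __name__ == "__main__":
    for q in build_net_queries(OUR_RANGES, "port:161"):
        print("query:", q)
    for h in flag_exposed(SAMPLE_BANNERS, OUR_RANGES):
        print(f"{h['ip']}:{h['port']} ({h['service']}) {h['banner']}")
```

The third sample record is deliberately outside our ranges and is ignored, which is the point of the net: filter: only your own exposure matters here.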
Cyberpunk spider:
Shodan’s big lesson is that the internet is more diverse than we think. Think webserver, and you’ll probably think of Apache or Microsoft, or maybe Nginx, but Shodan’s database of nearly 144 million webservers shows that they’re not the only ones out there, not by a long shot. According to Shodan, Microsoft’s Internet Information Server, or IIS, runs about 8.5 million web servers. Allegro Software Development’s RomPager runs on more than 22 million machines. IIS may run big websites such as MSN.com, but RomPager runs on millions of routers, switches, and printers.
When Shodan went live in 2009, it was no Google. Matherly ran the search engine on an old Dell Vostro that ran in his closet. He took the name Shodan from the rogue artificial intelligence entity in the 1999 cyberpunk video game System Shock 2.
Today, the Shodan operation is much more sophisticated, but it’s still a one-man show. Matherly has a half-rack of servers in San Diego that store his core data on the more than 1.2 billion devices he’s tracked on the internet. There’s also his network of probes, which add new data on 200 to 400 million devices each month.
Like most attack tools, if used proactively, SHODAN can be used as part of a defense strategy.