Wednesday, January 21, 2015

Shodan: the scariest search engine


"When people don't see stuff on Google, they think no one can find it. That's not true."

 

That's according to John Matherly, creator of Shodan, the scariest search engine on the Internet.

Unlike Google (GOOG), which crawls the Web looking for websites, Shodan navigates the Internet's back channels. It's a kind of "dark" Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. That includes SCADA (Supervisory Control and Data Acquisition) systems.

How does SHODAN work?

SHODAN does what Google does but spits out specific and greater amounts of data. It's just like Google except that, instead of indexing web page content, it indexes banner information. It indexes data on HTTP, SSH, FTP, and SNMP services for a good portion of the IP net blocks that make up the Internet. You can do basic searching for free. An account is required for some features, and others require the purchase of credits.

The basic SHODAN search filters are country, net, os, and port. There are others, but these will get you started. So let's say an attacker wants to identify all Siemens Simatic devices in the US by their SNMP banner. The search looks like this:

port:161 country:US simatic

This search returns about 25 results. Hopefully that helps to start understanding the SCADA implications.

To cloak a computer from Shodan, systems should simply refrain from responding to either the first crawl or subsequent connection attempts by configuring their firewall to block unknown sources from connecting.

Another example :

If you wanted to execute a more specific search you’d use a string like this:

port:121 country:US hyper-v

port:121 – this narrows the search down to a specific port.
country – obvious.
hyper-v – this identifies all web servers using Hyper-V in the UK (for example) by their SNMP banner.
I should note that blocking unknown sources at the firewall is not the same as trying to hide the computer from search engine crawling by configuring a robots.txt file to tell Google, Yahoo, Bing, etc. to leave you alone. Shodan talks to the services themselves and records their banners; it never fetches your web pages, so robots.txt has no effect on it.

How to defend?
The net filter allows you to search by an IP range, which is important for using SHODAN from a defense perspective. We may not care about all the other people exposing their PLCs to the Internet, but we do want to verify that we are not.

So the first step in the process of using SHODAN from a defense perspective is arguably the most critical: identify your public IP address space. One place to start is with the Regional Internet Registry (RIR) for your region. There you can perform a WHOIS search for your organization. In North America, ARIN is our RIR and you can find the advanced WHOIS search page here. You may not own all your IP space, however, so the identification process should not stop there. Make sure you identify and include all IP ranges for public carrier lines, leased circuits, wireless communication, etc… Hopefully internal documentation and diagrams will help with this task as well.

Another note about attacks: a traditional, targeted attack may follow a similar identification process and then scan your IP ranges to look for interesting or vulnerable targets. SHODAN doesn’t really change anything with this approach. What it does change is the ability for someone to find vulnerable or interesting targets in a non-targeted manner and makes the process quick and easy. Hence the concern and advisory from ICS-CERT, especially when combined with default passwords and other problems with control system servers and devices. But I said I wasn’t going to complain about that… at least not in this post.

Once you have a list of your public IP address ranges compiled, you can use this information to filter your SHODAN search. So you could search like this using CIDR notation:   net:123.123.0.0/16
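The defensive workflow above (identify your public ranges, then scope Shodan searches to them with the net filter and check what comes back) can be scripted. The following is an added example, not code from the original post or from Shodan: it builds net-scoped queries from the basic filters the post names (net, port, country) and triages a search response. The response layout (a "matches" list whose entries carry ip_str, port, data, org and location.country_code) follows Shodan's published API format, but the sample response, the owned ranges, and the banner text embedded below are constructed for illustration; the comma-separated port list in the query is an assumption about the filter syntax.

```python
"""Defensive Shodan triage: scope searches to the address space you own
and flag anything Shodan has already indexed inside it.
Added example; the sample data below is constructed, not real Shodan output.
"""
import ipaddress

# Constructed: ranges an organisation identified through its RIR WHOIS lookup.
OWNED_RANGES = ["123.123.0.0/16", "198.51.100.0/24"]

# The services the post says Shodan indexes, keyed by the port it probes.
PORTS_OF_CONCERN = {161: "SNMP", 21: "FTP", 22: "SSH", 80: "HTTP"}


def build_queries(ranges, ports=None, country=None):
    """One query per owned range, using the basic filters: net, port, country.
    A malformed CIDR raises ValueError so a typo cannot silently widen the scope."""
    queries = []
    for cidr in ranges:
        ipaddress.ip_network(cidr)          # validation only
        query = f"net:{cidr}"
        if ports:                           # assumption: port accepts a comma list
            query += " port:" + ",".join(str(p) for p in ports)
        if country:
            query += f" country:{country}"
        queries.append(query)
    return queries


def classify(match):
    """Severity for one indexed service, judged from port and banner text."""
    banner = match.get("data", "").lower()
    if match.get("port") == 161 and "simatic" in banner:
        return "critical"                   # a PLC answering SNMP from the Internet
    if match.get("port") in PORTS_OF_CONCERN:
        return "review"
    return "info"


def triage(response, ranges):
    """Keep only matches inside our ranges (the net filter should guarantee this,
    but verify), attach the owning range, and sort by severity."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    order = {"critical": 0, "review": 1, "info": 2}
    findings = []
    for m in response.get("matches", []):
        ip = ipaddress.ip_address(m["ip_str"])
        owner = next((str(n) for n in nets if ip in n), None)
        if owner is None:
            continue                        # not our address space; ignore
        data = m.get("data", "")
        findings.append({
            "ip": str(ip),
            "range": owner,
            "port": m["port"],
            "service": PORTS_OF_CONCERN.get(m["port"], "other"),
            "country": m.get("location", {}).get("country_code"),
            "severity": classify(m),
            "banner": data.splitlines()[0] if data else "",
        })
    findings.sort(key=lambda f: (order[f["severity"]], f["ip"]))
    return findings


# Constructed sample response in the shape of Shodan's host search API.
SAMPLE_RESPONSE = {
    "total": 3,
    "matches": [
        {"ip_str": "123.123.4.5", "port": 161, "transport": "udp",
         "data": "sysDescr: Siemens SIMATIC (constructed banner)",
         "org": "Example Corp", "location": {"country_code": "US"}},
        {"ip_str": "123.123.9.9", "port": 80, "transport": "tcp",
         "data": "HTTP/1.1 200 OK\r\nServer: RomPager (constructed banner)\r\n",
         "org": "Example Corp", "location": {"country_code": "US"}},
        # Outside the owned ranges: should be ignored by triage().
        {"ip_str": "203.0.113.7", "port": 22, "transport": "tcp",
         "data": "SSH-2.0-constructed", "org": "Someone Else",
         "location": {"country_code": "US"}},
    ],
}

if __name__ == "__main__":
    for q in build_queries(OWNED_RANGES, ports=[161, 21, 22, 80], country="US"):
        print("query:", q)
    for f in triage(SAMPLE_RESPONSE, OWNED_RANGES):
        print(f"{f['severity']:8} {f['ip']:15} {f['port']:>5} {f['service']:5} {f['banner']}")
```

In practice you would feed the output of each query (from the Shodan website export or its API) into triage(); the net check inside it is deliberately redundant so that a mistyped or over-broad range in the query is caught rather than reported as your own exposure.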

Cyberpunk spider:

Shodan's big lesson is that the internet is more diverse than we think. Think webserver, and you'll probably think of Apache or Microsoft, or maybe Nginx, but Shodan's database of nearly 144 million webservers shows that they're not the only ones out there — not by a long shot. According to Shodan, Microsoft's Internet Information Server, or IIS, runs about 8.5 million web servers, while Allegro Software Development's RomPager runs on more than 22 million machines. IIS may run big websites such as MSN.com, but RomPager runs on millions of routers, switches, and printers.

When Shodan went live in 2009, it was no Google. Matherly ran the search engine on an old Dell Vostro that ran in his closet. He took the name Shodan from the rogue artificial intelligence entity in the 1999 cyberpunk video game System Shock 2.

Today, the Shodan operation is much more sophisticated, but it’s still a one-man show. Matherly has a half-rack of servers in San Diego that store his core data on the more than 1.2 billion devices he’s tracked on the internet. There’s also his network of probes, which add new data on 200 to 400 million devices each month.

Like most attack tools, if used proactively, SHODAN can be used as part of a defense strategy.