SHODAN: Computer Search Engine for the Internet of Things. Amphion Forum, San Francisco, 12 December 2013. Shawn Merdinger, Network Security Analyst, University of Florida Health.

Shodan Search Engine: Amphion Forum San Francisco

May 27, 2015

Shodan computer search engine presentation - Amphion Forum, San Francisco, 12 December 2013
Transcript
Page 1: Shodan Search Engine: Amphion Forum San Francisco

SHODAN: Computer Search Engine for the Internet of Things

Amphion Forum, San Francisco, 12 December 2013

Shawn Merdinger, Network Security Analyst, University of Florida Health

Page 2: Shodan Search Engine: Amphion Forum San Francisco

Obligatory Speaker Slide

● UF Health

– Work, School, Independent Research

● Past lives

– Cisco Systems, TippingPoint, Independent Consulting

● CVEs, Research, Conferences

– VoIP, door access controllers, SCADA HMI, “other stuff”

● Current interests

– Medical device security research - MedSec on LinkedIn

– Shodan

● Talks at DerbyCon, DefCon, Educause, etc.

Page 3: Shodan Search Engine: Amphion Forum San Francisco

What is Shodan

● Computer Search Engine

– Created by John Matherly

  ● Based in Austin, TX

  ● Public late 2009

– “Search engine for service banners of scanned devices accessible via the public Internet”

– Somewhat controversial...

  ● Major media coverage, security conference talks, DHS ICS-CERT advisories, political leaders naming it as a threat

  ● Tool: utility and outcome are dependent on use and intent

Page 4: Shodan Search Engine: Amphion Forum San Francisco

Shodan Technicals

● Shodan Scans

– Shodan servers scan the Internet, place results in DB

  ● Services (web, telnet, snmp, ftp, mysql, rdp, vnc, etc.)

  ● Ports (80, 8080, 443, 161, 21, 23, 3389, 5900, etc.)

● Users search Shodan

– Web interface or API

  ● Free-text, port, org, hostname, country, city, CIDR, etc.

● Advanced Integration

– Metasploit Shodan Module (John Sawyer, InGuardians)

– Maltego

– Geolocation mapping via http://maps.shodan.io (beta)

Page 5: Shodan Search Engine: Amphion Forum San Francisco

Why You Should Care

● Shodan has already scanned...everything?

– Shodan API

– Shodan's low-cost extras

  ● Add-ons for in-depth search capability (i.e. Telnet search)

  ● Special discount code for Amphion Forum at end :)

– The business case

  ● Metrics & deltas with your regular scanning efforts

  ● Export search results for other tools, analysis

– Caveats

  ● Not under your control, timeliness, IPv4 (no IPv6)

  ● One-man show by John Matherly

Page 6: Shodan Search Engine: Amphion Forum San Francisco

Who Is Talking About Shodan?

If Joe Lieberman is talking about Shodan, you should know what it is.

Page 7: Shodan Search Engine: Amphion Forum San Francisco

Project SHINE – ICS/SCADA

● Project SHINE: SHodan INtelligence Extraction

– Bob Radvanovsky & Jake Brodsky, infracritical / scadasec

  ● I provide research support, search terms, etc.

– Daily search feed to ICS-CERT

– 1,000,000 control systems discovered, 2K new each day

Page 8: Shodan Search Engine: Amphion Forum San Francisco

DHS ICS-CERT Shodan Advisories

● First issued October 2010

● Several updates & references since

Page 9: Shodan Search Engine: Amphion Forum San Francisco

Keeping Perspective...

● Scanning is old news

– Attackers

  ● Constantly scanning you

  ● Shodan just made scanning more...

– Searchable + visible + accessible....without scanning

– Legitimate research

  ● HD Moore's scanning projects

  ● Scan repository at UMich via www.scans.io

  ● Academic researchers doing default credential checks!

– Columbia, 2010 (Cui, Stolfo): 500K+ devices with default credentials

– We are entering a Golden Age of scanning

  ● Tools like zmap, masscan and scan data sharing

Page 10: Shodan Search Engine: Amphion Forum San Francisco

Shodan at UF Health

● Currently looking for “low-hanging fruit”

– Printers on public IP

– Open Telnet → “Polycom Command Shell”

● Lots of ways to leverage more

– Automation

– Deltas (daily scan diffs)

● Limitations

– External IP only
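An added example, written for this transcript rather than taken from the talk, from UF Health or from Shodan, covering the three things pages 4, 5 and 10 describe: restricting results to the netblocks you own (the “external IP only” limitation means that is all Shodan can show you anyway), diffing today's results against yesterday's (the “deltas” idea), and exporting for other tools. The result records, the netblock 203.0.113.0/24, the organisation name and the banner keywords are constructed; in practice the records come from `shodan.Shodan(api_key).search('net:203.0.113.0/24')['matches']` in the official Python library, but the script runs here on the embedded samples.

```python
"""Track day-over-day changes in Shodan results for your own address space.

Added example for this transcript; not code from the talk, UF Health or
Shodan.  The records below are constructed to mimic the 'matches' entries
that shodan.Shodan(api_key).search('net:...') returns (ip_str, port, org,
data, timestamp).  The netblock 203.0.113.0/24, the organisation name and
the banner keywords are assumptions for illustration.
"""
import csv
import io
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed snapshot from "yesterday": two exposed services.
YESTERDAY = [
    {"ip_str": "203.0.113.10", "port": 23, "org": "Example Health",
     "data": "\r\nPolycom Command Shell\r\n", "timestamp": "2013-12-10T04:00:00"},
    {"ip_str": "203.0.113.20", "port": 80, "org": "Example Health",
     "data": "HTTP/1.0 200 OK\r\nServer: HP-ChaiSOE/1.0\r\n", "timestamp": "2013-12-10T06:30:00"},
]

# Constructed snapshot from "today": the printer at .20 is gone, two new hits,
# plus one result outside our range that the scope filter must drop.
TODAY = [
    {"ip_str": "203.0.113.10", "port": 23, "org": "Example Health",
     "data": "\r\nPolycom Command Shell\r\n", "timestamp": "2013-12-11T03:10:00"},
    {"ip_str": "203.0.113.30", "port": 9100, "org": "Example Health",
     "data": "", "timestamp": "2013-12-11T05:45:00"},
    {"ip_str": "203.0.113.40", "port": 80, "org": "Example Health",
     "data": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nLast-Modified: Wed, 11 Dec 2013 05:00:00 GMT\r\n",
     "timestamp": "2013-12-11T07:20:00"},
    {"ip_str": "198.51.100.5", "port": 23, "org": "Someone Else",
     "data": "login: ", "timestamp": "2013-12-11T07:21:00"},
]

# Banner fragments worth a ticket, keyed to the exposure they indicate.
# These are assumed triage rules for the example, not a Shodan feature.
WATCH_BANNERS = {
    "Polycom Command Shell": "open Telnet shell on a VoIP/conference phone",
    "cisco-IOS": "IOS HTTP server reachable; verify 'ip http authentication'",
    "HP-ChaiSOE": "HP printer web interface on a public IP",
}
RAW_PRINT_PORTS = {9100, 515, 631}

Service = Tuple[str, int]  # (ip, port) identifies one exposed service


def in_scope(matches: Iterable[dict], networks: List[str]) -> List[dict]:
    """Keep only results whose IP falls inside the netblocks we own."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [m for m in matches
            if any(ipaddress.ip_address(m["ip_str"]) in n for n in nets)]


def services(matches: Iterable[dict]) -> Dict[Service, dict]:
    """Index results by (ip, port) so two snapshots can be compared."""
    return {(m["ip_str"], m["port"]): m for m in matches}


def delta(previous: Iterable[dict], current: Iterable[dict]) -> Tuple[List[Service], List[Service]]:
    """Return (newly seen, no longer seen) services between two snapshots."""
    prev, curr = services(previous), services(current)
    return sorted(set(curr) - set(prev)), sorted(set(prev) - set(curr))


def triage(match: dict) -> str:
    """Label a result that matches a watch rule; empty string otherwise."""
    for needle, reason in WATCH_BANNERS.items():
        if needle in match["data"]:
            return reason
    if match["port"] in RAW_PRINT_PORTS:
        return "raw print port open; anyone can send a job"
    return ""


def export_csv(matches: Iterable[dict]) -> str:
    """Flatten results for a ticketing system or a scanner comparison."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "port", "org", "first_seen", "triage"])
    for m in matches:
        writer.writerow([m["ip_str"], m["port"], m["org"], m["timestamp"], triage(m)])
    return buf.getvalue()


if __name__ == "__main__":
    ours = in_scope(TODAY, ["203.0.113.0/24"])
    new, gone = delta(in_scope(YESTERDAY, ["203.0.113.0/24"]), ours)
    print("new exposures:", new)
    print("remediated:", gone)
    print(export_csv(ours))
```

Keeping each day's `matches` on disk and running `delta` against the previous file gives the “daily scan diffs” from page 10; the triage column is what makes the export useful next to your own scanner's output rather than a second list of IPs.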

Page 11: Shodan Search Engine: Amphion Forum San Francisco
Page 12: Shodan Search Engine: Amphion Forum San Francisco
Page 13: Shodan Search Engine: Amphion Forum San Francisco

Sp00ky Findings

● The following information details sensitive devices exposed on the Internet

● Please exercise discretion and restraint regarding further disclosure of these devices and issues

● Several findings are still in varying phases of resolution and remediation; unfortunately, some may never be resolved

● All are in SHINE and reported to ICS-CERT

Page 14: Shodan Search Engine: Amphion Forum San Francisco

S2 Security NetBox

● DefCon 2010 talk: “We don't need no stinkin' badges”

– Building Door Access Controllers (Web Based)

– Multiple CVEs, complete compromise of device, S2 Security vendor threatened to sue me, even blocked my Twitter follow...

– Real value of Shodan

  ● Proved not “deep inside corporate network” (Today 800+)

“When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare”

– John Moss, CEO of S2 Security

Page 15: Shodan Search Engine: Amphion Forum San Francisco

VoIP Phones

● Lots of VoIP phones: individual, conference, video

● Late 2010 I focused on Snom

– VOIPSA blog

  ● Remote tap script: call via phone's web server, record call, etc.

  ● Hard to find open Snom now – Exposure + tool works

Page 16: Shodan Search Engine: Amphion Forum San Francisco

No Auth Cisco Routers & Switches

● "cisco-ios" "last-modified"

– 10,469 devices with HTTP No authentication TODAY

– Level 15 access via HTTP

  ● “ip http authentication local” would lock down web server

  ● 3rd party attack example: TinyURL commands to Twitter
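An added example for this slide, not code from the talk or from Cisco: a small audit of running-config text for the condition described above, the IOS web server enabled with no `ip http authentication` method, so the device relies on its default. The two configs are constructed, and the check assumes that a config with neither `ip http server` nor `ip http secure-server` has the web server off (confirm on the box with `show ip http server status` rather than trusting the text alone).

```python
"""Flag Cisco IOS configs whose web server is reachable without authentication.

Added example for this transcript; not code from the talk or from Cisco.  It
inspects running-config text for the condition the slide describes: the IOS
HTTP server enabled with no 'ip http authentication' method configured.  The
two configs below are constructed.  Assumption: a config with neither
'ip http server' nor 'ip http secure-server' has the web server off; verify on
the device with 'show ip http server status'.
"""
import re
from typing import List

# Constructed: the kind of config behind the "no auth" hits on the slide.
EXPOSED = """\
hostname edge-rtr
!
ip http server
!
line vty 0 4
 transport input telnet
"""

# Constructed: the same device after applying the slide's advice.
HARDENED = """\
hostname edge-rtr
!
username netops privilege 15 secret PLACEHOLDER_SECRET
!
no ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""


def audit_http(config: str) -> List[str]:
    """Return remediation findings for the HTTP/HTTPS management server.

    An empty list means no web-server exposure was found in the text.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    auth_lines = [ln for ln in lines if ln.startswith("ip http authentication ")]
    has_user = any(re.match(r"username \S+ ", ln) for ln in lines)

    findings: List[str] = []
    if not (http_on or https_on):
        return findings  # web server off (see module docstring for the caveat)
    if http_on:
        findings.append("clear-text HTTP management is enabled: "
                        "replace 'ip http server' with 'ip http secure-server'")
    if not auth_lines:
        findings.append("no 'ip http authentication' method is configured: "
                        "add 'ip http authentication local' (or an aaa method) "
                        "as the slide advises")
    elif any(ln.endswith(" local") for ln in auth_lines) and not has_user:
        findings.append("'ip http authentication local' is set but no "
                        "'username' exists: add a local user or logins will fail")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(f"{name}:", audit_http(cfg) or ["ok"])
```

Run it over a directory of backed-up configs and the output is the list of devices that would show up under the `"cisco-ios" "last-modified"` search above before Shodan finds them for you.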

Page 17: Shodan Search Engine: Amphion Forum San Francisco

No Auth Cisco Devices in Iran

● “School of Particles and Accelerators” in Tehran, Iran

– Who might be interested in this?

– Honeypot?

Page 18: Shodan Search Engine: Amphion Forum San Francisco

Cisco Wireless LAN Controllers

Page 19: Shodan Search Engine: Amphion Forum San Francisco

Banners Bite Back

● “Best practices” warning banners = easy fingerprinting

● Swisscom and hotel routers (1200+)

– Warning banner has company name and hotel location

– Telnet for access. No SSH.

  ● If they run their routers like this - what other poor practices?

Page 20: Shodan Search Engine: Amphion Forum San Francisco

Banners Bite Back

● Swisscom Miami Convention Center Routers

Page 21: Shodan Search Engine: Amphion Forum San Francisco

Telnet To Root On Linux Devices

● TV, DVR, home routers, VoIP phones, refrigerators, etc.

● Botnets have leveraged this already (Carna, Aidra)

Page 22: Shodan Search Engine: Amphion Forum San Francisco

WebCams

● Huge numbers, all kinds of uses

– Personal, Office, Business, Security, SCADA

● See Dan Tentler's talks and tools

– Camcreep.py

  ● Auto screenshot via CLI

  ● wkhtmltoimage

Page 23: Shodan Search Engine: Amphion Forum San Francisco

Printers on Public IP

● Technical Risks

– MFP = Multi-function Printer (FAX, Scan, Email, Storage)

● Advanced research (Andrei Costin, Ph.D - Milan, Italy)

– Access docs, change configs, attack via printed document

● Risks

– Print from anywhere, Web printing, run out of paper, ink

– Social engineering: how bad could a printer on the Internet be?

Page 24: Shodan Search Engine: Amphion Forum San Francisco

Printer Case Study: Penn State

One line of code to print: nc target_ip 9100 < kiddy_porn_image

Page 25: Shodan Search Engine: Amphion Forum San Francisco

Siemens HMI SCADA Examples

Page 26: Shodan Search Engine: Amphion Forum San Francisco

Power Meter via HTTP

Page 27: Shodan Search Engine: Amphion Forum San Francisco

High Profile HVAC Controllers

Sidwell Friends School, Washington DC (HVAC, Lights, Doors)

Page 28: Shodan Search Engine: Amphion Forum San Francisco

FBI Newark Office: Niagara Memo

Page 29: Shodan Search Engine: Amphion Forum San Francisco

Crematorium on Public IP

● Siemens HMI

– VNC default pass “100”, no auth Telnet, MD5 passwords

– Same system as “pr0f” South Houston SCADA hack (11/2011)

Page 30: Shodan Search Engine: Amphion Forum San Francisco

Embassy Network Devices

● Question: What's running telnet in country X with “embassy” in name?

● Cuts both ways...

Page 31: Shodan Search Engine: Amphion Forum San Francisco

Cisco Lawful Intercept

● Cisco routers with LI special code and SNMP public

“LI User” = level 16 super-duper Cisco admin level. Supposed to be invisible to any other user. Taps supposed to use encrypted SNMPv3 for secure Mediation Device comms.

Page 32: Shodan Search Engine: Amphion Forum San Francisco

BlueCoat

● BlueCoat surveillance devices and human rights impact

– Syria (and other regimes)

  ● Tracking + interception of dissidents' communications

  ● “Chilling effect” to “Killing effect”

– ITAR export violations

– See Munk School report

Page 33: Shodan Search Engine: Amphion Forum San Francisco

75+ US TV Stations' Antennas

● TV station antenna controllers w/ no auth (telnet or http)

– Looks like simple home NAS or DVR (Windows CE)

● Multi-step search technique to find them

– (1) Shodan, (2) scan for unique TCP port

– Sent ICS-CERT report of issues, IP, geolocation, FCC info, etc.

Page 34: Shodan Search Engine: Amphion Forum San Francisco

CacheTalk Safes

Page 35: Shodan Search Engine: Amphion Forum San Francisco

Econolite Traffic Light Controller

● Yes, it is what you think.

Page 36: Shodan Search Engine: Amphion Forum San Francisco

Red Light Enforcement Cameras

● Delete those pesky speeding tickets!

Page 37: Shodan Search Engine: Amphion Forum San Francisco

500+ Gas Station Pumps in Turkey

Page 38: Shodan Search Engine: Amphion Forum San Francisco

950+ Cellular Tower Hydrogen Fuel Cell Power Controllers in Italy

Page 39: Shodan Search Engine: Amphion Forum San Francisco

Caterpillar VIMS

● Web based remote monitoring (control?) over cell modem

● CAT 79X series are largest trucks in world

● 80+ in Alberta, Canada working tar sands

● Poor vendor response (contacted by lawyer...not engineer)

Page 40: Shodan Search Engine: Amphion Forum San Francisco

Medical Devices, EHRs

● Reported 1st medical devices on public IP to ICS-CERT

– Glucose monitor base-station (Roche)

– Fetal monitoring remote access solution (Philips)

● Increasing numbers of EHR “patient portals” (EPIC MyChart)

Page 41: Shodan Search Engine: Amphion Forum San Francisco

Thanks!

● Contact

– Email: [email protected]

– Twitter @shawnmer

– LinkedIn MedSec group

Special Shodan package for Amphion Forum!

1. Register for free Shodan account

2. Login, and then activate by visiting unique URL:

http://www.shodanhq.com/amphion