SANS Penetration Testing

Getting the Most Out of Shodan Searches

By Joshua Wright and Jeff McJunkin

Shodan is a search engine that takes a distinct departure from most Internet search engines. Instead of searching through content intentionally served up and delivered to web browsers, Shodan allows us to search for Internet-connected devices. Created by John Matherly, Shodan uses distributed scanners throughout the world to randomly select target IP addresses and identify listening TCP and UDP ports. Listening ports are further enumerated to gather protocol banners, web pages, and other service data. All of this data is then added to an enormous, searchable database that describes the "what" of Internet devices.

Shodan's search feature is powerful, allowing us to specify generic terms such as "camera" or even a specific part number such as "WVC80N" and quickly identify the devices that match.

Beyond the web interface, Shodan offers a full-featured API and command-line tools to search and parse the Internet-device results. In this article we'll focus on using the web interface for effective device searches, as well as tips to use Shodan in your next penetration test.

Default Search Behavior

By default, Shodan's website search feature will use a search term as an exact expression in a string match. Shodan does not do incomplete word matching (e.g. "WVC80" will not return matches against "WVC80N"), and will treat multiple words as a logical AND expression. Common words (a, and, by, the, is, on, it) are ignored.

The basic search will perform string matching against server banner information without searching through additional protocol metadata that is also gathered about the discovered devices. The Shodan documentation doesn't disclose exactly what protocol data is used in the default search, but empirical analysis indicates that it includes at least the following:

  • HTTP header information
  • HTTPS header and certificate information
  • Several gaming server banners (Steam's A2S, Minecraft, and more)
  • FTP banners
  • NetBIOS server banner
  • SSH header and server key data
  • Telnet banner
  • SMTP banner
  • NTP banner
  • SIP/VoIP banner
  • DNS server configuration settings
  • And more!

Metadata about a service is not searched by default. This list includes:

  • HTML title tag content
  • HTML header and body content
  • Physical location (via IP geolocation)
  • Autonomous System Number (ASN)
  • Internet Service Provider (by name, such as "Verizon Wireless")

Shodan Search Operators

To perform more advanced searches using Shodan, we can apply search operators. Search operators are only available to registered users. It's free to create an account, which will also give you an API key for use with Shodan's command-line tool.

Once you are logged in, you can apply additional search modifiers to focus your search. Search operators include:

  • title: Search the content scraped from the HTML title tag
  • html: Search the full HTML content of the returned page
  • product: Search the name of the software or product identified in the banner
  • net: Search a given netblock (example: 204.51.94.79/18)
  • version: Search the version of the product
  • port: Search for a specific port or ports
  • os: Search for a specific operating system name
  • country: Search for results in a given country (2-letter code)
  • city: Search for results in a given city

Some filters allow multiple values, such as "postal:97201,97202".

By default, multiple search terms are treated as Boolean AND expressions. You can also negate a particular prefix with the "!" character at the beginning of the search operator. For example, to search for machines running Outlook Web Access on ports other than 80 and 443, you can combine the title and port operators as follows:

Search query: title:"Outlook Web Access" !port:443,80
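To make the search rules above concrete (exact-token banner matching with no partial-word hits, stop words dropped, terms AND-ed, operator filters with comma-separated values and "!" negation), here is a small offline emulation written for this article. It is an added example, not code from SANS or from Shodan; the records are constructed sample data shaped like a subset of Shodan's banner fields, and the matching rules are an approximation of the behaviour described in the text rather than Shodan's actual implementation.

```python
"""Offline emulation of the Shodan query semantics the article describes:
banner terms match as exact tokens (no partial-word matching), common words
are dropped, multiple terms are AND-ed, and operator filters such as
title:, port: and net: accept comma-separated values and "!" negation.
The records below are constructed sample data, not real Shodan output."""
import ipaddress
import re
import shlex

# Common words the article says the default search ignores.
STOPWORDS = {"a", "and", "by", "the", "is", "on", "it"}

# Constructed sample records, shaped like a subset of Shodan's banner fields.
SAMPLE_RECORDS = [
    {"ip_str": "100.10.23.17", "port": 80, "product": "Microsoft IIS httpd",
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/5.0\r\n",
     "http": {"title": "Microsoft Outlook Web Access"}},
    {"ip_str": "100.10.23.44", "port": 8080, "product": "Microsoft IIS httpd",
     "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n",
     "http": {"title": "Outlook Web Access"}},
    {"ip_str": "100.10.23.200", "port": 443, "product": "nginx",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n",
     "http": {"title": "Outlook Web Access"}},
    {"ip_str": "198.51.100.9", "port": 80, "product": "Linksys WVC80N",
     "data": "HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"WVC80N\"\r\n",
     "http": {"title": "WVC80N"}},
    {"ip_str": "203.0.113.5", "port": 21, "product": "vsftpd",
     "data": "220 (vsFTPd 3.0.3)\r\n", "http": {}},
]


def exact_term_in(text, term):
    """True if term occurs in text as a whole token (case-insensitive).
    'WVC80' does not match 'WVC80N' because an alphanumeric follows it."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def parse_query(query):
    """Split a query into free-text terms and (negated, field, values) filters."""
    terms, filters = [], []
    for tok in shlex.split(query):  # keeps "Outlook Web Access" together
        m = re.match(r"^(!|-)?([a-z_]+):(.+)$", tok)
        if m:
            negated, field, raw = m.group(1) is not None, m.group(2), m.group(3)
            filters.append((negated, field, raw.split(",")))
        elif tok.lower() not in STOPWORDS:
            terms.append(tok)
    return terms, filters


def filter_matches(record, field, values):
    """Evaluate one operator against a record; multiple values are OR-ed."""
    if field == "port":
        return str(record["port"]) in values
    if field == "net":
        ip = ipaddress.ip_address(record["ip_str"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if field == "title":
        title = record.get("http", {}).get("title", "")
        return any(exact_term_in(title, v) for v in values)
    if field in ("product", "version", "os", "org", "country", "city"):
        return any(str(record.get(field, "")).lower() == v.lower() for v in values)
    raise ValueError(f"unsupported filter: {field}")


def search(records, query):
    """Return records where every term hits the banner and every filter holds
    (a '!' or '-' filter holds when its operator does NOT match)."""
    terms, filters = parse_query(query)
    hits = []
    for rec in records:
        if not all(exact_term_in(rec["data"], t) for t in terms):
            continue
        if all(filter_matches(rec, f, v) != neg for neg, f, v in filters):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for q in ('title:"Outlook Web Access" !port:443,80',
              "WVC80", "WVC80N",
              "net:100.10.23.0/24 unauthorized"):
        print(q, "->", [f"{r['ip_str']}:{r['port']}" for r in search(SAMPLE_RECORDS, q)])
```

Running the article's OWA query against the sample data returns only the host on port 8080, because the hosts on 80 and 443 are excluded by the negated port filter; "WVC80" returns nothing while "WVC80N" returns the camera record, which is the partial-word rule in action. Against the real service the same query strings go to the official shodan Python package via `shodan.Shodan(api_key).search(query)`.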

Applying Shodan in your Pen Test

It's easy to disregard Shodan as offering functionality to find vulnerable devices: an opportunistic attack tool. However, to do so is to overlook the benefits that Shodan can offer you and your customers in a penetration test.

Answering Questions About Similar Vulnerabilities
When putting together a report for a customer, I try to answer the inevitable question "How many others are similarly vulnerable?" Sometimes this question is an attempt to justify a vulnerable configuration as commonplace or industry standard, or a defensive mechanism for explaining why they continue to run Outlook Web Access on an IIS 5.0 server.

Using Shodan, you can quickly use the search criteria described in this article to answer that question. At the time of this writing, there appear to be no fewer than 18 publicly accessible IIS/5.0 servers running Outlook Web Access. Adding this level of detail to a penetration test report can help your customer to better understand the nature of the risk in the context of other similar configurations.

Search query: Microsoft-IIS/4.0 title:"outlook web"

Scoping Targets by Network
Shodan can quickly disclose information about target devices scoped to a specific range of IP addresses. This can be useful for helping to get a quick understanding of your customer's assets and the services on those assets as known to Shodan.

For example, this author's office Internet access uses IP addresses in the 100.10.23.0/24 block through Verizon FIOS. I can ask Shodan how many people with IP addresses in my network also have their routers available for remote authentication and access. Apparently, it's far too many.

Search query: net:100.10.23.0/24 unauthorized

Scoping Targets Without IP Ranges
Sometimes the point of contact you are working with to scope your penetration test might not be aware of the company's entire web presence. By searching for identifying features of the website (such as the copyright notice), you may be able to find lesser-known sites for a given organization.

As a penetration tester, identifying targets owned by the organization that it doesn't know about allows you to clearly demonstrate your value and usefulness as a security analyst.

For example, a search for html:"eBay Inc. All Rights Reserved" shows a small number of sites (eBay has excluded a lot of their web properties from Shodan) that may not be as well known:

Search query: html:"eBay Inc. All Right Reserved"

If your target is large enough to have Regional Internet Registry allocations (where the WHOIS information reflects the organization name), you can combine negative searches to exclude the known ranges with the html filter (searching for copyright or other unique strings) or the "org" filter.

Search query: title:"eBay Deals" -org:"EBAY"
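The two scoping techniques above (summarizing what Shodan knows inside a declared netblock, and surfacing hosts outside it that still carry the organization's fingerprint in the HTML or org field) come together in the following reconciliation script. It is an added example written for this article, not SANS or Shodan code; the declared scope, the "Example Corp" organization name, the copyright string and every result record are constructed placeholders standing in for what a real engagement would supply.

```python
"""Reconcile Shodan-style results against the scope a customer declared.
Hosts inside the declared netblocks are summarized per host for the report;
hosts outside them that still carry the customer's fingerprint (a copyright
string in the HTML, or the customer's name in the org field) are flagged as
undeclared assets to confirm with the point of contact. All results below are
constructed sample data, not real Shodan output; "Example Corp" is a placeholder."""
import ipaddress
from collections import defaultdict

DECLARED_SCOPE = ["100.10.23.0/24"]                  # constructed: what the customer gave us
CUSTOMER_ORG = "Example Corp"                         # placeholder organization name
COPYRIGHT_MARK = "Example Corp. All Rights Reserved"  # placeholder footer string

SAMPLE_RESULTS = [
    {"ip_str": "100.10.23.17", "port": 443, "product": "Microsoft IIS httpd", "org": "Example Corp",
     "http": {"title": "Outlook Web Access", "html": "<footer>(c) Example Corp. All Rights Reserved</footer>"}},
    {"ip_str": "100.10.23.17", "port": 22, "product": "OpenSSH", "org": "Example Corp", "http": {}},
    {"ip_str": "100.10.23.88", "port": 80, "product": "Apache httpd", "org": "Example Corp",
     "http": {"title": "Intranet", "html": "<h1>Intranet</h1>"}},
    {"ip_str": "203.0.113.40", "port": 443, "product": "nginx", "org": "Cloud Hosting LLC",
     "http": {"title": "Example Corp Deals", "html": "<p>(c) Example Corp. All Rights Reserved</p>"}},
    {"ip_str": "198.51.100.7", "port": 8443, "product": "Apache Tomcat", "org": "Example Corp Ltd",
     "http": {"title": "Login", "html": "<form>...</form>"}},
    {"ip_str": "192.0.2.250", "port": 80, "product": "lighttpd", "org": "Unrelated ISP",
     "http": {"title": "Welcome", "html": "<p>(c) Someone Else</p>"}},
]


def in_declared_scope(ip_str, networks):
    """True if the address falls inside any of the customer's declared netblocks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def reconcile(results, declared, org_name, copyright_mark):
    """Return (per-host services inside scope, undeclared host -> evidence list)."""
    declared_hosts = defaultdict(set)
    undeclared = defaultdict(list)
    for r in results:
        ip = r["ip_str"]
        if in_declared_scope(ip, declared):
            declared_hosts[ip].add((r["port"], r["product"]))
            continue
        # Outside the declared ranges: keep it only if something ties it to the customer.
        evidence = []
        if copyright_mark.lower() in r.get("http", {}).get("html", "").lower():
            evidence.append(f"html contains '{copyright_mark}'")
        if org_name.lower() in r.get("org", "").lower():
            evidence.append(f"org field '{r['org']}' names the customer")
        if evidence:
            undeclared[ip].append(f"{r['port']}/{r['product']}: " + "; ".join(evidence))
    return {ip: sorted(s) for ip, s in declared_hosts.items()}, dict(undeclared)


def render_report(declared_hosts, undeclared):
    """Plain-text summary suitable for pasting into a report appendix."""
    lines = ["Services known to Shodan inside declared scope:"]
    for ip in sorted(declared_hosts, key=ipaddress.ip_address):
        svc = ", ".join(f"{port}/{product}" for port, product in declared_hosts[ip])
        lines.append(f"  {ip}: {svc}")
    lines.append("Hosts outside declared scope that look like the customer's (confirm ownership):")
    for ip in sorted(undeclared, key=ipaddress.ip_address):
        for item in undeclared[ip]:
            lines.append(f"  {ip} {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(*reconcile(SAMPLE_RESULTS, DECLARED_SCOPE, CUSTOMER_ORG, COPYRIGHT_MARK)))
```

On the sample data the two in-scope hosts are summarized with their ports and products, the nginx host on a third-party hosting range is flagged because of its copyright footer, and the Tomcat host is flagged because its org field contains the customer's name; the unrelated lighttpd host is dropped. Hosts in the second group are questions for the point of contact, not targets, until ownership is confirmed in writing.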

Shodan and You

Using the power of Shodan and some creative thinking, you can provide additional value to your penetration tests. Use some of these ideas in your next pen test and see if you can find some targets that were supposed to be in scope, but weren't! Above all, have fun discovering new things on the Internet and providing more value to target system personnel.

-Josh Wright and Jeff McJunkin


SANS Note:

Josh Wright is teaching SANS SEC575: Mobile Device Security and Ethical Hacking in Tysons Corner, VA in October 2017. Or you can take SEC575 anytime with Josh OnDemand, with 4 months of access to course materials and hands-on labs.

SANS Pen Test HackFest 2017

  • 2-Day Penetration Testing & Ethical Hacking Summit w/ 20+ Speakers
  • 3-Nights of SANS NetWars CTF w/ Coin-A-Palooza, your chance to earn up to five SANS Pen Test Challenge Coins
  • 1-Night of SANS CyberCity Missions - Hack/Defend a Modern City
  • Special Field Trip Experience for all Summit Attendees
  • 9 SANS Training Courses - 6-days of amazing SANS Training
  • https://www.sans.org/hackfest
