By: Walker Rowe, January 26, 2017 (09:40 AM)

Shodan: The Hacker’s Device Search Engine

Shodan IoT Search Engine

There is a tool on the internet that is nothing short of incredible: Shodan. It is often characterized as a search engine for hackers, but it has legitimate uses as well, such as testing one's own defenses and finding the services one's own network exposes to the world.

What Shodan does is connect to every internet-facing device it can reach and record what type of device it is, what software and version it is running, and as much configuration detail as the device gives away. It covers consumer and business network gear, server software, and industrial equipment.


A hacker can use Shodan for different purposes. For example, it can find:

  • Web sites and other software that still use the default password.
  • Web servers that have not been patched for the Heartbleed bug.
  • MongoDB databases that do not require a password.
  • Any other device or service whose specific security flaw shows up in its banner.

For example, here is part of the Shodan report on a web server with the Heartbleed bug. (Heartbleed lets an attacker read chunks of the server's memory, which can include private keys, session cookies and other data that was supposed to stay encrypted.)

{
"opts": {
"heartbleed": "... 174.X.X.X:8443 - VULNERABLE\n",
"vulns": ["CVE-2014-0160"]
}
}

The way Shodan works is that it generates random IP addresses and probes the ports used by specific software. Most of the very long list of software that IT runs has a well-known port assigned to it, so knowing the port gives a strong hint of what is running there. Even when a service runs on a non-standard port, Shodan can usually identify it from the banner the server sends back when a connection is opened.

Shodan stores the results in a database that is continually updated. The search interface has a set of filters that let the user home in on a very specific set of servers.

MongoDB Ransomware

Take a look. If you open this link:

https://www.shodan.io/search?query=mongodb

it will show you every MongoDB database Shodan has found connected to the internet, anywhere in the world.

Shodan query of MongoDB databases


There is a nice summary by country, by organization, by operating system, and so on.

Then click on any of the IP addresses listed to get further details on that host and port:

Shodan results for an instance of MongoDB

That is a MongoDB database hosted on Google's network in Mountain View, CA. As you can see, when Shodan queried it the server volunteered its configuration details; those are shown on the right in JSON format.

The reason we mention MongoDB is that attackers recently discovered they can take over exposed MongoDB databases with very little effort: the default configuration of older releases listens on every network interface with no user ID or password. So they have been dumping or simply deleting the contents of exposed databases and leaving behind only a note with the email address where the victim can pay the ransom if they want their data back. In many cases the data was never copied before it was deleted, so paying recovers nothing. The fix is to bind mongod to localhost or a private interface (bindIp in mongod.conf) and to turn on security.authorization so every client must authenticate.

Better than a Port Scan

The traditional way to scan the internet is with a port scanner. A port scan probes IP addresses to find which ports are open; from that you can infer what software is running there. For example, port 80 is usually a web server and port 22 is usually SSH. But a port scanner just lists that information in a hard-to-read format, and it does not keep its results in a searchable database. Shodan adds graphical features such as a map showing where the devices are located. It records the banner and header information each service returns, which reveals in detail what is there. It tries, for example, to negotiate with servers using every version of SSL/TLS to see whether they still accept a weak one. It indexes the collected metadata so that users can search with words like "MongoDB" and "password". And it gathers all of this continuously, which means a new search does not have to scan the whole internet: results come back fast and reasonably up to date.

Where Does it Get Its Info?

Shodan knows what kind of device it has connected to. It uses nmap and other tools to determine that, and most devices volunteer specific details as soon as a client connects. Shodan can tell a camera from a printer or a Wi-Fi router. It even saves screenshots of webcams and of Windows remote desktop login screens. All of that is what makes the tool so perilous in the wrong hands, and there are no controls on who can use it. Once they find something vulnerable, attackers look through their bag of tricks and deploy whatever attack works against that server or device type and version.

Here, for example, are the HTTP response headers a web server sends back with any page it serves. The Server header gives the web server type and version:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive

Here is a query run against an industrial PLC (programmable logic controller). These operate machines in a factory. The banner gives the module type, serial number, firmware version, and other details that help flag any known vulnerability:

Copyright: Original Siemens Equipment
PLC name: S7_Turbine
Module type: CPU 313C
Unknown (129): Boot Loader A
Module: 6ES7 313-5BG04-0AB0 v.0.3
Basic Firmware: v.3.3.8
Module name: CPU 313C
Serial number of module: S Q-D9U083642013
Plant identification:
Basic Hardware: 6ES7 313-5BG04-0AB0 v.0.3
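The two banners above are plain text, but a tool like Shodan only becomes useful once that text is turned into fields it can index and compare. The following is an added example, not Shodan's code: it parses both banners shown on this page (copied verbatim) into product, version and the remaining key/value fields, and compares the version against a baseline the caller supplies. The baseline values used in the demo are placeholders chosen for illustration, not a claim that nginx 1.1.19 or firmware 3.3.8 carries a particular flaw.

```python
"""Parse raw service banners (an HTTP response header block and a Siemens S7
identification banner) into product, version and other fields.

Added example; the banners are copied from the page, the code is not Shodan's.
"""
import re
from dataclasses import dataclass, field

HTTP_BANNER = """HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive
"""

S7_BANNER = """Copyright: Original Siemens Equipment
PLC name: S7_Turbine
Module type: CPU 313C
Unknown (129): Boot Loader A
Module: 6ES7 313-5BG04-0AB0 v.0.3
Basic Firmware: v.3.3.8
Module name: CPU 313C
Serial number of module: S Q-D9U083642013
Plant identification:
Basic Hardware: 6ES7 313-5BG04-0AB0 v.0.3
"""


@dataclass
class Fingerprint:
    kind: str                 # "http", "s7" or "unknown"
    product: str = ""
    version: str = ""
    fields: dict = field(default_factory=dict)   # every "Key: value" line


def parse_kv(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip().lower()] = value.strip()
    return out


def fingerprint(banner):
    """Identify the banner type from its shape and pull out product/version."""
    lines = banner.strip().splitlines()
    if not lines:
        return Fingerprint("unknown")
    if re.match(r"HTTP/\d\.\d \d{3}", lines[0]):
        hdrs = parse_kv("\n".join(lines[1:]))
        product, _, version = hdrs.get("server", "").partition("/")
        return Fingerprint("http", product, version, hdrs)
    kv = parse_kv(banner)
    if "basic firmware" in kv and "module" in kv:
        # "Module: 6ES7 313-5BG04-0AB0 v.0.3" -> order number, then hardware revision
        kv["order number"] = kv["module"].split(" v.")[0]
        version = re.sub(r"^v\.", "", kv["basic firmware"])
        return Fingerprint("s7", kv.get("module type", ""), version, kv)
    return Fingerprint("unknown", fields=kv)


def version_tuple(v):
    """'1.1.19' -> (1, 1, 19); non-numeric parts are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_older_than(fp, baseline):
    """True when the fingerprinted version is strictly below the caller's baseline
    (the baseline is the caller's placeholder, not a vulnerability database)."""
    return version_tuple(fp.version) < version_tuple(baseline)


if __name__ == "__main__":
    for raw in (HTTP_BANNER, S7_BANNER):
        fp = fingerprint(raw)
        print(fp.kind, fp.product, fp.version)
```

The defensive lesson is the same one Shodan's index teaches: anything in these banners is available to everyone. For nginx, `server_tokens off;` in the configuration drops the version from the Server header; for a PLC there is usually no such switch, so the only real control is to keep it off the public internet.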

Shodan Search Syntax

Shodan has a full search syntax, and users can save their searches for others to use. For example, here is how to search for web servers in Sweden that still accept SSL version 3 and have the CVE-2014-0160 (Heartbleed) vulnerability:

vuln:CVE-2014-0160 country:se ssl.version:sslv3

The user can run it on the web, or install the command line client and use that. There is also an API, browser plugins for Chrome and Firefox, and a Metasploit module. That is a white hat hacker's toolkit, although it certainly can be used for malicious purposes as well.

Shodan APIs

Shodan is free to use with limits, or the user can unlock more features by paying $49. Users can buy credits to download search results in XML, JSON, or CSV format for a fee, and the instruction manual costs $4.99.

Shodan as a defense mechanism

Shodan can be used alongside Metasploit to probe one's own security. The net: filter restricts a search to a specific subnet, so you can check exactly the part of your network that faces the internet. One caveat: Shodan, whether used on the web or from the command line, only sees what is reachable from the public internet, so private internal addresses (10.x, 172.16-31.x, 192.168.x) are never in its index. What the command line client adds is the ability to request an on-demand scan of your own public address range (shodan scan submit), so the results reflect what is exposed now rather than whatever the last crawl happened to find. Those looking to test their own exposure would want to use that, and pair it with a local scanner such as nmap for the internal side.
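Both the search syntax described earlier (vuln:, country:, ssl.version: filters plus free-text words) and the defensive use of the net: filter above come down to the same thing: evaluating filters against the banner records Shodan returns. The following is an added example, not Shodan's code and not the shodan Python package: it implements those filters locally over three constructed records whose layout mirrors the banner JSON Shodan returns (ip_str, port, location.country_code, ssl.versions with a leading "-" marking a version the server refused, opts.vulns as shown in the Heartbleed excerpt on this page), and then audits a subnet the way a defender would. The sample addresses are from the documentation ranges; the assumption that a banner carrying a MongoDB server-status dump means the database answered without credentials is marked in the code.

```python
"""Evaluate Shodan-style search filters locally and audit one's own public subnet.

Added example: the filter names follow Shodan's public search syntax and the
record layout mirrors Shodan's banner JSON, but the records are constructed for
the demo and the code is not Shodan's.
"""
import ipaddress

RECORDS = [
    {  # constructed: nginx in Sweden, still accepts SSLv3, failed the Heartbleed probe
        "ip_str": "198.51.100.7", "port": 443, "product": "nginx",
        "location": {"country_code": "SE"},
        "ssl": {"versions": ["-SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "-TLSv1.2"]},
        "opts": {"heartbleed": "... 198.51.100.7:443 - VULNERABLE\n",
                 "vulns": ["CVE-2014-0160"]},
        "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.1.19\r\n",
    },
    {  # constructed: patched nginx in Sweden, SSLv3 disabled
        "ip_str": "198.51.100.9", "port": 443, "product": "nginx",
        "location": {"country_code": "SE"},
        "ssl": {"versions": ["-SSLv2", "-SSLv3", "TLSv1.2"]},
        "opts": {},
        "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n",
    },
    {  # constructed: MongoDB that returned its server status to an anonymous client
        "ip_str": "203.0.113.42", "port": 27017, "product": "MongoDB",
        "location": {"country_code": "US"},
        "opts": {},
        "data": 'MongoDB Server Information\n{ "version": "3.2.11" }\n',
    },
]

# Address space Shodan's crawlers can never reach: private, loopback, link-local.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def parse_query(query):
    """Split 'vuln:CVE-2014-0160 country:se password' into filter pairs and
    free-text words (words are matched against the raw banner text)."""
    filters, words = [], []
    for tok in query.split():
        if ":" in tok:
            key, value = tok.split(":", 1)
            filters.append((key.lower(), value))
        else:
            words.append(tok.lower())
    return filters, words


def _vulns(rec):
    # Newer banners carry a top-level "vulns" keyed by CVE; the page's sample
    # shows the older opts.vulns list. Accept either.
    return list(rec.get("vulns") or rec.get("opts", {}).get("vulns", []))


def _accepted_ssl(rec):
    return [v.lower() for v in rec.get("ssl", {}).get("versions", [])
            if not v.startswith("-")]


def _matches(rec, key, value):
    v = value.lower()
    if key == "vuln":
        return value.upper() in [c.upper() for c in _vulns(rec)]
    if key == "country":
        return rec["location"]["country_code"].lower() == v
    if key == "ssl.version":
        return v in _accepted_ssl(rec)
    if key == "net":
        return ipaddress.ip_address(rec["ip_str"]) in ipaddress.ip_network(value, strict=False)
    if key == "port":
        return rec["port"] == int(value)
    if key == "product":
        return rec.get("product", "").lower() == v
    raise ValueError(f"unsupported filter: {key}")


def search(records, query):
    """Return the records satisfying every filter and containing every free word."""
    filters, words = parse_query(query)
    return [rec for rec in records
            if all(_matches(rec, k, v) for k, v in filters)
            and all(w in rec.get("data", "").lower() for w in words)]


def audit_subnet(records, cidr):
    """Defender's view of one public range: (ip, port, flags) per indexed service.
    Refuses internal ranges, which Shodan cannot see from the internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.overlaps(u) for u in UNROUTABLE):
        raise ValueError(f"{cidr} is not reachable from the internet; scan it locally")
    findings = []
    for rec in search(records, f"net:{cidr}"):
        flags = []
        if _vulns(rec):
            flags.append("vulns:" + ",".join(_vulns(rec)))
        if "sslv3" in _accepted_ssl(rec):
            flags.append("accepts-sslv3")
        # Assumption: a server-status dump in the banner means the database
        # answered without credentials.
        if "mongodb server information" in rec.get("data", "").lower():
            flags.append("mongodb-no-auth")
        findings.append((rec["ip_str"], rec["port"], flags))
    return findings


if __name__ == "__main__":
    print([r["ip_str"] for r in search(RECORDS, "vuln:CVE-2014-0160 country:se ssl.version:sslv3")])
    for ip, port, flags in audit_subnet(RECORDS, "198.51.100.0/24"):
        print(ip, port, flags or "clean")
```

Against the real service the same query strings go to the command line client (shodan search ...) or to the search method of the shodan Python package, which returns the matching banners as JSON in this shape; the audit loop then runs unchanged over those records instead of the constructed ones.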

Walker Rowe

Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website SouthernPacificReview.com.

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
