Scribd Logo
Upload

Welcome to Scribd!

  • 103 views

    Shodan For Penetration Testers: Michael "Theprez98" Schearer

    Uploaded by

    Yamil Medina Carvacho
    SHODAN is a search engine that indexes banners from devices that respond to port scans, allowing users to search for unauthenticated or default credentialed devices. The document discusses how penetration testers can use SHODAN to identify vulnerable devices like Cisco routers with default credentials or unauthenticated access. Case studies demonstrate exploiting infrastructure through SHODAN searches for default passwords and exposing configuration pages. While useful for penetration testing, ethical issues around authentication are discussed.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd

    Shodan For Penetration Testers: Michael "Theprez98" Schearer

    Uploaded by

    Yamil Medina Carvacho
    103 views79 pages
    SHODAN is a search engine that indexes banners from devices that respond to port scans, allowing users to search for unauthenticated or default credentialed devices. The document discusses how penetration testers can use SHODAN to identify vulnerable devices like Cisco routers with default credentials or unauthenticated access. Case studies demonstrate exploiting infrastructure through SHODAN searches for default passwords and exposing configuration pages. While useful for penetration testing, ethical issues around authentication are discussed.

    Original Title

    schearer-shodan

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    SHODAN is a search engine that indexes banners from devices that respond to port scans, allowing users to search for unauthenticated or default credentialed devices. The document discusses how penetration testers can use SHODAN to identify vulnerable devices like Cisco routers with default credentials or unauthenticated access. Case studies demonstrate exploiting infrastructure through SHODAN searches for default passwords and exposing configuration pages. While useful for penetration testing, ethical issues around authentication are discussed.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    103 views79 pages

    Shodan For Penetration Testers: Michael "Theprez98" Schearer

    Uploaded by

    Yamil Medina Carvacho
    SHODAN is a search engine that indexes banners from devices that respond to port scans, allowing users to search for unauthenticated or default credentialed devices. The document discusses how penetration testers can use SHODAN to identify vulnerable devices like Cisco routers with default credentials or unauthenticated access. Case studies demonstrate exploiting infrastructure through SHODAN searches for default passwords and exposing configuration pages. While useful for penetration testing, ethical issues around authentication are discussed.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 79

    SHODAN for Penetration Testers

    Michael theprez98 Schearer

    SHODAN for Penetration Testers


    What is SHODAN? Basic Operations Penetration Testing Case Study 1: Cisco Devices Case Study 2: Default Passwords Case Study 3: Infrastructure Exploitation Other Examples The Future Conclusions

    By pen testing, I mean


    Black/gray/white Ethical

    box testing

    hacking Security auditing Vulnerability assessment Standards compliance Training All of the above

    SHODAN for Penetration Testers

    WHAT IS SHODAN?

    What is SHODAN? (1)


    SHODAN

    (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http:// twitter.com/achillean) While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing

    What is SHODAN? (2)


    Typical

    search engines crawl for data on web pages and then index it for searching SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching

    What is SHODAN? (3)


    Rather

    than to locate specific content on a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners Optimizing search results requires some basic knowledge of banners

    SHODAN for Penetration Testers

    BASIC OPERATIONS

    SHODAN Search Provider Firefox Add-on

    SHODAN Helper Firefox Addon

    Basic Operations: Search


    Search

    terms are entered into a text box (seen below) Quotation marks can narrow a search Boolean operators + and can be used to include and exclude query terms (+ is implicit default)

    Basic Operations: Login


    Create and login using a SHODAN account; or Login using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID Login is not required, but country and net filters are not available unless you login Export requires you to be logged in

    Basic Operations: Filters


    country: filters results by two letter country code hostname: filters results by specified text in the hostname or domain net: filter results by a specific IP range or subnet os: search for specific operating systems port: narrow the search for specific services

    country

    country, hostname, net, os, port

    port

    Basic Operations: Country Filter


    Filtering by country can be accomplished by clicking on the country map (available from the drop down menu) Mouse over a country for the number of scanned hosts for a particular country

    Find all apache servers in Switzerland

    Find apache servers running version 2.2.3 Top four countries matching your query

    Basic Operations: Hostname Filter


    Search results can be filtered using any portion of a hostname or domain name

    Find apache servers in the .nist.gov domain

    Find iis-5.0 servers in the .edu domain

    Basic Operations: Net / OS Filters


    The

    net filter allows you to refine your searches by IP/CIDR notation The OS filter allows you to refine searches by operating system

    Basic Operations: Port Filter


    SHODAN

    can filter your search results by

    port Current collection is limited to ports 21 (FTP), 22 (SSH), 23 (Telnet), and 80 (HTTP), while the overwhelming majority of collection is HTTP More ports/services coming (send requests to the developer via Twitter)

    Basic Operations: Searches


    Popular

    searches are available on the main page Logged in users can save searches and share them with other users

    Basic Operations: Export


    SHODAN

    lets you export up to 1,000 results per credit in XML format Credits can be purchased online Sample data export file is available

    SHODAN for Penetration Testers

    PENETRATION TESTING

    Pen Testing: Ethics (1)


    Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view? What about viewing the configuration of a device using a default username and password? What about viewing the configuration of a device using a unique username and password? Changing the configuration of any device?

    Pen Testing: Ethics (2)


    Default username and password Changing configurations

    No authentication

    Unique username and password

    Pen Testing Applications


    Using

    SHODAN for penetration testing requires some basic knowledge of banners including HTTP status codes Banners advertise service and version Banners can be spoofed (unlikely?)

    Pen Testing: HTTP Status Codes


    Status Code 200 OK Description Request succeeded

    401 Unauthorized Request requires authentication 403 Forbidden Request is denied regardless of authentication

    Pen Testing: Assumptions


    200

    OK banner results will load without any authentication (at least not initially) 401 Unauthorized banners with Wwwauthenticate indicate a username and password pop-up box (authentication is possible but not yet accomplished, as distinguished from 403 Forbidden) Some banners advertise defaults

    SHODAN for Penetration Testers

    CASE STUDY: CISCO DEVICES

    Case Study: Cisco Devices


    Here is a typical 401 Unauthorized banner when using the simple search term cisco:

    Take note of the Www-authenticate line which indicates the requirement for a username and password

    Case Study: Cisco Devices


    Now consider an example of a 200 OK banner which does not include the Wwwauthenticate line:

    Case Study: Cisco Devices


    A comparison of the two banners finds the second banner to include the Last-modified line which does not appear when Www-authenticate appears:

    In fact, among cisco results these two lines are more than 99% mutually exclusive

    Case Study: Cisco Results


    Search cisco cisco-ios cisco www-authenticate cisco last-modified cisco last-modified www-authenticate Results 251,742 226,184 225,402 4,265 56

    Case Study: Cisco Results


    This

    suggests that Cisco 200 OK banners that include the Last-modified line do not require any authentication (at least not initially) The results on the previous slide suggest there are potentially 4,200+ Cisco devices that do not require authentication

    Surely these HTML links will require some additional authentication

    Nope. No authentication required for Level 15! No authentication required for configure commands

    No authentication required for Level 15 exec commands

    show running-config

    show cdp neighbors

    SHODAN for Penetration Testers

    CASE STUDY: DEFAULT PASSWORDS

    Case Study: Default Passwords (1)


    The

    default password search locates servers that have those words in the banner This doesnt suggest that these results will be using the defaults, but since theyre advertising the defaults they would potentially be the lowest hanging fruit

    Case Study: Default Passwords (2)


    An example of a default password result:

    The server line indicates this is likely to be a print server; also note the 401 and Wwwauthenticate which indicates the likelihood of a username and password pop-up box

    Case Study: Default Passwords (3)


    This

    does not suggest that this device is using the default password, but it does mean that it is a possibility While no username is listed, a null username or admin is always a good guess And did it work?

    SHODAN for Penetration Testers

    CASE STUDY: INFRASTRUCTURE EXPLOITATION

    PWN w to Ho n ISP a

    PWN Case Study: ow to H n ISP switches Two Cisco 3750 infrastructure a

    with direct access to Cisco 7606 Router VLAN IDs for internal ISP network, hotels, condos, apartments, convention center, public backbone SNMP server IP address and community strings

    SHODAN for Penetration Testers

    OTHER EXAMPLES

    Some general observations

    javascript:SnapshotWin() client.html

    javascript:SnapshotWin() client.html setup/config.html

    system.html security.html network.html wireless.html ddns.html accesslist.html audiovideo.html cameracontrol.html mailftp.html motion.html application.html syslog.html parafile.html maintain.html

    SHODAN for Penetration Testers

    THE FUTURE

    The Future
    API

    in the works for program integration Summary report for export option Software fingerprints Collection of HTTPS

    SHODAN for Penetration Testers

    CONCLUSIONS

    Conclusions
    SHODAN

    aggregates a significant amount of information that isnt already widely available in an easy to understand format Allows for passive vulnerability analysis Bottom line: SHODAN is a potential gamechanger for pen testers that will help shape the path for future vulnerability assessments

    Authors and add-ons


    John

    Matherly (http://twitter.com/achillean) Gianni Amato (SHODAN Helper) sagar38 (SHODAN Search Provider)

    SHODAN for Penetration Testers

    QUESTIONS

    SHODAN for Penetration Testers


    Michael theprez98 Schearer

    You might also like