In this post I’ll demonstrate how the search engine SHODAN can be used to identify and access unprotected network devices… and there are many such devices on the Internet.
Since SHODAN appeared on the Internet scene, I’ve used it a fair bit for enumerating information from target address ranges. I’ve also just finished watching a great DEFCON 18 presentation titled SHODAN For Penetration Testing by Michael Schearer.
For those unaware, SHODAN is a Computer Search Engine that crawls the Internet, collects banner and version information for IP addresses offering FTP, HTTP, TELNET and (if you pay SHODAN for ‘credits’) HTTPS/SSL services. SHODAN then indexes this gathered data ready for anyone to search. Why is this useful? For ethical and not so ethical reasons, it offers a way of gathering technical information about a target IP, IP Network/Range, domains etc. and could include Server version information, HTTP Header results and FTP login banners for IPs that SHODAN has crawled.
It’s a very useful tool and, as I am about to explain, can be used in the same way that Google is used to make clever search queries that, for example, would return all URLs that have “passwords.xls” in them.
Here is the SHODAN homepage (www.shodanhq.com). At the top is the search box. I’ve logged into SHODAN using a GMail account and this gives access to additional search ‘operators’.
In my last post, I used Cisco IOS devices as my target and I’m going to do the same here.
As you may already be aware, Cisco IOS devices typically support Telnet, Web and SSH for remote device management. I already know that the web service in Cisco IOS sets the “server” HTTP header to “cisco-ios”. I want to create a query that will give me all the Cisco IOS devices running the IOS web service on TCP port 80 (HTTP).
Shodan Search Query = “cisco-ios port:80”
This query searches for hosts that have port 80 open, and contain “cisco-ios” in the “server” HTTP header results:
Quite a number of results have been returned. The IP address (and DNS name) of the host appears on the left (I’ve blacked out this information). The banner data, grabbed by Shodan when crawling, is on the right next to each host. I’m going to narrow my search a bit and modify my query to only include IP addresses registered in the UK; country code “GB”.
Shodan Search Query = “cisco-ios port:80 country:GB”
This query searches for hosts that have port 80 open, and contain “cisco-ios” in the “server” HTTP header results and limits the results to UK registered IP addresses.
These results are only for UK registered addresses; the little flag icon below the IP address indicates this. You will notice the HTTP banner information returned for each host address indicates the host responded with “HTTP 401 Unauthorized”, since Shodan stores and indexes these banner/HTTP responses for each host. I want to identify hosts that do NOT return a HTTP 401 error. I’m going to modify my search query a bit more to include only results where a “HTTP 200 OK” response was received.
Shodan Search Query = “cisco-ios 200 port:80 country:GB”
This query searches for hosts that have port 80 open, and contain “cisco-ios” in the “server” HTTP header results, limits the results to UK registered IP addresses and returns only those hosts with an HTTP 200 OK response.
Now I have a list of IP addresses that returned an HTTP “200 OK” when SHODAN crawled them. With this information provided by SHODAN, I’ve now identified many Cisco IOS devices on the Internet running a web server that requires no authentication.
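The three queries above are really one filter applied to stored banner data: Server header says “cisco-ios”, port 80, country GB, status 200 rather than 401. The following is an added example (not code from the original post and not SHODAN’s own API) that applies the same filter locally to banner records in the shape SHODAN displays, which is how a defender would audit a banner export covering their own address space for IOS web servers that answered without an authentication challenge. The `BannerRecord` type, the `parse_banner`/`find_exposed` helpers and all IP addresses and banners are constructed for the example.

```python
"""Classify HTTP banner records the way the SHODAN query above does.

Added example, not the original post's code or SHODAN's API. Given banner
records in the shape SHODAN shows (IP, country, port, raw HTTP response),
flag Cisco IOS web servers that answered 200 OK with no authentication
challenge. All records below are constructed samples using RFC 5737
documentation addresses, not real hosts.
"""
import re
from dataclasses import dataclass


@dataclass
class BannerRecord:
    ip: str
    country: str        # two-letter code, as in SHODAN's country:XX filter
    port: int
    banner: str         # raw HTTP response as captured by the crawler


STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})", re.IGNORECASE)


def parse_banner(banner: str):
    """Return (status_code, headers) for a raw HTTP response.

    Header names are lower-cased so lookups are case-insensitive.
    Banners that are not HTTP (e.g. an SSH or FTP greeting) give (None, {}).
    """
    lines = banner.replace("\r\n", "\n").split("\n")
    m = STATUS_RE.match(lines[0].strip())
    if not m:
        return None, {}
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_unauthenticated_cisco_ios(rec: BannerRecord) -> bool:
    """Equivalent of 'cisco-ios 200 port:80': the Server header identifies
    the IOS web service and the crawler got 200 OK instead of a 401."""
    if rec.port != 80:
        return False
    status, headers = parse_banner(rec.banner)
    if status != 200:
        return False
    return "cisco-ios" in headers.get("server", "").lower()


def find_exposed(records, country=None):
    """Apply the optional country filter and return the IPs of records that
    look like unauthenticated Cisco IOS web servers, in input order."""
    return [
        r.ip for r in records
        if (country is None or r.country.upper() == country.upper())
        and is_unauthenticated_cisco_ios(r)
    ]


# Constructed sample export; the realm string is a placeholder.
SAMPLE_RECORDS = [
    BannerRecord("192.0.2.10", "GB", 80,
                 "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
                 "WWW-Authenticate: Basic realm=\"placeholder-realm\"\r\n\r\n"),
    BannerRecord("192.0.2.20", "GB", 80,
                 "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
                 "Content-Type: text/html\r\n\r\n<html>...</html>"),
    BannerRecord("198.51.100.5", "US", 80,
                 "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n\r\n"),
    BannerRecord("192.0.2.30", "GB", 80,
                 "HTTP/1.1 200 OK\r\nServer: Apache/2.2\r\n\r\n"),
    BannerRecord("192.0.2.40", "GB", 8080,
                 "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n\r\n"),
    BannerRecord("192.0.2.50", "GB", 80, "SSH-2.0-placeholder-banner\r\n"),
]


if __name__ == "__main__":
    print("GB only:", find_exposed(SAMPLE_RECORDS, "GB"))
    print("all   :", find_exposed(SAMPLE_RECORDS))
```

On the device side the finding maps to a straightforward fix: the IOS web server should either be disabled (`no ip http server`) or require credentials (`ip http authentication local` with a local user, ideally with `ip http secure-server` instead of plain HTTP), so that the crawler records a 401 challenge rather than a 200 OK.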
SHODAN provides a link to the IP address on the left. You click that and your browser will connect to that IP over HTTP.
Oh dear… this router is accessible. I could modify the URL and list the IOS configuration if I wish…
Or I can execute commands using the “configure” link.
SHODAN can be used for many different search queries. If you have an idea of what you’re looking for (banners, headers etc.) you can ask SHODAN and see what you get in return. SHODAN can be used to identify hosts that are running vulnerable HTTP/FTP/Telnet services; if you know the tell-tale banners then ask SHODAN!
Using the example above, many Cisco IOS devices provide unauthenticated access. Perhaps the administrators aren’t even aware?