If you’ve been keeping an eye on technology matters in the last few years you’ve more than likely heard the term ‘Internet of Things (IoT)’. It’s widely used to describe embedded ‘smart’ systems, usually running some form of Linux, that are connected to the Internet.
In this article I’ll be talking about systems that are accessible to the Internet or web-facing, what I mean by this is computer systems that are running services (e.g. a web server) that are not sitting behind a firewall (just on some ports, or all ports) – and thus anyone on the wider Internet can visit it.
Also, it goes without saying that everything discussed in this article is for educational purposes only, this is all publicly available information that is good for researching into what people are putting on the Internet and what risks they’re exposing themselves to.
These days everything is moving towards being Internet-connected, CCTV cameras, light bulbs, fridge freezers and even kettles. They’re hooked up to the web to allow for convenient features such as being able to control what lights are on in your home or to stick the kettle on while you’re on the way back to your house.
Problems arise however when these features are implemented poorly, and in a lot of cases the security of that smart device is nothing but an afterthought. A lot of these come with already outdated versions of Linux or BSD as well as out-dated versions of services such as OpenSSH, Samba etc. This exposes these systems to known security vulnerabilities that are fixed in later versions, but in a lot of cases, the device manufacturers won’t issue any updates because afterall, they’ve got your money already.
There are a number of responsible manufacturers out there, mainly large brandnames, but the sheer volume of cheap IOT devices being churned out from places like China is staggering.
Now that’s just for consumer equipment. There’s also a huge amount of enterprise and industrial systems accessible on the Internet. CCTV systems, SCADA systems, power plants, hydro-electric powerplants – you name it, someone’s most likely stuck it on the Internet. Similar to the consumer-grade kit I discussed above, a scary amount of these systems are running outdated versions of Linux and Windows – and the same goes for the services they’re running on them.
What seems to be a more common trend with enterprise and industrial systems however is poor firewall management. Consumer kit is generally plugged into a router, which then routes the device through a firewall and blocks anything you don’t need exposed to the Internet. This isn’t usually the case with industrial and enterprise stuff, I’ve seen a lot of instances where a system has been introduced to the Internet and presumably either routed through a poorly configured firewall or it’s not going through one. The result is you have services that are designed only to be used on a local network exposed to the wider-Internet. Bad news.
Samba/SMB is a good example of this, there’s a horde of systems out there that have no authentication required to access the contents of its drives – and through sheer stupidity the port used by that service, in SMB’s case port 445, is exposed to the Internet and not hidden behind a firewall. That results in anyone who goes looking for it to be able to map that drive to their system, and access anything on it, or even put anything on it.
What is Shodan?
This is where Shodan ties in. Historically finding web-facing systems other than web servers was a time-consuming thing to do, there are tools such as Mass-scan out there that allow you to scan IP ranges or the entire Internet across all ports or just some ports. This takes a long time to do with standard systems and Internet connections. There are some researchers out there that can scan the entire Internet for an entire port in a few minutes, but that’s using tailored systems connected to mammoth Internet connections.
Shodan is a search engine for finding specific devices, and device types, that exist online. It works by scanning the entire Internet and parsing the banners that are returned by various devices. Using that information, Shodan can tell you things like what web server (and version) is most popular, or how many TFTP servers exist in a particular location, and what make and model the device may be.
Although there are APIs and smartphone apps available, Shodan is primarily a website that you can just visit and search for particular devices. It’s not quite as simple as googling for the term ‘webcams’ or something similar, you have to know what you’re looking for.
Shodan does work through Netsurf on RISC OS, asthetically it does look a little off when compared to a browser on another OS – but from a technical perspective, it works just fine.
Know what you’re searching for
You can use Shodan to search for what particular ports are open on a specific IP address. In the screenshot above I’ve taken the IP address of the RISCOSBlog’s web server and entered it into Shodan’s search bar. It’s then given me information on where the server is located, who hosts the server and what widely used ports are open. Shodan doesn’t scan the entire Internet for every port, as that would a herculean task, instead it focuses on the most widely used ports used by web-facing servers.
The interesting searches on Shodan come from looking for interesting things you can find rather than just searching for open ports on an IP address. As Shodan works on the header output a system will chuck out when you query it, you’ll need to have an idea of what the headers for the systems you want to find contain.
An example being, if I use the ‘netcat’ tool on a FreeBSD box I use, I can query my file-server on port 22 (the SSH port) to see what version SSH I’m running, it’ll also tell me what operating system I have to. In the below example my file-server is running on local IP address 192.168.0.2
nc 192.168.0.2 22
The SSH service on that box has been kind enough to tell me that it’s running version 7.2 of the OpenSSH server software and it’s running on the FreeBSD operating system.
I can then take that output and query Shodan for ‘OpenSSH_7.2’. It then gives me a long list of IP addresses that have that version of OpenSSH public to the Internet as well as statistics on what it’s found.
In in this instance, it’s found 88,560 public-facing systems with that version of OpenSSH. The majority are in the United States, and the most popular OS running that version is FreeBSD.
This is all very interesting if you’re curious, but this is where keeping all your systems up to date really comes in, because if I can identify a version of a particular service, say SSH, which has an exploitable-vulnerability in it, then I can search for that vulnerable version of SSH on Shodan and it’ll output a list of potential victims should I want to do something nasty.
As with any search engine, Shodan works well with basic, single-term searches, but the real power comes with customised queries.
Here are the basic search filters you can use:
- city: find devices in a particular city
- country: find devices in a particular country
- geo: you can pass it coordinates
- hostname: find values that match the hostname
- net: search based on an IP or /x CIDR
- os: search based on operating system
- port: find particular ports that are open
- org: specify a particular ISP or organisation name
- before/after: find results within a timeframe
An example of filtering search queries to find what you want is: I know that the HTTP headers for systems that are running the Emby media server software will come back with ’emby’ in the name of it. So by using the below search term I can query for all Emby servers in the UK that have BT as their Internet Service Provider (ISP).
emby country: “GB” org: “BT”
Again, from a research perspective this is all pretty interesting, you can see there’s 12 systems running on BT Internet connections that have Emby running a port that Shodan scans (most likely 80 or 443). Emby defaults to port 8096 which isn’t scanned by Shodan so the vast majority won’t be visible.
If you were a bad guy however, then by researching the server software you’re querying for in Shodan, you’ll be able to pick up vulnerabilities you can exploit quite easily.
Emby for example, comes with authentication disabled by default. So there’s a good chance that at least some of the IP addresses in the list are probably running Emby instances that you can just log into without being asked for a password. A lot of users will set up a service and once it’s seen to be working, they’ll leave it rather than think about if it can be accessed by anyone else.
That’s reasonably harmless when you’re talking about a media server like Emby, but if you apply this logic to Telnet servers, MongoDB servers etc. then you’re starting to look at systems that have serious vulnerabilities in them. It would be trivial to search for MongoDB databases (again another service that defaults to no authentication) and then do whatever you want with the data it stores.
Other useful aspects of Shodan
You can use the “Explore” button on the main Shodan site to look at common searches and results, which are interesting and also pretty scary at times. You’ll find things like:
- SCADA systems
- Traffic lights
- Power plants
- Point of sale systems
- Industrial control systems
- Systems with default passwords
Here are a few other cool things you can do:
- Data Export: You can export your results in various formats using the top menu after you’ve performed a search.
- Browser Search: You can configure your browser to search Shodan when you search from the URL bar. Not compatible with any RISC OS browser.
- Shodan Free Account: You should create and log in to your free account when you search, as the interface is pretty nerfed if you don’t, e.g. not being able to see host information, etc. Search results are limited to a few pages for free accounts.
- Premium Accounts: A premium account is a one-time payment and it gives you increased access to the API and allows you to pull much more information than the free account will allow.
What have people found on Shodan?
If you start targetting specific services like known webcam makes or the VNC port 5900, you will start coming across systems that people have unknowingly left publicly accessible due to poor firewall management or by forgetting to setup authentication.
It’s worth noting that although these systems are, just like a HTTP website, openly accessible, it means that viewing only does not constitute unauthorised access – but intentionally messing with systems to cause damage or anything like that could end you up in legal hot water.
A number of security researchers are constantly finding interesting things on the Internet, a lot of them are things that definitely should not be exposed to the public, and some even allow you to mess with them.
Well-known security researcher Dan Tentler, who talks about the things he’s found on Shodan in this video, has found systems from hydro-electric plants to Internet-connected crematorium panels that allows you to control the furneses.