Scanning for Open and Vulnerable Systems with Shodan

May 17, 2013

Shodan

I mentioned several times in the past how easy it is to scan for vulnerable systems in Shodan. I was recently asked to do some research with Shodan and in the past few weeks I have been able to dedicate a lot of time to it. In the course of my research, I found out a lot more about Shodan.

And what I found was just stunning.

During my time with Shodan, I only looked for completely open systems – no password hacking or trying default passwords. No configurations were changed and nothing was added or removed. I only viewed sites that were completely open through Shodan.

No, I didn’t find any open US power grids or nuclear missiles that could be launched with a mouse click. The truth is, many systems have some level of security, or at least ask for a password.

But Shodan does come as advertised: I was easily able to find vulnerable systems, completely open computers, and other devices that should never be publicly accessible from the web.

The trick to using Shodan effectively is to know the keywords. Usually they are the manufacturer’s name or a device model number, but sometimes they are the name of a very obscure embedded web server that you would never think to look for. But once you know these magic keys, you can search the world for these devices in seconds, or, using the country or city search terms, refine your search to certain areas.

country:(2-letter country code) or city:(city name)

Let’s start with security cams.

SECURITY CAMS


Granted, most of the cameras you will find are harmless, and many are probably left open on purpose. But some are not. There are many security and business surveillance cameras that are completely open to the web, including split-mode cameras that show both customer areas and secure employee areas.

The worst I found were these security systems that had constant video surveillance and also an alarm interface panel that showed motion detection, door sensors, heat, humidity and noise monitoring capability. All open to casual web viewers. And from what I saw, these were mostly installed in… Data Centers!

MONITORING DEVICES

Sensor Probe for Stupid System

You can also find online UPS systems, remote power bars (to reboot systems remotely), smart home control panels, and sundry device monitoring systems. One of my favorites was the one pictured above, called “Stupid System”, and as you can see the ‘Use Password’ setting is set to “Off”…

ROUTERS, SWITCHES, PRINTERS, PHONE and HVAC SYSTEMS?

Air Flow

Yes, yes, and yes, all of the above. It is the internet, and it is loaded with both wired and wireless routers and switches. Numerous unsecured Cisco switches are still out there. Many large companies and organizations leave their printers wide open to the world, and with little effort you can find thousands of TCP/IP phones. Granted, most are protected by a password, but what are the chances that the default password would work in many cases?

I also found IP phone meeting systems online that were completely open. These seemed to be corporate level business systems where you could run online meetings.

And surprisingly HVAC and building controls are still found completely open on the internet.

EMBEDDED DEVICES

What really struck me during my research was that an almost unlimited supply of open embedded web devices can be found on the web. These range from NAS devices to cameras, routers, control systems, TVs and even DVD/DVR players. These devices come with some sort of embedded web server, usually Linux based. Because these devices don’t “look” like computers, people plug them into their network, set them up, and then usually forget about them.

But like computers, these devices have updates and are susceptible to vulnerabilities and exploits just like their workstation and rack server friends. And many of these devices, if hacked, are sitting inside the firewall zone!

Metasploit actually has a library that includes many exploits for these embedded devices, and you can also tie Metasploit in with Shodan to search for them.

CONCLUSION

I hope you found this non-exhaustive report on Shodan and some of its capabilities educational. If you are on the IT security team of a large company, organization or institute, you NEED to learn how to use Shodan effectively and SCAN your network range to see if any unsecured device is publicly facing on the internet.

(net:IP range or subnet) or (hostname:website name)

Small business owners need to either check themselves or have their IT support company check their IPs to see if they have anything being shared on the web that they do not intend to share.

It also isn’t a bad idea for home users to run their IP address through Shodan to see if any personal devices are showing up on the open web.

(net:ip address)
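As an added example (not part of the original post), here is a small Python script that composes Shodan queries from the country, city, net and hostname filters described above and then audits search results for your own netblock. It uses only the standard library and works on a constructed list of records shaped like the "matches" of a Shodan search result; the risky-port list and the banner checks are my own assumed heuristics, not Shodan’s.

```python
import ipaddress

# Ports a defender would not expect to see reachable from the internet on cameras,
# printers, UPS units and similar embedded devices (assumed list, not from Shodan).
RISKY_PORTS = {21: "ftp", 23: "telnet", 161: "snmp", 554: "rtsp", 9100: "printer"}


def build_query(keyword="", country=None, city=None, net=None, hostname=None):
    """Compose a Shodan search string from the filters the post lists."""
    parts = [keyword] if keyword else []
    if country:
        parts.append(f"country:{country}")
    if city:
        parts.append(f'city:"{city}"')
    if net:
        parts.append(f"net:{net}")
    if hostname:
        parts.append(f"hostname:{hostname}")
    return " ".join(parts)


def audit_netblock(matches, netblock):
    """Flag results inside our own netblock that look publicly exposed.

    `matches` is a list of dicts shaped like Shodan's search "matches"
    (ip_str, port, data banner); the checks are simple heuristics."""
    net = ipaddress.ip_network(netblock)
    findings = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if ip not in net:
            continue  # not our address space, ignore
        port, banner = m["port"], m.get("data", "")
        if port in RISKY_PORTS:
            findings.append((str(ip), port, f"{RISKY_PORTS[port]} reachable from the internet"))
        elif port in (80, 8080) and "WWW-Authenticate" not in banner:
            findings.append((str(ip), port, "web interface answers without an auth challenge"))
    return sorted(findings)


# Constructed sample results (TEST-NET addresses, not real hosts).
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: Boa/0.94\r\n\r\n<title>Camera</title>"},
    {"ip_str": "203.0.113.11", "port": 80,
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"UPS\"\r\n"},
    {"ip_str": "203.0.113.12", "port": 23, "data": "Login: "},
    {"ip_str": "198.51.100.5", "port": 80, "data": "HTTP/1.1 200 OK\r\n"},
]

if __name__ == "__main__":
    print(build_query("Boa", net="203.0.113.0/24"))
    for finding in audit_netblock(SAMPLE_MATCHES, "203.0.113.0/24"):
        print(finding)
```

With a real API key you would feed the output of a `net:` query for your own range into `audit_netblock` in place of the constructed sample.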

Use long complex passwords. Check your network connected devices to make sure that they have the latest firmware and system updates. A little security goes a long way!

(Use Shodan responsibly, do not change settings or configurations on open systems that do not belong to you. Never try default passwords or try to brute force passwords on devices that do not belong to you. Corporate IT employees should obtain the proper authorization before scanning their networks.)

Viruses making a Comeback according to Microsoft Security Report

May 17, 2013

Just when you thought viruses were on the way out, it looks like they may be raising their ugly heads yet again. According to Microsoft, the global virus detection rate hit 7.8% in the fourth quarter of 2012, with some nations reaching over 40%.

With the increase in Trojans and credential stealers, many thought we had seen the last days of old-fashioned file-infecting viruses. But Tim Rains, Microsoft’s Director of Trustworthy Computing, says that virus use looks to be trending upwards again, with some locations being hit harder than others:

“Locations with high levels of Viruses included Pakistan (Viruses found on 44% of systems with detections), Indonesia (40%), Ethiopia (40%), Bangladesh (38%), Somalia (37%), Egypt (36%), and Afghanistan (35%). Looking at this list of locations it seems that most of these places don’t have the same levels of Internet connectivity/bandwidth that locations in North America and Europe have.”

And one virus seems to stand above the rest: Win32/Sality, a polymorphic file infector. According to Microsoft, Sality was detected on over 8 million Windows XP machines in 2012. The virus was not as effective against Microsoft’s newer operating systems.

Just a reminder to keep your systems and anti-virus program up to date, and if your company is still running Windows XP, it is really time to move on to Windows 7 at least. Windows 7 has several security enhancements that make it inherently more secure against online threats than the aging XP.

For more information check out the Microsoft Security Intelligence Report.

US Navy successfully Launches first Drone from Aircraft Carrier

May 15, 2013

Syria Goes Dark: Worldwide Internet Traffic To/ From Syria Shutdown

May 7, 2013

Syria Internet Goes Offline

Syria’s nationwide internet service goes dark again and some mobile networks are down, as the civil war there drags on.

The image above from Akamai’s Twitter feed shows the “switch” being thrown as Syria traffic drops to nothing.

According to Renesys, Syrian connectivity went dark at 18:43 UTC, when its Border Gateway Protocol (BGP) routes went down:

Syria BGP Routers Down

The internet relies on BGP to route traffic across the world. When Syria’s BGP routes were withdrawn from the global routing table, the country was effectively cut off from the internet. It is unclear at this time whether internal access has also been shut off.
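To make the mechanism concrete, here is an added example (not from the original post or from Renesys) that compares two snapshots of announced BGP prefixes, lists what was withdrawn, and computes how much of a country’s allocated address space no longer has any route covering it. The allocations and snapshots are constructed TEST-NET data, and the coverage calculation assumes the announced prefixes do not overlap one another.

```python
import ipaddress

# Constructed sample data (TEST-NET ranges, not real Syrian prefixes): the
# prefixes allocated to a country, and two snapshots of what is announced in BGP.
ALLOCATED = ["203.0.113.0/24", "198.51.100.0/24"]
ANNOUNCED_BEFORE = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]
ANNOUNCED_AFTER = ["198.51.100.0/24"]


def withdrawn_prefixes(before, after):
    """Prefixes present in the earlier snapshot but missing from the later one."""
    return sorted(set(before) - set(after), key=ipaddress.ip_network)


def unreachable_fraction(allocations, announced):
    """Share of the allocated address space that no announced route covers.

    Assumes the announced prefixes do not overlap one another (true for the
    sample above); otherwise covered addresses would be counted twice."""
    routes = [ipaddress.ip_network(p) for p in announced]
    total = covered = 0
    for a in allocations:
        alloc = ipaddress.ip_network(a)
        total += alloc.num_addresses
        for r in routes:
            if r.subnet_of(alloc):          # route is a more-specific of our block
                covered += r.num_addresses
            elif alloc.subnet_of(r):        # route aggregates our whole block
                covered += alloc.num_addresses
    return 1 - covered / total


if __name__ == "__main__":
    print("withdrawn:", withdrawn_prefixes(ANNOUNCED_BEFORE, ANNOUNCED_AFTER))
    print("unreachable before:", unreachable_fraction(ALLOCATED, ANNOUNCED_BEFORE))
    print("unreachable after:", unreachable_fraction(ALLOCATED, ANNOUNCED_AFTER))
```

Feeding real snapshots from a route collector into these two functions is the basic form of the prefix-visibility check that outage monitors run.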

Early reports say the Syrian government claims the outage is from a terrorist attack, but rebels say that the outages usually occur during times of government military attack.

For more information, including a technical explanation of how Syria shut off its internet, check out Umbrella Security Lab’s post.
