Scanning for Open and Vulnerable Systems with Shodan

I mentioned several times in the past how easy it is to scan for vulnerable systems in Shodan. I was recently asked to do some research with Shodan and in the past few weeks I have been able to dedicate a lot of time to it. In the course of my research, I found out a lot more about Shodan.

And what I found was just stunning.

During my time with Shodan, I only looked for completely open systems – no password hacking or trying default passwords. No configurations were changed and nothing was added or removed. I only viewed sites that were completely open through Shodan.

No I didn’t find any open US power grids or nuclear missiles that could be launched with a mouse click. The truth is many systems have some level of security or at least ask for a password.

But Shodan does come as advertised, I was easily able to find vulnerable systems, completely open computers and other devices that should never be publicly accessible from the web.

The trick to using Shodan effectively is to know keywords. Usually they are the manufacturer’s name, or a device model number, but sometimes they are the name of a very obscure embedded web server that you would never think to look for. But once you know these magic keys, in seconds you can search the world for these devices, or using the country or city search terms, you can refine your search to certain areas.

country:(2 Letter country code) or city:(city name)

Let’s start with security cams.

SECURITY CAMS

 

Granted most of the cameras you will find are harmless, many are probably left open on purpose. But some are not. There are many security and business surveillance cameras that are completely open to the web. Split mode cameras that show customer areas and secure employee areas.

The worst I found were these security systems that had constant video surveillance and also an alarm interface panel that showed motion detection, door sensors, heat, humidity and noise monitoring capability. All open to casual web viewers. And from what I saw, these were mostly installed in… Data Centers!

MONITORING DEVICES

You can also find Online UPS systems, remote power bars (reboot systems remotely), Smart Home control panels, and a sundry of device monitoring systems. One of my favorites was the one pictured above called “Stupid System” and as you can see ‘Use Password’ setting is set to “Off”…

ROUTERS, SWITCHES, PRINTERS, PHONE and HVAC SYSTEMS?

Yes, yes, and yes, all of the above. It is the internet, it is loaded with both wired and wireless routers and switches. Numerous unsecured Cisco switches are still out there. Many large companies and organizations leave their printers wide open to the world and with little effort you can find thousands of TCP/IP phones. Granted most are protected by a password, but what are the chances that the default password would work in many cases?

I also found IP phone meeting systems online that were completely open. These seemed to be corporate level business systems where you could run online meetings.

And surprisingly HVAC and building controls are still found completely open on the internet.

EMBEDDED DEVICES

What really struck me during my research was that an almost unlimited supply of open embedded web devices can be found on the web. These can be a range of devices from NAS devices to cameras, routers, control systems, to TVs and even DVD/DVR players. These devices come with some sort of embedded web server, usually Linux based. Because these devices don’t “Look” like computers, people plug them in to their network, set them up, and then usually forget about them.

But like computers, these devices have updates and are susceptible to vulnerabilities and exploits just like their workstation and rack server friends. And many of these devices, if hacked, are sitting inside the firewall zone!

Actually Metasploit has a library that includes many exploits for these embedded devices, you can also tie Metasploit in with Shodan to search for them.

CONCLUSION

I hope you found this non-exhaustive report on Shodan and some of its capabilities educational. If you are on the IT security team of a large company, organization or institute, you NEED to learn how to use Shodan effectively and SCAN your network range to see if any unsecured device is publicly facing on the internet.

(net:IP range or subnet) or (hostname:website name)

Small business owners need to either check themselves or have their IT support company check their IPs to see if they have anything being shared on the web that they do not intend to share.

It also isn’t a bad idea for home users to run their IP address through Shodan to see if any personal devices are showing up on the open web.

(net:ip address)

Use long complex passwords. Check your network connected devices to make sure that they have the latest firmware and system updates. A little security goes a long way!

(Use Shodan responsibly, do not change settings or configurations on open systems that do not belong to you. Never try default passwords or try to brute force passwords on devices that do not belong to you. Corporate IT employees should obtain the proper authorization before scanning their networks.)