Scouring the Web for Insecure Systems using Shodan-Fu
Shodan, “The computer search engine”, seems to be one of the most (if not the most) controversial search engines on the internet. Shodan searches for computer systems, not people or things. According to reports from major media it would seem that you can search for vulnerable power plants on a whim and control traffic lights with ease. But is it really that easy?
Well, yes and no.
I remember when Shodan first started offering its search engine publicly. One highly respected security guru said that it would be shut down in a week. Well, it has been quite a while and Shodan is still up and running. Granted, if you know what to look for you can find vulnerable or completely open systems with a few simple search terms. But you can also do the same with Google if you know how to craft the search terms.
I don’t think it’s Shodan that is as much the problem, as it is that people keep putting completely insecure systems on the internet!
Or they leave very outdated systems out on the internet that haven’t been patched or updated in years!
For example, a quick Shodan search for “IIS/2.0” returns about 90 systems that are still live on the internet! That Microsoft Web Server version is over 16 years old!
Here are some more:
- IIS/3.0 returns over 600 systems
- IIS/4.0 about 14,000
- IIS/5.0 about 500,000!
And IIS/5.0 is so much newer than 2.0, heck it was released with Windows 2000…
You can search for operating system versions too. How about “Windows NT 4.0”?
This returns about 900 systems.
“Microsoft-Windows-NT/5.1” returns about 1800 systems. These are basically Windows XP systems running a web server – what could go wrong with that?
And that is just operating systems; you would be surprised how many wide open printers you will find out there. A quick search for network print server names will return thousands of printers, many of which have the security disabled.
And that is very sad as on many network print servers, turning on security is literally just a mouse click or two.
You can even refine your searches on Shodan using search filters like port, country or even city.
But is it really that easy to find open security systems and SCADA systems, as the mainstream media makes it seem? No, not really; you need to know very specific search terms to find these. But if you do know these terms, then it is a different story.
But sometimes these search words are very obscure, and of course they are not advertised.
But if you do know the terms you can find a lot of systems, like these overseas Wind Farm systems:
Wow, that is a lot of power and that is just one wind farm!
No worries though, the summary is a gimme; you are not allowed to change anything on these wind farm systems without logging in. I hope they use complex passwords…
You can find some pretty funny stuff too doing Shodan searches, like this one:
I believe that Shodan is a critical tool for security specialists. With it you can search for your company and see what is actually out there. Many large companies have public facing systems that they have completely forgotten about. These systems may be exploitable and could allow an attacker into your internal system.
You can also check to see if you have public facing devices that are wide open. For example, what if your network administrator set up a print server and left it completely open on the internet? Do you really want someone from a different company or country going into your print server and telling it to e-mail a copy of everything printed to them?
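Here is an added example (not from the original post) of the kind of self-audit described above: it builds a query with the port/net filters mentioned earlier, then triages an export of results, keeping only hosts inside your own address ranges whose Server header is one of the old IIS versions the post calls out. The records are constructed, and the export is assumed to be JSON lines carrying ip_str, port and data fields; the version threshold is an assumption to adjust to your own policy.

```python
import ipaddress
import json
import re
from typing import Optional

# Constructed sample records (not real hosts) in the assumed JSON-lines shape.
SAMPLE_RESULTS = """\
{"ip_str": "203.0.113.10", "port": 80, "data": "HTTP/1.1 200 OK\\r\\nServer: Microsoft-IIS/5.0\\r\\n"}
{"ip_str": "203.0.113.25", "port": 8080, "data": "HTTP/1.0 200 OK\\r\\nServer: Microsoft-IIS/4.0\\r\\n"}
{"ip_str": "203.0.113.40", "port": 443, "data": "HTTP/1.1 200 OK\\r\\nServer: Microsoft-IIS/10.0\\r\\n"}
{"ip_str": "198.51.100.7", "port": 80, "data": "HTTP/1.1 200 OK\\r\\nServer: Microsoft-IIS/2.0\\r\\n"}
"""

# Assumed cut-off: the post lists IIS 2.0 through 5.0 as long outdated.
LEGACY_IIS_BELOW = 6.0

# Pull the IIS version number out of a raw HTTP banner.
IIS_BANNER = re.compile(r"Server:\s*Microsoft-IIS/(\d+(?:\.\d+)?)")


def build_query(term: str, net: Optional[str] = None, port: Optional[int] = None) -> str:
    """Compose a Shodan search string restricted to your own ranges/ports."""
    parts = [f'"{term}"']
    if net:
        parts.append(f"net:{net}")
    if port:
        parts.append(f"port:{port}")
    return " ".join(parts)


def triage(json_lines: str, own_nets: list) -> list:
    """Return hosts inside own_nets whose banner shows a legacy IIS version."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    findings = []
    for line in json_lines.splitlines():
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in n for n in nets):
            continue  # not our asset, so it is out of scope for this audit
        match = IIS_BANNER.search(rec["data"])
        if match and float(match.group(1)) < LEGACY_IIS_BELOW:
            findings.append({"ip": rec["ip_str"], "port": rec["port"], "iis": match.group(1)})
    return findings


if __name__ == "__main__":
    print(build_query("IIS/5.0", net="203.0.113.0/24", port=80))
    for f in triage(SAMPLE_RESULTS, ["203.0.113.0/24"]):
        print(f"{f['ip']}:{f['port']} runs IIS {f['iis']} - schedule for upgrade or removal")
```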
As usual with all security tools, some people will use Shodan for evil purposes. That is why it is critical that security departments use it first to check out their own company. Also make sure that the login credentials for any publicly facing system have a long, complex password.
A little bit of security goes a long way!
(When using Shodan remember, do not attempt to log in to a system that is not yours or try to access information that does not belong to you. Doing so is highly illegal and you could end up in jail.)