Server Remote Control iLO Boards Found on Shodan

I’ve been spending way too much time with Shodan (the computer search engine) lately. But what really bothers me is, every time I put time into searching for new things, I find them. And many times what I find boggles the mind.

Recently I found several search terms that bring up built-in server remote control (iLO) boards.

Integrated Lights-Out, or iLO, boards are installed on many servers. They are remote support solutions that allow an administrator to log into the computer and manage it from afar. Most allow complete control of the server, including remote keyboard and mouse, the ability to power cycle the system, and the ability to mount and access additional media remotely.

So far, I have found eight unique search strings on Shodan (like this) that reveal iLO boards for Dell, HP, Fujitsu and Sun servers.

When I was a server team guy for a large corporation, we regularly used these to completely set up and configure heavy duty servers that were located in different states. The local IT techs would unbox the server and plug it into a network jack. We would then log in to the iLO and install the Operating System, web apps, or whatever else was needed, remotely, without ever physically touching the box.

We also used them for troubleshooting. If a remote server had locked up and was not responding at all, we would log in remotely to the iLO board and be able to service the system. Again, without ever physically touching the system.

The fact that iLO boards can be found online is rather concerning. Granted, many are there on purpose (so they can be remotely managed!) and are protected by a strong password. But several appeared to be using the default password.

If your company uses iLO boards on your servers, check them and make sure you are not using the default passwords! Change iLO passwords to long complex strings that you would use on any important system that is publicly available online. Disable or remove iLO boards (check your documentation) if they are not needed.

A little security can go a long way in protecting your servers from online threats.


Shodan Keyword Search for Friday, May 31st

After spending a lot of research time on Shodan, the ‘computer search engine’, I have acquired quite an extensive keyword search term list – 6 pages and growing! Shodan is great for finding tons of systems online, and is great for pentesting, but you need to know what keywords to use. So I thought I would pass some along to my readers.

I haven’t really found a good list online, and there is already an extensive search database for Google keywords (called the Google Hacking Database, or Google Dorks), so I figured every Friday I will share some of them, making Fridays “Shodan Dork Day”.

So without further ado, here are the search terms for May 31st:

OPERATING SYSTEMS/ SERVERS

  • IIS/2.0
  • IIS/3.0
  • IIS/4.0
  • IIS/5.0
  • Windows NT 4.0
  • Microsoft-Windows-NT/5.1
  • os:Mac 200 ok
  • title:"Mac OS X Server"
  • iTools
  • rumpus
  • iPhone
  • SMSLockSys (iPhone)
  • Raspberry Pi

For the record, I will not share SCADA search terms (there are already lists of these out there) or some of the other questionable keywords that I have found.

This is for educational purposes only. Some of the Shodan searches reveal unsecure systems. Never try to alter, hack or crack systems that you do not own or have permission to access.

Surf responsibly…

Scouring the Web for Insecure Systems using Shodan-Fu

[Image: Shodan]

Shodan, “The computer search engine”, seems to be one of the most (if not the most) controversial search engines on the internet. Shodan searches for computer systems, not for people or things. According to reports from major media outlets, it would seem that you can search for vulnerable power plants on a whim and control traffic lights with ease. But is it really that easy?

Well, yes and no.

I remember when Shodan first started offering its search engine publicly. One highly respected security guru said that it would be shut down within a week. Well, it has been quite a while and Shodan is still up and running. Granted, if you know what to look for you can find vulnerable or completely open systems with a few simple search terms. But you can also do the same with Google if you know how to craft the search terms.

I don’t think it’s Shodan that is as much the problem, as it is that people keep putting completely insecure systems on the internet!

Or they leave very outdated systems out on the internet that haven’t been patched or updated in years!

For example, a quick Shodan search for “IIS/2.0” returns about 90 systems that are still live on the internet! That version of Microsoft’s web server is over 16 years old!

Here are some more:

  • IIS/3.0 returns over 600 systems
  • IIS/4.0 about 14,000
  • IIS/5.0 about 500,000!

And IIS/5.0 is not that much newer than 2.0; heck, it was released with Windows 2000…

You can search for operating system versions too. How about “Windows NT 4.0”?

This returns about 900 systems.

“Microsoft-Windows-NT/5.1” returns about 1800 systems. These are basically Windows XP systems running a web server. What could go wrong with that?

And that is just operating systems; you would be surprised how many wide open printers you will find out there. A quick search for network print server names will return thousands of printers, many of which have security disabled.

And that is very sad as on many network print servers, turning on security is literally just a mouse click or two.

You can even refine your searches on Shodan using filters like port, country or even city.
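The banner-version checks and org-scoped filtering described above, turned into a self-audit script. This is an added example, not code from the original post: the banners are constructed samples in the shape of Shodan HTTP records (the iLO-style Server string is a placeholder), the end-of-life cutoff at IIS 5.0 is an assumption taken from the post’s own figures, and the query builder uses Shodan’s org: filter, which the post does not mention.

```python
import re

# Constructed sample records shaped like Shodan HTTP banners (ip -> banner).
# 192.0.2.0/24 is a documentation range; none of these are real hosts.
SAMPLE_BANNERS = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n",
    "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\nX-Powered-By: ASP\r\n",
    "192.0.2.13": "HTTP/1.1 200 OK\r\nServer: HP-iLO-Server/1.30\r\n",  # placeholder iLO-style banner
    "192.0.2.14": "HTTP/1.1 401 Unauthorized\r\nServer: Apache/2.4.41\r\n",
}

# Assumption: IIS 5.0 (shipped with Windows 2000) and older are treated as end-of-life.
EOL_IIS_MAX_MAJOR = 5

IIS_RE = re.compile(r"^Server:\s*Microsoft-IIS/(\d+)\.(\d+)", re.I | re.M)
ILO_RE = re.compile(r"^Server:\s*(\S*iLO\S*)", re.I | re.M)


def iis_version(banner):
    """Return (major, minor) of the advertised IIS version, or None if not IIS."""
    m = IIS_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(banners):
    """Map each host that needs attention to a one-line finding; clean hosts are omitted."""
    findings = {}
    for ip, banner in banners.items():
        ver = iis_version(banner)
        if ver and ver[0] <= EOL_IIS_MAX_MAJOR:
            findings[ip] = f"end-of-life IIS {ver[0]}.{ver[1]} reachable from the internet"
        elif (m := ILO_RE.search(banner)):
            findings[ip] = f"server management board exposed ({m.group(1)})"
    return findings


def shodan_queries(org, keywords, extra_filters=""):
    """Build one org-scoped Shodan query per keyword so the audit covers only your own assets."""
    return [f'org:"{org}" "{kw}" {extra_filters}'.strip() for kw in keywords]


if __name__ == "__main__":
    for ip, why in sorted(triage(SAMPLE_BANNERS).items()):
        print(ip, why)
    print(shodan_queries("Example Corp", ["IIS/4.0", "IIS/5.0", "Windows NT 4.0"], "country:US"))
```

Feed triage() the banner field of real results for your own org and it gives you the list of hosts to patch, firewall, or unplug.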

But is it really as easy to find open security systems and SCADA systems as the mainstream media makes it seem? No, not really; you need to know very specific search terms to find these. But if you do know these terms, then it is a different story.

But sometimes these search words are very obscure, and of course they are not advertised.

But if you do know the terms you can find a lot of systems, like these overseas Wind Farm systems:

[Image: Wind Farm search results]

Wow, that is a lot of power and that is just one wind farm!

No worries though, the summary is a gimme; you are not allowed to change anything on these wind farm systems without logging in. I hope they use complex passwords…

You can find some pretty funny stuff too doing Shodan searches, like this one:

[Image: Shodan Funny]

I believe that Shodan is a critical tool for security specialists. With it you can search for your company and see what is actually out there. Many large companies have public facing systems that they have completely forgotten about. These systems may be exploitable and could allow an attacker into your internal system.

You can also check to see if you have public facing devices that are wide open. For example, what if your network administrator set up a print server and left it completely open on the internet? Do you really want someone from a different company or country going into your print server and telling it to e-mail them a copy of everything printed?

As usual with all security tools, some people will use Shodan for evil purposes. That is why it is critical that security departments use it first to check out their own company. Also make sure that the login credentials for any publicly facing system use a long, complex password.

A little bit of security goes a long way!

(When using Shodan remember, do not attempt to log in to a system that is not yours or try to access information that does not belong to you. Doing so is highly illegal and you could end up in jail.)