How hacker search engines can be useful to you. How to use the Shodan search engine to secure your network


Shodan is a search engine that lets you find devices with open access: cameras, connected devices and much more. In short, absolutely everything that connects to the Internet.

Shodan was created in 2009 by John Matherly and is at the moment the largest database of vulnerable devices.

At its core, Shodan is a site that allows anyone to check their device for vulnerabilities, but whether any are found or not, your device ends up in its database. If a vulnerability is found, it is listed too, together with the address at which a connection can be established. So think about whether you really need that.

There is already an article on this site about that method; in my opinion, it is the safer one.

Shodan itself has the following properties:

  • Explore the Internet of Things – Use Shodan to see what devices are connected to the Internet, where they are located and who is using them.
  • Monitor Network Security – Keep track of all computers on your network that are directly accessible from the Internet. Shodan helps you understand your digital footprint.
  • See the Big Picture – Websites are only one part of the Internet. There are power plants, smart TVs, refrigerators and much more that can be found in Shodan!
  • Get a Competitive Advantage – Who is using your product? Where are they located? Use Shodan to perform empirical market analysis.

Shodan - a search engine for hackers | Search in Shodan

Shodan positions itself as a search engine, so searching will not cause us any problems. Personally, though, I don't understand why such a resource is in the public domain.

And guess what? If you answered that the search is carried out through the address bar, you are right!

Of course, API usage or a full-fledged search with filters has to be paid for, but you can still find a lot of things.

An example of a search for webcams. By the way, Shodan can also show the location of an object on a map.

You can also see detailed information about any given webcam, as in our case.

As I already said, the resource is paid and not affordable for most people. The prices are quite high, except for the freelance package. You can see this for yourself.

Shodan - a search engine for hackers | Developers Mode | Enterprise Access

Enterprise Access to Shodan – includes many additional features:

  • Ability to save data.
  • License for data use.
  • Using Shodan to validate your firewall rules, monitor your devices, and save vulnerabilities to the cloud.
  • Your own database in Shodan.
  • +300 ports and +1 billion banners per month – promoting your resource.
  • Real-time stream.
  • Hard Drive Delivery – receive information from Shodan about your registered product every month.
  • Unlimited access.

Many people have probably heard of the formidable Shodan search engine, which is used so actively by various enthusiasts. It was developed by web developer John Matherly and is focused primarily on searching for devices connected to the Internet. Shodan probes device ports and, from the banners it receives in response, draws conclusions about devices and services. But Shodan is not as harmless as it seems at first glance.

Introduction

Please note that the article is written for informational purposes only and does not encourage readers to commit illegal actions!

On the right you can see lines like "Welcome to ASUS GT-AC5300 FTP service. 230 Login successful"; they mean that authorization succeeded.

But that is not all. If you enter the query Login successful into the search on its own, it returns a large list of everything you can connect to without logins and passwords. And there, it should be noted, are a lot of interesting things, sometimes even large sites.

Government agencies are also under attack

The icing on the cake: not everything is protected perfectly, however it may seem to the contrary. And the more complex the system looks at first glance, the weaker its protection.

But let us return to the search query: if you add WARNING to Login successful, you will see an interesting result (Figure 3).

Figure 3. List of vulnerable computers returned when the WARNING keyword is added to the Login successful query

Here you can also see computers of corporations and government organizations in various countries that are open to access (Figure 4).

Figure 4. One of the government computers shown for the vulnerable query

Pay attention to the red marker: there is a stern warning that this is one of the US government computers.

Storming the fortress

So, half the work is done; all that remains is to check whether Shodan actually knows which wall of the fortress has a hole. Let us look directly at the FTP request. What do we see?

Figure 5.

This is how you can log into the computer of this resource without any obstacles, without much effort and without third-party software.

Conclusions

Every day attackers penetrate computer systems to obtain personal data and confidential information. Often they succeed because of mistakes made by system administrators who cannot configure equipment properly, either through a lack of knowledge in information security or through plain laziness. It is even worse when such specialists work at enterprises that produce finished devices and program them incorrectly from the start. There are plenty of such "craftsmen" among the employees of government organizations. So do not be surprised if one day nuclear missiles suddenly take off on their own, because even the highest-profile incidents can begin with a vulnerability in a router.

To summarize: a seemingly secure system or resource may have a breach on some side, and through that hole a resource can be penetrated without any effort. Security staff in organizations of any size, and ordinary people too (after all, everyone has something to lose!), should remember that a fortress cannot stand when there is a huge hole in one of its walls.

Shodan search engine

All users are familiar with search engines such as Google, Yandex, Rambler, Yahoo and Bing, and many more domestic and foreign ones (Chinese ones, for example) could be listed.

Such search engines scour the Internet for web pages, pictures, videos, documents and news.

But in narrow circles, for example among services specializing in intelligence, cybersecurity and cyberattacks, other search engines are in use.

What is the SHODAN search engine? SHODAN polls the ports of machines connected to the network and collects the banners returned in response, then indexes those banners so that the corresponding devices can be found quickly. As a result, instead of returning the content of pages that match a search term, SHODAN helps its users find specific network nodes: desktop systems, servers, routers, switches, web cameras, printers, and so on.

Unlike Google, which searches the Internet for ordinary sites, Shodan works with the shadow channels of the Internet. Shodan operates 24 hours a day, 7 days a week, collecting information on 500 million connected devices and services every month.

In a talk at the Defcon hacker conference, independent penetration tester Dan Tentler demonstrated how SHODAN can be used to find:

  1. thermal evaporation systems;
  2. countless traffic lights;
  3. pressurized water heating boilers;
  4. garage door control systems;
  5. a traffic management system for an entire city, switchable to "test mode" by entering a single command;
  6. a hydroelectric power plant control system whose two turbines generate 3 megawatts each;
  7. control systems for a water park, a gas station, a hotel wine cooler and a crematorium;
  8. command and control systems of nuclear power plants and particle accelerators.

And what is especially notable about Shodan, with its terrifying capabilities, is that very few of the systems mentioned have any kind of security at all.

"It can cause serious harm," Tentler said of the potential for such capabilities to fall into the wrong hands.

Most often, this mysterious and massive carelessness is explained roughly like this: a great many of these industrial devices were never designed for online operation at all. Many companies want to buy systems that let them control, say, a heating system from a computer. But how is the control computer connected to the heating system? Instead of connecting the two directly, many IT departments simply plug both devices into the company's web server, unwittingly joining their purely internal channels to the rest of the world. In other words, the monstrous insecurity of such decisions comes down to the fact that, with a minimally competent approach, such things should not be on the Internet at all. And, as information security experts hope, search engines like SHODAN can help correct this disastrous situation.

But how can we ensure that SHODAN is used only for good? The engine's owner, John Matherly, caps searches at 10 results without registration and 50 with a registered account. If a user wants to see everything SHODAN has on a given account, Matherly requires additional information about the purpose of the searches, plus a fee for the service.

SHODAN's primary users are penetration testers, security professionals, academic researchers and law enforcement agencies. Naturally, Matherly admits that attackers can also use his search engine as a launching pad for their nefarious deeds, but this aspect does not particularly worry him. Cybercriminals are known to usually have access to botnets, that is, large collections of computers already infected with malware, which are capable of doing the same job as SHODAN, but without exposing their criminal interests to the legitimate information security community. In addition, the vast majority of criminal cyberattacks are focused on theft of money and intellectual property. So far nothing is known about criminal attempts to blow up heating systems in houses via the Internet or to cut down traffic lights en masse in cities. Security professionals, for their part, are doing everything they can to prevent such scenarios, including using SHODAN to identify all those unprotected devices and services connected en masse to the shared network.

If you do a simple search for "default password", you can find an endless number of printers, servers and control systems with the login "admin" and password "1234". Even more connected systems have no access credentials at all: you can connect to them using any browser.

Its developer, John Matherly, was asked to answer questions about how Shodan works.

Q: John, how did you get started on Shodan?

A: I started in my free time with a $100 Dell computer and worked little by little for three years. When I started I was adding 10,000 – 100,000 discovered devices per month; now I'm adding hundreds of millions. The speed at which I can work has now increased significantly.

Q: That's a lot. What is the purpose of creating Shodan?

A: It's not being used exactly for what I designed it for. In fact, I created Shodan so companies could track where their software is. Now it is used by security experts to search for programs, devices and vulnerabilities in various protection systems.

Q: Does Shodan work like Google?

A: Yes, they are similar. But Google bots follow the links; I don't do that. The only thing I do is pick a random IP from all the existing ones, whether or not it's online or in use at all, and try to connect to it through different ports. This is not a visual system, in the sense that you cannot use a browser for these purposes. Most people won't even be able to detect this easily because there is no visual representation of this information.

Q: So what devices that happen to be connected to the internet can you access? Anything you didn't expect to see?

A: One such device turned out to be, for example, a cyclotron, a charged-particle accelerator. This is equipment for theoretical physics experiments; it is very, very unstable and should not be connected to the Internet under any circumstances. There were also various strange things like crematoria. You see a person's name appear in the system and gain access to various cremation settings. It doesn't require any authentication, no passwords, nothing. There was also a huge megawatt hydroelectric power plant online in France. Interestingly, it already had a history of failures; the town next to it was once flooded due to an error at the station.

Q: Shouldn't things like power plants have more extensive protection systems?

A: One of the reasons this happens is that people are trying to save money. The Internet didn't even exist when most of these stations were built, so they simply bought an adapter to connect the complex to the Internet and saved some money on deploying a full-fledged secure system. It is quite obvious that they did not think about safety at all.

Q: Are you saying that so many things don't even require a password?

A: Yes. And even those devices that require authentication often use default settings, so all you need to do is go to Shodan and look for devices that use the default password.

Q: How do you feel about the potential threat arising from this state of affairs?

A: There are different levels of security problem. Internet-connected webcams may pose a minimal threat, but they can clearly violate personal privacy. Small devices are technically not a national security threat on their own. But if you have the ability to compromise hundreds of thousands of these devices, then it really becomes a national security issue, because by controlling that many devices in one country you can do an incredible amount of harm. So the problem becomes critical when large quantities are involved.

Q: Are you surprised that nothing serious has happened so far?

A: I think people underestimate the amount of technical knowledge necessary to move from discovery to successful use. And secondly, you never know how long a system has actually been exposed. You can access it, leave some program running in sleep mode, and when you need to use it for some strategic purpose, you can enter it again.

Q: So there could be a dormant virus on some important system right now?

A: Yes, it's quite possible. I mean, you need some knowledge anyway; you can't be a 16-year-old who just plugged into the control system of a power plant, it's not that simple. You can find it using Shodan, but to install your code into it you will need real knowledge of how the device works, especially when it comes to complex systems such as a power plant.

Q: What, then, stops well-trained criminals from using Shodan to cause harm?

A: People who actually know what they're doing and intend to do something illegal won't use Shodan to do it, because they don't want to leave a trail that could be traced back to them. Shodan is not an anonymous service. If you want to use it to get more than 50 responses to a query (and 50 is quite a bit), you'll need to provide your personal information, as well as a certain fee. If someone wants to do something really illegal, they use botnets that will collect the same information for them.


This article is intended for those who either have not heard of Shodan at all, or have heard of it but have not understood how to use it. I did not find similar materials in Russian; I gleaned some of the information and added the rest from personal experience. I will give examples of using the "most terrible search engine on the Internet", Shodan. The service was developed by web developer John Matherly and is focused primarily on searching for devices connected to the Internet.

Shodan polls device ports and, based on the banners received in response, draws conclusions about devices and services. The search engine is paid: an annual subscription costs $20, but you can try it out as follows: after free registration, 50 search results are available. You can find the history of its creation and the author's biography yourself if you are interested, but for now let us get down to business:

Filters

Search results can be filtered using the following constructs:

  • country: country, in the format RU, UK, US, etc., for example: nginx country:RU
  • city: city, for example: nginx city:"Moscow" country:RU
  • os: operating system, for example: microsoft-iis os:"windows 2003"
  • port: port number, 21, 80, 443, etc., for example: proftpd port:21
  • hostname: search by domain, for example: nginx hostname:.de
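When these filters are assembled by a script rather than typed by hand (for instance, a recurring check of what Shodan holds about one's own address space), it helps to validate and quote the values consistently. The following is an added example, not code from the original article or from Shodan: a small query builder that reproduces the filter syntax listed above. The filter names `country`, `city`, `os`, `port` and `hostname` are the ones from the list; `net` and `org` are further filters that Shodan supports; the netblock and hostname used at the bottom are constructed placeholders, and the `shodan.Shodan(...).search()` call mentioned in a comment belongs to the official Python client and is not executed here.

```python
"""Build Shodan filter queries programmatically (added example, not Shodan's code).

Filters `country`, `city`, `os`, `port` and `hostname` are the ones listed in the
text; `net` (CIDR block) and `org` (organisation name) are further filters that
Shodan supports. The aim is a defender's inventory query over their own estate.
"""
import ipaddress
import re

# Free-text filters whose values the examples in the text show in double quotes.
FREE_TEXT_FILTERS = {"city", "os", "org"}
KNOWN_FILTERS = {"country", "city", "os", "port", "hostname", "net", "org"}


def quote_value(name: str, value) -> str:
    """Return the value as it should appear after `name:` in a Shodan query."""
    text = str(value)
    if '"' in text or "\n" in text:
        raise ValueError(f"illegal character in value for {name}")
    if name in FREE_TEXT_FILTERS or re.search(r"\s", text):
        return f'"{text}"'
    return text


def validate(name: str, value) -> None:
    """Reject filter names Shodan does not have and values of the wrong shape."""
    if name not in KNOWN_FILTERS:
        raise ValueError(f"unknown filter: {name}")
    if name == "country" and not re.fullmatch(r"[A-Z]{2}", str(value)):
        raise ValueError("country must be a two-letter code such as RU or US")
    if name == "port" and not (isinstance(value, int) and 0 < value < 65536):
        raise ValueError("port must be an integer in 1..65535")
    if name == "net":
        ipaddress.ip_network(str(value), strict=True)  # raises ValueError on a bad CIDR


def build_query(base: str = "", **filters) -> str:
    """Assemble `base filter:value ...` in the order the filters were given."""
    parts = [base.strip()] if base.strip() else []
    for name, value in filters.items():
        validate(name, value)
        parts.append(f"{name}:{quote_value(name, value)}")
    return " ".join(parts)


def own_estate_queries(netblocks, hostname_suffix=None, org=None):
    """Queries a defender would run to see what Shodan has indexed about them:
    one `net:` query per CIDR block, plus optional hostname and org queries."""
    queries = [build_query(net=block) for block in netblocks]
    if hostname_suffix:
        queries.append(build_query(hostname=hostname_suffix))
    if org:
        queries.append(build_query(org=org))
    return queries


if __name__ == "__main__":
    # Reproduces the filter examples from the text.
    print(build_query("nginx", city="Moscow", country="RU"))
    print(build_query("microsoft-iis", os="windows 2003"))
    # Constructed values: a documentation netblock and a placeholder hostname.
    for q in own_estate_queries(["192.0.2.0/24"], hostname_suffix=".example.com"):
        print(q)
    # With the official client each query would be passed as
    # shodan.Shodan(API_KEY).search(q); that call is not made here.
```

The strict CIDR check matters for the defensive use: a typo such as a host address with a /24 suffix would silently widen or narrow the range being monitored, so the builder refuses it instead.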

Example 1: Cisco devices

To follow the first example, you need to remember the basic HTTP response codes:

  • 200 OK: the request succeeded;
  • 301 Moved Permanently: the resource has been assigned a new permanent URI;
  • 302 Found: the resource resides under a different URI;
  • 401 Unauthorized: the request requires authentication;
  • 403 Forbidden: the request is denied regardless of authentication.

In this example we will try to find Cisco devices with a web interface that does not require authorization.
First, let us see what a typical "401 Unauthorized" Cisco device banner looks like if we simply enter "cisco" in the search bar:

    HTTP/1.0 401 Unauthorized
    Date: Thu, 20 Oct 1994 05:18:36 GMT
    Server: cisco-IOS
    Connection: close
    Accept-Ranges: none
    WWW-Authenticate: Basic realm="level_15_access"

Note that the line WWW-Authenticate: Basic realm="level_15_access" indicates that a login and password must be entered.
A device on which authorization is not required will instead return a banner with status 200 (to find these, enter "200 cisco" in the search bar); a Last-Modified line is a sure sign that this is "our client":

    HTTP/1.0 200 OK
    Date: Mon, 08 Sep 2014 22:28:16 GMT
    Server: cisco-IOS
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html
    Expires: Mon, 08 Sep 2014 22:28:16 GMT
    Last-Modified: Mon, 08 Sep 2014 22:28:16 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Accept-Ranges: none
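The 401-versus-200 reading the two banners above illustrate, and the port-probing and banner-collection that the earlier description of how Shodan works relies on, can be turned into an automatic triage of Shodan's data for one's own address range: which exposed web interfaces demand credentials and which serve a page to an unauthenticated scanner. The following is an added example, not code from the original article or from Shodan. It parses raw HTTP banners like the two quoted, labels each, and summarises one host record. The record layout (a `data` list of entries with `port` and `data`) is an assumption modelled on Shodan's host JSON; the FTP banner, the 403 banner and the host record itself are constructed, and 192.0.2.10 is a documentation address.

```python
"""Triage HTTP banners the way the text does by hand (added example, not
Shodan's or the article's code). A 401 with WWW-Authenticate means the
interface demands credentials; a 200 from a device web server means it served
a page to an unauthenticated scanner, the "our client" case in the text.
"""
import re

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")


def parse_http_banner(raw: str):
    """Return (status_code, headers) or (None, {}) if the banner is not HTTP.

    Handles CRLF or LF line endings, stops at the blank line that precedes a
    body, lower-cases header names and keeps repeated headers as a list.
    """
    lines = raw.replace("\r\n", "\n").lstrip("\n").split("\n")
    match = STATUS_RE.match(lines[0].strip())
    if not match:
        return None, {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        if ":" not in line:
            continue  # tolerate truncated or garbled lines in scraped banners
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(match.group(1)), headers


def classify_banner(raw: str) -> str:
    """Map a banner to a short finding label."""
    status, headers = parse_http_banner(raw)
    if status is None:
        return "not-http"
    if status == 401:
        return "auth-required" if "www-authenticate" in headers else "401-without-challenge"
    if status in (301, 302):
        return "redirect"
    if status == 403:
        return "forbidden"
    if status == 200:
        server = " ".join(headers.get("server", [])).lower()
        # A device web server answering 200 with a Last-Modified page is the
        # unauthenticated management interface the text describes.
        if "cisco" in server and "last-modified" in headers:
            return "open-management-interface"
        return "open-200"
    return f"other-{status}"


def audit_host(record: dict) -> list:
    """Summarise one host record as [(port, server, label), ...]; the record
    layout is an assumption modelled on Shodan's host JSON."""
    findings = []
    for entry in record.get("data", []):
        banner = entry.get("data", "")
        _, headers = parse_http_banner(banner)
        server = headers.get("server", ["-"])[0]
        findings.append((entry.get("port"), server, classify_banner(banner)))
    return findings


# The two banners quoted in the text, plus constructed extras for other paths.
BANNER_401 = (
    "HTTP/1.0 401 Unauthorized\r\nDate: Thu, 20 Oct 1994 05:18:36 GMT\r\n"
    "Server: cisco-IOS\r\nConnection: close\r\nAccept-Ranges: none\r\n"
    'WWW-Authenticate: Basic realm="level_15_access"\r\n\r\n'
)
BANNER_200 = (
    "HTTP/1.0 200 OK\r\nDate: Mon, 08 Sep 2014 22:28:16 GMT\r\nServer: cisco-IOS\r\n"
    "Connection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n"
    "Expires: Mon, 08 Sep 2014 22:28:16 GMT\r\nLast-Modified: Mon, 08 Sep 2014 22:28:16 GMT\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\nAccept-Ranges: none\r\n\r\n<html>"
)
BANNER_FTP = "220 FTP server ready\r\n"  # constructed; not HTTP at all
SAMPLE_HOST = {  # constructed record; 192.0.2.10 is a documentation address
    "ip_str": "192.0.2.10",
    "data": [
        {"port": 21, "data": BANNER_FTP},
        {"port": 80, "data": BANNER_200},
        {"port": 8080, "data": BANNER_401},
    ],
}

if __name__ == "__main__":
    for port, server, label in audit_host(SAMPLE_HOST):
        print(f"{SAMPLE_HOST['ip_str']}:{port:<5} {server:<10} {label}")
```

Run over a defender's own ranges, the "open-management-interface" and "open-200" labels are the ones to act on: put the interface behind a VPN or ACL, enable authentication, or remove the service from the Internet-facing side entirely, then re-query to confirm the banner has changed.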

Example 2: Default passwords

There are many devices connected to the Internet with default logins and passwords; let us try to find some. To do this, write "default+password" in the search bar. Let us also add port:80 to select devices with web authentication.

As a result we will see many banners containing the search phrase and, as practice shows, a large percentage of the devices will have a login/password like admin/password, admin/pass, and so on.

Example 3: CCTV cameras

While in the case of network devices users in most cases set more or less strong passwords, the situation with other equipment is much worse. In this example we will look at CCTV cameras. At work, I often come across DVR video recorders, some of which are reachable from the network. We write in the search bar: DVR port:80 country:RU city:"Saint Petersburg" and get a list of DVRs in St. Petersburg; about 200 devices were found.

Standard accounts on such devices are admin and user, with passwords admin, user, 1111, 1234, 123456, 8888 (these can be found in the manuals). Already on the first page there is a device with a standard account:

Example 4: Popular searches

In the Popular Searches section you can look at query options, for example a search for Avtech IP video cameras in the USA: linux upnp avtech country:US; add the usual port:80 filter to it:

And again, on the first page of the search there is a device into which you can log in using admin/admin:

Results

To summarize, I would like to remind all users once again: please set strong passwords on ALL devices connected to the network. Even if you do not have "secret" data in your DVR or smart TV, that does not mean these devices cannot become targets for attackers, even if just for fun.

CNN once called Shodan "the most terrible search engine on the Internet." And even its name really does sound scary. Even though that was three years ago, Shodan has not evolved much since then. For those unfamiliar with Shodan, it searches for Internet-connected devices around the world. That includes not only computers and smartphones: it can also find wind turbines, traffic lights, license plate readers, refrigerators and almost any other device connected to the Internet.

Let us not forget that many of the devices we use every day are not secure. So such a search engine is a hacker's dream. Shodan is not the only search engine of this type. In this article we will look at four more search engines that focus on finding vulnerabilities. Perhaps some of them are familiar to you.

First, let us learn more about Shodan.

Shodan

Figure 1. Shodan search engine

Let us remind you that Shodan is not a new search engine, but it is constantly updated. Its name is a reference to SHODAN, a character from the System Shock series. The most common query in this search engine is "Server: SQ-WEBCAM"; it shows the number of currently connected IP cameras. If you are trying out Shodan for the first time, enter this top query and see what comes up.

The main reason Shodan is considered a good search engine for hackers lies in the kind of information it can provide (for example, connection types). Although you can find similar information on Google, you have to use the right search terms to do so, and they are not always obvious.

Another of the most popular queries in Shodan is "default password". You will be surprised how many devices are listed in the search results for this query. Let us hope yours is not there, but if it is, you had better change your password.

Shodan is quite useful if you are looking for more specific information. A good example: search for "SSH port:'22'". You will see many devices running SSH on port 22.

In the search results you can also see the IP address, location, and the ports the device is using.

Shodan also usually shows some properties of each device, for example: MAC algorithms, encryption algorithms, compression algorithms.

If you notice that information about your device that you do not want to make public appears in Shodan searches, you might want to consider patching it. This information is just as important to testers as it is to hackers.

Of course, it will also be interesting for a regular user, who is neither a hacker nor a tester, to explore Shodan and see what information it produces.

Another scary query is "port:'6666' kiler", which finds devices infected with the KilerRat Trojan.

Figure 2. KilerRat Trojan

KilerRat is a Trojan that provides remote access to the infected computer. It can steal credentials, change registry entries, and gain access to the user's webcam.

PunkSPIDER

Figure 3. PunkSPIDER search engine

At first glance, PunkSPIDER does not look like a big and serious search engine, especially compared with Shodan. But their goals are similar. PunkSPIDER is a system for finding vulnerabilities in web applications. It is based on PunkSCAN, a security scanner. PunkSPIDER can search for vulnerabilities to the following types of attacks: cross-site scripting (XSS), blind SQL injection (BSQLI) and path traversal (TRAV).

Even if you have no idea what these types of attacks are, you can still use PunkSPIDER to check your site for vulnerabilities.

Here is an example result for the query "site":

    Scanned: 2016-08-11T20:12:57.054Z

    Bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall risk:0

The first line displays the domain. The second line shows the date and time the domain was added to the PunkSPIDER system. In the third line you can see a list of the various attack types and whether places vulnerable to them were discovered.
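When checking many of one's own domains, these three-line records are easier to handle as structured data. The following is an added example, not PunkSPIDER's code nor the article's: a parser for the record format described above that tolerates spacing and case differences, returns the counts per attack class, and lists the classes with at least one finding. The domain names in the samples are placeholders, the second record is constructed to show a non-zero case, and the counts line of the first record is the one quoted above.

```python
"""Parse PunkSPIDER result blocks (added example, not PunkSPIDER's own code).

A record is three lines: the domain, a `Scanned:` timestamp and a `|`-separated
list of vulnerability-class counts ending in `Overall risk`. The parser is
lenient about case and spacing and flags which classes have non-zero hits.
"""
from datetime import datetime, timezone


def parse_punkspider_record(text: str) -> dict:
    """Turn one result block into {domain, scanned, counts, overall_risk}."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    record = {"domain": None, "scanned": None, "counts": {}, "overall_risk": None}
    for line in lines:
        lowered = line.lower()
        if lowered.startswith("scanned:"):
            stamp = line.split(":", 1)[1].strip()
            record["scanned"] = datetime.strptime(
                stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        elif "|" in line and ":" in line:
            for field in line.split("|"):
                key, _, value = field.partition(":")
                key, value = key.strip().lower(), int(value.strip())
                if key == "overall risk":
                    record["overall_risk"] = value
                else:
                    record["counts"][key] = value
        elif record["domain"] is None:
            record["domain"] = line
    if record["overall_risk"] is None:
        # Fall back to the sum of per-class hits when the total is missing.
        record["overall_risk"] = sum(record["counts"].values())
    return record


def flagged_classes(record: dict) -> list:
    """Attack classes with at least one vulnerable location, sorted."""
    return sorted(key for key, hits in record["counts"].items() if hits > 0)


# Constructed samples: placeholder domains; the first counts line is the one
# quoted in the text, the second record is made up to show findings.
CLEAN_RECORD = """example.com
Scanned: 2016-08-11T20:12:57.054Z
Bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall risk:0
"""
DIRTY_RECORD = """blog.example.net
Scanned: 2016-08-12T09:00:00.000Z
Bsqli:1 | sqli:0 | xss:3 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall risk:4
"""

if __name__ == "__main__":
    for block in (CLEAN_RECORD, DIRTY_RECORD):
        rec = parse_punkspider_record(block)
        print(rec["domain"], rec["scanned"].date(), "risk", rec["overall_risk"],
              "flagged:", flagged_classes(rec) or "none")
```

A site owner can feed the parsed `scanned` timestamp into a check that the last scan is recent enough to trust, and treat any non-empty `flagged_classes` result as a ticket to open rather than a reason to panic, since a hit only says a scanner found a suspicious location, not that the site is compromised.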

If you make more general queries using terms like "blog", "social media", "forum" or "porn", you will get hundreds of results. The fact that a site appears in the results does not mean it is infected. For more flexible use of PunkSPIDER, you can consult its help.

You can also check how this works with sites on the Tor network. If we search for ".onion" we get 588 results. It is not clear whether they are all infected, but this can be checked.

IVRE

Figure 4. IVRE search engine

The IVRE search engine, unlike Shodan or PunkSPIDER, is made for hackers, programmers and testers. Even using its main console requires basic knowledge of network technologies.

So what is IVRE (Instrument de veille sur les réseaux extérieurs)? It is open source, written in Python and backed by MongoDB. It uses tools such as Bro, Argus, NFDUMP and ZMap to display data about Internet-connected devices. IVRE can also import XML output from Nmap and Masscan.

The main IVRE website presents Nmap scan results, which can be sorted using keywords (in this sense there are similarities with Shodan). Here are some keywords to try: "phpmyadmin", "anonftp", "x11open". Filtering by "phpmyadmin" returns phpMyAdmin servers, "anonftp" finds FTP servers that allow anonymous access, and "x11open" finds open X11 servers. This may not be a revolutionary discovery, but if you spend some time understanding the principles and features of IVRE, you will discover how useful this search engine is.

The example below shows search results for the keywords "phpmyadmin" and "sortby:endtime".

Figure 5. IVRE search results

Those who want to know more about IVRE's technical features should visit its GitHub. You can also read them, although they have not been updated for a long time.

ZoomEye

Figure 6. ZoomEye search engine home page

ZoomEye, like its counterparts, looks for Internet-connected devices and vulnerabilities. But before you say "we've been through this before", let us figure out what its features are.

The developers behind ZoomEye are Knownsec Inc., a Chinese security company based in Beijing. The first version of this search engine was released in 2013, and the latest is known as ZoomEye 3.0.

Again, you can get more out of this search engine if you know the specific strings and keywords to search for. Here are some examples:

  • Apache httpd – finds Apache HTTP servers.
  • device:"webcam" – finds webcams connected to the Internet.
  • app:"TED 5000 power use monitor" – finds The Energy Detective (TED) monitors.

ZoomEye, like Shodan, lets you easily filter search results by country, public devices, web services, and so on. If you do not know what to look for, the search engine shows popular queries.

In some cases, even searching for a random word can lead to quite interesting results. For example, try searching for the word "zombie".

Censys

Finally, let us look at Censys. Like the search engines described above, it searches for devices connected to the Internet. Censys collects data using ZMap and ZGrab (an application-layer scanner built on ZMap) and scans the IPv4 address space.

You can experiment with Censys. Here are some examples you can use to search:

https://www.censys.io/ipv4?q=80.http.get.status_code%3A%20200 – this query finds all hosts returning a specific HTTP status code.

You can also enter an IP address in the search bar, such as "66.24.206.155" or "71.20.34.200". Additionally, Censys can perform full-text searches. If you search for "Intel" you will find not only Intel devices, but also hosts with "Intel" in their registration data. As in most search engines, you can use the logical operators "and", "or" and "not".

Again, this information is only meant to help you know where to start. As you gradually get to know the system, you will find many more useful functions.

What about the instruction manual?

Working with most of these search engines will take a little practice before they really become effective tools. But it will be interesting simply to see how they work and what results they produce.

For those who are no longer new to this, these search engines can become powerful tools. They can also be very useful for developers.

So if searching for "SMTP server" or "APC AOS cryptlib sshd" makes you smile knowingly, you are highly recommended to try all the search engines described above.





    

    2024 gtavrl.ru.