Threat Intelligence / OSINT / NETSEC / NATSEC

On a Shodan safari - about discovering what is connected to the Internet

In the last post, we visited airports and tracked planes. This time we will come back down to earth, but we will once again wander to distant corners of the globe. Observing the devices that surround us, it is not difficult to notice that more and more of them want to connect to the Internet - TVs, refrigerators, vacuum cleaners, thermostats - all of these gradually gain functionality that can only be used once they are online. The phenomenon of devices being widely exposed to the world is not so new, however, and in 2009 John Matherly created Shodan, a search engine for finding devices connected to the Internet regardless of their type. The scope and amount of cataloged information is truly impressive; as one illustration, we can look at how over the last 4 years the number of Let's Encrypt certificates has increased by over 10 million:

Shodan historical data for use of Let's Encrypt certs

If we look at the devices we see in Poland at the moment, we will find nearly 4 million of them:

Shodan offers several types of accounts, ranging from a fairly capable free tier to a business tier priced at close to $900 per month.

Shodan paid accounts pricing

For most users, the most interesting option will probably be Shodan Membership. In this variant we pay only once and gain access to a number of the most useful functions, such as the use of search operators, change monitoring for 16 IP addresses, access to the API and the image search engine. Membership costs $49 as a one-time fee and is definitely worth the price, but it is worth watching for a promotion - around Black Friday or other holidays the price is often significantly reduced. I bought the account for $4, which given the possibilities it opens up is a negligible expense.

Shodan is the best-known website of this type, but not the only one, so let's also take a look at the alternatives.

ZoomEye - a Chinese website that works on an almost identical principle to Shodan. For regional and political reasons the results will not always be exactly the same: some of the things we find on ZoomEye will not be on Shodan and vice versa. Initially we may get the impression that ZoomEye has much more data, e.g. the result for Poland shows over 24 million records:

However, we have to point out that ZoomEye mixes up-to-date and historical results, unlike Shodan, which shows the current state. So again, depending on what data we need, it is worth visiting both websites. There are no dramatic differences in the data acquired; the main difference is in how the data is presented. Let's look at the first example for an IP address, first on ZoomEye:

and Shodan:

Shodan results for host 109.95.158.64

ZoomEye also has paid account tiers that give access to extended functionality such as downloading data sets or searching IPv6.

Censys.io - yet another search engine for things connected to the Internet. Censys, however, has a more "cyber" profile, let's say; I used it quite often to map infrastructure used in attacks, searching for connections between domains that used the same TLS certificate. A public example of such an analysis can be found in the ThreatConnect report "A Song of Intel and Fancy", in which properties of a certificate were used to discover infrastructure used by the Fancy Bear group. Returning to our sample host, we again see a similar range of data:

Censys is a more business-oriented solution: apart from the free version, it does not offer accounts for private users with, for example, an extended feature set. For the purpose of supplementing results from other sites like Shodan, the free version should nevertheless be sufficient.

LeakIX - a relatively new website whose purpose is to collect information about data leaks and open services. Entering our sample IP address, we will not find one table with all the data, but rather a breakdown by individual services and technologies:

In the Reports tab you will also find write-ups of vulnerabilities that have been found, reported to the owners and patched; LeakIX gives owners 30 days to react before the data is made public:

The idea behind the website is open access to data, so there are no paid versions. We can, however, set up an account that allows us to report vulnerabilities as part of the website's activities.

So that is an overview of some interesting tools that allow you to collect information about devices connected to the Internet. We will now take a closer look at what we can find in Shodan, but before we get to the point, it is worth quoting Uncle Spider-Man's words: "With great power comes great responsibility". Since its inception, Shodan has met with criticism and controversy over the fact that it makes it easy to search for vulnerable hosts, cameras accessible from the Internet or even control interfaces of industrial systems. Projects like AutoSploit, which automate unauthorized access by combining Shodan or ZoomEye with offensive tools like Metasploit, do not help either. Personally, I am of the opinion that such services help far more than they harm, by showing the scale of device exposure on the Internet and enabling researchers to collect data effectively and companies to proactively assess their attack surface and resource exposure. An episode of the comic Little Bobby by Robert M Lee and Jeff Hass can be cited here:

Bearing this in mind, I would just like to appeal for elementary responsibility and decency in whatever activities you carry out. If we find an industrial process control panel exposed to the Internet, it is clear that the owners should take better care of the IT architecture in their organization, but let's not add fuel to the fire by using such access irresponsibly.

If we already have access to Shodan and a Membership account, we can start from the Explore tab, where we find the most popular search filters, such as ICS mapping (industrial control systems), databases, game servers or webcams. ICS is always an interesting topic, so let's move on to that tab:

As we can see, Shodan itself suggests search syntax for the most popular types of industrial controllers. So let's look at the example of the Siemens S7 - the same family of controllers that Stuxnet attacked at the Natanz uranium enrichment facility.

As we can see, the syntax of the default search is not particularly fancy - Shodan's hint is simply port 102, which is indeed the default port for this type of device, but after all any service can be run on that port. In the attached picture we can see a fragment of the search result in which the HTTP server (returning code 200, i.e. a successful response) identifies itself as IPCam Client, which is not what we meant. Let's try to narrow our search a bit: the controller we are looking for is the Siemens S7, so let's add "S7" as a search term:

Now it's much better - the results are few, but the "ICS" tag and the information in the server's response let us assume that these are the controllers we want. So we can use them as the basis for a broader search.

Here we see at least a few elements that can act as a starting point - for example part of the PLC name. PLC stands for Programmable Logic Controller, so we can assume that this string will be present even if the device is not an S7 model. We can then combine these modifiers and narrow the results down to the country we are interested in, e.g. Poland.

Now it looks quite good: all results start with "Copyright: Original Siemens Equipment", which indicates we have found what we are looking for. Shodan will also let us break the results down by city and organization:
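The narrowing procedure above (start from port 102, add the "S7" term, then the country filter, then break the hits down by city and organization) can be reproduced offline against a saved search result. The following is an added example, not code from the post or from Shodan; the sample records are constructed and their field names are assumed to follow the shape of a Shodan host-search API response (`matches`, `ip_str`, `data`, `location`, `org`, `tags`).

```python
import json
from collections import Counter

# Constructed sample in the shape of a Shodan host-search response
# (field names assumed to follow the Shodan REST API "matches" list).
SAMPLE_RESPONSE = json.dumps({"matches": [
    {"ip_str": "203.0.113.10", "port": 102, "org": "Example Energy",
     "location": {"country_code": "PL", "city": "Krakow"}, "tags": ["ics"],
     "data": "Copyright: Original Siemens Equipment\nPLC name: Pump-Station-1"},
    {"ip_str": "203.0.113.11", "port": 102, "org": "Example Water",
     "location": {"country_code": "PL", "city": "Gdansk"}, "tags": ["ics"],
     "data": "Copyright: Original Siemens Equipment\nPLC name: WTP-Line-2"},
    {"ip_str": "203.0.113.12", "port": 102, "org": "Home ISP",   # false positive
     "location": {"country_code": "PL", "city": "Warsaw"}, "tags": [],
     "data": "HTTP/1.1 200 OK\r\nServer: IPCam Client\r\n"},
    {"ip_str": "198.51.100.5", "port": 102, "org": "Example Energy",
     "location": {"country_code": "DE", "city": "Berlin"}, "tags": ["ics"],
     "data": "Copyright: Original Siemens Equipment\nPLC name: Press-Line"},
]})

def build_query(port=None, country=None, text=None, label=None):
    """Compose a Shodan query string from the filters used in the post."""
    parts = []
    if text:
        parts.append(f'"{text}"')          # free-text banner term, e.g. S7
    if port:
        parts.append(f"port:{port}")
    if country:
        parts.append(f"country:{country}")
    if label:
        parts.append(f"screenshot.label:{label}")  # Images module filter
    return " ".join(parts)

def is_siemens_plc(match):
    """True when the banner carries both markers the post relies on."""
    banner = match.get("data", "")
    return "Original Siemens Equipment" in banner and "PLC name" in banner

def filter_matches(raw_json, country=None):
    """Keep only Siemens PLC banners, optionally restricted to one country."""
    matches = json.loads(raw_json)["matches"]
    return [m for m in matches
            if is_siemens_plc(m)
            and (country is None or m["location"]["country_code"] == country)]

def summarize(matches, field):
    """Count hits per city or per organisation, like Shodan's facet view."""
    if field == "city":
        return Counter(m["location"]["city"] for m in matches)
    return Counter(m.get(field, "unknown") for m in matches)
```

Running `filter_matches(SAMPLE_RESPONSE, country="PL")` drops both the IPCam Client false positive and the German host, leaving the two Polish PLC banners to summarize.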

If, on the other hand, we want a broader picture of what interfaces are exposed to the Internet, it is worth using the Images module, which collects screenshots from devices that provide some form of graphical interface - in the case of RDP, for example, we see the Windows login screen. A useful shortcut here is that while the "tag" option, which searches for hosts of a given type, requires a business account, in the Images search engine we can freely use "screenshot.label:". So if we want to see which ICS device interfaces in Poland have been caught by Shodan, we can use the query "screenshot.label:ics country:PL":

As we can see, Istobal devices are by far the most common among the screenshots Shodan's crawlers have collected. A quick search tells us that Istobal is a car wash manufacturer, and the interfaces found are most likely the control panels of car washes connected to the Internet.

The discovery of industrial systems is of course only a small slice of Shodan's capabilities, but it illustrates both what the tool can do and the scale of how many things, needed or not, are now connected to the network.
