
Shodan For the .Edu

2014 Educause Security Professionals Conference

7 May, 2014

Shawn Merdinger

Healthcare Security Researcher

Learning Objectives

● Shodan Search Engine Overview
● Example Findings
● Search Terms and Parameters
● Developing Your .EDU's Shodan Strategy

What is Shodan?

● Computer search engine
● One man's project, launched in late 2009: John Matherly, Austin TX
● Significant media coverage
  – “World's most dangerous search engine” - Washington Post
  – “Nefarious tool that must be stopped” - Sen. Joe Lieberman
● My WhiteHat legitimate use
● Project SHINE (SHodan INtelligence Extraction)
  – 1,000,000+ ICS/SCADA devices discovered & shared with DHS ICS-CERT
● Healthcare and medical device exposure
  – Current projects and conferences with Scott Erven

How Does Shodan Work?

Shodan

● Scans the entire Internet IPv4 space .... mostly
● Hits dozens of TCP/UDP ports
● Captures the service banner and, where possible, the replies to unauthenticated information queries
● Places results into a Web-based search engine
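The core of what the slide describes is a banner grab: connect, optionally send one harmless probe, record whatever the service volunteers, and never authenticate. The following is an added example written for this page, not Shodan's own scanner; the probe strings for ports 80 and 9100 and the throwaway local service used to run it offline are this example's assumptions.

```python
"""Banner grabbing the way the slide describes it: connect, maybe send one
harmless probe, record what the service volunteers, never authenticate.
Example code added for this page; not Shodan's scanner."""
import socket
import threading

# Probes for a few well-known ports. Constructed for this example; Shodan's
# real per-port probe set is not published on the slides.
PROBES = {
    80: b"HEAD / HTTP/1.0\r\n\r\n",                       # HTTP Server: header
    9100: b"\x1b%-12345X@PJL INFO ID\r\n\x1b%-12345X",    # PJL printer model query
    21: None,                                             # FTP greets first
    22: None,                                             # SSH sends its version string
}


def grab_banner(host, port, probe=None, timeout=3.0, max_bytes=1024):
    """Return the first bytes a service shows an unauthenticated client,
    or None if the port is closed/unreachable.

    `probe` overrides the PROBES table; leave it None to use the table."""
    if probe is None:
        probe = PROBES.get(port)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if probe:
                sock.sendall(probe)
            chunks, got = [], 0
            while got < max_bytes:
                try:
                    data = sock.recv(max_bytes - got)
                except socket.timeout:
                    break          # service said all it will say unprompted
                if not data:
                    break          # remote closed the connection
                chunks.append(data)
                got += len(data)
            return b"".join(chunks).decode("utf-8", "replace")
    except OSError:
        return None


def serve_banner_once(banner, wait_for_probe=False):
    """Throwaway local TCP service that answers one connection with `banner`.
    Only here so the example runs offline; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            if wait_for_probe:     # e.g. a PJL printer answers only when asked
                conn.settimeout(3.0)
                try:
                    conn.recv(1024)
                except socket.timeout:
                    pass
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed services standing in for an FTP daemon and a PJL printer.
    ftp_port = serve_banner_once(b"220 printer-01.example.edu FTP server ready\r\n")
    print(grab_banner("127.0.0.1", ftp_port))
    pjl_port = serve_banner_once(b'@PJL INFO ID\r\n"HP LaserJet 4250"\r\n',
                                 wait_for_probe=True)
    print(grab_banner("127.0.0.1", pjl_port, probe=PROBES[9100]))
```

Note that the PJL case only returns data because the probe asked; that is exactly the "no-auth info query" the slide refers to, and it is why a printer's model string ends up indexed even though the device never greets on connect.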

Users

● Register for a free Shodan account
● Search using the Web interface or API
● Optional purchase
  – Export search results in CSV for other tools and parsing
  – Telnet, SSL, etc. search capability

API: developers.shodan.io

● Python, Ruby, Perl
● Use your API key for authentication (issued when you register)

John Matherly's Shodan Blog

Shodan's Limitations

● This is just one man's project
● Does not cover IPv6 space
● Constant tweaks, occasional glitches
● Not five-nines uptime
● You don't have the same level of access as me

With that said ..... we're in a “Golden Age” of scanning

● Leverage scans.io, archived at UMich
● “Roll your own” with nmap, amap, masscan, etc.
● No excuse not to develop in-house capability ...

Other Tools Leveraging Shodan

● Metasploit module
● Maltego
● SpiderFoot
● (new) Shodan Maps
  – Maps search term results
  – Not typically useful for a single geographic location like a .EDU, unless it has remote sites
  – Still worth looking at for outliers and unknown systems
  – Search using your .EDU's CIDR (like a class B)

Shodan Maps Example

Mapping routers with backdoors

Example Shodan Discoveries

No longer telling .EDUs of findings: response failures, unable to grok & fix, 'kill the messenger' attitude, huge time suck, thankless work


Old and Busted


New Hotness

How I see .EDU networks ...


Expected

● Webservers
● Home routers
● Webcams ... lots of webcams
● VoIP systems
  – IP phones, VoIP routers & gateways, conference systems
● Misconfigured commercial routers, switches
  – Embassies, hotel conference centers, target countries (Iran Particle Research University)
● Printers
  – MFPs, scanners, complete OS, multiple services
  – Bigger threat than you may think ... disaster waiting to happen

Esoteric

● Automated car wash systems (LaserWash)
● Cell tower UPS backup power + solar (900 in Italy)
● Gas station pumps (500 in Turkey)
● Red light traffic ticketing cameras
● Convenience store safes with current cash amounts
● Cisco Lawful Intercept routers (CALEA)
  – “Taps” DSL and cable modems ... of only “bad guys”, of course
● BlueCoat proxies
  – ITAR export violation: used against Syrian protesters

Egregious

**Reported to DHS ICS-CERT**

● Crematorium
● Caterpillar 7xx-series mining trucks (largest in the world)
  – Mostly located at the Canadian tar sands ... mostly ...
● SCADA/ICS systems
  – Power stations, water treatment, solar & windmill farms, TV station antennas
  – Traffic lights (Die Hard 4 'fire-sale' style)
  – Building control systems: HVAC, lighting, power, electronic door controllers
● US Emergency Alert System (zombie-alert hacks via TV have already happened)
  – Still vulnerable per IOActive research; DHS blamed user misconfiguration (wrong!)

Medical Devices and Healthcare

● Fetal monitoring, neurosurgery VLANs, glucose meters, Windows XP
● Likely will start reporting exposed healthcare and medical devices to HHS OCR

Printer Attack: Script Kiddie (Pre)-101

● Discover Internet-facing .edu printers via Shodan (or scanning)
● Convert child pornography image to PJL printable format
● One line of code via Tor. Script, loop, rinse 'n repeat. Reap lulz.
  – 'cat kp.img | nc xxx.xxx.xxx.xxx 9100' (plenty of other ways, too!)

Results?

● Printer is now a federal/state crime scene (connected PCs are also suspect)
● Hostile work environment class action lawsuit (HR, employee fallout)
● Press, press and moar press (and all the incorrect stories as a bonus)
● .EDU tried to cover up or doesn't report?
● ... Now that your security team is distracted, real hackers go after the $$$ data
● $1,000,000 statutory fine for Florida .EDUs ... per incident
● And what happens to you? Ask Target's (now former) CISO, CIO, CEO
  – You will be the fall guy/gal (unless you have really covered yourself)
  – Google searches for your name will have “child porn breach” associated ... forever

port:9100 hostname:edu (38,613 hits)

SCADA on .EDU Networks

ModBus TCP/502 (653 hits)


Niagara on .EDU Networks

Niagara Building Management (898 hits)

Shodan Search Filters ... The “Magic”

Example Searches

Effective searches start with good questions!

● What IP addresses are on my public network?
● How many Web servers are on my public network?
● What Cisco devices are on my public network?
● Do I have any VoIP phones on public IP?
● How many Windows XP hosts are Internet exposed?
● How many public IP printers have no password set?
● What is running Telnet, SSH, RDP, VNC, IPMI?
● What is running SNMP with the 'public' community?
● Are there any SCADA/ICS devices exposed?
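Turning those questions into Shodan filter strings, and sorting what comes back into the concern buckets this talk keeps returning to (printers, SCADA/ICS, no-auth services, network infrastructure, old OS/web), is the repeatable part of the work. The following is an added example, not code from the talk: the filter names (net:, port:, os:, hostname:) are real Shodan syntax, but the port-to-bucket rules, the match dictionaries and the 203.0.113.0/24 range are this example's constructions in the shape the Shodan API returns (ip_str, port, product, os, data).

```python
"""Map the exposure questions on this slide to Shodan queries scoped to one
.EDU, then bucket API matches by the talk's top concerns.
Example code added for this page; the grouping rules are this example's."""
import ipaddress
from collections import defaultdict

# Port sets standing in for each concern. Port-to-protocol mapping is standard
# (502 Modbus, 1911 Niagara Fox, 47808 BACnet, 623 IPMI); the grouping is ours.
PRINTER_PORTS = {9100, 515, 631}
NOAUTH_PORTS = {21, 23, 161, 623, 3389, 5900}
ICS_PORTS = {502, 1911, 47808}
VOIP_PORTS = {5060, 5061}


def build_queries(cidr):
    """One Shodan query per question, each restricted with net: to `cidr`.
    Raises ValueError on a malformed range rather than searching the world."""
    scope = f"net:{ipaddress.ip_network(cidr, strict=False)}"
    return {
        "hosts":    scope,
        "web":      f"{scope} port:80,443,8080,8443",
        "cisco":    f"{scope} cisco",                   # free-text banner match
        "voip":     f"{scope} port:5060",               # SIP
        "xp":       f'{scope} os:"Windows XP"',
        "printers": f"{scope} port:9100",               # compare: port:9100 hostname:edu
        "noauth":   f"{scope} port:23,22,3389,5900,623",
        "snmp":     f"{scope} port:161",                # then read the banner for sysDescr
        "ics":      f"{scope} port:502,1911,47808",
    }


def triage(matches):
    """Sort Shodan API matches into the strategy slide's concern buckets.
    A match may land in more than one; anything unmatched goes to 'other'
    so nothing silently disappears from the report."""
    buckets = defaultdict(list)
    for m in matches:
        ip, port = m["ip_str"], m["port"]
        product = m.get("product") or ""
        os_name = m.get("os") or ""
        banner = m.get("data") or ""
        tag = (ip, port, product)
        rules = [
            ("printers", port in PRINTER_PORTS or "@PJL" in banner),
            ("scada_ics", port in ICS_PORTS or "Niagara" in banner),
            ("no_auth_services", port in NOAUTH_PORTS),
            ("network_infrastructure", port in VOIP_PORTS or "Cisco" in product),
            ("old_os_or_web", "Windows XP" in os_name
             or "IIS/5" in banner or "IIS/6" in banner),
        ]
        hit = False
        for name, matched in rules:
            if matched:
                buckets[name].append(tag)
                hit = True
        if not hit:
            buckets["other"].append(tag)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed matches in the shape the Shodan API returns; 203.0.113.0/24 is
# documentation address space, not a real institution.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 9100, "product": "HP JetDirect", "os": None,
     "data": '@PJL INFO ID\r\n"HP LaserJet 4250"\r\n'},
    {"ip_str": "203.0.113.11", "port": 502, "product": "Modbus", "os": None,
     "data": "Unit ID: 1\n"},
    {"ip_str": "203.0.113.12", "port": 1911, "product": None, "os": None,
     "data": "fox a 1 -1 fox hello\n{\nbrand=Niagara\n"},
    {"ip_str": "203.0.113.13", "port": 23, "product": "Cisco IOS telnetd", "os": None,
     "data": "User Access Verification\r\nPassword: "},
    {"ip_str": "203.0.113.14", "port": 80, "product": "Microsoft IIS httpd",
     "os": "Windows XP", "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.1\r\n"},
    {"ip_str": "203.0.113.15", "port": 443, "product": "Apache httpd", "os": None,
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7\r\n"},
]


if __name__ == "__main__":
    for question, query in build_queries("203.0.113.0/24").items():
        print(f"{question:9} {query}")
    for bucket, hosts in triage(SAMPLE_MATCHES).items():
        print(bucket, hosts)
```

With a real key the matches come from `shodan.Shodan(key).search(query)["matches"]`; the triage step is the same either way, and the "other" bucket is what you read when deciding whether a new rule is needed.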

Develop A Strategy

● Top-level management buy-in, including IP takedown
● Start with a high-level search like your class B CIDR
● Focus on top concerns
  – Misconfigured network infrastructure devices (routers, switches, VoIP)
  – Printers ... you've got the message by now, right?
  – Webservers running old IIS, hosts running XP, etc.
  – No-auth services, SNMP
  – SCADA/ICS
  – General information leakage ← huge risk: footprinting for attack
● Develop a public IP policy and gain control of assignment
  – Be militant about handing out public IP addresses
  – Inventory, on-going daily/weekly scan diffs, etc.
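The "scan diffs" item is the one that catches the printer or PLC that appeared on public IP space since last week. An added example of that diff, not from the talk: it keys two snapshots on (ip, port), reports what is new, gone or changed, and escalates new services on a handful of priority ports. The three-column CSV layout, the priority port list and the two snapshots are this example's own assumptions; swap the reader for whatever your exporter writes (Shodan CSV export, nmap -oG, masscan -oL).

```python
"""Daily/weekly scan diff: compare two exposure snapshots and report what newly
appeared on public IP space, what went away, and what changed.
Example code added for this page; the CSV layout is this example's own."""
import csv
import io
from collections import namedtuple

Service = namedtuple("Service", "ip port product")

# Ports whose appearance should page someone rather than wait for the weekly
# report. Chosen from the talk's top concerns; adjust to your environment.
PRIORITY_PORTS = {9100, 502, 1911, 23, 5900, 3389, 623}


def parse_snapshot(csv_text):
    """Read a snapshot in the three-column CSV used here (ip,port,product).
    Only this function knows the file format; everything else sees Service tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {Service(r["ip"].strip(), int(r["port"]), r["product"].strip())
            for r in reader}


def diff_snapshots(previous, current):
    """Key on (ip, port). Returns (new, gone, changed); `changed` pairs the old
    and new Service for ports that stayed open but now show a different product."""
    prev = {(s.ip, s.port): s for s in previous}
    curr = {(s.ip, s.port): s for s in current}
    new = sorted(curr[k] for k in curr.keys() - prev.keys())
    gone = sorted(prev[k] for k in prev.keys() - curr.keys())
    changed = sorted((prev[k], curr[k]) for k in prev.keys() & curr.keys()
                     if prev[k].product != curr[k].product)
    return new, gone, changed


def priority_alerts(new):
    """Subset of newly exposed services that should be escalated immediately."""
    return [s for s in new if s.port in PRIORITY_PORTS]


def report(previous_csv, current_csv):
    """Human-readable diff lines, alerts last so they are easy to grep."""
    new, gone, changed = diff_snapshots(parse_snapshot(previous_csv),
                                        parse_snapshot(current_csv))
    lines = [f"NEW     {s.ip}:{s.port} {s.product}" for s in new]
    lines += [f"GONE    {s.ip}:{s.port} {s.product}" for s in gone]
    lines += [f"CHANGED {a.ip}:{a.port} {a.product!r} -> {b.product!r}"
              for a, b in changed]
    lines += [f"ALERT   {s.ip}:{s.port} {s.product} on priority port"
              for s in priority_alerts(new)]
    return lines


# Constructed snapshots; 203.0.113.0/24 is documentation space, not a real .EDU.
LAST_WEEK = """ip,port,product
203.0.113.20,80,Apache httpd
203.0.113.20,22,OpenSSH
203.0.113.30,443,nginx
203.0.113.35,23,Cisco IOS telnetd
"""
THIS_WEEK = """ip,port,product
203.0.113.20,80,Apache httpd
203.0.113.20,22,OpenSSH
203.0.113.30,443,Apache httpd
203.0.113.40,9100,HP JetDirect
203.0.113.41,502,Modbus
"""

if __name__ == "__main__":
    for line in report(LAST_WEEK, THIS_WEEK):
        print(line)
```

Run weekly against the previous export and the "NEW" lines are your work queue; the "GONE" lines are worth a glance too, since a service that vanished from your range may have moved to an IP you do not control.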

Shodan Consulting

● Contact me via shawnmer@gmail.com
● Estimates based on exposure, depth and time
● Outputs
  – Executive presentation outbrief: overview of methodology and findings, priority remediation recommendations
  – Technical report: customized search terms for an ongoing awareness strategy, host break-down and raw data sets
  – Optional penetration testing and/or referral to security specialists
● Doubts about my skillz? Email jmath@sutri.org and ask “Who is the top Shodan researcher out there today?”

Thank You For Your Time Today

Contact Info

Shawn Merdinger, Healthcare Security Researcher shawnmer@gmail.com
