I want to preface this article by saying, please do not use any of this information to commit ANY sort of crime. This article is meant for hired professionals looking to assist their clients or employers.
Now that I got that out of the way, let’s think like an adversary looking to get some real easy targets.
What is Shodan?
There are a few sites like it, notably Binary Edge, that scan the entire internet on our behalf. When I say scanning, it’s a mix of tools we are familiar with such as Nmap, Webscreenshot, etc. However, services like Shodan do this 24/7 and make the results searchable through filters and facets. This is powerful from an attacker’s perspective because the only footprint produced is the access to Shodan’s web servers.
This is called passive reconnaissance, is labeled as T1596 on MITRE ATT&CK, and will leave no trace on your network.
Hunting for your Target
This really depends on what you are looking to get. Money? “Payback”? Corporate Espionage? Actual Espionage? Lulz? The list goes on and on. But the first thing an attacker needs to decide is what the end game looks like. As defenders, I would HIGHLY encourage you to look into creating a threat model: who are your most prevalent threats, and what systems/person(s) are they going to target?
As adversaries, there is PLENTY to go around for all of the above. I will show you some tricks.
Shodan Filters
This is how you are going to get around to narrowing down your search results on Shodan. A comprehensive list can be found here. These are your gateway to scoping down to a particular organization, port, service, etc.
Filters vs Facets
This confused me when I first started using Shodan, so let me break it down Barney style.
Searching via Port Number
This is one of the simplest searches you can do on Shodan, and I will make sure you get some results that can result in Incident Response teams getting paged.
port:3389 (RDP)
port:23 (Telnet)
port:445 (SMB/Samba)
port:5900,5800 (VNC)
port:88 (Kerberos)
port:3306 (MySQL)
port:1433,4022,135,1434 (MS SQL)
port:9200,9300 (Elasticsearch)
These will get you started on finding some really concerning results. As we go on, I will lean away from using ports, as services can be run on any port.
Searching for Organizations
There are a few ways this can be accomplished, and I will show you the ways I am aware of. Some of these techniques are easy to remember, some require you to visit back here to copy paste the filter :).
Autonomous System Numbers
This is a fairly easy way to search for an organization. If it has an ASN, it can be searched by that AS Number. If you are looking to find an Autonomous System Number, I recommend using Hurricane Electric’s BGP Tool. The search below is (without quotes) “asn:AS100”
“Org” Filter
Now I cannot say for certain if this is how Shodan aggregates data, but I believe it’s a combo of ALL ASNs that an organization can own. The search below: org:"Amazon"
Filtering by SSL Certificate
This is the way. This method will cover a wide range of systems (On-Prem, cloud, etc). Shodan supports the use of wildcards, so you can cast a wide net on corporate subdomains. The filter is ssl.cert.subject.cn:
Below are some examples
As you see in the third example, I made use of filtering OUT results. This is as easy as putting a “-” in front of the filter.
Searching via Favicon Icon
This is the best way to get around WAFs (Web Application Firewalls). Typically, larger sites will host their site behind services like Cloudflare and Fastly. Not only does this speed up their websites, but any attacker looking to DDoS via Domain name will more than likely fail. However, there is one weakness with using services like Cloudflare and Fastly: they do not protect websites from direct attacks.
You see, when you attack via Domain Name, you will have to use DNS (which resolves a Domain name to an IP). When this happens, you will resolve to one of Cloudflare’s IPs, and any attack will get thwarted. However, Cloudflare/Fastly are no more than a Proxy, meaning that if an attacker finds the Origin IP, they can just slam that directly versus using DNS. So let’s find Origin IPs!
In the above image, I randomly picked a website with a Favicon that was hosted on Cloudflare (my search was “isp:cloudflare port:443 -http.title:"400 The plain HTTP request was sent to HTTPS port"”) and clicked on one of the Favicon icons, which led me to this search (isp:Cloudflare port:443 -http.title:"400 The plain HTTP request was sent to HTTPS port" http.favicon.hash:1884828533). All I did was remove the isp filter, and bam, Origin server detected.
If you are interested in calculating a Favicon hash, I will write up another blog and link it back here. It’s somewhat cumbersome.
Once you have the Origin server, you can run Shodan On-Demand scans, etc.
Finding Exposed SMB and Connecting to them
I just want to reiterate, please only do this if you have permission… This is where shit gets scary.
So SMB, everyone’s favorite protocol to be exposed on the internet, right next to Elasticsearch Indices containing Social Security numbers. SMB for those that do not know, is a protocol meant to communicate data within an intranet (not internet). Do you have a Share-drive/Mounted drive? That uses SMB or NFS.
Typically, SMB runs on port 445, so let’s do a basic port search on Shodan.
Nice, 1.2M results. Let’s take a look at some of these results.
Hmmmm, some of the responses we get contain “SMB Version: 1” and “Authentication: enabled”. Let’s see what happens if we search something like “port:445 "Authentication: disabled"”.
Fun, you can see our quoted search is also highlighted in the search results… So fun trick on scoping down a target! So all of these results are SMB with AUTHENTICATION DISABLED. WE CAN LITERALLY CONNECT TO THESE SHARE DRIVES NOW, EXFIL DATA, DEPLOY RANSOMWARE, ADD PERSISTENCE, ETC.
As before, we can tweak our search to find more menacing targets… AGAIN, please do NOT do this on systems you do not have permission to access.
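For defenders, the port list and the SMB banner strings above can be turned into a triage pass over an export of your own organization's Shodan results. This is an added example, not code from the original article; it assumes one JSON record per line with ip_str, port and data fields, and the sample records are constructed using documentation IP addresses.

```python
import json

# Ports from the article's port-search list, with the service named beside each.
RISKY_PORTS = {3389: "RDP", 23: "Telnet", 445: "SMB/Samba", 5900: "VNC",
               5800: "VNC", 88: "Kerberos", 3306: "MySQL", 1433: "MS SQL",
               4022: "MS SQL", 135: "MS SQL", 1434: "MS SQL",
               9200: "Elasticsearch", 9300: "Elasticsearch"}

# Constructed sample export: one JSON record per line, documentation IPs only.
SAMPLE_EXPORT = r"""
{"ip_str": "192.0.2.10", "port": 445, "data": "SMB Status:\n  Authentication: disabled\n  SMB Version: 1"}
{"ip_str": "192.0.2.11", "port": 445, "data": "SMB Status:\n  Authentication: enabled\n  SMB Version: 2"}
{"ip_str": "192.0.2.12", "port": 8445, "data": "SMB Status:\n  Authentication: enabled\n  SMB Version: 1"}
{"ip_str": "192.0.2.13", "port": 3389, "data": "Remote Desktop Protocol"}
{"ip_str": "192.0.2.14", "port": 443, "data": "HTTP/1.1 200 OK"}
"""

def triage(record):
    """Return (severity, reasons) for one banner record."""
    port, banner = record["port"], record.get("data", "")
    severity, reasons = "ok", []
    if port in RISKY_PORTS:
        severity = "high"
        reasons.append(f"{RISKY_PORTS[port]} port {port} reachable from the internet")
    # Match on banner text too, since services can run on any port.
    if "SMB" in banner:
        if port not in RISKY_PORTS:
            severity = "high"
            reasons.append(f"SMB banner on non-standard port {port}")
        if "SMB Version: 1" in banner:
            reasons.append("SMBv1 offered")
        if "Authentication: disabled" in banner:
            severity = "critical"
            reasons.append("share readable without authentication")
    return severity, reasons

def audit(export_text):
    """Triage every record; return findings sorted worst-first, then by IP."""
    rank = {"critical": 0, "high": 1}
    findings = []
    for line in filter(str.strip, export_text.splitlines()):
        record = json.loads(line)
        severity, reasons = triage(record)
        if severity != "ok":
            findings.append((severity, record["ip_str"], record["port"], reasons))
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))

if __name__ == "__main__":
    for severity, ip, port, reasons in audit(SAMPLE_EXPORT):
        print(f"[{severity.upper()}] {ip}:{port} - " + "; ".join(reasons))
```

Anything the audit marks critical or high is a host to pull off the internet or put behind a VPN before someone else's search finds it.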
PWN’ing Databases
SMB is a very lucrative path into a network, and using Linux tools such as grep, find, scp, etc, you can find yourself in some really gnarly parts of a network. Start doing internal recon using Python Responder and Bloodhound… But the juicy bits are in exposed Databases.
Let’s do some basic recon on some commonly used Databases and find ways of accessing them.
We can either go one by one (which is what I like to do, to find what an exposed DB looks like vs one that isn’t exposed)… Let’s use ElasticSearch as an example. A simple “product:elastic” will work.
Immediately you can see what an exposed ElasticSearch DB looks like and which one is not “exposed”. I will add the word “Indices” to my search.
Wasn’t hard to find some results, even one with over 2TB of data. The easiest (but probably not the smartest way) to view this is using a browser add-on called “ElasticVue”.
Webcams and Desktops
This is typically the number 1 question I get when someone is coming to me for Shodan advice. “How can I view webcams?” Please stop, it’s weird… But since it is important for Corporate Espionage, I will show you.
Shodan has a filter named “has_screenshot:”, and it is boolean based “has_screenshot:true”. The only results you will get are of screenshots of miscellaneous systems, to include RDP, VNC and yes, security/webcams.
The best way to view all of these in an easy to view fashion is by using images.shodan.io and using the above search term. Which actually, is redundant… since images.shodan.io is only screenshots…. whatever.
To boil down to exactly what you want, you will use the “screenshot.label:” filter. Which can take one of the following arguments: desktop, webcam, ics, loggedin, terminal, blank, pos, screensaver, windows. You can pick your poison. I will show a few examples.
Bonus Content
Who doesn’t like some bonus content? These are nothing but for lulz and I won’t share the search queries for them.
Final Comments
Cybersecurity is a job field as well as something a lot of us fail at. Check out me.shodan.io for any exposures on your own IP, check your ASNs and of course… Reach out to Blackburn Security if you are needing a Penetration Test, Vulnerability Management or a report on your organization’s internet footprint. I can be reached at cody@blackburnsecurity.com, you can add me on Linkedin https://linkedin.com/in/codybernardy or follow me on Twitter @TwutterSupport.
Cheers y’all,
Cody.