DANGEROUS SEARCH ENGINES FOR IOT; Shodan, Censys and Thingful

-

 

 Get to know Shodan, the scariest Search Engine on the Internet

What is Shodan?

Shodan was created by computer scientist John Matherly as a hobby. Matherly wanted to track any type of device connected to the internet. This is how Shodan became real in 2009.

Shodan indexation works by searching open ports of any service or device. This means that Shodan, unlike any normal search engine, does not focus on searching web pages but on collecting the banners of the services (server response to a request). These services include HTTP, HTTPS, FTP, SSH, Telnet, SNMP and SIP protocols. Then, the user can search for devices by regions or geographic areas applying Shodan filters.

 

How Does Shodan Work?

Shodan works by requesting connections to every imaginable internet protocol (IP) address on the internet and indexing the information that it gets back from those connection requests.

Shodan crawls the web for devices using a global network of computers and servers that are running 24/7.

An IP address is your device’s digital signature — it’s what allows Google to tailor searches to your location, and it’s what allows all internet-connected devices to communicate with each other (VPNs like ExpressVPN hide your IP address so that you can’t be tracked by your ISP or other browser-tracking tools online).

Internet-connected devices have specific “ports” that are designed to transmit certain kinds of data. Once you’ve established a device’s IP address, you can establish connections to each of its ports. There are ports for email, ports for browser activity, ports for printers and routers — 65,535 ports in all.

When a port is set to “open”, it’s available for access — this is what allows your printer to establish a connection with your computer, for example. The computer “knocks” at the open port, and the printer sends a packet of information called a “banner” that contains the information your computer needs to interact with the printer.

Shodan works by “knocking” at every imaginable port of every possible IP address, all day, every day. Some of these ports return nothing, but many of them respond with banners that contain important metadata about the devices Shodan is requesting a connection with.

Banners can provide all sorts of identifying information, but here are some of the more common fields you will see in a banner:

  • Device name: What your device calls itself online. For example, Samsung Galaxy S21.
  • IP address: A unique code assigned to each device, which allows the device to be identified by servers.
  • Port #: Which protocol your device uses to connect to the web.
  • Organization: Which business owns your “IP space”. For example, your internet service provider, or the business you work for.
  • Location: Your country, city, county, or a variety of other geographic identifiers.

Some devices even include their default login and password, make and model, and software version, which can all be exploited by hackers.  

 

What Can You Find on Shodan?

Search engine Shodan

Any device connected to the internet can potentially show up in a Shodan search.

 Since Shodan went public in 2009, a pretty large community of hackers and researchers have been cataloging the devices they’ve been able to find and connect with on Shodan — things like:

  • Baby monitors
  • Internet routers.
  • Security cameras.
  • Maritime satellites.
  • Water treatment facilities.
  • Traffic light systems.
  • Prison pay phones.
  • Nuclear power plants.

Before you freak out and go hide in a bunker, remember that Shodan merely indexes publicly available information. Yes, it can show users a nuclear power plant’s server banner, but that doesn’t mean that anyone with an internet connection can cause a nuclear meltdown. In the case of industrial computers and old SCADA systems, many of them are protected by passwords, two-factor authentication, firewalls, and strict security protocols.

However, Shodan does reveal just how much of our information is publicly available. If your webcam is internet-facing, and you haven’t changed its default logins, hackers can access it without your knowledge, gaining an easy window into your home. In fact, webcams are one of the most commonly searched terms on Shodan’s “Explore” page. This is another reason why it’s so important to use an antivirus program like Norton which can flag network vulnerabilities and give you a warning if other apps or users are accessing your webcam or microphone. 

 

Shodan´s danger

As mentioned earlier, Shodan can be good or bad, everything depends on the hands that control it. Unfortunately, Shodan still attractive to cybercriminals and hostile nations interested in activating a large-scale war similar to a cyber Blitzkrieg.

If Shodan is capable of tracking SCADA systems as we mentioned above, the national security of many countries could be compromised since an attack on their infrastructure is possible by using Shodan.

Currently, any user can get 10 results in an average search with Shodan. Registered users in the Shodan platform can obtain up to 50 results per search. To become a registered user you must pay a fee and explain the reasons why you want to use Shodan.

 

 

censys search engine

 

What is Censys?

Censys was created in 2015 at the University of Michigan, by the security researchers who developed ZMap, the most widely used tool for Internet-wide scanning. So, Censys is a platform that helps information security practitioners discover, monitor, and analyze devices that are accessible from the Internet. Censys regularly probe every public IP address and popular domain names, curate and enrich the resulting data, and make it intelligible through an interactive search engine and API. Enterprises use Censys to understand their network attack surfaces. CERTs and security researchers use it to discover new threats and assess their global impact. From the creators of ZMap, the leading Internet-wide scanner, censys mission is to make security be driven by data.

 How to use Censys?

Censys maintains three datasets through daily ZMap scans of the Internet and by synchronizing with public certificate transparency logs:

You can search for records that meet certain criteria (e.g., IPv4 hosts of google.com, or browser trusted certificates for google.com), generate reports on how websites are configured (e.g., what cipher suites are chosen by popular websites?), and track how networks have patched over time.

Censys also post all of thier raw data, provide programmatic access through a REST API, and publish reports on protocol deployment and the supporting PKI.

 

1. Simple Search

If you simply search for a word or phrase, Censys will return any records that contain the phrase. For example, searching for google will return any records that contain the word google. Searching for 23.0.0.0/8 will return all hosts in that network. Here are some simple search example -

2. Advanced Search

Censys data is structured and supports more advanced queries including searching specific fields, specifying ranges of values, and boolean logic. For example, you can search for hosts with the HTTP Server Header "Apache" in India by running the query 80.http.get.headers.server: Apache and location.country_code: IN.

 

Hosts – Censys

 

3. Censys REST API

The Censys REST API provides programmatic access to the same data accessible through the web interface. All API endpoints are hosted at https://censys.io/api/v1/ and require authenticating with HTTP basic auth using the API ID and secret that are shown under My Account. This page also lists the rate limits that apply to your account.
Censys provide the following API endpoints: search, view, report, and data.

 

Sss14khawaja Thingful IOT Search engine

 

 What is Thingful? 

Thingful (www.thingful.net) is a web-based search platform for finding and using open IoT data from around the world. While in and of itself not an attack surface management tool, Thingful can be leveraged to provide information about categories of IoT data, which could further be utilized for other threat intelligence activities. Thingful’s mining capabilities allow for considerable vertical diversity, such as weather, energy, or telecommunications, which could be useful for situational awareness and operational analysis with a high degree of specificity. Thingful’s API allow for the extensible use of its real time IoT data in a host of developed applications, including GIS, supply chain optimization and logistics, manufacturing optimization, etc.

Potential Use Cases for Thingful

Thingful can also be used in automatic discovery of IoT data pathways, and thereby support attack surface reduction activities; however, that capability is not its primary purpose. Thingful’s main use cases are focused on the manipulation of IoT data in ways that unlock value and visibility within an identified dataset. Specifically, the ability to organize, access, respond and unlock IoT data streams into useful ‘data pipes’ for consumption is key to Thingful’s business model. Further, it is quite possible that the IoT use cases defined by Thingful could be adapted to assist in more complex cyber security threat hunting and identification activities, if an organization wished to do so. 

Assess Public Asset Risk Profile

Each finding represents a distinct system, and each system may have many entries for services running on different ports. For each system, service, and port that is exposed, ask the following questions:

• Why does this system and service need to be running? Equipment often enables capabilities by default that are not necessary in normal operations. 

• What is the business need requiring this system, service, and port to be exposed to the Internet? Administrative tools may be inadvertently configured to connect on an Internet-accessible interface. 

• Can this system, service, or port reside behind a VPN? VPNs add strong authentication mechanisms and remove a direct link to potential adversaries. 

• Can the service offer strong, multi-factor authentication? Contact your vendor to explore options. 

• When was the last time this system or service was fully updated? There may be a valid business justification for why a system was not updated; otherwise, follow your change management process and update your systems on schedule. 

• When was the last time this system or service was hardened? Contact your vendor for best practices and support.

Thingful Search Capabilities

The Thingful search function is more traditional to a search engine. Using the search bar, type in your IP address, device type, or location, and you will retrieve a map pointing to available information relevant to your search.

 

 

Comments

Post a Comment

Popular posts from this blog

How To Hack bWAPP

-
Image
Why bWAPP? 😮 bWAPP, or a  buggy web application , is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over  100 web vulnerabilities ! It covers all major known web bugs, including all risks from the OWASP Top 10 project. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP. Another possibility is to download the  bee-box , a custom Linux VM pre-installed with bWAPP. You can download bWAPP using this link here  bWAPP, a buggy web application! (itsecgames.com) . AIM: Perform SQL Injection Attack on Bwapp using SQLMAP and get OS shell REQUIREMENTS: ·        OS – Windows ·        Tools – Bwapp, Sqlmap, FOLLOW THE STEPS IN THE IMAGES B
Read more