You’ve been SHODAN’d

SHODAN (Sentient Hyper-Optimized Data Access Network) was the fictional artificial-intelligence bad girl of the computer game System Shock who, once she was hacked and her ethical restrictions removed, destroyed or subverted everything around her with the exception of her hacker. IT administrators responsible for servers whose listening services are showing up in the search results of the new SHODAN Computer Search Engine should pray that the ethical restrictions of those ‘shodanning’ (the counterpart of googling?) or searching remain intact. Or, even better, they should start implementing countermeasures (close unnecessary ports, etc.).

The service, developed by John Matherly, is a search engine for servers, routers, load balancers, computers: basically Internet-facing devices that can be port scanned. It has been called “Google for hackers”. By way of example, the site provides this sample search:

Let’s say you want to find servers running the 'Apache' web daemon. A simple attempt would be to use:

apache 

How about finding only apache servers running version 2.2.3? 

apache 2.2.3 

You can also narrow down the results using the following search parameters: 

country:2-letter country code
hostname:full or partial host name
net:IP range using CIDR notation (ex: 18.7.7.0/24 )
port:21, 22, 23 or 80

For example: get all web (port:80) hosts running 'apache' in switzerland (country:CH) that also have '.ch' in any of their domain names: 

apache country:CH port:80 hostname:.ch
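As an added example (not code from the original post or from SHODAN itself), here is a small Python matcher for the query syntax quoted above, run over constructed banner records. An administrator can use the same shape to check which of their own hosts a given search would surface, before someone else does. The `Banner` record layout, the sample records and the `exposed_in_range` helper are assumptions made for illustration; the port filter takes a comma-separated list with no spaces.

```python
"""Added example: a matcher for SHODAN-style query syntax over constructed records.
Not the search engine's own code; the record fields are an assumption."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Banner:
    """One scan result: roughly what a host search engine would index for a host."""
    ip: str
    port: int
    country: str        # 2-letter country code
    hostnames: list     # reverse DNS / known names for the IP
    banner: str         # text the listening service returned


# Constructed sample records (documentation address ranges), not real scan data.
SAMPLE_RECORDS = [
    Banner("203.0.113.10", 80, "CH", ["www.example.ch"], "Server: Apache/2.2.3 (Unix)"),
    Banner("203.0.113.11", 80, "CH", ["mail.example.com"], "Server: Apache/2.2.9 (Debian)"),
    Banner("203.0.113.12", 443, "DE", ["shop.example.de"], "Server: Apache/2.2.3"),
    Banner("198.51.100.5", 23, "US", ["rtr1.example.net"], "Login: "),
    Banner("198.51.100.6", 22, "US", ["bastion.example.net"], "SSH-2.0-OpenSSH_5.1"),
    Banner("198.51.100.7", 23, "US", [], "User Access Verification"),
]

FILTER_NAMES = {"country", "hostname", "net", "port"}


def parse_query(query):
    """Split a query into (free-text terms, filters).

    Tokens of the form name:value with a known filter name become filters; every
    other token is a free-text term matched case-insensitively against the banner.
    """
    terms, filters = [], {}
    for token in query.split():
        name, sep, value = token.partition(":")
        if sep and name in FILTER_NAMES:
            filters.setdefault(name, []).append(value)
        else:
            terms.append(token.lower())
    return terms, filters


def matches(record, terms, filters):
    """True if the record satisfies every free-text term and every filter (AND)."""
    text = record.banner.lower()
    if not all(term in text for term in terms):
        return False
    for value in filters.get("country", []):
        if record.country.upper() != value.upper():
            return False
    for value in filters.get("hostname", []):
        # partial match, as the quoted syntax allows ("full or partial host name")
        if not any(value.lower() in h.lower() for h in record.hostnames):
            return False
    for value in filters.get("net", []):
        network = ipaddress.ip_network(value, strict=False)
        if ipaddress.ip_address(record.ip) not in network:
            return False
    for value in filters.get("port", []):
        allowed = {int(p) for p in value.split(",") if p}
        if record.port not in allowed:
            return False
    return True


def search(query, records=SAMPLE_RECORDS):
    """Return the IPs of records the query would surface, in input order."""
    terms, filters = parse_query(query)
    return [r.ip for r in records if matches(r, terms, filters)]


def exposed_in_range(cidr, ports, records=SAMPLE_RECORDS):
    """Defender's view: hosts in your own range still listening on ports you meant to close."""
    query = "net:%s port:%s" % (cidr, ",".join(str(p) for p in ports))
    return search(query, records)


if __name__ == "__main__":
    print(search("apache country:CH port:80 hostname:.ch"))
    print(search("apache 2.2.3"))
    print(exposed_in_range("198.51.100.0/24", [23]))
```

Running it shows that the page's Swiss Apache query surfaces only the host that satisfies all four conditions, while the `exposed_in_range` call lists the two constructed hosts with telnet still open in the administrator's own block, which is the remediation list the countermeasure paragraph asks for.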

Other Interesting Searches:

There will be a number of interesting enumerations discussed in the next few days, here are a few to try.

Search:

Ethical Considerations

There have been a number of posts citing problems with this service. Richard Bejtlich claims that this service was available from another firm if paid for back in 2004, and thus the big difference with SHODAN is that it is free. His prediction is that the service will be shut down in a few days once law enforcement or government makes contact with John Matherly. It is unclear exactly what grounds either would have for attempting to shut down the service.

In terms of ethical arguments, SHODAN is showing what is already “in plain view” for the networked world. That said, port scans have long been the subject of debate as to their legality and whether they are ethical or not, including arguments about the differences in intent between stealth versus normal port scans, and other such intricacies. Port scans can be a prelude to an attack (the metaphoric equivalent of trying door locks until you find an unlocked one). They have been argued to be a connection to a machine that is not explicitly authorized and therefore illegal, that they use resources on the target machine, that the scan could crash a very poorly configured target, and so forth.

While the argument drags on, the only federal case to provide any precedent is Moulton v. VC3, and the precedent set is that port scanning is not a violation of the Computer Fraud and Abuse Act because it does not meet the requirement for damage to the availability or integrity of the network. So is it illegal? Hardly; it’s just a port scan on a big scale.

When services are listening and Internet facing, they are ostensibly in the view of the Internet. Even if the intent is to commit a crime, this is the equivalent of standing on the street casing a target, nothing illegal has happened yet. The tool does allow the heretofore unavailable capability of casing millions of targets efficiently though.

Could be a Little Scary

Some have already uttered the typical condescension of the overconfident technologist that this will be a script kiddie’s delight. “Script kiddie” is a lousy term, used many times by people who couldn’t run a script if their life depended on it, but we won’t spend time on that discussion here.

Look at you, hacker. A pathetic creature of meat and bone, panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine?
- SHODAN

Even if we can make the case that this is not unethical, it is a little scary if we start to map out the possibilities. While I can run port scans all day, I don’t have a ready-made, consistently updated database of scan results at my fingertips. This tool amplifies the effect of a vulnerability by enabling the second part of the exploit equation: fast enumeration of a large number of vulnerable hosts. Thus the possibilities for automated attack are there. Instead of having to waste time attempting exploitation of non-vulnerable hosts, an attacker need only use the exploit on known vulnerable hosts. Malware propagation finds a new vector, and soon it is going to be easy: “…I’m working on an API for easy programmatic access.” – John Matherly.

SHODAN results for "telnet" search.

Positive Effects

Interestingly, if you attempt scans of vulnerable services, you will invariably find that while some are still open, others have been closed. We imagine what’s happening is that because the vulnerability has now been amplified (for example telnet listening on port 23), many administrators are getting a spike in connection requests and thus remediating the vulnerability. So one side effect already is improved security.

Googledorks?

The service has been compared to the GHDB (the Google Hacking Database for ‘googledorks’), which is a database of sensitive information revealed through Google search and hosted by Johnny Long, a security researcher best known for popularizing Google hacking. This is an important project, and it does a great deal to enumerate the dangers of allowing certain information to be indexable by search engines. It is not, however, the same type of information: SHODAN is actually providing data about the host rather than data explicitly served by the host. While an interesting comparison, the service is logically more akin to the results of doing an nmap scan of a host, but with the results of x number of scans available to search easily. The search results show data about machines, rather than data indexed off of web content.

Google Code Search

Another invalid comparison is citing Google Code Search. Yes, you can look for code vulnerabilities (insecure function usage, race conditions, etc.) using Google Code Search. But Google can only search code made public, and most of the world’s code is still closed source. Even if you do find a vulnerability, you must then match it to an instance of that vulnerable code being used. In order to connect to the Internet, an organization must have some services listening on Internet-accessible ports. The scale, the information, and the ease of identifying vulnerable targets are different.

Firefox Plugin

Sagar38 has already developed a Firefox plug-in for performing searches: https://addons.mozilla.org/en-US/firefox/addon/51503/.

Next Steps

There is an aspect of the GHDB we would like to see adopted. The GHDB site provides a table mapping vulnerabilities to the corresponding search for vulnerable machines, taking the next logical step in communal intelligence. For example:

Date      Title                    Summary                                                   Search
11/25/09  IIS 4.0 Vulnerabilities  IIS 4.0 has multiple vulnerabilities as detailed on CERT  IIS 4.0

What’s with the title?

It’s like you’ve been port scanned, but the results were released to millions of your closest friends for further testing. To put it another way, if your IP addresses start showing up with vulnerable services, it is best to take countermeasures quickly.

Conclusions

This tool is already a little scary (telnet enumeration, etc. on a wide scale just became a whole lot easier), will get scarier as the API is released and further search results are made available, and will get a whole lot scarier with the first malware implementation of the API or of screen scraping. It is fundamentally unlike Google hacking because it is a search for machine characteristics, not data. Its ethical considerations are the same as those around port scanning, whatever your feelings there are. In general, though, the evolution of tool sets continues moving quickly to the point where “security by hiding” is considerably less effective. Finally, if SHODAN scales and evolves, John Matherly has created a very interesting tool which will have downstream effects for information security.

Filed Under: Enumeration

Comments (2)

  1. [...] have been continuing to play around with the SHODAN Computer Search Engine after first looking at it last week. We continue to identify a variety of devices we sometimes note on security engagements (although [...]

  2. [...] You’ve been SHODAN’d – praetorianprefect.com [...]