<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; enumeration</title>
	<atom:link href="http://praetorianprefect.com/archives/tag/enumeration/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>SHODAN: Cracking IP Surveillance DVR</title>
		<link>http://praetorianprefect.com/archives/2009/12/shodan-cracking-ip-surveillance-dvr/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/shodan-cracking-ip-surveillance-dvr/#comments</comments>
		<pubDate>Thu, 03 Dec 2009 01:03:21 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[enumeration]]></category>
		<category><![CDATA[fingerprinting]]></category>
		<category><![CDATA[google hacking]]></category>
		<category><![CDATA[port scan]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1881</guid>
		<description><![CDATA[We have been continuing to play around with the SHODAN Computer Search Engine <a href="http://praetorianprefect.com/archives/2009/11/youve-been-shodand/">after first looking at it last week</a>. We continue to identify a variety of devices we sometimes note on security engagements (although usually on internal networks) that: should not be externally accessible and are either still using factory default credentials or are not using any credentials to access administrative interfaces. Accessing the administrative panels of these devices would allow a bad actor to further compromise the organization running the device on its network. We can quantify that we are seeing results not just for poorly configured home offices or small businesses, but large and medium businesses who would experience significant negative effects when breached or their devices tampered with. We'll continue to blog about our findings until we get bored with it. Today's search demonstrates how we found a few hundred accessible interfaces for IP Camera DVR surveillance systems.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/shodan_thumb1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/shodan_thumb1.jpg" alt="shodan_thumb" title="shodan_thumb" width="47" height="47" class="alignleft size-full wp-image-1905" /></a></p>

<p>We have been continuing to play around with the SHODAN Computer Search Engine <a href="http://praetorianprefect.com/archives/2009/11/youve-been-shodand/">after first looking at it last week</a>. We continue to identify a variety of devices we sometimes note on security engagements (although usually on internal networks) that should not be externally accessible and are either still using factory default credentials or are not using any credentials for access to administrative interfaces. Accessing the administrative panels of these devices would allow a bad actor to further compromise the organization running the device on its network. We can quantify that we are seeing results not just for poorly configured home offices or small businesses, but large and medium businesses who would experience significant negative effects when breached or their devices tampered with. We&#8217;ll continue to blog about our findings until we get bored with it. Today&#8217;s search demonstrates how we found a few hundred accessible interfaces for IP Camera DVR surveillance systems.</p>

<p>We start by browsing to <a href="http://shodan.surtri.com">SHODAN</a> and performing a search for &#8220;webcam&#8221; and reviewing what shows up. This result catches our eye:</p>

<pre><code>HTTP/1.0 200 OK 
Connection: close 
Server: SQ-WEBCAM 
Content-length: 2936 
Cache-control: no-cache 
</code></pre>

<p>So we refine the search by only looking for &#8220;<a href="http://shodan.surtri.com/?q=Server%3A+SQ-WEBCAM">Server: SQ-WEBCAM</a>&#8221;. That returns 765 results, most with the format above (see screenshot at the bottom of the post).</p>

<p>The IP address of most of the results opens up a login page as follows:</p>

<div id="attachment_1885" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/AVTech-AVC-7872.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/AVTech-AVC-7872-300x270.jpg" alt="AVTech-AVC-7872 authentication page." title="AVTech AVC 7872" width="300" height="270" class="size-medium wp-image-1885" /></a><p class="wp-caption-text">AVTech-AVC-787 authentication page.</p></div>
<br />
The particular IP in the example above is linked to a company that does bus sales and leasing in the Midwest. Some quick Google searching reveals that this login page is associated with the AVTech AVC 787 DVR (recording device for security cameras), pictured here.</p>

<p><div id="attachment_1886" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/AVTech-AVC-7873.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/AVTech-AVC-7873-300x114.jpg" alt="AVTech AVC 787 DVR" title="AVTech AVC 7873" width="300" height="114" class="size-medium wp-image-1886" /></a><p class="wp-caption-text">AVTech AVC 787 DVR</p></div>
<br />
Having the model number allows us to find the device manual online a few seconds later. We first note an architecture diagram for how the security system is set up:</p>

<p><div id="attachment_1890" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/AV_Tech_setup.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/AV_Tech_setup-300x177.jpg" alt="DVR role in larger surveillance system." title="AV_Tech_setup" width="300" height="177" class="size-medium wp-image-1890" /></a><p class="wp-caption-text">The role of the DVR in the overall surveillance system.</p></div>
<br />
Then we find what we were looking for in the manual:</p>

<p><div id="attachment_1891" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/defaultisadmin.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/defaultisadmin-300x61.jpg" alt="No comment." title="defaultisadmin" width="300" height="61" class="size-medium wp-image-1891" /></a><p class="wp-caption-text">No comment.</p></div>
<br /></p>

<h3>The Envelope Please</h3>

<p>The majority of these surveillance systems are set up with the default id and password; we know that from experience. Once you are logged into the system as administrator, you can view a live feed or feeds, adjust the cameras&#8217; position and zoom, play back recorded video, and if you wanted to coordinate a burglary you can go ahead and stop the device from recording.  Here are some screenshots (taken from the product manual):</p>

<p><div id="attachment_1892" class="wp-caption alignnone" style="width: 251px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/live_view.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/live_view-241x300.jpg" alt="What a live view looks like." title="live_view" width="241" height="300" class="size-medium wp-image-1892" /></a><p class="wp-caption-text">What a live view looks like.</p></div>

<div id="attachment_1893" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/recorded_playback.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/recorded_playback-300x211.jpg" alt="A playback of recorded video." title="recorded_playback" width="300" height="211" class="size-medium wp-image-1893" /></a><p class="wp-caption-text">A playback of recorded video.</p></div>

<p><div id="attachment_1894" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/primary_view.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/primary_view-300x214.jpg" alt="Reviewing multiple cameras live." title="primary_view" width="300" height="214" class="size-medium wp-image-1894" /></a><p class="wp-caption-text">Reviewing multiple cameras live.</p></div>
<br /></p>

<h3>SHODAN Search is the same as Google Hacking?</h3>

<p>There is someone out there who will say, &#8220;Yeah, but I could look at webcams with Google Hacking&#8221;. First, this is not a webcam, but let&#8217;s explore the thought anyhow. Let&#8217;s find a string related to the authentication page we want to find and Google it. We&#8217;ll use: &#8220;any time &amp; any where ip surveillance new generation&#8221; &#8220;&#8230;&#8230;video web server&#8221;.  We retrieve 7 results, four different web sites, none the actual login page.</p>

<p>We try this search with SHODAN: &#8220;Server: SQ-WEBCAM&#8221;. 765 results returned, most are relevant. Even if both start by using spiders to find accessible hosts, the difference after finding that host is akin to the results of an NMAP scan on server characteristics being compared to what is essentially a search of server content found by a bot. Both are valuable tools, but they do not perform the same function.</p>

<p><div id="attachment_1882" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/SHODAN_webcam.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/SHODAN_webcam-300x261.jpg" alt="IP Surveillance DVR." title="SHODAN_webcam" width="300" height="261" class="size-medium wp-image-1882" /></a><p class="wp-caption-text">IP Surveillance DVR.</p></div>
<br /></p>

<h3>Finally</h3>

<p>We continue to hear some discussion of legal and ethical aspects to SHODAN. It is interesting, but it has to get past the level 0 discussion into more sophisticated arguments. We will note briefly that no cracking is demonstrated above; the screenshots are from a PDF manual and not anyone&#8217;s actual surveillance system.</p>

<p>We covered the legality question briefly in the <a href="http://praetorianprefect.com/archives/2009/11/youve-been-shodand/">first SHODAN post</a>; the ethics question is murkier because it is a reflection of personal values for most people. We will state that if a device is Internet accessible, it is available to be scanned like a web page or anything else, the online equivalent of looking at something in plain view. If a device has no authentication mechanism, then it falls under that umbrella. Therefore, in our opinion, SHODAN is only efficiently displaying what is already in plain view. It changes the game in doing that because it magnifies the ability to identify poorly configured environments visible by external scan, but the activity at its atomic level (an NMAP style scan) was already an available technique.</p>

<p>If a device has a poorly configured authentication mechanism, or is still using a factory default id and password, this is irresponsible, but accessing the service through the authentication is logically different from performing a perimeter scan.</p>

<p>Companies should and sometimes do advise people to change the factory default authentication on the devices they sell. Sometimes the setup mechanisms force a password change. Better mechanisms exist that avoid using common defaults; however, they add complexity to the sales process. An IT professional who has the experience to know the proper way to set devices up, but sets up these devices without changing the default credentials, is not exercising due care in his or her profession. A company that allows a person who does not have the requisite experience to set up such systems is also not exercising due care. Should they be the victim of cybercrime because of it? Of course not, but they are still acting foolishly, lazily, or both, and because of it are being irresponsible with both their own resources and the data they collect from customers and stakeholders.</p>

<h3>On a related note&#8230;</h3>

<p>In a conversation with the creator of SHODAN, he mentioned that he will be setting up a Googledorks style page where people can contribute the results of searches and vulnerabilities. When that&#8217;s up, we anticipate a number of other search types contributed by the security community coming to light right alongside the vulnerabilities inherent in the devices showing up in the results. This example isn&#8217;t really a vulnerable service in the sense that an exploit would be required, though; it is just an example of hundreds of poorly configured devices with weak security-by-default settings.</p>

<p>We also note today the following update from SHODAN: <i>&#8220;Updated the index, now with 4x more data. Let me know through Twitter which services/ ports you would like to have indexed.&#8221;</i></p>

<p>Contribute some of your searches or ideas in the comments of the blog; we want to see what creative results people are coming up with.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/shodan-cracking-ip-surveillance-dvr/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>You&#8217;ve been SHODAN&#8217;d</title>
		<link>http://praetorianprefect.com/archives/2009/11/youve-been-shodand/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/youve-been-shodand/#comments</comments>
		<pubDate>Thu, 26 Nov 2009 00:14:23 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[enumeration]]></category>
		<category><![CDATA[fingerprinting]]></category>
		<category><![CDATA[google hacking]]></category>
		<category><![CDATA[port scan]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1781</guid>
		<description><![CDATA[IT Administrators responsible for the servers whose listening services are showing up in the search results of the new <a href="http://shodan.surtri.com/">SHODAN Computer Search Engine</a> should pray that the ethical restrictions of those ‘shodanning’ (googling counterpart?) or searching remain intact. Or better start the implementation of countermeasures (close unnecessary ports, etc).]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/shodan_large.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/shodan_large-150x40.png" alt="shodan_large" title="shodan_large" width="150" height="40" class="alignleft size-thumbnail wp-image-1782" /></a>SHODAN (Sentient Hyper-Optimized Data Access Network) was the fictional artificial intelligence bad girl of the computer game System Shock who, once she was hacked and her ethical restrictions removed, destroyed or subverted all around her with the exception of her hacker. IT Administrators responsible for the servers whose listening services are showing up in the search results of the new <a href="http://shodan.surtri.com/">SHODAN Computer Search Engine</a> should pray that the ethical restrictions of those ‘shodanning’ (googling counterpart?) or searching remain intact. Or even better, they should start the implementation of countermeasures (close unnecessary ports, etc).</p>

<p>The service, developed by <a href="http://twitter.com/achillean">John Matherly</a>, is a search engine for servers, routers, load balancers, computers: basically Internet facing devices that can be port scanned. It has been dubbed “Google for hackers”. By way of example, the site provides this sample search:</p>

<pre><code>Let’s say you want to find servers running the 'Apache' web daemon. A simple attempt would be to use:

apache 

How about finding only apache servers running version 2.2.3? 

apache 2.2.3 

You can also narrow down the results using the following search parameters: 

country:2-letter country code
hostname:full or partial host name
net:IP range using CIDR notation (ex: 18.7.7.0/24 )
port:21, 22, 23 or 80

For example: get all web (port:80) hosts running 'apache' in switzerland (country:CH) that also have
 '.ch' in any of their domain names: 

apache country:CH port:80 hostname:.ch
</code></pre>

<h3>Other Interesting Searches:</h3>

<p>There will be a number of interesting enumerations discussed in the next few days; here are a few to try.</p>

<p>Search:</p>

<ul>
<li>“<a href="http://shodan.surtri.com/?q=Oracle+HTTP+Server">Oracle HTTP Server</a>”</li>
<li>“<a href="http://shodan.surtri.com/?q=telnet">telnet</a>”</li>
<li>&#8220;<a href="http://shodan.surtri.com/?q=%22cisco-ios%22+port%3A80">&#8220;cisco-ios&#8221; port:80</a>&#8221;</li>
<li>“<a href="http://shodan.surtri.com/?q=PHP+5.1.1">PHP 5.1.1</a>”</li>
<li>“<a href="http://shodan.surtri.com/?q=port%3A23+%22list+of+built-in+commands%22">port:23 &#8220;list of built-in commands&#8221;</a>” (provides a list of BusyBox installs, a built-in shell, credit HD Moore)</li>
<li>“<a href="http://shodan.surtri.com/?q=IIS+4.0">IIS 4.0</a>” (old, vulnerable web server)</li>
</ul>

<h3>Ethical Considerations</h3>

<p>There have been a number of posts citing problems with this service. <a href="http://taosecurity.blogspot.com/2009/11/shodan-another-step-towards-intrusion.html">Richard Bejtlich claims</a> that this service was available from another firm if paid for back in 2004, and thus the big difference with SHODAN is that it is free. His prediction is that the service will be shut down in a few days once law enforcement or government makes contact with John Matherly. It is unclear exactly what grounds either would have for attempting to shut down the service.</p>

<p>In terms of ethical arguments, SHODAN is showing what is already “in plain view” for the networked world. That said, port scans have long been the subject of debate as to their legality and whether they are ethical or not, including arguments about the differences in intent between stealth versus normal port scans, and other such intricacies.  Port scans can be a prelude to an attack (the metaphoric equivalent of trying door locks until you find an unlocked one). They have been argued to be a connection to a machine that is not explicitly authorized and therefore illegal, that they use resources on the target machine, that the scan could crash a very poorly configured target, and so forth.</p>

<p>While the argument drags on, the only federal case to provide any precedent is Moulton v. VC3, and the precedent set is that port scanning is not a violation of the Computer Fraud and Abuse Act because it does not meet the requirement for damage to the availability or integrity of the network. So is it illegal? Hardly, it’s just a port scan on a big scale.</p>

<p>When services are listening and Internet facing, they are ostensibly in the view of the Internet. Even if the intent is to commit a crime, this is the equivalent of standing on the street casing a target, nothing illegal has happened yet. The tool does allow the heretofore unavailable capability of casing millions of targets efficiently though.</p>

<h3>Could be a Little Scary</h3>

<p>Some have already uttered the typical condescension of the overconfident technologist that this will be a script kiddie’s delight. Script kiddie is a lousy term, used many times by people who couldn’t run a script if their life depended on it, but we won’t spend time on that discussion here.</p>

<blockquote>
  <p>Look at you, hacker. A pathetic creature of meat and bone, panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine? <br />- SHODAN</p>
</blockquote>

<p>Even if we can make the case that this is not unethical, it is a little scary if we start to map out the possibilities. While I can run port scans all day, I don’t have a ready-made, consistently updated database of scan results at my fingertips. This tool amplifies the effect of a vulnerability by allowing the second part of the exploit equation: fast enumeration of a large number of vulnerable hosts. Thus the possibilities for automated attack are there. Instead of having to waste time attempting exploitation of non-vulnerable hosts, an attacker can use the exploit only on known vulnerable hosts. Malware propagation finds a new vector, and soon it is going to be easy: <i>“…I&#8217;m working on an API for easy programmatic access.”</i> – John Matherly.</p>

<div id="attachment_1791" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/shodan_results.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/shodan_results-300x276.jpg" alt="SHODAN results for &quot;telnet&quot; search." title="shodan_results" width="300" height="276" class="size-medium wp-image-1791" /></a><p class="wp-caption-text">SHODAN results for telnet search.</p></div>

<h3>Positive Effects</h3>

<p>Interestingly, if you attempt scans of vulnerable services, you will invariably find that while some are still open, others have been closed. We imagine what’s happening is that because the vulnerability has now been amplified (for example telnet listening on port 23), many administrators are getting a spike in connection requests and thus remediating the vulnerability. So one side effect already is improved security.</p>

<h3>Googledorks?</h3>

<p>The service has been compared to <a href="http://johnny.ihackstuff.com/ghdb/">GHDB</a> (the Google Hacking Database for ‘googledorks’) which is a database of sensitive information revealed through Google search and hosted by Johnny Long, a security researcher best known for popularizing <a href="http://en.wikipedia.org/wiki/Google_hacking">Google hacking</a>. This is an important project, and does a great deal to enumerate the dangers of allowing certain information to be indexable by search engines. It is not, however, the same type of information: SHODAN is actually providing data about the host rather than data explicitly served by the host. While an interesting comparison, the service is logically more akin to the results of doing an nmap scan of a host, but instead having the results of x number of scans available to easily search. The search results show data about machines, rather than data indexed off of web content.</p>

<h3>Google Code Search</h3>

<p>Another invalid comparison is citing <a href="http://www.google.com/codesearch">Google code search</a>. Yes, you can look for code vulnerabilities (insecure function usage, race conditions, etc.) using Google code search. But Google can only search code made public, and most of the world&#8217;s code is still closed source. Even if you do find a vulnerability, you must then match it to an instance of that vulnerable code being used. In order to connect to the Internet, an organization must have some services listening on Internet accessible ports. The scale, the information, and the ease of identifying vulnerable targets are different.</p>

<h3>Firefox Plugin</h3>

<p>Sagar38 has already developed the Firefox plug in for performing searches: <a href="https://addons.mozilla.org/en-US/firefox/addon/51503/">https://addons.mozilla.org/en-US/firefox/addon/51503/</a>.</p>

<h3>Next Steps</h3>

<p>There is an aspect of the GHDB we would like to see adopted. The <a href="http://johnny.ihackstuff.com/ghdb/?function=summary&amp;cat=19">GHDB site</a> provides a table mapping vulnerabilities to the corresponding search for vulnerable machines, taking the next logical step in communal intelligence. For example:</p>

<table>
<thead>
<tr>
  <th>Date</th>
  <th>Title</th>
  <th>Summary</th>
  <th>Search</th>
</tr>
</thead>
<tbody>
<tr>
  <td>11/25/09</td>
  <td>IIS 4.0 Vulnerabilities</td>
  <td>IIS 4.0 has multiple vulnerabilities as detailed on <a href="http://www.cert.org/advisories/CA-2002-09.html">CERT</a></td>
  <td><a href="http://shodan.surtri.com/?q=IIS+4.0">IIS 4.0</a></td>
</tr>
</tbody>
</table>

<h3>What&#8217;s with the title?</h3>

<p>It&#8217;s like you&#8217;ve been port scanned, but the results were released to millions of your closest friends for further testing. To put it another way, if your IP addresses start showing up with vulnerable services, best to take countermeasures quickly.</p>

<h3>Conclusions</h3>

<p>This tool is already a little scary (telnet enumeration, etc. on a wide scale just became a whole lot easier), will get scarier as the API is released and further search results made available, and will get a whole lot scarier with the first malware implementation of the API or screen scraping. It is fundamentally unlike Google hacking because it is a search for machine characteristics, not data.  Its ethical considerations are tantamount to those around port scanning, whatever your feelings there are. In general though, the evolution of tool sets continues moving quickly to the point where “security by hiding” is considerably less effective. Finally, if SHODAN scales and evolves, John Matherly has created a very interesting tool which will have downstream effects for information security.</p>

<h3>References</h3>

<ul>
<li><a href="http://shodan.surtri.com/">SHODAN</a></li>
<li><a href="http://blogfranz.blogspot.com/2009/11/wheres-controversy-about-shodan.html">Where&#8217;s the Controversy about Shodan?</a></li>
<li><a href="http://www.room362.com/blog/2009/11/24/shodan-the-computer-search.html">SHODAN The Computer Search</a></li>
<li><a href="http://taosecurity.blogspot.com/2009/11/shodan-another-step-towards-intrusion.html">Shodan: Another Step Towards Intrusion as a Service</a></li>
<li><a href="http://marcoramilli.blogspot.com/2009/11/shodan-best-computer-search-engine-ever.html">SHODAN, The Best Computer Search Engine, Ever</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/youve-been-shodand/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
