This document discusses using the search engine Shodan to find exposed devices and systems online. It provides example search queries that can be used on Shodan to find devices by port, banner contents, or country. It also discusses how information can be gathered from devices using SNMP and how Nmap can be used with Shodan search results to take screenshots of websites with no authentication. The document suggests some potentially concerning searches related to SCADA systems and critical infrastructure.
4. I AM NOT
RESPONSIBLE FOR ANY ILLEGAL
ACTS OR ACTIONS THAT YOU
PRACTICE OR ANYONE THAT
LEARNS SOMETHING FROM
TODAY’S PRESENTATION.
5. Causing Chaos.
If you guys were an attacker that was out to cause real damage or get profit, how would you go about it?
This is what I would do: control as many machines in that country, penetrate critical systems and get as much info as possible.
And that’s what I am gonna talk about today.
10. Business
And that’s all really neat and pretty, however there are 2 problems with that! These guys don’t give a f***.
Management / Blackhats
11. Management
Cares about:
• Money
• Money
• Money
Does:
• Will lie for PCI DSS
• Approves every single thing even if it doesn’t match security department goals but gets them moneys.
This shit gives us, security peeps, headaches!
12. Blackhats
I managed to acquire video
footage that shows these guys in
action and their vision of the
world, let’s have a sneak peek!
14. Tonight only, I ask one thing of you
Leave your whitehats and CISSPs at
home, and embark on a journey
with me to make the world…
15. SHODAN
SHODAN is a search engine that lets you find specific computers (routers,
servers, etc.) using a variety of filters. Some have also described it as a public
port scan directory or a search engine of banners.
Another way of putting it would be:
22. SHODAN
Accessing that website will give you a search bar, where you can type queries
and obtain results.
Your queries can ask for ports, countries, strings contained in the
banners, and all sorts of other things.
Following is a sample set of queries that can lead to some interesting
results:
37. SHODAN QUERIES OF AWESOMENESS
port:23 country:PT
Username:admin
Password:smcadmin
38. SHODAN QUERIES OF AWESOMENESS
port:23 list of built-in commands
Worldwide
Not a big number, however just telnet in and you get shell…
39. SHODAN QUERIES OF AWESOMENESS
port:161 country:PT
Worldwide
Portugal
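The queries above combine filters (`port:`, `country:`) with free-text terms that are matched against the banner. The following is an added example, not code from the slides or from Shodan: it parses that query syntax and applies it to a small set of constructed banner records, which is also how a defender can run the same queries against an export of their own asset inventory to see what a search engine of banners would surface. The records, IPs and the `search` function are assumptions made for the example.

```python
import shlex

# Constructed banner records in the shape of an inventory export (not real Shodan data).
BANNERS = [
    {"ip": "192.0.2.10", "port": 23, "country": "PT", "data": "Username:admin\r\nPassword:"},
    {"ip": "192.0.2.11", "port": 23, "country": "DE", "data": "list of built-in commands:\r\n"},
    {"ip": "192.0.2.12", "port": 161, "country": "PT", "data": "SNMPv1 community public"},
    {"ip": "198.51.100.5", "port": 3306, "country": "PT", "data": "5.5.20-MySQL"},
]

# Filters handled as key:value; everything else (including quoted phrases) is a banner term.
FILTER_KEYS = ("port", "country")


def parse_query(query):
    """Split 'port:23 country:PT "some text"' into ({'port': '23', 'country': 'PT'}, ['some text'])."""
    filters, terms = {}, []
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if sep and key.lower() in FILTER_KEYS:
            filters[key.lower()] = value
        else:
            terms.append(token)  # e.g. "Username:admin" stays a free-text term
    return filters, terms


def matches(record, filters, terms):
    """True when every filter and every term applies to the banner record."""
    if "port" in filters:
        if not filters["port"].isdigit() or record["port"] != int(filters["port"]):
            return False
    if "country" in filters and record["country"].upper() != filters["country"].upper():
        return False
    banner = record["data"].lower()
    return all(term.lower() in banner for term in terms)


def search(query, records=BANNERS):
    """Return the IPs of records matching the query, in inventory order."""
    filters, terms = parse_query(query)
    return [r["ip"] for r in records if matches(r, filters, terms)]


if __name__ == "__main__":
    for q in ("port:23 country:PT", 'port:23 "list of built-in commands"', "port:161 country:PT"):
        print(f"{q!r:45} -> {search(q)}")
```

Terms are matched case-insensitively as substrings, which is the behaviour that makes a query like `Username:admin` useful: it is not a filter, just text expected in the banner.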
40. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP ?
• Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
• Windows SYSTEM INFO 1.3.6.1.2.1.1.1
• Windows HOSTNAME 1.3.6.1.2.1.1.5
• Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
• Windows UPTIME 1.3.6.1.2.1.1.3
• Windows USERS 1.3.6.1.4.1.77.1.2.25
• Windows SHARES 1.3.6.1.4.1.77.1.2.27
• Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
• Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
• Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
• Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
41. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP ?
• Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Linux SYSTEM INFO 1.3.6.1.2.1.1.1
• Linux HOSTNAME 1.3.6.1.2.1.1.5
• Linux UPTIME 1.3.6.1.2.1.1.3
• Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
• Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
• Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
• Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
42. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP ?
• Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
• Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
• Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
• Cisco HOSTNAME 1.3.6.1.2.1.1.5
• Cisco SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
• Cisco UPTIME 1.3.6.1.2.1.1.3
• Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
• Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
• Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
• Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
• Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
• Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
• Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
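The OID tables above are what an SNMP GetRequest asks for and what the GetResponse carries back in clear text when the community string is known. The following is an added example, not code from the slides or from any Shodan or Nmap tool: a minimal SNMPv1 BER codec that builds the GetRequest for one of the listed OIDs, then decodes a GetResponse and labels each varbind with the names from the tables. There is no network I/O; the reply is constructed locally, so it also serves as a decoder for an SNMP datagram captured on your own network. Function names and the sample values are assumptions made for the example.

```python
# Added example: minimal SNMPv1 BER encoder/decoder (no network I/O).
OID_LABELS = {  # copied from the slide tables; the instance suffix (".0" or a PID) is stripped
    "1.3.6.1.2.1.1.1": "SYSTEM INFO",
    "1.3.6.1.2.1.1.3": "UPTIME",
    "1.3.6.1.2.1.1.5": "HOSTNAME",
    "1.3.6.1.2.1.25.4.2.1.2": "RUNNING PROCESSES",
}

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def enc_int(v):
    """INTEGER with minimal two's-complement length."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def enc_str(s): return _tlv(0x04, s.encode())
def enc_timeticks(v): return _tlv(0x43, v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big"))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128 big-endian."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(pdu_tag, community, request_id, varbinds):
    """SNMPv1 Message ::= SEQUENCE { version(0), community, PDU[pdu_tag] }."""
    vbl = b"".join(_tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, vbl)
    return _tlv(0x30, enc_int(0) + enc_str(community) + _tlv(pdu_tag, pdu))

def get_request(community, request_id, oids):
    return build_message(0xA0, community, request_id, [(o, b"\x05\x00") for o in oids])  # NULL values

def get_response(community, request_id, varbinds):
    return build_message(0xA2, community, request_id, varbinds)

def _read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def dec_value(tag, payload):
    if tag == 0x02: return int.from_bytes(payload, "big", signed=True)
    if tag == 0x04: return payload.decode("latin-1")
    if tag == 0x05: return None
    if tag == 0x43: return int.from_bytes(payload, "big")  # TimeTicks, hundredths of a second
    return payload.hex()  # unknown type: keep the raw bytes

def decode_response(buf):
    """Return (community, request_id, [(label, oid, value), ...]) from a GetResponse."""
    _, msg, _ = _read_tlv(buf, 0)
    _, _, p = _read_tlv(msg, 0)              # version
    _, comm, p = _read_tlv(msg, p)
    ptag, pdu, _ = _read_tlv(msg, p)
    if ptag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu, 0)
    for _ in range(2):                       # error-status, error-index
        _, _, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    out, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oidb, q = _read_tlv(vb, 0)
        vtag, vpay, _ = _read_tlv(vb, q)
        oid = dec_oid(oidb)
        out.append((OID_LABELS.get(oid.rsplit(".", 1)[0], "unlabelled"), oid, dec_value(vtag, vpay)))
    return comm.decode(), int.from_bytes(rid, "big", signed=True), out

if __name__ == "__main__":
    print(get_request("public", 1, ["1.3.6.1.2.1.1.5.0"]).hex())
    reply = get_response("public", 1, [("1.3.6.1.2.1.1.5.0", enc_str("core-rtr-01")),
                                      ("1.3.6.1.2.1.1.3.0", enc_timeticks(123456))])
    print(decode_response(reply))
```

The 40-byte request it prints is the complete UDP payload for `sysName.0` with community `public`; everything in it, community string included, travels unencrypted, which is why a read-only community exposed to the internet leaks the whole table above.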
63. A little tip…
If you want to quickly check for
stuff (web related) that has no
authentication, use NMAP!
64. A little tip…
First, let’s get wkhtmltoimage:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/
Next, let’s get and install the Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
65. A little tip…
Then, do your shodan search and use:
This automatically exports a list of IPs
you can import into Nmap.
74. Shodan – the bad part
• Imports Nmap scans from their
servers, so it’s not always 100%
updated! Confirmed this by
correlating some of the Shodan
results with our personal results!
• For example on mysql servers,
Shodan would find 785, where our
results showed 3000+
75. Shodan – the good part
• Good querying system
• If port scanning is illegal in your
country, you’re out of trouble if
you use Shodan, because you’re just
querying data acquired by them.
SAP applications provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel, plants, and archived documents.