Exploiting Banners For Fun and Profit!

Exploiting Banners
for Fun & Profit!

Michael Schearer
Twitter: @theprez98
Michael Schearer
 Associate, Booz Allen Hamilton
 Founder and Owner, Leverage Consulting & Associates
LLC
 8+ years in the U.S. Navy as an EA-6B Prowler Electronic
Countermeasures Officer
 Veteran of aerial combat missions over Afghanistan and Iraq
 Spent 9 months on the ground in Iraq as a counter-IED
specialist
 Founding member of Church of WiFi and Unallocated
Space, and father of four
SHODAN for Penetration Testers
 What is SHODAN?
 Basic Operations
 Penetration Testing
 Case Study 1: Cisco Devices
 Case Study 2: Default Passwords
 Case Study 3: Huawei IP Phones
 Case Study 4: Infrastructure Exploitation
 Case Study 5: SCADA Devices
 Other Examples
 Conclusions
By pen testing, I mean…
 Black/gray/white box testing
 Ethical hacking
 Security auditing
 Vulnerability assessment
 Standards compliance
 Training
 All of the above
WHAT IS SHODAN?
What is SHODAN? (1)
 SHODAN (http://www.shodanhq.com/) is a
computer search engine designed by web
developer John Matherly
(http://twitter.com/achillean)
 While SHODAN is a search engine, it is
much different than content search
engines like Google, Yahoo or Bing
What is SHODAN? (2)
 Typical search engines crawl for data on
web pages and then index it for searching
 SHODAN interrogates ports and grabs the
resulting banners, then indexes the
banners (rather than the web content) for
searching
What is SHODAN? (3)
 Rather than to locate specific content on a
particular search term, SHODAN is
designed to help the user find specific
nodes (desktops, servers, routers,
switches, etc.) with specific content in their
banners
 Optimizing search results requires some
basic knowledge of banners
BASIC OPERATIONS
Basic Operations: Search
 Search terms are entered into a text box
(seen below)
 Quotation marks can narrow a search
 Boolean operators +, -, | can be used to
include and exclude query terms (+ is
implicit default)
Basic Operations: Login
 Create and login using a SHODAN account; or
 Login using one of several other options
(Google, Twitter, Yahoo, AOL, Facebook,
OpenID
 Login is not required, but country and net
filters are not available unless you login
 Export requires you to be logged in
Basic Operations: Filters
 after/before: limit results by date (day/mo/yr)
 country: filters results by two letter country code
 hostname: filters results by specified text in the
hostname or domain
 net: filter results by a specific IP range or subnet
 os: search for specific operating systems
 port: narrow the search for specific services
 SSL available with SSL add-on
apache country: CH
Find all ‘apache’ servers in Switzerland
apache 2.2.3
Find ‘apache’ servers running version 2.2.3
Top four countries

matching your query
Basic Operations: Hostname Filter
Search results can be filtered using any portion of
a hostname or domain name
Find ‘apache’ servers in the .nist.gov domain
Find ‘iis-5.0’ servers in the .edu domain

Basic Operations: Net / OS Filters
 The net filter allows you to refine your
searches by IP/CIDR notation
 The OS filter allows you to refine searches
by operating system
Basic Operations: Port Filter
 SHODAN can filter your search results by
port
 Current collection is ports 21 (FTP), 22
(SSH), 23 (Telnet), 80 (HTTP), 161
(SNMP) and 5060 (SIP)
 More ports/services coming (send
requests to the developer via Twitter)
Basic Operations: SSL Filters
 SSL filters are available for HTTPS data with SSL add-
on
 cert_version
 cert_bits
 cert_issuer
 cert_subject
 cipher_name
 cipher_bits
 cipher_protocol
Basic Operations: Searches
 Search history is optional, and disabled by
default
 By creating an account and enabling the
search history, users can save and tag
searches for future use
 Disabled search history prevents your
searches from being indexed
Basic Operations: Export
 SHODAN lets you export up to 1,000
results per credit in XML format
 Credits can be purchased online
 Sample data export file is available
Basic Operations: Add-ons
 HTTPS with SSL
 Extended Search (view up to 10,000
search results instead of 50)
 Telnet survey
PENETRATION TESTING
Pen Testing: Ethics (1)
 Is it acceptable under any circumstances to view
the configuration of a device that requires no
authentication to view?
 What about viewing the configuration of a device
using a default username and password?
 What about viewing the configuration of a device
using a unique username and password?
 Changing the configuration of any device?
Pen Testing: Ethics (2)
Default username Changing
and password configurations
Unique username
No authentication and password
Pen Testing Applications
 Using SHODAN for penetration testing
requires some basic knowledge of
banners including HTTP status codes
 Banners advertise service and version
 Banners can be spoofed (unlikely?)
Pen Testing: HTTP Status Codes
Status Code Description
200 OK Request succeeded
301 Moved Assigned a new permanent
Permanently URI
302 Found Resides under a different URI
401 Unauthorized Request requires
authentication
403 Forbidden Request is denied regardless
of authentication
Pen Testing: Assumptions (1)
 “200 OK” banner results will load without
any authentication (at least not initially)
 “301 Moved Permanently” and “302
Found” typically do not contain any data;
filtering them out will help to remove noise
from the data set
Pen Testing: Assumptions (2)
 “401 Unauthorized” banners with Www-
authenticate indicate a username and
password pop-up box (authentication is
possible but not yet accomplished, as
distinguished from “403 Forbidden”)
 Some banners advertise defaults
CASE STUDY: CISCO DEVICES

Case Study: Cisco Devices
Here is a typical “401 Unauthorized” banner
when using the simple search term “cisco”:
Take note of the Www-authenticate line

which indicates the requirement for a
username and password
Now consider an example of a “200 OK”
banner which does not include the Www-
authenticate line:
A comparison of the two banners finds the second banner
to include the Last-modified line which does not appear
when Www-authenticate appears:
In fact, among “cisco” results these two lines are more than
99% mutually exclusive
Case Study: Cisco Results
Search Results
cisco 494,744
cisco-ios 426,479
cisco www-authenticate 373,138
cisco last-modified 8,711

cisco last-modified www-authenticate 35
Case Study: Cisco Results
 This suggests that Cisco “200 OK”
banners that include the Last-modified line
do not require any authentication (at least
not initially)
 The results on the previous slide suggest
there are potentially 8,700 indexed Cisco
devices that do not require authentication
Surely these HTML links will
require some additional
authentication…
Nope. No authentication
required for Level 15! No
authentication required for
configure commands
No authentication required
for Level 15 exec commands
show running-config show cdp neighbors
CASE STUDY: DEFAULT

PASSWORDS
Case Study: Default Passwords
(1)
 The ‘default password’ search locates
servers that have those words in the
banner
 This doesn’t suggest that these results will
be using the defaults, but since they’re
advertising the defaults they would
potentially be the lowest hanging fruit
Case Study: Default Passwords (2)
An example of a ‘default password’ result:
The server line indicates this is likely to be a

print server; also note the “401” and Www-
authenticate which indicates the likelihood of
a username and password pop-up box
Case Study: Default Passwords (3)
This does not suggest that this device is

using the default password, but it does
mean that it is a possibility
While no username is listed, a null
username or “admin” is always a good
guess
And did it work?
CASE STUDY: HUAWEI IP

PHONES
Excluding certain HTTP
status codes will help to filter
noise from results
CASE STUDY: INFRASTRUCTURE

EXPLOITATION
w t o P WN
H o
ISP
VLANs of Interest…
MGT
OTCNET
BLDG_WIRELESS
LAB_NETWORK
PUBLIC_BACKBONE
Hilton_Conv_Ctr_ME
Courtyard_Marriot_Cocoa
PROTECTED-BB/INSIDE
MPLS-Backbone
…
Case Study: w t o P W N
H o
a n I S P
 Two Cisco 3750 infrastructure switches
with direct access to Cisco 7606 Router
 VLAN IDs for internal ISP network, hotels,
condos, apartments, convention center,
public backbone…
 SNMP server IP address and community
strings
SCADA DEVICES
OTHER EXAMPLES
javascript:SnapshotWin()
client.html
javascript:SnapshotWin()
client.html
setup/config.html
system.html
security.html
network.html
wireless.html
ddns.html
accesslist.html
audiovideo.html
cameracontrol.html
mailftp.html
motion.html
application.html
syslog.html
parafile.html
maintain.html
Some general observations…
CONCLUSIONS
Conclusions
 SHODAN aggregates a significant amount
of information that isn’t already widely
available in an easy to understand format
 Allows for passive vulnerability analysis
Bottom line: SHODAN is a potential game-

changer for pen testers that will help shape
the path for future vulnerability assessments
Authors and add-ons
 John Matherly (http://twitter.com/achillean)
 Gianni Amato (SHODAN Helper)
 sagar38 (SHODAN Search Provider)
QUESTIONS
Exploiting Banners
for Fun & Profit!
Michael Schearer
Twitter: @theprez98

Exploiting Banners For Fun and Profit!

Uploaded by

Copyright:

Available Formats

Exploiting Banners For Fun and Profit!

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Exploiting Banners For Fun and Profit!

Uploaded by

Copyright:

Available Formats

Exploiting Banners

for Fun & Profit!

Top four countries

Find ‘apache’ servers in the .nist.gov domain

Find ‘iis-5.0’ servers in the .edu domain

CASE STUDY: CISCO DEVICES

Take note of the Www-authenticate line

cisco last-modified 8,711

CASE STUDY: DEFAULT

An example of a ‘default password’ result:

The server line indicates this is likely to be a

This does not suggest that this device is

CASE STUDY: HUAWEI IP

CASE STUDY: INFRASTRUCTURE

Bottom line: SHODAN is a potential game-

You might also like