Exploiting Banners for Fun and Profit!

8/7/2019 Exploiting Banners for Fun and Profit!

1/105

Exploiting Bannersfor Fun & Profit!

Michael SchearerTwitter: @theprez98


2/105

Michael Schearer Associate, Booz Allen Hamilton

Founder and Owner, Leverage Consulting &Associates LLC

8+ years in the U.S. Navy as an EA-6B ProwlerElectronic Countermeasures Officer Veteran of aerial combat missions over Afghanistan and

Iraq

Spent 9 months on the ground in Iraq as a counter-IED

specialist Founding member of Church of WiFi and Unallocated

Space, and father of four


3/105

SHODAN for Penetration Testers What is SHODAN?

Basic Operations

Penetration Testing Case Study 1: Cisco Devices

Case Study 2: Default Passwords

Case Study 3: Huawei IP Phones

Case Study 4: Infrastructure Exploitation

Case Study 5: SCADA Devices

Other Examples

Conclusions


4/105

By pen testing, I mean Black/gray/white box testing

Ethical hacking

Security auditing

Vulnerability assessment

Standards compliance Training

All of the above


5/105

WHAT IS SHODAN?

SHODAN for Penetration Testers


6/105

What is SHODAN? (1) SHODAN (http://www.shodanhq.com/) is a

computer search engine designed by web

developer John Matherly(http://twitter.com/achillean)

While SHODAN is a search engine, it ismuch different than content searchengines like Google, Yahoo or Bing


7/105

What is SHODAN? (2) Typical search engines crawl for data on

web pages and then index it for searching

SHODAN interrogates ports and grabs theresulting banners, then indexes thebanners (rather than the web content) forsearching


8/105

What is SHODAN? (3) Rather than to locate specific content on a

particular search term, SHODAN is

designed to help the user find specificnodes (desktops, servers, routers,switches, etc.) with specific content in theirbanners

Optimizing search results requires somebasic knowledge of banners


9/105

BASIC OPERATIONS



10/105


11/105

SHODAN

Helper

Firefox Add-

on

SHODAN Search Provider

Firefox Add-on


12/105

Basic Operations: Search Search terms are entered into a text box

(seen below)

Quotation marks can narrow a search

Boolean operators +, -, | can be used to

include and exclude query terms (+ is

implicit default)


13/105

Basic Operations: Login Create and login using a SHODAN account;

or

Login using one of several other options(Google, Twitter, Yahoo, AOL, Facebook,OpenID

Login is notrequired, but countryand net

filters are not available unless you login Export requires you to be logged in


14/105


15/105

Basic Operations: Filters after/before: limit results by date (day/mo/yr)

country:filters results by two letter country code

hostname:filters results by specified text in the

hostname or domain

net:filter results by a specific IP range or subnet

os:search for specific operating systems port:narrow the search for specific services

SSL available with SSL add-on


16/105

country

port

country, hostname,

net, os, port


17/105

Basic Operations: Country Filter Filtering by country can be accomplished by clicking on

the country map (available from the drop down menu)

Mouse over a country for the number of scanned hostsfor a particular country


18/105

apache country: CH

Find all apache servers in Switzerland


19/105

Top four countries

matching your query

apache 2.2.3

Find apache servers running version 2.2.3


20/105

Basic Operations: Hostname FilterSearch results can be filtered using any portion of

a hostname or domain name

Find apache servers in the .nist.gov domain

Find iis-5.0 servers in the .edu domain


21/105

Basic Operations: Net / OS Filters

The net filter allows you to refine your

searches by IP/CIDR notation

The OS filter allows you to refine searches

by operating system


22/105

Basic Operations: Port Filter SHODAN can filter your search results by

port

Current collection is ports 21 (FTP), 22

(SSH), 23 (Telnet), 80 (HTTP), 161

(SNMP) and 5060 (SIP)

More ports/services coming (sendrequests to the developer via Twitter)


23/105

Basic Operations: SSL Filters SSL filters are available for HTTPS data with SSL

add-on

cert_version

cert_bits

cert_issuer

cert_subject

cipher_name

cipher_bits

cipher_protocol


24/105

Basic Operations: Searches Search history is optional, and disabled by

default

By creating an account and enabling the

search history, users can save and tag

searches for future use

Disabled search history prevents yoursearches from being indexed


25/105


26/105

Basic Operations: Add-ons HTTPS with SSL

Extended Search (view up to 10,000

search results instead of 50)

Telnet survey


27/105


28/105

PENETRATION TESTING



29/105

Pen Testing: Ethics (1) Is it acceptable under any circumstances to view

the configuration of a device that requires no

authentication to view? What about viewing the configuration of a device

using a default username and password?

What about viewing the configuration of a device

using a unique username and password?

Changing the configuration of any device?


30/105


31/105

Pen Testing Applications

Using SHODAN for penetration testing

requires some basic knowledge of

banners including HTTP status codes

Banners advertise service and version

Banners can be spoofed (unlikely?)


32/105

Pen Testing: HTTP Status Codes

Status Code Description

200 OK Request succeeded

301 Moved

Permanently

Assigned a new permanent

URI

302 Found Resides under a different URI

401 Unauthorized Request requires

authentication

403 Forbidden Request is denied regardless

of authentication


33/105

Pen Testing: Assumptions (1)

200 OK banner results will load withoutany authentication (at least not initially)

301 Moved Permanently and 302Found typically do not contain any data;filtering them out will help to remove noisefrom the data set


34/105

Pen Testing: Assumptions (2)

401 Unauthorized banners with Www-authenticate indicate a username and

password pop-up box (authentication ispossible but not yet accomplished, asdistinguished from 403 Forbidden)

Some banners advertise defaults


35/105

CASE STUDY: CISCO DEVICES



36/105


37/105

Case Study: Cisco Devices

Now consider an example of a 200 OK

banner which does not include the Www-

authenticate line:


38/105

Case Study: Cisco Devices

A comparison of the two banners finds the second banner

to include the Last-modifiedline which does not appear

when Www-authenticate appears:

In fact, among cisco results these two lines are more than

99% mutually exclusive


39/105

Case Study: Cisco Results

Search Results

cisco 494,744

cisco-ios 426,479

cisco www-authenticate 373,138

cisco last-modified 8,711

cisco last-modified www-authenticate 35


40/105

Case Study: Cisco Results

This suggests that Cisco 200 OK

banners that include the Last-modifiedline

do not require any authentication (at leastnot initially)

The results on the previous slide suggest

there are potentially 8,700 indexed Ciscodevices that do not require authentication


41/105

Surely these HTML links willrequire some additional

authentication


42/105

Nope. No authentication

required for Level 15! No

authentication required forconfigure commands


43/105

No authentication required

for Level 15 execcommands


44/105

show running-config show cdp neighbors


45/105


46/105


47/105


48/105


49/105


50/105


51/105


52/105


53/105


54/105


55/105


56/105


57/105


58/105


59/105


60/105


61/105

CASE STUDY: DEFAULTPASSWORDS



62/105

Case Study: Default Passwords (1)

The default password search locates

servers that have those words in the

banner This doesnt suggest that these results will

be using the defaults, but since theyre

advertising the defaults they wouldpotentially be the lowest hanging fruit


63/105


An example of a default password result:

The server line indicates this is likely to be a

print server; also note the 401 and Www-

authenticate which indicates the likelihood ofa username and password pop-up box


64/105


This does not suggest that this device is

using the default password, but it does

mean that it is a possibilityWhile no username is listed, a null

username or admin is always a good

guessAnd did it work?


65/105


66/105


67/105

CASE STUDY: HUAWEI IPPHONES



68/105

Excluding certain HTTP

status codes will help to filter

noise from results


69/105


70/105


71/105


72/105


73/105


74/105


75/105


76/105

CASE STUDY:

INFRASTRUCTURE

EXPLOITATION



77/105


78/105


79/105

VLANs of Interest

MGT

OTCNET

BLDG_WIRELESS

LAB_NETWORK

PUBLIC_BACKBONE

Hilton_Conv_Ctr_ME

Courtyard_Marriot_Cocoa

PROTECTED-BB/INSIDE

MPLS-Backbone


80/105


81/105


82/105


83/105


84/105


85/105


86/105


87/105


88/105


89/105


90/105


91/105


92/105


93/105


94/105


95/105


96/105

OTHER EXAMPLES



97/105

javascript:SnapshotWin()client.html


98/105

javascript:SnapshotWin()

client.html

setup/config.html


99/105

system.html

security.htmlnetwork.html

wireless.html

ddns.html

accesslist.htmlaudiovideo.html

cameracontrol.html

mailftp.html

motion.htmlapplication.html

syslog.html

parafile.html

maintain.html


100/105

Some general observations


101/105

CONCLUSIONS



102/105


103/105

Authors and add-ons

John Matherly (http://twitter.com/achillean)

Gianni Amato (SHODAN Helper)

sagar38 (SHODAN Search Provider)


104/105

QUESTIONS



105/105

Exploiting Banners

for Fun & Profit!

Michael Schearer

Twitter: @theprez98

Date post:	08-Apr-2018
Category:	Documents
Upload:	michael-schearer
View:	222 times
Download:	0 times

Exploiting Banners for Fun and Profit!

Documents