Date posted: 08-Apr-2018
Uploaded by: michael-schearer
8/7/2019 Exploiting Banners for Fun and Profit!
1/105
Exploiting Banners for Fun & Profit!
Michael Schearer
Twitter: @theprez98
Michael Schearer
Associate, Booz Allen Hamilton
Founder and Owner, Leverage Consulting & Associates LLC
8+ years in the U.S. Navy as an EA-6B Prowler Electronic Countermeasures Officer
Veteran of aerial combat missions over Afghanistan and Iraq
Spent 9 months on the ground in Iraq as a counter-IED specialist
Founding member of Church of WiFi and Unallocated Space, and father of four
SHODAN for Penetration Testers
What is SHODAN?
Basic Operations
Penetration Testing
Case Study 1: Cisco Devices
Case Study 2: Default Passwords
Case Study 3: Huawei IP Phones
Case Study 4: Infrastructure Exploitation
Case Study 5: SCADA Devices
Other Examples
Conclusions
By pen testing, I mean:
Black/gray/white box testing
Ethical hacking
Security auditing
Vulnerability assessment
Standards compliance
Training
All of the above
WHAT IS SHODAN?
SHODAN for Penetration Testers
What is SHODAN? (1)
SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)
While SHODAN is a search engine, it is very different from content search engines like Google, Yahoo or Bing
What is SHODAN? (2)
Typical search engines crawl for data on web pages and then index it for searching
SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching
What is SHODAN? (3)
Rather than locating specific content for a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners
Optimizing search results requires some basic knowledge of banners
BASIC OPERATIONS
SHODAN for Penetration Testers
SHODAN Helper Firefox Add-on
SHODAN Search Provider Firefox Add-on
Basic Operations: Search
Search terms are entered into a text box (seen below)
Quotation marks can narrow a search
Boolean operators +, -, | can be used to include and exclude query terms (+ is the implicit default)
Basic Operations: Login
Create and login using a SHODAN account; or
Login using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID)
Login is not required, but country and net filters are not available unless you login
Export requires you to be logged in
Basic Operations: Filters
after/before: limit results by date (day/mo/yr)
country: filter results by two-letter country code
hostname: filter results by specified text in the hostname or domain
net: filter results by a specific IP range or subnet
os: search for specific operating systems
port: narrow the search to specific services
SSL filters: available with the SSL add-on
Screenshots: filter examples using country alone; port alone; and country, hostname, net, os and port combined
Basic Operations: Country Filter
Filtering by country can be accomplished by clicking on the country map (available from the drop down menu)
Mouse over a country for the number of scanned hosts for a particular country
apache country: CH
Find all apache servers in Switzerland
Top four countries matching your query
apache 2.2.3
Find apache servers running version 2.2.3
Basic Operations: Hostname Filter
Search results can be filtered using any portion of a hostname or domain name
Find apache servers in the .nist.gov domain
Find iis-5.0 servers in the .edu domain
Basic Operations: Net / OS Filters
The net filter allows you to refine your searches by IP/CIDR notation
The OS filter allows you to refine searches by operating system
Basic Operations: Port Filter
SHODAN can filter your search results by port
Current collection is ports 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 161 (SNMP) and 5060 (SIP)
More ports/services coming (send requests to the developer via Twitter)
Basic Operations: SSL Filters
SSL filters are available for HTTPS data with the SSL add-on:
cert_version
cert_bits
cert_issuer
cert_subject
cipher_name
cipher_bits
cipher_protocol
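To show how the search syntax (quoted phrases, the +, - and | operators) and the country, hostname, net, os, port and after/before filters described above combine, here is an added example that is not code from the slides or from SHODAN itself. It evaluates the same query language against a locally held banner inventory, which lets a defender run the searches above over an export of their own address space rather than the public index. The record layout (ip, hostname, country, os, port, seen, banner), the dd/mm/yyyy date format, and the reading of "|" as OR between the terms it separates are assumptions; the inventory is constructed sample data in documentation address space.

```python
"""Evaluate SHODAN-style search syntax against a local banner inventory.
Added example, not SHODAN's code: the record layout, the dd/mm/yyyy date
format and the reading of "|" as OR are assumptions."""
import ipaddress
import re
from datetime import date, datetime

# One token: an optional operator followed by a quoted phrase, or a bare word.
TOKEN_RE = re.compile(r'[+\-|]?"[^"]*"|\S+')
FILTER_KEYS = {"country", "hostname", "net", "os", "port", "after", "before"}


def parse_query(query):
    """Split a query into (required, excluded, alternatives, filters)."""
    required, excluded, alternatives, filters = [], [], [], {}
    pending = "+"                                   # "+" is the implicit default
    for tok in TOKEN_RE.findall(query):
        if tok in ("+", "-", "|"):                  # operator written with a space after it
            pending = tok
            continue
        op, pending = pending, "+"
        if tok[0] in "+-|" and len(tok) > 1:        # operator glued to the term
            op, tok = tok[0], tok[1:]
        term = tok.strip('"').lower()               # quoted phrase is matched as a whole
        key, sep, value = term.partition(":")
        if sep and key in FILTER_KEYS:
            filters[key] = value.strip('"')
        elif op == "-":
            excluded.append(term)
        elif op == "|":                             # "a | b": both become alternatives
            if required:
                alternatives.append(required.pop())
            alternatives.append(term)
        else:
            required.append(term)
    return required, excluded, alternatives, filters


def _passes_filters(record, filters):
    """Apply country/hostname/net/os/port/after/before to one record."""
    for key, value in filters.items():
        if key == "country" and record["country"].lower() != value:
            return False
        if key == "hostname" and value not in record["hostname"].lower():
            return False
        if key == "os" and value not in record["os"].lower():
            return False
        if key == "port" and record["port"] != int(value):
            return False
        if key == "net" and ipaddress.ip_address(record["ip"]) not in \
                ipaddress.ip_network(value, strict=False):
            return False
        if key in ("after", "before"):
            limit = datetime.strptime(value, "%d/%m/%Y").date()   # day/mo/yr, as on the slide
            if key == "after" and record["seen"] <= limit:
                return False
            if key == "before" and record["seen"] >= limit:
                return False
    return True


def matches(record, query):
    """True when the record's metadata passes the filters and its banner satisfies the terms."""
    required, excluded, alternatives, filters = parse_query(query)
    if not _passes_filters(record, filters):
        return False
    text = record["banner"].lower()
    if any(term in text for term in excluded):
        return False
    if alternatives and not any(term in text for term in alternatives):
        return False
    return all(term in text for term in required)


def search(inventory, query):
    """Return the IPs of all inventory records matching the query."""
    return [rec["ip"] for rec in inventory if matches(rec, query)]


# Constructed sample inventory (RFC 5737 documentation addresses, made-up banners).
INVENTORY = [
    {"ip": "192.0.2.10", "hostname": "www.example.ch", "country": "CH", "os": "Linux",
     "port": 80, "seen": date(2010, 5, 1),
     "banner": "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (Debian)\r\nLast-Modified: Sat, 01 May 2010 00:00:00 GMT"},
    {"ip": "192.0.2.20", "hostname": "rtr1.example.net", "country": "US", "os": "Cisco IOS",
     "port": 80, "seen": date(2010, 4, 20),
     "banner": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm=\"router\""},
    {"ip": "192.0.2.30", "hostname": "rtr2.example.net", "country": "US", "os": "Cisco IOS",
     "port": 80, "seen": date(2010, 3, 2),
     "banner": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nLast-Modified: Mon, 01 Mar 2010 00:00:00 GMT"},
    {"ip": "198.51.100.5", "hostname": "mail.example.edu", "country": "US", "os": "FreeBSD",
     "port": 21, "seen": date(2010, 5, 3),
     "banner": "220 mail.example.edu FTP server (Version 6.00LS) ready."},
    {"ip": "198.51.100.9", "hostname": "web.example.edu", "country": "US", "os": "Windows",
     "port": 80, "seen": date(2010, 1, 15),
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx/0.7.65"},
]

if __name__ == "__main__":
    for q in ("apache country:CH", 'cisco -"www-authenticate"', "apache | nginx hostname:example"):
        print(f"{q!r:45} -> {search(INVENTORY, q)}")
```

Running the same queries against an export of your own banners is a cheap way to find the hosts that a public index would surface to anyone else, and the exclusion operator is what turns the slide's noise-reduction advice (dropping www-authenticate, 301/302 results and so on) into a repeatable filter.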
Basic Operations: Searches
Search history is optional, and disabled by default
By creating an account and enabling the search history, users can save and tag searches for future use
Disabled search history prevents your searches from being indexed
Basic Operations: Add-ons
HTTPS with SSL
Extended Search (view up to 10,000 search results instead of 50)
Telnet survey
PENETRATION TESTING
SHODAN for Penetration Testers
Pen Testing: Ethics (1)
Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view?
What about viewing the configuration of a device using a default username and password?
What about viewing the configuration of a device using a unique username and password?
Changing the configuration of any device?
Pen Testing Applications
Using SHODAN for penetration testing requires some basic knowledge of banners, including HTTP status codes
Banners advertise service and version
Banners can be spoofed (unlikely?)
Pen Testing: HTTP Status Codes
Status code           Description
200 OK                Request succeeded
301 Moved Permanently Assigned a new permanent URI
302 Found             Resides under a different URI
401 Unauthorized      Request requires authentication
403 Forbidden         Request is denied regardless of authentication
Pen Testing: Assumptions (1)
200 OK banner results will load without any authentication (at least not initially)
301 Moved Permanently and 302 Found typically do not contain any data; filtering them out will help to remove noise from the data set
Pen Testing: Assumptions (2)
401 Unauthorized banners with Www-authenticate indicate a username and password pop-up box (authentication is possible but not yet accomplished, as distinguished from 403 Forbidden)
Some banners advertise defaults
CASE STUDY: CISCO DEVICES
SHODAN for Penetration Testers
Case Study: Cisco Devices
Now consider an example of a 200 OK banner which does not include the Www-authenticate line:
Case Study: Cisco Devices
A comparison of the two banners finds the second banner to include the Last-modified line, which does not appear when Www-authenticate appears:
In fact, among cisco results these two lines are more than 99% mutually exclusive
Case Study: Cisco Results
Search                                  Results
cisco                                   494,744
cisco-ios                               426,479
cisco www-authenticate                  373,138
cisco last-modified                       8,711
cisco last-modified www-authenticate         35
Case Study: Cisco Results
This suggests that Cisco 200 OK banners that include the Last-modified line do not require any authentication (at least not initially)
The results on the previous slide suggest there are potentially 8,700 indexed Cisco devices that do not require authentication
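The status-code assumptions and the Last-modified / Www-authenticate observation above can be written down as a triage routine over a banner export: drop the 301/302 noise, separate a 401 that offers a login prompt from a 403, and flag 200 OK banners with no Www-authenticate line as the devices to verify and remediate first. The following is an added example, not code from the talk; the banners are constructed samples in documentation address space, and the category names, the Last-modified hint, and the "default password" string check are my own choices. It also recomputes the slide's co-occurrence count for the two headers over the sample set.

```python
"""Triage raw HTTP banners by status code and authentication headers.
Added example with constructed banners; not the speaker's code."""
from collections import Counter


def parse_banner(raw):
    """Return (status_code, headers) from a raw HTTP response header block.
    Header names are lower-cased so Www-Authenticate and WWW-Authenticate compare equal.
    Non-HTTP banners (e.g. an FTP greeting) yield (None, {})."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines or not lines[0].startswith("HTTP/"):
        return None, {}
    parts = lines[0].split(maxsplit=2)        # "HTTP/1.1 401 Unauthorized"
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        return None, {}
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw):
    """Map one banner to a triage category following the slide's assumptions."""
    status, headers = parse_banner(raw)
    if status is None:
        return "not-http"
    if status in (301, 302):                  # redirects carry no data: noise
        return "noise"
    if status == 401:                         # login prompt only if the challenge is present
        return "login-prompt" if "www-authenticate" in headers else "unauthorized"
    if status == 403:                         # denied regardless of credentials
        return "forbidden"
    if status == 200:                         # no challenge on a 200: content loads as-is
        return "login-prompt" if "www-authenticate" in headers else "open"
    return "other"


def triage(banners):
    """Count categories and list the open hosts with the hints the slide uses."""
    counts = Counter()
    open_hosts = []
    for ip, raw in banners.items():
        cat = classify(raw)
        counts[cat] += 1
        if cat == "open":
            _, headers = parse_banner(raw)
            open_hosts.append({
                "ip": ip,
                "server": headers.get("server", ""),
                "last_modified": "last-modified" in headers,          # the Cisco tell from the slide
                "advertises_defaults": "default password" in raw.lower(),
            })
    return counts, open_hosts


def header_exclusivity(banners):
    """How often Last-Modified and WWW-Authenticate occur alone, together, or not at all."""
    c = Counter()
    for raw in banners.values():
        _, h = parse_banner(raw)
        c[("last-modified" in h, "www-authenticate" in h)] += 1
    return {"last_modified_only": c[(True, False)], "www_auth_only": c[(False, True)],
            "both": c[(True, True)], "neither": c[(False, False)]}


# Constructed sample export (RFC 5737 addresses, made-up banners).
BANNERS = {
    "192.0.2.1": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm=\"router\"\r\n",
    "192.0.2.2": "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nLast-Modified: Mon, 01 Mar 2010 00:00:00 GMT\r\nContent-Type: text/html\r\n",
    "192.0.2.3": "HTTP/1.1 302 Found\r\nLocation: https://192.0.2.3/\r\n",
    "192.0.2.4": "HTTP/1.0 403 Forbidden\r\nServer: Apache\r\n",
    "192.0.2.5": "HTTP/1.0 401 Unauthorized\r\nServer: Print Server\r\nWWW-Authenticate: Basic realm=\"Printer (default password: CHANGEME)\"\r\n",
    "192.0.2.6": "HTTP/1.1 200 OK\r\nServer: Boa/0.94\r\nContent-Type: text/html\r\n",
    "192.0.2.7": "220 ftp.example.net FTP server ready\r\n",
}

if __name__ == "__main__":
    counts, open_hosts = triage(BANNERS)
    print(dict(counts))
    for host in open_hosts:
        print(host)
    print(header_exclusivity(BANNERS))
```

The "open" category is a hint, not proof: the slide itself says "at least not initially", and a 200 OK landing page can still front a login form. Treat the list as the verification queue for your own exposed devices, and treat the "login-prompt" entries whose realm or server line advertises defaults as the next priority.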
Surely these HTML links will require some additional authentication
Nope. No authentication required for Level 15! No authentication required for configure commands
No authentication required for Level 15 exec commands
show running-config
show cdp neighbors
CASE STUDY: DEFAULT PASSWORDS
SHODAN for Penetration Testers
Case Study: Default Passwords (1)
The default password search locates servers that have those words in the banner
This doesn't suggest that these results will be using the defaults, but since they're advertising the defaults they would potentially be the lowest hanging fruit
Case Study: Default Passwords (2)
An example of a default password result:
The server line indicates this is likely to be a print server; also note the 401 and Www-authenticate, which indicates the likelihood of a username and password pop-up box
Case Study: Default Passwords (3)
This does not suggest that this device is using the default password, but it does mean that it is a possibility
While no username is listed, a null username or admin is always a good guess
And did it work?
CASE STUDY: HUAWEI IP PHONES
SHODAN for Penetration Testers
Excluding certain HTTP status codes will help to filter noise from results
CASE STUDY: INFRASTRUCTURE EXPLOITATION
SHODAN for Penetration Testers
VLANs of Interest
MGT
OTCNET
BLDG_WIRELESS
LAB_NETWORK
PUBLIC_BACKBONE
Hilton_Conv_Ctr_ME
Courtyard_Marriot_Cocoa
PROTECTED-BB/INSIDE
MPLS-Backbone
OTHER EXAMPLES
SHODAN for Penetration Testers
javascript:SnapshotWin()
client.html
setup/config.html
system.html
security.html
network.html
wireless.html
ddns.html
accesslist.html
audiovideo.html
cameracontrol.html
mailftp.html
motion.html
application.html
syslog.html
parafile.html
maintain.html
Some general observations
CONCLUSIONS
SHODAN for Penetration Testers
Authors and add-ons
John Matherly (http://twitter.com/achillean)
Gianni Amato (SHODAN Helper)
sagar38 (SHODAN Search Provider)
QUESTIONS
SHODAN for Penetration Testers
Exploiting Banners
for Fun & Profit!
Michael Schearer
Twitter: @theprez98