A Brief Analysis of Shodan
What Is Shodan
Shodan (http://shodan.surtri.com) is an engine that searches a database of banners and headers recovered from scans conducted over ports 21/TCP, 22/TCP, 23/TCP, and 80/TCP. In many ways, using the Shodan engine is much like using a more reconnaissance-specific Google Hacking engine. On the one hand, the Shodan engine does not produce the kind of sensitive data that a search engine such as Google might produce (password files, spreadsheets, etc.). On the other hand, conducting reconnaissance on Shodan can be far more efficient than similar attempts to find system information through other search engines.
The reason for this is primarily that Shodan specifically produces IP addresses/hostnames, header information, and banner grabs. Thus, Shodan is a highly functional tool for finding victims for targeted attacks with fewer false positives. Furthermore, Shodan produces information that typically is not published on a site that would be indexed by a search engine like Google.
What Does This Mean?
These capabilities have several significant implications. Most notably, a great deal of system-level reconnaissance shifts to being more passive in nature. In other words, attackers can view the results of reconnaissance, such as a banner grab, without actually touching a system to get that information (Shodan already hit the system). This allows attackers to passively:
1. Conduct vulnerability assessments without alerting a potential target in any way.
2. Determine victims for a specific exploit.
What Is The Impact On Defense?
For security monitoring teams, Shodan may present some serious challenges. It is highly unlikely that security monitoring teams will ever be alerted to an attacker using Shodan, again because it will not touch their systems. Instead, security monitors can expect attacks that use Shodan for reconnaissance to trigger fewer alarms. This means that there may be no alerts before an attempted exploit against a vulnerable system, whereas common alerts may previously have included network or vulnerability scans or banner grabbing attempts.
In addition, attacks that try to find vulnerable systems by attempting to exploit a multitude of non-vulnerable targets will also be less prevalent when Shodan is used for reconnaissance. To clarify, these attacks can be viewed much like a person who has found a key to an apartment. This person may try every single apartment within the complex in order to find the doors where the key works. The result of this type of attack is typically a large number of alerts in an IPS. However, if Shodan is used for reconnaissance, the attacks will become more targeted and therefore will trigger fewer alerts.
Potential Prevention Techniques
Unfortunately, there is no simple way to prevent an organization from showing up in the Shodan database. Although the Shodan scan engine is likely custom written (based on the developer's biographical information), the scans will likely trigger events similar to any other reconnaissance scan. It may be possible to isolate future Shodan scans, as they are likely to come out of the San Diego area, possibly from an ISP such as Cox Communications (again based on the developer's biographical information). Unfortunately, this would likely require trending and analysis beyond what I currently have access to.
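Since an organization cannot keep its hosts out of the database, the practical defensive question is what the banners on those four ports actually disclose. The following is an added example, not code from the post: it parses constructed sample banners of the kind a scanner records from 21, 22, 23 and 80/TCP and reports which ones leak a product and version that a search could key on. The banners and the parsing heuristics are assumptions for illustration, not Shodan's own logic.

```python
import re

# Constructed sample banners (not captured from real hosts), in the shape a
# scanner would record from the four ports the post says Shodan indexes.
SAMPLE_BANNERS = {
    21: "220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.0.2.10]\r\n",
    22: "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    23: "\r\nUser Access Verification\r\n\r\nPassword: ",
    80: ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
         "X-Powered-By: PHP/5.1.6\r\nContent-Type: text/html\r\n\r\n"),
}

SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http"}
# Matches version strings such as "1.3.1", "2.2.3" or "4.7p1".
VERSION_RE = re.compile(r"\d+(?:\.\d+)+[A-Za-z0-9]*")
# "Product 1.2.3", "Product/1.2.3" or "Product_1.2p1".
PRODUCT_VERSION_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9\-]*)[ /_]+(" + VERSION_RE.pattern + ")")


def _header(raw, name):
    """Value of an HTTP response header, or None when it is absent."""
    m = re.search(r"(?im)^" + re.escape(name) + r":[ \t]*(.+?)\r?$", raw)
    return m.group(1).strip() if m else None


def classify_banner(port, raw):
    """Return what a raw banner from one of the four ports discloses."""
    info = {"port": port, "service": SERVICES.get(port, "unknown"),
            "product": None, "version": None, "extra": []}
    if port == 80:
        server = _header(raw, "Server")
        if server:
            info["product"] = re.split(r"[/ ]", server, maxsplit=1)[0]
            m = VERSION_RE.search(server)
            info["version"] = m.group(0) if m else None
        powered = _header(raw, "X-Powered-By")
        if powered:  # a second disclosure that is easy to overlook
            info["extra"].append(powered)
        return info
    text = raw
    if port == 22:
        # Drop the protocol prefix; the software string follows it.
        text = re.sub(r"^SSH-\d\.\d+-", "", text)
    elif port == 21:
        text = re.sub(r"^220[- ]", "", text)  # FTP greeting code
    m = PRODUCT_VERSION_RE.search(text)
    if m:
        info["product"], info["version"] = m.group(1), m.group(2)
    return info


def disclosure_report(banners):
    """Per-port summary of what a banner index would hold for this host."""
    return [classify_banner(p, b) for p, b in sorted(banners.items())]


def ports_disclosing_version(banners):
    """Ports whose banner gives away an exact version string."""
    return [r["port"] for r in disclosure_report(banners) if r["version"]]


if __name__ == "__main__":
    for entry in disclosure_report(SAMPLE_BANNERS):
        print(entry)
```

Run against a host's real banners, the report shows exactly what a query such as `OpenSSH_4.7p1` or `Apache/2.2.3` would match on, which is the part of the exposure the organization does control.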
Shodan Usage
Shodan works much like any other search engine; however, one can specifically target systems via a number of methods. The syntax even includes a switch that allows a user to specify geographic location by country. (May be good for future Cyberwar)
Syntax Options:
- + (equivalent to an AND operation)
- - (equivalent to a NOT operation)
- * (wildcard)
- country:
- hostname:
- ports: (limited to 21/TCP, 22/TCP, 23/TCP, and 80/TCP)
- net: (in CIDR notation)
- Note: Shodan only produces 100 results for free
Interesting Shodan Searches
Here are a few searches that I tried that produced interesting results. For some ideas on devices, vendors, and models, please see the Phenoelit default password list.
WebServer Detection
1. IIS+2.0
2. IIS+3.0
3. IIS+4.0
4. IIS+5.0
5. IIS+6.0
6. Websphere+4.0
7. Websphere+5.0
8. Websphere+6.0
9. "Oracle HTTP Server"
10. Jrun
11. RaidenHTTPd
12. "IBM HTTP"
13. Tru64
14. iCern
15. Lotus-Domino + 1.0
16. Apache (tons of versions with this, too many to list)
17. Windweb
CMS Detection
1. Joomla
2. Drupal
3. WordPress
4. Typo3
Network Device Detection
1. Linksys
   1. Linksys+wrt54g
   2. Linksys+wap54g
   3. Linksys+BEFDSR41w
   4. Linksys+BEFSX41
   5. Linksys+wap200
   6. Linksys+CIT400 (This is a telephony kit…interesting)
   7. Linksys+RVS4000
   8. Linksys+WET54G
   9. Linksys+WAG54GX2
   10. Linksys+WAG54GS
2. Netgear
   1. Netgear+DG834
   2. Netgear+PS121v2
   3. Netgear+WGR614v9
   4. Netgear+WAG302v2
   5. Netgear+DG834PN
3. Cisco
   1. Cisco+RV082
   2. Cisco+CSS
   3. Cisco+PIX
   4. Cisco+VPN
   5. Cisco+Server
4. Fuji+Xerox
5. JetDirect
Other
1. Xerver
2. port:23+list+of+built-in+commands
3. port:80+iisstart.html
4. Server: SQ-WEBCAM
5. "Anonymous+access+allowed"
6. Golden+FTP+Server
7. "Server:+iWeb"+HTTP
8. passwd
9. passwd+user+vname
10. deleted
Five Security Vendors to Keep an Eye On 2010
There are always the obvious leaders in the information security marketplace that interested observers should keep an eye on. This is especially true of larger IT vendors that at any moment could drastically change the market by, hmmm I don’t know, buying ISS for example. Of course, large vendors like RSA, IBM, McAfee, Symantec, and Cisco aside, there are some very interesting companies to keep an eye on. Here are five of those companies.
5. Breach Security
Let’s be honest, Breach Security is not the Web Application Firewall (WAF) market leader, nor will Breach approach that level within the near future. What makes Breach Security a company to watch is that the company largely seems ripe for acquisition. While the company is not the market leader, it is in fact a market contender from a technology perspective. As such, if a larger company with a more rounded product suite and better sales channels were to acquire Breach, Breach Security’s technology could rapidly become the market leading solution.
The web application security market is still relatively small; as such, the WAF market is really not a five-vendor market (Imperva, F5, Citrix, Breach, and Cisco). However, the market has a lot of potential to grow, should larger vendors evangelize the technology as web application attacks continue to grow. This has not gone unnoticed by some of the larger vendors making acquisitions. Of course, in terms of Breach, any moves will depend on an acquiring company's preference between acquiring a market or creating one. Regardless, expect a big move within the space within a year or two, and don’t be surprised if the move involves Breach.
4. Bit9
It is hard to deny that the endpoint application whitelisting story is becoming more than a little bit boring. The technology is sound, the security and compliance benefit is resounding, and the reality is that the technology is not resonating well within the market. Evangelizing whitelist technology is easy; selling whitelist technology is a bit more difficult. As a result, Bit9 is still not the endpoint security giant that in many respects it rightly should be. Of course, this difficulty is also compounded by market competitors, such as CoreTrace and McAfee (through the acquisition of Solidcore), who are also taking a portion of the overall endpoint application whitelisting market.
What separates Bit9 and makes it an extremely interesting company to watch, however, is Bit9's large repository of known application hashes. In order to reduce the amount of leg work necessary to deploy Bit9 technology, Bit9 created a large hash repository of non-malicious applications. This repository, and the delivery mechanism for getting it to endpoints, is extremely valuable considering the growing market for a list-based approach to threats. The combination of the two makes Bit9's technology highly sought after by larger security vendors, market competitors, and a lot of security purist customers. Bit9 currently offers access to that database through a portal that allows users to compare files against the database; while this is useful for investigative purposes, it is merely a glimpse and does not allow vendors to leverage the database to its fullest extent.
Expect Bit9 to continue to trickle through the security market through partnerships that leverage Bit9 technology. In addition, expect Bit9 or Bit9-like technology to be sought after by McAfee's competitors as McAfee attempts to stake out a market with its Solidcore solution.
3. Qualys
While this list was meant to point out the less obvious companies to watch, it is difficult to ignore a company like Qualys. Qualys has historically leveraged non-security-related technology, namely SaaS, to deliver high quality capabilities without a ton of headache. In addition, Qualys makes intelligent business decisions, such as the early integration with the Payment Card Industry Data Security Standard (PCI DSS), to dominate its respective markets.
Philippe Courtot (Chairman and CEO) runs Qualys with a frank, no-BS approach to business that is quickly becoming the stuff of legend. Regardless, it is difficult to argue that the man is not a visionary, and it is clear that Qualys is a tightly run ship with an excellent executive team whose ability to execute is quickly becoming the example for privately owned security vendors.
Qualys will be an interesting company to watch because the company is reaching a size where it makes sense for another firm to acquire it or for Qualys to do an Initial Public Offering (IPO) and go public. In many ways this movement is long overdue. In addition, Qualys has largely staked its ground in the increasingly commoditized vulnerability management market. Thus, in order to grow, Qualys will be forced to venture into new arenas. Evidence of this can be seen in some of its newer offerings, which focus on website malware and GRC.
Expect Qualys to continue to expand its range with a fuller product portfolio and partnerships.
2. Mandiant
There is currently a great void when it comes to a single source for security leadership. While Mandiant may not be able to fully fill that void with its current products and capabilities, it has allowed Mandiant to stake out a key role in the marketplace as a leader in incident response. Mandiant has gained visibility as a leader in investigative services for extremely difficult-to-investigate incidents. Its ability to work arm-in-arm with other, larger vendors has allowed it to play the middle ground and assert itself as a thought leader in the incident response realm. These services, in tandem with its current product portfolio, have allowed Mandiant to play in a realm where other incident response vendors such as Guidance Software and AccessData have struggled: the realm of enterprise IT security.
As of now, the Mandiant product portfolio does not necessarily resonate well within many larger vendors' 2010 market strategies; however, as Mandiant continues to assert itself as a leader, the company becomes more attractive to vendors who have a large product portfolio but lack thought leadership notoriety. In addition, as incidents continue to be inevitable, the market will likely shift more towards Mandiant’s product approach of assisting enterprises in handling incidents. This of course will increase Mandiant’s profitability and make it a target for acquisition. In 2010, however, expect Mandiant to continue to stake out security leadership through incident response and highly interesting partnerships, such as the already existing partnership with Bit9.
1. NetWitness
To be frank about it, NetWitness currently has the holy grail of security solutions. Ok wait, before anyone goes tearing apart this website in anger at that statement, please continue reading. NetWitness does not possess the end-all of security technology; however, consider the innovations in security technology over the past five years: despite all those innovations, 99% of information technology defense is dependent on firewalls, IPS, gateway antivirus, and endpoint security technology. In some more advanced cases there is likely an intermixing of web content filtering, ADS, and DLP solutions as well. Now consider what NetWitness offers in the context of these environments: NetWitness offers the technology that serves as the mortar between all of these technologies.
NetWitness’ unique technology allows organizations to review their network traffic with full packet captures. NetWitness then combines that basic capability with geolocation integrations and threat feed integrations with organizations such as SANS, SRI, and Shadowserver in order to deliver a product that, upon its discovery four years ago, my counterpart on my government incident response team described only as “nasty.” This is not to mention that NetWitness integrates with industry leading technology such as the IBM SiteProtector IPS management system to make searching all of this data easier for security professionals. All that said, the underlying reason NetWitness is such an interesting company is that they have taken all of the capabilities that security professionals have been wishing they had and scaled them to large enterprises.
In addition, NetWitness is a magnet for talented security professionals, especially those with US Government security experience, having hired such notable characters as Amit Yoran and Shawn Carpenter. Given the overall diaspora that has occurred within the security marketplace, the collection of highly visible talent such as this is nothing less than eye opening. There is little doubt that this has contributed to the consistent growth numbers posted by NetWitness.
Given these characteristics one can expect NetWitness to continue growing rapidly and/or be acquired for a large sum over the next three to five years (if not sooner).
(Honorable Mention)
Rapid7
Rapid7 is competing in a Qualys world, which most certainly is not easy. The company, which is currently focused almost entirely on vulnerability management, is staking out new ground in an increasingly commoditized market. This is a hard-fought battle to establish competitive differentiation against existing market leaders Qualys and nCircle, as well as other market competitors such as eEye, McAfee, and Tenable, who all have relatively large market shares.
Rapid7 was able to generate some market momentum with the recent acquisition of the Metasploit project. The commercial offering of Metasploit has allowed Rapid7 to explore some new venues for profit; however, what really makes Rapid7 interesting is its approach to the market. As of now, Rapid7 plays host to vulnerability assessment products, penetration testing products, and professional services; these basic lines of solutions are the foundation for other successful models that attracted highly talented security professionals in the past. With names like H.D. Moore, Rapid7 is poised to gain further market momentum and offer a somewhat attractive hub for more talent. Of course, this road is not without several speed bumps.
Expect Rapid7 to continue a highly visible marketing agenda that within a year has already included the release of a freeware vulnerability scanner and the acquisition of Metasploit. In addition, expect Rapid7 to carve out a better foothold in the vulnerability management market as other competitors continue to slide.
More Needs To Be Done To Protect CMS
The security industry is not doing enough to secure web Content Management Systems (CMS). With the recent attack on WordPress-enabled sites hosted on GoDaddy, and over 125 exploits released in the month of April for Joomla! vulnerabilities alone, this message is important enough to state plainly. Unfortunately, due to a wide variety of circumstances, this issue is largely not understood by the security community.
This is in no small part due to the fact that CMS attacks are often extremely difficult to detect. It is an unfortunate reality that the vast majority of protection products are not capable of honing in on CMS attacks. Rather, most protection products either focus on the generic web application attack aspects of CMS attacks, or they simply detect nothing. For example, the following published exploit against Lisk CMS (OSVDB-64778) would most likely trigger a broad detection of “SQL Injection” in IPS products and web application firewalls. However, it would not, without deeper investigation, allow a security professional to know that the attack was actually aimed at Lisk CMS.
Example (from htbridge.ch):
http://URL/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+
While the broad generalization of this type of attack string is certainly understandable, the question is: is it helpful? On one hand, a generic alert allows a security professional to take immediate action to possibly prevent issues from within their network infrastructure, and also allows them to broadly categorize the attack. On the other hand, the alert does not inform the security professional of the underlying issue, so they never get to the root cause without time consuming analysis. This makes the collection of metrics on these types of attacks even more difficult. As a result, statistics-backed reports rarely, if ever, cite CMS as a growing vector for attack.
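As an added example (not from the post or any vendor product), the following Python classifier raises the generic “SQL Injection” verdict and, in the same pass, attributes the request to a CMS by script and parameter fingerprint, which is what makes CMS-level metrics possible. The Lisk CMS fingerprint is taken from the OSVDB-64778 string above; the Joomla! and WordPress entries are illustrative, and the request lines are constructed with placeholder paths.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed request lines (not real traffic). The first carries the exploit
# string quoted in the post, with a placeholder path for the control panel.
SAMPLE_REQUESTS = [
    "GET /path_to_cp/cp_messages.php?action=view_inbox"
    "&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+ HTTP/1.1",
    "GET /index.php?option=com_content&id=1+union+select+1,2,3 HTTP/1.1",
    "GET /index.php?option=com_content&id=12 HTTP/1.1",
    "GET /wp-login.php HTTP/1.1",
]

# The generic signature most products stop at: a UNION-based injection.
GENERIC_SQLI = re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")

# CMS fingerprints: (label, predicate over request path and query parameters).
# Lisk CMS entry mirrors the OSVDB-64778 exploit; the others are illustrative.
CMS_FINGERPRINTS = [
    ("Lisk CMS (OSVDB-64778)",
     lambda path, q: path.endswith("/cp_messages.php")
     and q.get("action") == ["view_inbox"]),
    ("Joomla!",
     lambda path, q: path.endswith("/index.php")
     and q.get("option", [""])[0].startswith("com_")),
    ("WordPress", lambda path, q: path.startswith("/wp-")),
]


def classify_request(request_line):
    """Generic verdict plus CMS attribution and the injected parameter."""
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    generic = "SQL Injection" if GENERIC_SQLI.search(unquote_plus(url.query)) else None
    injected = next((k for k, vals in params.items()
                     if any(GENERIC_SQLI.search(v) for v in vals)), None)
    cms = next((label for label, match in CMS_FINGERPRINTS
                if match(url.path, params)), None)
    return {"generic": generic, "cms": cms, "param": injected, "path": url.path}


def attack_metrics(request_lines):
    """Count generic SQLi hits per CMS, which a generic alert alone cannot give."""
    counts = Counter()
    for line in request_lines:
        verdict = classify_request(line)
        if verdict["generic"]:
            counts[verdict["cms"] or "unattributed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify_request(line))
    print(dict(attack_metrics(SAMPLE_REQUESTS)))
```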
Unfortunately, whether strong statistics exist or not, the fact of the matter is that CMS is under attack. While most of the major CMS vendors provide some level of security through research and response processes, frankly, the level necessary to secure freeware open-source CMS applications is too daunting a task for these organizations to tackle alone. It is therefore imperative that the security community, especially the vendor community, better support CMS security efforts. Until that support is available, please be ready to receive more e-mails like the one below…

