Educause Security Discussion mailing list archives
Top 10 Shodan Searches for .Edus
From: Shawn Merdinger <shawnmer () GMAIL COM>
Date: Tue, 10 Jun 2014 00:13:12 -0400
Hi All,

So, as I was reviewing the feedback from my "Shodan for the .Edu" SPC St. Louis 2014 preso, it seems a couple of folks were a bit peeved that I didn't provide more exact Shodan searches. While I much prefer ye olde "give a man a fish...yada, yada" approach, perhaps I was a bit remiss given the varied experience and background in such a diverse community. With that said, we're all here to learn and better secure our .Edus.

So below are what I'd consider the "top 10" Shodan searches for .Edu folks to explore on their networks. Each of the searches will require you to register first for the free Shodan account. In addition, these are the general searches, and as such you will need to add to the search parameters the CIDR block of your .Edu (as in net:xxx.xxx.0.0/16 for a class B). I recommend also trying the org: limiter (as in org:"your .edu name here") as well as the hostname: limiter (as in hostname:somecool.edu) and then diffing out between the three approaches for duplicates, or better yet, grab the best coder on your team and point him/her to this resource: https://developer.shodan.io

Also, please refer to the Shodan Help Filters reference for more examples here: http://www.shodanhq.com/help/filters

Again, this is no substitute for what should be happening insofar as full-bore external scanning and enumeration of your network as part of regular, ongoing security awareness and recon activity. But this will get you a general idea.

Here are the Top 10 Shodan Searches along with a reference (or references) for each. It's quite possible I overlooked something, or there's a better reference, so feel free to respond here or shoot me an email off-list. Any suggestions for other searches are also welcome.

I also suggest you see my previous post on ICS/SCADA searches here: http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind1405&L=SECURITY&T=0&F=&S=&P=15814 as that's the kind of stuff where lights can go off and other reallybadstuff...

Finally, as a "learning to fish" exercise, I purposefully left MySQL off the list below since by now everybody has that locked down, right? ;)

Cheers,
--scm

1. IPMI UDP/623
http://www.shodanhq.com/search?q=port%3A623
Reference: http://fish2.com/ipmi/
Reference: https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

2. Windows XP
http://www.shodanhq.com/search?q=os%3A"windows+xp"
Reference: http://windows.microsoft.com/en-us/windows/end-support-help

3. Telnet TCP/23
http://www.shodanhq.com/search?q=port%3A23
More focused Telnet example of HP printers with no password set on Telnet:
http://www.shodanhq.com/search?q=password+not+HP+port%3A23
Reference: http://www.rapid7.net/db/vulnerabilities/telnet-open-port

4. SNMP UDP/161 and TCP/161
http://www.shodanhq.com/search?q=port%3A161
Reference: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html

5. Modbus TCP/502
http://www.shodanhq.com/search?q=port%3A502
Reference: http://www.tofinosecurity.com/blog/using-modbus-plcs-heres-how-protect-them

6. Printer Port TCP/9100
http://www.shodanhq.com/search?q=port%3A9100
Reference: http://www.irongeek.com/i.php?page=security/networkprinterhacking

7. Cisco IOS device with no password set on HTTP/S - manual connect via browser (see reference) or SDM (Cisco Security Device Manager)
http://www.shodanhq.com/search?q=%22cisco-ios%22+%22last-modified%22
Reference: http://voipsa.org/blog/2010/08/26/revisiting-shodan-computer-search-engine-oh-noes-the-places-youll-go/

8. Microsoft UDP/137
http://www.shodanhq.com/search?q=port%3A137
Reference: http://nmap.org/nsedoc/scripts/smb-enum-shares.html
Reference: http://nmap.org/nsedoc/scripts/smb-enum-users.html
Reference: http://www.sans.org/reading-room/whitepapers/testing/scanning-windows-deeper-nmap-scanning-engine-33138

9. Microsoft TCP/445
http://www.shodanhq.com/search?q=port%3A445
Reference: http://nmap.org/nsedoc/scripts/smb-enum-shares.html
Reference: http://nmap.org/nsedoc/scripts/smb-enum-users.html
Reference: http://www.sans.org/reading-room/whitepapers/testing/scanning-windows-deeper-nmap-scanning-engine-33138

10. Microsoft RDP TCP/3389
http://www.shodanhq.com/search?q=port%3A3389
Reference: http://blog.zeltser.com/post/19243892374/remote-desktop-security-risks
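The scoping-and-diff workflow the post describes (run each base search under net:, org: and hostname:, then diff the three result sets for duplicates) as an added example; this is not code from the original post or from Shodan. The ten base queries are the ones listed above; the CIDR (198.51.100.0/24, the RFC 5737 TEST-NET-2 range), the org name "Example University", the hostname example.edu and the sample results are constructed placeholders. The live lookup uses the official `shodan` Python library's `Shodan.search()` and is optional; the diff logic runs offline on the embedded sample.

```python
"""Scope Shodan base searches to a .edu three ways and diff the results.

Added example, not from the original post. BASE_QUERIES are the ten
searches from the post. The CIDR, org, hostname and SAMPLE results are
constructed placeholders; live lookups need an API key and the `shodan`
package (pip install shodan).
"""
from collections import defaultdict

# The ten base searches from the post, keyed by a short label.
BASE_QUERIES = {
    "ipmi":      "port:623",
    "winxp":     'os:"windows xp"',
    "telnet":    "port:23",
    "snmp":      "port:161",
    "modbus":    "port:502",
    "jetdirect": "port:9100",
    "cisco_ios": '"cisco-ios" "last-modified"',
    "netbios":   "port:137",
    "smb":       "port:445",
    "rdp":       "port:3389",
}


def scoped_queries(base, cidr, org, hostname):
    """Return the net:/org:/hostname: scoped variants of one base search."""
    return {
        "net": f"{base} net:{cidr}",
        "org": f'{base} org:"{org}"',
        "hostname": f"{base} hostname:{hostname}",
    }


def diff_scopes(results_by_scope):
    """Merge per-scope match lists on (ip, port) and record which scopes saw each.

    results_by_scope: {scope: [match, ...]} where each match carries 'ip_str'
    and 'port', the field names Shodan's API returns in 'matches'.
    Returns {(ip, port): sorted list of scopes that returned it}.
    """
    seen = defaultdict(set)
    for scope, matches in results_by_scope.items():
        for m in matches:
            seen[(m["ip_str"], m["port"])].add(scope)
    return {key: sorted(scopes) for key, scopes in seen.items()}


def found_by_only(diff, scope):
    """Services that exactly one scoping method surfaced: what the other two miss."""
    return sorted(key for key, scopes in diff.items() if scopes == [scope])


def fetch_live(api_key, query):
    """Optional live lookup: Shodan's 'matches' list for one scoped query."""
    import shodan  # official client; Shodan.search() returns a dict with 'matches'
    return shodan.Shodan(api_key).search(query)["matches"]


# Constructed sample results for base "port:623" under the three scopes.
# 203.0.113.40 lies outside the CIDR and only shows up under org:.
SAMPLE = {
    "net":      [{"ip_str": "198.51.100.5", "port": 623},
                 {"ip_str": "198.51.100.9", "port": 623}],
    "org":      [{"ip_str": "198.51.100.5", "port": 623},
                 {"ip_str": "203.0.113.40", "port": 623}],
    "hostname": [{"ip_str": "198.51.100.5", "port": 623}],
}

if __name__ == "__main__":
    queries = scoped_queries(BASE_QUERIES["ipmi"], "198.51.100.0/24",
                             "Example University", "example.edu")
    for label, q in queries.items():
        print(f"{label:9} {q}")
    diff = diff_scopes(SAMPLE)
    for (ip, port), scopes in sorted(diff.items()):
        print(f"{ip}:{port} found via {', '.join(scopes)}")
    print("only via org::", found_by_only(diff, "org"))
    print("only via net::", found_by_only(diff, "net"))
```

The point of diffing rather than picking one limiter is visible in the sample: the org: search surfaces a host outside the institution's CIDR (registered to the org but numbered elsewhere), while the net: search surfaces a host that has no hostname or org attribution in Shodan's record. A host that appears under only one scope is the one worth a second look, because whichever single filter you chose would have hidden it. To run against real data, replace SAMPLE with `{scope: fetch_live(key, q) for scope, q in queries.items()}` for each base query.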