Educause Security Discussion mailing list archives

Top 10 Shodan Searches for .Edus


From: Shawn Merdinger <shawnmer () GMAIL COM>
Date: Tue, 10 Jun 2014 00:13:12 -0400

Hi All,

So, as I was reviewing the feedback from my "Shodan for the .Edu" SPC
St. Louis 2014 preso, it seems a couple of folks were a bit peeved
that I didn't provide more exact Shodan searches.  While I much prefer
ye olde "give a man a fish...yada, yada" approach, perhaps I was a bit
remiss given the varied experience and background in such a diverse
community.

With that said, we're all here to learn and better secure our .Edus.
So below are what I'd consider the "top 10" Shodan searches for .Edu
folks to explore on their networks.  Each of the searches will require
you register first for the free Shodan account.  In addition, these
are the general searches, and as such, you will need to add to the
search parameters the CIDR block of your .Edu (as in
net:xxx.xxx.0.0/16 for a class B).

I recommend also trying the org: limiter (as in org:"your .edu name
here") as well as the hostname: limiter (as in hostname:somecool.edu)
and diff out between the three approaches for duplicates, or better
yet, grab the best coder on your team and point him/her to this
resource: https://developer.shodan.io  Also, please refer to the
Shodan Help Filters reference for more examples here:
http://www.shodanhq.com/help/filters

Again, this is no substitute for what should be happening insofar as
full-bore external scanning and enumeration of your network as part of
regular on-going security awareness and recon activity.  But this will
get you a general idea.

Here are the Top 10 Shodan Searches along with a reference(s) for
each.  It's quite possible I overlooked something, or there's a better
reference, so feel free to respond here or shoot me an email off-list.
Any suggestions for other searches are also welcome.  I also suggest
you see my previous post on ICS/SCADA searches here:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind1405&L=SECURITY&T=0&F=&S=&P=15814
as that's the kind of stuff where lights can go off and other
reallybadstuff...

Finally, as a "learning to fish" exercise, I purposefully left MySQL
off the list below since by now everybody has that locked-down, right?
;)

Cheers,
--scm


1.  IPMI UDP/623
http://www.shodanhq.com/search?q=port%3A623

Reference:  http://fish2.com/ipmi/
Reference:  https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi


2.  Windows XP
http://www.shodanhq.com/search?q=os%3A"windows+xp"

Reference: http://windows.microsoft.com/en-us/windows/end-support-help


3.  Telnet TCP/23
http://www.shodanhq.com/search?q=port%3A23

More focused Telnet example of HP Printers with no password set on
Telnet: http://www.shodanhq.com/search?q=password+not+HP+port%3A23

Reference:  http://www.rapid7.net/db/vulnerabilities/telnet-open-port


4.  SNMP UDP/161 and TCP/161
http://www.shodanhq.com/search?q=port%3A161

Reference: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html


5.  Modbus TCP/502
http://www.shodanhq.com/search?q=port%3A502

Reference:  http://www.tofinosecurity.com/blog/using-modbus-plcs-heres-how-protect-them


6.  Printer Port TCP/9100
http://www.shodanhq.com/search?q=port%3A9100

Reference: http://www.irongeek.com/i.php?page=security/networkprinterhacking


7.  Cisco IOS device with no password set on HTTP/S - manual connect
via browser (see reference) or SDM (Cisco Security Device Manager)
http://www.shodanhq.com/search?q=%22cisco-ios%22+%22last-modified%22

Reference:  http://voipsa.org/blog/2010/08/26/revisiting-shodan-computer-search-engine-oh-noes-the-places-youll-go/


8.  Microsoft UDP/137
http://www.shodanhq.com/search?q=port%3A137

Reference:  http://nmap.org/nsedoc/scripts/smb-enum-shares.html
Reference:  http://nmap.org/nsedoc/scripts/smb-enum-users.html
Reference:  http://www.sans.org/reading-room/whitepapers/testing/scanning-windows-deeper-nmap-scanning-engine-33138


9.  Microsoft TCP/445
http://www.shodanhq.com/search?q=port%3A445

Reference:  http://nmap.org/nsedoc/scripts/smb-enum-shares.html
Reference:  http://nmap.org/nsedoc/scripts/smb-enum-users.html
Reference:  http://www.sans.org/reading-room/whitepapers/testing/scanning-windows-deeper-nmap-scanning-engine-33138


10. Microsoft RDP TCP/3389
http://www.shodanhq.com/search?q=port%3A3389

Reference:  http://blog.zeltser.com/post/19243892374/remote-desktop-security-risks
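As an added example (not part of the post above and not Shodan's own code), the script below turns the ten base searches into the three scoped forms the post recommends (net:, org: and hostname:), runs them through a pluggable search function, and diffs the results per host:port so you can see which services only one scoping approach found. It runs offline against constructed sample responses; with a real key you would pass the official client's `shodan.Shodan(api_key).search` as the `search` argument, since the code only relies on the documented `matches[].ip_str` / `matches[].port` fields. The CIDR, organisation name and hostname used in the sample are placeholders, not a real institution.

```python
"""Scope the Top-10 Shodan searches to one institution and diff the three
scoping approaches (net:, org:, hostname:) for hosts seen by only some of them.

Added example, not from the original post.  Offline: `fake_search` stands in
for the Shodan API using constructed data.
"""
from typing import Callable, Dict, Optional, Set, Tuple

# The ten base searches from the post (query strings only, web-UI URLs dropped).
TOP10: Dict[str, str] = {
    "IPMI UDP/623": "port:623",
    "Windows XP": 'os:"windows xp"',
    "Telnet TCP/23": "port:23",
    "SNMP UDP/161": "port:161",
    "Modbus TCP/502": "port:502",
    "Printer TCP/9100": "port:9100",
    "Cisco IOS no-password HTTP": '"cisco-ios" "last-modified"',
    "NetBIOS UDP/137": "port:137",
    "SMB TCP/445": "port:445",
    "RDP TCP/3389": "port:3389",
}

Host = Tuple[str, int]  # (ip, port)


def build_queries(base: str, net: Optional[str] = None, org: Optional[str] = None,
                  hostname: Optional[str] = None) -> Dict[str, str]:
    """Return {scope: query} with the base search limited each way the post suggests."""
    scoped: Dict[str, str] = {}
    if net:
        scoped["net"] = f"{base} net:{net}"
    if org:
        scoped["org"] = f'{base} org:"{org}"'      # org names contain spaces: quote them
    if hostname:
        scoped["hostname"] = f"{base} hostname:{hostname}"
    return scoped


def collect(search: Callable[[str], dict], queries: Dict[str, str]) -> Dict[str, Set[Host]]:
    """Run each scoped query; `search` must return a Shodan-style dict whose
    'matches' entries carry 'ip_str' and 'port' (the shape the official client returns)."""
    return {scope: {(m["ip_str"], int(m["port"])) for m in search(q)["matches"]}
            for scope, q in queries.items()}


def diff_scopes(found: Dict[str, Set[Host]]) -> Dict[Host, Set[str]]:
    """Union the per-scope result sets, recording which scopes saw each host:port."""
    seen: Dict[Host, Set[str]] = {}
    for scope, hosts in found.items():
        for h in hosts:
            seen.setdefault(h, set()).add(scope)
    return seen


def partial_hits(seen: Dict[Host, Set[str]], scopes: Set[str]) -> Set[Host]:
    """Hosts not found by every scope.  A net: hit missing from org: usually means
    Shodan attributes that block to someone else; a hostname: hit outside net:
    means a service with your DNS name that is not on your address space."""
    return {h for h, s in seen.items() if s != scopes}


def audit(search: Callable[[str], dict], net: str, org: str, hostname: str,
          top10: Dict[str, str] = TOP10) -> Dict[str, Dict[Host, Set[str]]]:
    """Run all ten searches, three ways each, and return the per-search diff."""
    return {name: diff_scopes(collect(search, build_queries(base, net, org, hostname)))
            for name, base in top10.items()}


# --- constructed sample data standing in for three API responses (IPMI search) ---
SAMPLE: Dict[str, dict] = {
    "net":      {"matches": [{"ip_str": "192.0.2.10", "port": 623},
                             {"ip_str": "192.0.2.11", "port": 623}]},
    "org":      {"matches": [{"ip_str": "192.0.2.10", "port": 623},
                             {"ip_str": "198.51.100.5", "port": 623}]},
    "hostname": {"matches": [{"ip_str": "192.0.2.10", "port": 623}]},
}


def fake_search(query: str) -> dict:
    """Offline stand-in for shodan.Shodan(key).search: picks a canned response by scope."""
    for scope in ("hostname", "net", "org"):
        if f" {scope}:" in query:
            return SAMPLE[scope]
    return {"matches": []}


if __name__ == "__main__":
    q = build_queries("port:623", net="192.0.2.0/24", org="Example University",
                      hostname="example.edu")
    seen = diff_scopes(collect(fake_search, q))
    for host, scopes in sorted(seen.items()):
        flag = "" if scopes == set(q) else "  <- only: " + ",".join(sorted(scopes))
        print(f"{host[0]}:{host[1]}{flag}")
```

Hosts flagged "only:" are the ones to chase first: they are either address space you did not know Shodan attributes to you, or your DNS names pointing at services hosted elsewhere.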

