Search for Vulnerable Devices Around the World with Shodan [Tutorial]

Captions
Shodan is a search engine that indexes nearly every device directly connected to the Internet and can be used to find all sorts of interesting things. Today we'll learn how to use Shodan to find everything from webcams to boats, on this episode of Cyber Weapons Lab.

In order to understand how Shodan works, it's useful to think about how search engines work in general. Websites like Google, Yandex or Ask Jeeves will periodically go through all the available websites they can find using a spider and take the results, indexing them in a useful way for people who are running searches. Now, Shodan works in a similar fashion; however, instead of websites, it's looking for every available port on the internet, meaning it's going around searching every possible IP address and every possible port address, trying to identify whether or not it's open and available. Now, what that means is it's able to actually identify all these different devices that are connected directly to the Internet. And that doesn't mean that your home computer is going to show up; what it means is your router probably will. So if you port forwarded anything like a webcam, then it means it will probably, almost definitely, show up on a Shodan search.

Now, you can find a surprising amount of things on Shodan, and the scary thing is most of these devices do not ever change their default password, meaning there's a lot of things you can automate to go after devices shared directly on the internet using default passwords, which don't really even require you to do a search yourself. Now, part of the beauty of Shodan is that the Python module is scriptable, so you can do all sorts of things with it and even use a command line interface that goes a bit beyond the web interface that you might be familiar with. Today we're going to be taking an initial look at the web interface, the command line interface, and understand a little bit what we can do when we get into scripting Shodan into maybe a Python
script. In order to use this, you'll just need a web browser, but it helps to have Python installed if you want to use the command line interface. After that we should be ready to start.

Now, today we're gonna get started with Shodan, but I'm going to assume that you are kind of a beginner, or maybe you haven't used it for its ultimate goal, which is more actually just scripting attacking vulnerable devices so that you don't have to search for them in the first place manually. Now, the ultimate implementation of this is basically developers being able to identify a particular type of vulnerability in a particular type of device and then writing a script that automatically searches for all the ones that are currently connected to the Internet and then going after them. So Shodan has been revolutionary for security researchers, and that's because it allows you to search for very specific types of devices and find them all over the world. So if there's a vulnerability that affects, like, let's say one type of hardware, that could only be a couple of different thousand devices, but if you're getting a vulnerability that affects maybe an operating system like Windows XP or something, then suddenly you can get maybe even hundreds of thousands of devices all over the world that could be vulnerable and accessed in kind of a roundabout fashion by Shodan.

So how that works is that in order to access all these vulnerable devices, we first need to know where they are. So we can of course scan ourselves, but it's much more convenient to have a third party do all this work for us. So using Shodan is a really good way to be able to understand what's out there on the internet without needing to do the searching yourself. You can think of it kind of as somebody who's going around constantly knocking on doors, then being like, "Hey, who lives here? Who's here? What's up with which doors are open?" and then providing a map so that anybody who's curious can figure out, without needing to actually go
there themselves, what's going on. And that can mean that if you're doing port forwarding on something like your webcam or something like that, then it can appear on the search engine, because you're exposing it directly to the Internet, and when Shodan comes knocking, your router will reply with all the information about what's connected.

So in order to get started, I highly recommend that, as you see I'm connected to South Africa, you don't do this directly from your own IP address. You're going to want to connect to Tor or a VPN and make sure that you're only connecting to things that you have authorization to. But if you happen to drop into a webcam and you just don't know where it is and there's no password on it, then it's probably okay, but you probably, just to be safe, don't want it routing back to your IP address anyway. So take precautions and make sure you're not directly accessing this, and also check out one of our videos on URL tracking and how you can be tracked with tools like Grabify or Canarytokens, because it's a good education on how you can be tracked no matter kind of what you do in these circumstances when you're making web requests. So again, before you get started with this, please make sure you're hiding yourself at least a little bit, because you don't want to leave your presence all over logs all over the world and look like you're some sort of big shot. So, alright, let's get started.

So understanding the way to use this sort of tool comes down to being a good searcher. So how are we going to go about and craft a good search query? It's kind of the same way that when you're running a Google search, if you just type something in, Google is going to try to interpret it as best it can, but it's much more powerful if you know the right commands to use. Now, a little secret I want to share is that if you're looking for interesting ways to use Shodan, you can simply go ahead and click on Twitter, and again, I follow this stuff all the time, so I'll
frequently kind of tweet these, so if you want to check them out you can also follow me as well. But here you can see that we have different little stubs that are being shared by the community that will allow you to find different devices, and these are kind of shared all the time as security researchers find different things that are shared on Shodan. So if you want to be able to kind of be on the bleeding edge of what's happening with Shodan, you'll find a lot on Twitter when it comes to researchers sharing little strings.

So how does this work? Let's go ahead and go to a device that I've discovered. Now, this is in a river, so initially it's a little suspicious, until we see that, hey, this is actually a satellite device that's connected to a boat. So how did we get to a boat? How did we get here? Well, in order to find devices like a boat, we can type something in that allows us to differentiate them from all the other devices on the Internet. In this case, VSAT will give us a list of satellite systems that have a login page or a configuration that has that word in it, allowing us to say, hey, this is a satellite system. So next we can also differentiate things down a little bit further, and in my example I also included a port number, port 80, which allows us to maybe just look for things that are hosting a webcam or something very straight up and easy to access.

Now I'm going to run the search, and this is what you can do as soon as you just kind of log into Shodan, which is accomplished by going to shodan.io and creating a free account. Now, here you can see there's a bunch of different things that are reporting Satlink, which means this is a satellite system, and that's really interesting because it means that we can possibly get into something that's satellite connected and moving all over the world, which is truly, truly interesting. So let's take a look at this. This is just a random VSAT link, and we can see here that ports 23, 80 and 161 are open. So again, we just typed in something that
we know is connected to satellite networks, VSAT, and we started getting satellite kind of devices, and we ended up here looking at the various ports that are open and a little bit of a grab from what the URL header is, or from the HTTP header.

So now if we want to actually check this out, of course with our VPN enabled, we can just take the IP address that we've scanned and see, of course, port 80 is open, so we don't need to specify that, but if this was port 81 we would have to specify that, and then we can just try to go to it and see what happens. Now, it's probably gonna ask us for a password, and in some cases it will not, and in this case it doesn't, meaning we have direct access to a satellite network of some sort. So you can see that this is a problem, because this is obviously hosted on a boat, and through a little bit of digging around we can see, okay, Network something homme Dell, and then in the configuration we can see more information that probably will lead us to who actually owns this device. And in some cases we can even see the longitude, we can upload firmware, meaning we could make this a zombie and kind of make it follow us around and do what we want, we could route traffic through this satellite device, and in some cases, if there's a vulnerability, we can even do things like get into the navigation system of the boat and traverse a little deeper, so that we eventually not only know where this device is located physically on a map but can even influence that location by getting it to maybe move or have the wrong readings.

Now, all right, we see here that there is a system contact and we see there's a company name, and when we go to that company, oops, that's not what we want, there we go, we see that this is a company that makes satellite equipment. So now we know that we are in some sort of P Rio, in fact we are in this VSAT system somewhere, because they have not bothered to add a login page. Now, as you can see, we're actually logged into the satellite device because they
never managed to set a password, which is really not good, because anybody can basically get into this and upload firmware, which could allow it to do all sorts of bad stuff. Now, in order to figure this out, let's say that there was a password: we could simply go ahead and look at the default password in the setup guide. So when you encounter something like this, you can usually just look up the error page. Usually when you fail to log into something, it'll give you some sort of, you know, some sort of a, like, login page or something else.

So let's go ahead and take an example. In this case, we're going to search for webcams. So how do you search for a webcam? Well, there's two different ways. First, you can just type in webcam, and you can generally assume that webcams will have maybe something in the string, you see I just ran webcam, that tells you, hey, this is a webcam. So here we can see there's a port 8081, and if we try to go to it, let's go ahead and do that like this, there's probably gonna be a login portal, and usually the login portal will respond to the username admin and either admin again or password. We can just type admin, password. Who knows if that will work, probably not, but if we press cancel, then hey, boom, we get this unauthorized, authorization required, and then index.asp, so we have a little bit more information. Now, more useful would be maybe giving us something like the manufacturer. Now, the manufacturer, which sometimes we can also find in one of these strings, will allow us to find the default password, and most of the time if you want to get into something like this you can just attempt to login.

Here we go, we have another 8080. We copy this over, we paste it, and then we attempt to login. It doesn't really matter if we succeed or fail, provided we're able to grab... oh my god, there's no password. Okay, well, that's not entirely, completely surprising, but either way, this doesn't even ask to let anyone in. So weird. So here you can see where we're controlling some sort of, some sort of
recorder and camera. We've got night vision and some other stuff, which is great. Again, don't know where the system is connected to. I was trying to show you how you could look at the brand, but it seems as though we can just go ahead and actually control this device wholesale without entering any password at all, which kind of highlights why Shodan is something that can be powerful.

All right, so now that we've managed to get into a number of different things that we really didn't... oh, oh, here we go, now we can actually see what's going on. So here we are in some sort of system. We can click on night vision, oh, and now, now that we want to turn on the night vision, it's serious about security. So we can type in admin admin, admin password, and between those two, we have the majority of different devices will work. A lot of people just don't even bother to set this, but if it doesn't work, then generally what you can do is look up the type of device, and then if you can find just the setup or instructional manual, it'll just say the default password and you can try that.

Okay, so this is pretty cool, but what else can we do? Well, another example I found is this webcam, and we've got some activity, some web, this webcam in Germany. So in this case we were just looking for this string, cgi-bin guest image HTML, and if I go to Shodan I can type this in, and this request should be enough to start bringing up webcams all over the world. Now, this particular brand will just have this HTML file served up as a way for people to log in, but it's enough to identify it all over the Internet. So if I had a vulnerability for this particular type of webcam, I could use a search to basically find it everywhere it exists when it's directly connected online. So of course the expression that is we end up getting something like this, a connected web camera that might allow us to see into an area we're not supposed to, or even access a system and then use it to route traffic or do other sorts of bad stuff. So let's take
another step into Shodan and see what we can do with the command line interface.

Well, using Shodan is really easy, and if you go ahead and type Shodan GitHub, you'll see that there's a really easy plugin for Python. Now, Python is an amazing language to write Shodan, to use the Shodan library in, because it allows us to script very simple things, and you can see this quick start script. As soon as you get an API key, you can really start to do a lot in your code. Now, one of the attractive things is if you have Python installed, you can go ahead and install the command line version of Shodan by just typing pip install shodan, and it should go ahead and install all the necessary libraries, and from there you can I've shown em and you're good to go.

Now, an example that I did before is if you want to query information about a host, in this case I'm going to query 1 8 1 8 9 2 a 1 1 2 8 2 50, we can get information about the host we want to investigate without even needing to use the command line at all, sorry, without even needing to go to the web interface at all. Now, as soon as this connects, I should be able to query this host, and we will get most of the information Shodan has about this host, so we can make determinations about where it is, in this case Mexico, the host names, and the fact that it's vulnerable to the Heartbleed vulnerability. So because we can also see the ports that are open and some other fingerprints, we can generally determine what this device is, where it's located and what it might be vulnerable to, which is exactly the intention of Shodan when it comes to running searches.

Between the command line interface and then running different searches in the direct web interface, you can find virtually anything you're looking for. So if you're looking for various tips, I again advise you to take a look on Twitter for various trending vulnerabilities that have been tied to a string where you can find a whole bunch of maybe webcams or something that all have
the same maybe burned-in login nobody can even change. So Shodan is an amazing tool for this sort of thing and I definitely recommend you check it out. In this case we're just doing a little bit of, just the tip of the iceberg when it comes to what you can search and find, but once you get more advanced, you can integrate this into your scripts and write things that are truly dynamic and integrate search functions into finding devices and automatically exploiting them.

Shodan is an incredible tool for security researchers, and while we've just scratched the surface, there's a number of things you can do with a paid account and with Python scripting that allow you to take Shodan even further. Now, although this is super powerful, I do recommend you exercise caution when accessing devices that you locate on Shodan, because depending on which device you're accessing and the country that you're in, you could get in a lot of trouble for accessing a device without authorization. If you want to learn more about Shodan, you can check out the Null Byte article linked in the description. If you have any thoughts on future episodes, send me a message on Twitter, because I'd love to hear from you. But that's all we have for this episode. We'll see you next time.
Info
Channel: Null Byte
Views: 401,002
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, Shodan, Vulnerable Devices, webcams, spying on webcams, Vulnerable routers, command line, api key, api, shodan api, mr robot, mr. robot, webcam, security camera, camera, IP camera, satellite
Id: oDkg1zz6xlw
Length: 18min 2sec (1082 seconds)
Published: Wed Aug 07 2019