TryHackMe Shodan Official Walkthrough

Captions
Hey everyone, welcome back to another video here on DarkSec. I am Dark, and today we're going to be taking a look at the Shodan room on TryHackMe. Shodan is a great tool if you're not familiar with it; it's certainly something that, if you are looking at venturing into the realm of consultant pen testing, or rather bug bounty as well, you'll find yourself using pretty frequently. That being said, let's go ahead and dive right into Task 1, Introduction.

So it looks like this room was created by b sec, and b is one of the mods on the Discord as well as the lead mod for the TryHackMe subreddit. Definitely recommend going and checking both of those out if you are not in one or both of them, and you can follow them here for more content. It looks like b also has a blog post on Shodan.

So Shodan.io is a search engine for the Internet of Things. Ever wondered how you find publicly accessible CCTV cameras? What about finding out how many Pi-holes are publicly accessible, or whether your coffee maker, or your office coffee machine rather, is on the internet? Shodan.io is the answer. Shodan scans the whole internet and indexes the services run on each IP address. Note: if you are following along you'll need a Shodan premium account. I do have one and I will log in here in a moment so we can just use my premium and you guys can see what it would look like.

So a couple quick notes. Shodan is a standalone scanning service that will scan the entire internet. That is great if you don't want to actually scan a target, or can't. This is passive because Shodan's doing the scanning, not you; you're not interacting with the target in that way, just viewing what Shodan has already collected. A couple words of warning: if you have something connected to the internet, like just a random website that you're hosting off of a Raspberry Pi that is accessible on the internet, it will show up on Shodan. So just something to be aware of. It's one of the main reasons why you don't want to put stuff out on the internet that is either vulnerable or isn't fully up to date, because it will pop up on here. The other thing to be aware of is you won't necessarily know what you're going to run into on Shodan. You're going to see a lot of whatever is showing on the screen, or whatever's up; sometimes that's up on an RDP instance. Just be aware, sometimes you don't get the most PG-13 content if you're following along with that. It's pretty rare to have something happen like that, but again, this is scanning the entire internet, so just be aware of it.

Finding services. Let's say we're performing a pen test on a company; we want to find out what services one of their servers runs. We need to grab their IP address. We can do that using ping. So for example, if we were to ping tryhackme.com, since TryHackMe has Cloudflare in front of it, it's going to answer with the Cloudflare IP address. Once we do this we can put the IP address into Shodan. Let me go ahead, I'm going to pause right here real quick, I'm going to log into my Shodan account and we can take a look as well.

And we're back. All right, I've gone ahead and logged in to Shodan. I have a premium account; Shodan does a sale almost every year where you can get a premium account for a dollar. That's usually around Black Friday, so just keep an eye out for that. It usually pops up in the yearly Black Friday deals threads that you'll find on Reddit, especially within the IT services. This is great even if you're not a pen tester: if you work for a company and you don't necessarily know everything that's out on the internet, but you do know what your IP space is, you can take a look through Shodan and just see what Shodan has seen. That being said, let's go ahead and take that address and we'll type it in over here: 104.26.10... not what I wanted... 229. Okay, and here we can see that sure enough this is exactly what we expected. This is TryHackMe, but again it's going through Cloudflare, which is what we expect to hit. So we're seeing that Cloudflare is accepting connections on 80 and 443; that's what we would expect from a web server. 80 is going to be a redirect link; typically if you try to connect to a website on HTTP it's going to say you can connect but I'm going to move you over to 443 and it'll secure your connection, and that's what we can see in this specific case. Sure enough, on 443 we can see that we get a 200 response rather than forbidden, and that means that we're accepting connections on the secure port, not the insecure port; again, what we expect. Everything else down here is just going to be different certificate information. I'm not really sure what's going on with these high ports; it looks like it's a bunch of garbage, and even then it looks like they're all blocked, just forbidden anyway, so nothing really of interest. But we can see that Cloudflare again has their SSL certificates on this, so it means that we're passing through Cloudflare.

All right, ourselves a little bit different from that: we have a lot more technologies that show up. So we can see that TryHackMe runs on Cloudflare in the United States and they have many ports open, and it looks like our port selection, we have a few more than this, about the same. Cloudflare acts as a proxy between TryHackMe and their real servers. If we were pen testing a large company this isn't very helpful; we need a way to get their IP address, and we can do this using ASNs, or autonomous system numbers.

Autonomous system numbers. An ASN is a global identifier of a range of IP addresses. If you're an enormous company like Google you likely have your own ASN for all of the IP addresses you own. I think of this as a bucket that all of your IP addresses live in; it's a way that we can label blocks of the internet and who owns them. Amazon has several ASNs from what I'm aware, they just have a ton of infrastructure; Google does as well; I know Facebook has a lot of ASNs. As you're doing research, specifically for bug bounty, you'll see a lot of demos like Jason Haddix has in his methodology talk, where he will show how to get ASNs, usually for Twitch or for Tesla, and you'll see that most of these companies own at minimum one, usually a couple ASNs if not more. So we can put the IP address into an ASN lookup tool, such as... and we'll take a look at that in a moment, which tells us they have ASN 14061. So we can go ahead, we'll take the IP address from here, we'll just take it from the end of our URL, copy, and then we'll paste this in here. I'm going to make this a little bit bigger for you guys, and we can see that again it's owned by Cloudflare, nothing really interesting there. I'm not seeing specifically where we're getting our ASN number, however we're seeing that it again is owned by Cloudflare; not really useful to us. So let's see: TryHackMe isn't a mega large corporation, so we don't have our own ASN. That is because all, if not most, of our infrastructure is burnable and it sits on AWS anyway, which is constantly changing, as you've seen from... well, everything's private anyway, it's just on internal networks. When we Google AS14061 we can see it is a DigitalOcean ASN number. We did have some stuff on DigitalOcean for a little while, and that's why that's popping up on Shodan.io. We can search using the asn filter: this is asn: and then the number, where number is the number we got earlier, which is AS14061. So we can go ahead and take that, and we'll take a look over here, asn, paste that in, and let's see... oh, no space, that'll do it. There we go. So we can see everything that's owned by the ASN, and there are a lot of results. This is what we expect; Cloudflare is massive, they have a lot of IP addresses because they have to route everything through and they do load balancing, specifically when attacks are happening. Doing this we can see a whole range of 6.2 million websites, in fact, that are on one single ASN, and in this specific case we can see that it was a little bit lower, 5.7, but I mean even then that's still an absolute ton. We can see the example feedback here. Interesting things that I'm seeing right away: this Nextcloud floating on DigitalOcean, that's interesting. Nextcloud is a private cloud that you can host yourself, and that's something that if I were pen testing a large company would stick out immediately. Knowing the ASN is helpful because we can search Shodan for things such as coffee makers or vulnerable computers within our ASN, which we know, if we are a large company, is on our network. Sometimes when you plug a coffee maker into the wall, if you're working for a really big company and the internet's not configured correctly, that coffee maker will beacon itself out to the internet and have a public IP. That's a little bit more rare, but it happens. Getting started, time to dig in; if you're stuck look at the previous task for some help.

So, banners. To get the most out of Shodan it is important to understand the search query syntax; that's just what we're typing in the search bar in this specific case. Devices run services, and Shodan stores information about them. The information is stored in a banner. This is also what Nmap does when it does banner grabbing, and that's how we get the base information about what service is running. It's the most fundamental part of Shodan. So an example banner looks like this, and this is just a JSON bunch of data. It looks like we have a Moxa Nport device, authentication disabled; that's interesting from the get-go. We have the name; this is something that we would look up to see if there's a specific device from this company. The StarHub Mobile, if that's a naming convention, if we can find out what generation that is we can usually find quite a bit more. This has our IP address, the MAC address, and then the port, as well as, it looks like, a country code. So we're looking at the output of a single port, which includes information about the IP and authentication details. You don't really see this outside of the API, so we won't delve into this. Again, we didn't see that on Shodan when we were looking; it's just good to know what this looks like. So we'll go ahead and mark this as complete and dive into Task 2.

Getting started, time to dig in; if you get stuck look at the previous task for some help. What is Google's ASN number? We can look up google.com and I'm sure we're going to find it here, just a nice 1 million results. Let me go ahead, I will search for this in just a second and I'll be right back with our answer. All right, we're back. We're going to go ahead and try this. So going back to our ASN lookup tool, I noticed that it takes a company name, and if we go to Google it looks like Google owns a number of ASNs. Oh, there's our ASN number; so this is likely the ASN that we are looking for. If we take that we can put that back in, and let me go ahead, looks like they own a couple, so we'll see which one it might actually be. Oh, here we go, there's our bottom one; that is probably correct. There we go. When was it allocated? Give the year only. That is going to be 2000. It's been around for 20, uh, 21 years now at the time of the recording, so I think it's 2000.

Where are most of the machines on this ASN number physically in the world? I'm going to guess this is United States, because that is a US ASN number; it specifically said Google US right there. What is Google's top service across all of the devices on this ASN? That is going to be WWW more than likely. Let's go ahead and try this. Actually, let's see, we'll take a look at this: we're going to take that ASN and we'll see what we get just for fun. Oh, SSH, no surprise there, and for those of you that missed it I caught that over here on the side under Top Services, and it's that by a decent margin over HTTPS. This is what I expected. What SSH product does Google use? I'm going to guess this is OpenSSH, but we'll find out. Yep, OpenSSH. So we'll grab this, copy that, and then put that in here. What is Google's most used Google product according to the search? Ignore the word Google in front of it. This is going to be an interesting one: OpenSSH, when we do SSH... okay, let's go back, see what we have for devices, top products. Okay, I'm going to guess Google Cloud here; it looks like that fits, and there we go.

Let's go into Task 3, Filters. On the Shodan.io homepage we can click on Explore to view the most upvoted search queries. The most popular one is webcams. Now this is where things get interesting. This was one that I'm going to avoid just because you never know what you're going to get, and I do not recommend going through and crawling through webcams; again, try to restrict your testing to what you're authorized to do. Note: this is a gray area. It is legal to view a publicly accessible webcam; you never know what you're going to see on it though. It is illegal though to try to break into a password protected one. Use your brain and research the laws of your country. Again, just for safety, I recommend this is something that I would avoid; again, don't break into things you don't own or don't have permission to test.

One of the other most upvoted searches is for MySQL databases, and we'll go and pull that up, and you can see that we just have a ton of SQL databases that are sitting out on the internet, 3.9 million for that matter. If we look at the search we can see it's another filter, and we can see that up here where it's product:MySQL. Knowing this we can actually combine two searches into one. On TryHackMe's ASN let's see if we can find some MySQL servers. We can use this search query, and we'll go ahead and copy that in, put that right there, and it looks like we have 87,000 MySQL products on this ASN, which makes sense because it's a virtual hosting company. And ta-da, we have MySQL servers on the TryHackMe ASN, which is really the DigitalOcean ASN, and you can view the results of that search just right there.

Shodan has many powerful filters. My favorite one is the vuln filter. Let's search for IP addresses vulnerable to an exploit; let's say we want to find an IP address vulnerable to EternalBlue. So we'll go and copy this and we'll put this in here and see what we get. Okay, well, it looks like I can't do that in my account. That kind of makes sense, because this is something that I don't think normal users should necessarily be able to do, just because the API can get you a lot of dangerous things very quickly. That's fine. However, this is only available for academic or business users, to prevent actors from using this. Whoops, I guess I was a bad actor today. City, country, geo coordinates, hostname, net (based on CIDRs), os (operating systems), before and after time frames; it looks like we have several other things that we can do with this. So the API: Shodan.io has an API. It requires an account, so I won't talk about it here. If you want to explore the Shodan API I've written a blog post about finding Pi-holes with it here, and this is something that I would definitely recommend checking out. This is a really interesting read; I've taken a little bit of a look through this article, but it's definitely worthwhile checking out, especially if you want to make sure that you don't have anything sitting on the internet that you know you shouldn't have sitting on the internet. So definitely worth checking that out; I will put this in the video description as well for those that are just watching the video. The API lets us programmatically search Shodan and receive a list of IP addresses in return. If we are a company we can write a script to check over our IP addresses and see if any of them are vulnerable. PS: you can automatically filter on Shodan by clicking things in the left hand sidebar, which we did before by clicking into different stuff like the OpenSSH and things like that. How do we find EternalBlue exploits on Shodan? We can go ahead and grab this. Maybe this is something that again you would also be interested in as a bug bounty hunter, because if you have a company's ASN and you know that the entire ASN belongs to that company, going through and scanning for things like this, automating this, automating changes in websites, that's one of the ways that a lot of bug bounty hunters get ahead: noting those changes as they happen to see if there's anything new or if a bug just hasn't been fixed.

All right, let's hop into Task 4, Google and Filtering. Learning to filter with Google. Helpful hint: pay close attention to what the question is asking you. What is the top operating system for MySQL servers in Google's ASN? So if we take this we can go ahead and go back here and we will click on that product, let's see, MySQL, and we'll see what we get. It looks like top version, there's some interesting things. Let's see what else we've got: top operating system for MySQL servers in Google's ASN. Top versions, I would imagine it's going to be that, so let's click into there and let's see if this fits. Maybe I'll give it a moment. Let's copy that over. There we go. What is the second most popular country for MySQL servers in Google's ASN? I'm going to guess this is probably China. Nope, it's the Netherlands; that's an interesting one. A lot of infrastructure is either hosted in the United States or in China; it just depends on where you're at. A lot of that is specifically because China has its own copy of a lot of the internet because of the Great Firewall of China. Just something to be aware of: you're going to see this happen a lot where there is a Chinese copy of the site and then there's an American, or the rest of the world, copy of the site. Something to be aware of, and you'll see that come up a lot actually in bug bounties, where you will see that there are duplicate sites that aren't necessarily always duplicates. So be aware that they're worthwhile testing, but you'll see that pop up where there's a .cn address as well. Under Google's ASN, which is more popular for nginx: Hypertext Transfer Protocol without SSL or with SSL? Judging by this it looks like it's going to be the first one; let's go ahead and take this though, and let's see, under Google's ASN, so we do still care about that, and we want a product of nginx. Let's see what we get. It looks like it's going to be HTTP, so that'll be Hypertext Transfer Protocol; we can copy that in. Under Google's ASN what is the most popular city? This will be an interesting one. Top organizations, let's see if we can drill down into the United States and see what we've got. Top cities: Kansas City. I know there are a lot of data centers in Kansas City, so that's not terribly surprising. Did I spell Kansas wrong? Hold on, we're going to pause for a second while I figure out what's going on with this. All right, we're back. It wanted the last one on there, which doesn't make sense because it looks like it's Kansas City to me, and as I mentioned I know that there are a lot of data hosting facilities in Kansas City and Council Bluffs. This is not terribly far from me, so I know that they've put in a lot of... I think Facebook actually just put in a data center not that long ago there. Under Google's ASN in Los Angeles, what is the top operating system according to Shodan? That looks like Windows, but we're going to check. Let's see, so we'll click into this and I'm going to change this to LA, let's see if I spell that correctly, and let's see top operating system: PAN-OS. I have no idea what that is. Okay, I'm going to pause the video because I want to figure out what this is and I will let you guys know. Okay, that was far less exciting than I thought: it is Palo Alto's firewall operating system. Oh well, now we know. Using the top webcam search from the Explore page, does Google's ASN have any webcams? We'll go ahead and grab this. I'm going to pause the video just because I don't know what'll come up from the webcam search, and I will be back and report on it once that is done. All right, looks like Google does not have any exposed webcams. Good for them; that's definitely something that is great that they're keeping an eye out for.

All right, let's jump into Task 5, Shodan Monitor. Shodan Monitor is an application for monitoring your devices in your own network. In their words: keep track of the devices that you have exposed to the internet, set up notifications, launch scans and gain complete visibility into what you have connected. Very cool. Previously we had to do this using their API, but now we have this fancy application. You can access the dashboard via this link, and we'll take a look at that in a moment, and you'll see it asking for an IP range, and it looks like we have it there, and if I wanted to I could get that all set up. Once we add a network we can see it in our dashboard, and you can see that it looks like this has been added with the name of nmap, and then we have it in our dashboard here. If we click on the settings cog over here we can see that we have a range of scans Shodan performs against our network. So we have trigger rules; it looks like we have industrial control system, definitely something you want to keep an eye out on and make sure that it's not exposed on the internet; internet scanner; IoT; malware, so a lot of malware will beacon out on a very specific port and it is something that Shodan will track; new service; open database; SSL expired, another common problem that organizations have is a lot of times someone forgets to pay the bill and the SSL certificate expires; uncommon; and then vulnerable. So triggers, real quick: triggers are rules that, when they're met, cause Shodan to send you a notification. So it looks like these are the different scans we're running, and then if we hit one of these criteria it is going to send us an email. So for example, the malware trigger will send you an email if your service looks like it has been compromised or it's running malware software. I might actually set this up on my home network; that is very cool. Any time Shodan detects a security vulnerability in one of these categories it will email us. If we go to the dashboard again we can see that it lays some things out for us, and you can see that it looks like we have the services, notable ports if there were anything interesting here, any vulnerabilities that we saw exposed to the internet, potential vulnerabilities, these are things that are not confirmed but it thinks might be there and are worth researching, and then top IP addresses, which in this case we've only added one to this dashboard so we aren't really going to see anything. This is stuff that I just talked about. The interesting part is that you can actually monitor other people's networks using this. For bug bounties you can save a list of IPs and Shodan will email you if it finds any problems. Very cool, definitely something that is worthwhile to look into, and you can see that this is a premium product, but again keep an eye out for Black Friday deals. Having a Shodan premium account is definitely something that you want as a pen tester and will save you a lot of headaches. What URL takes you to the Shodan Monitor? We're going to go ahead and grab that right here, plop that in there, and there we go.

Let's jump into Task 6, Shodan Dorking. Shodan has some lovely web pages with dorks that allow us to find things, so this is very similar to Google dorking, but we can dig through this and just find interesting things on the internet using these combinations of search terms. Their search examples web pages feature some; so some other ones include has_screenshot:true encrypted attention, which uses optical character recognition and remote desktop to find machines compromised by ransomware on the internet. So, very cool. This is actually looking to see if it has a screenshot that's available, so we can actually see the desktop, if the machine looks like it's encrypted and it looks like it warrants attention. I'm guessing this is looking for these two words actually on the screen, so "encrypted" shows up, which is something that malware is going to show on your RDP screen anyway, and then "attention" will be the warning thing that pops up as well that says attention, you need to pay so-and-so amount of Bitcoin to unlock your data. And you can see that there's one specific thing that came out here from that scan. screenshot.label:ics, that is going to be industrial control systems, and it looks like it's cut off a little bit for me, but you can see that there's a screenshot hit there of an industrial control system website. vuln:CVE-2014-0160, internet connected machines vulnerable to Heartbleed; note CVE search is only allowed to academic or business subscribers, so we can't actually do that one. SolarWinds supply chain attack, by using favicons. So one thing that not a lot of people realize: you can take the hash of a favicon and see what other sites have the same favicon. Usually those sites are going to be owned by the same owner. This is really useful in the reconnaissance stage of bug bounty; I believe Jason Haddix also talks about this in his methodology talk. What dork lets us find PCs infected by ransomware? We can scroll up; this is a really interesting one and definitely something that is worthwhile playing around with just to see what's out there, and there we go.

Let's jump into Task 7, Shodan Extension. Shodan also has an extension, and this is something that I will be checking out here in a little bit because I think I forgot to install this on Chrome, or my version of Chrome. When installed you can click on it, it'll tell you the IP address of the web server running, what ports are open, where it's based, and if it has any security issues. Really, really cool. This is definitely something that I recommend running alongside Wappalyzer or BuiltWith, because it'll give you a pretty comprehensive view, from the surface or at a glance, of what you are working with. So there we can see the extension; I would imagine this probably has a Firefox equivalent, so definitely worth checking out. I imagine this is a good extension for any people interested in bug bounties? Yep, absolutely; being quickly able to tell if a system looks vulnerable or not based on the Shodan output. Yeah, definitely worthwhile checking out, and this is actually something that I'm going to install right after this video because I forgot to do that. So PS, that's the official image for the extension; that's a little blurry. Either way, worthwhile checking out, definitely something you want to dive into. We'll mark that as complete and dive into Task 8, Exploring the API and Conclusion.

Shodan.io has an API. It requires an account, so I won't talk about it here, and we mentioned this a little bit earlier. If you want to explore the Shodan API definitely check out this blog post that was mentioned earlier; again, I will have this in the video description below, and I'll link Jason Haddix's talk, his latest one at the time of recording, so that you can view a little bit more of what goes into the reconnaissance phase of bug bounty hunting. The API lets us programmatically search Shodan and receive a list of IP addresses in return. If we're a company we can write a script to check over our IP addresses and see if any of them are vulnerable. PS: you can automatically filter on Shodan by clicking things in the left bar, that was over here, and then read the blog post above; definitely worthwhile checking out. We're going to go ahead and mark that as complete, and that'll do it for the Shodan room. Thank you all for watching; if you enjoyed this content please subscribe to me on YouTube and follow me on Twitter, otherwise I will see you guys next time, and happy hacking.
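As an added example (not the room's code and not the Shodan API), here is an offline Python model of the workflow the video walks through: banner records in the JSON shape Shodan uses, the `asn:` / `product:` / `vuln:` / `net:` filter syntax with free-text search over the banner data, the sidebar "Top ..." facets the task answers came from, and simplified versions of three Shodan Monitor triggers. Every banner value is constructed (documentation IP ranges, an illustrative ASN), and the field mapping, trigger rules and `TODAY` date are my own assumptions rather than Shodan's exact behaviour.

```python
import ipaddress
import json
from collections import Counter
from datetime import date

# Constructed banners in the shape of Shodan's JSON (a subset of fields). The
# IPs are documentation ranges; ASN, product and vuln values are illustrative.
BANNERS = json.loads("""[
 {"ip_str": "203.0.113.10", "port": 22, "asn": "AS14061", "product": "OpenSSH",
  "os": null, "data": "SSH-2.0-OpenSSH_8.2p1", "_shodan": {"module": "ssh"},
  "location": {"country_code": "US", "city": "Kansas City"}, "vulns": {}},
 {"ip_str": "203.0.113.11", "port": 3306, "asn": "AS14061", "product": "MySQL",
  "os": "Ubuntu", "data": "5.7.33-0ubuntu0.18.04.1", "_shodan": {"module": "mysql"},
  "location": {"country_code": "US", "city": "Kansas City"}, "vulns": {}},
 {"ip_str": "203.0.113.12", "port": 443, "asn": "AS14061", "product": "nginx",
  "os": null, "data": "HTTP/1.1 200 OK\\r\\nServer: nginx", "_shodan": {"module": "https"},
  "location": {"country_code": "NL", "city": "Amsterdam"},
  "ssl": {"cert": {"expires": "20200101000000Z"}}, "vulns": {"CVE-2014-0160": {}}},
 {"ip_str": "198.51.100.5", "port": 3306, "asn": "AS64500", "product": "MySQL",
  "os": "Windows", "data": "8.0.23", "_shodan": {"module": "mysql"},
  "location": {"country_code": "CN", "city": "Beijing"}, "vulns": {}}
]""")
TODAY = date(2021, 1, 22)  # assumed "now" for the expiry check (video's publish date)

# The room's search filters mapped onto banner fields (dotted = nested key).
FIELD_PATHS = {"asn": "asn", "product": "product", "os": "os", "port": "port",
               "country": "location.country_code", "city": "location.city"}

def get_path(banner, path):
    """Walk a dotted path such as 'location.city'; None if a key is missing."""
    cur = banner
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def parse_query(query):
    # 'asn:AS14061 product:MySQL openssh' -> ([('asn','AS14061'), ...], ['openssh'])
    filters, terms = [], []
    for token in query.split():
        if ":" in token:
            name, _, value = token.partition(":")
            filters.append((name.lower(), value))
        else:
            terms.append(token.lower())
    return filters, terms

def matches(banner, filters, terms):
    """True if every filter holds and every free-text term occurs in the banner data."""
    for name, value in filters:
        if name == "net":  # CIDR membership, the room's "net" filter
            if ipaddress.ip_address(banner["ip_str"]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif name == "vuln":  # CVE id keyed in the banner's vulns map
            if value.upper() not in {cve.upper() for cve in banner.get("vulns", {})}:
                return False
        elif name in FIELD_PATHS:
            actual = get_path(banner, FIELD_PATHS[name])
            if actual is None or str(actual).lower() != value.lower():
                return False
        else:
            raise ValueError(f"unsupported filter: {name}")
    haystack = banner.get("data", "").lower()
    return all(term in haystack for term in terms)

def search(banners, query):
    filters, terms = parse_query(query)
    return [b for b in banners if matches(b, filters, terms)]

def facet(results, name):
    """Sidebar-style 'Top ...' counts; name is a filter name or a dotted path."""
    values = [get_path(b, FIELD_PATHS.get(name, name)) for b in results]
    return Counter(v for v in values if v is not None).most_common()

# Our own simplified rules for three of the Shodan Monitor trigger categories.
DATABASE_MODULES = {"mysql", "mongodb", "postgresql", "redis", "elastic"}

def triggers(banner, today=TODAY):
    """Trigger names a banner would fire on the given date."""
    fired = []
    if banner.get("vulns"):
        fired.append("vulnerable")
    expires = get_path(banner, "ssl.cert.expires")  # Shodan format: YYYYMMDDHHMMSSZ
    if expires and date(int(expires[:4]), int(expires[4:6]), int(expires[6:8])) < today:
        fired.append("ssl_expired")
    if get_path(banner, "_shodan.module") in DATABASE_MODULES:
        fired.append("open_database")
    return fired

def monitor_report(banners, network, today=TODAY):
    """Like adding a network to Shodan Monitor: ip -> triggers fired inside it."""
    hits = ((b["ip_str"], triggers(b, today)) for b in search(banners, f"net:{network}"))
    return {ip: fired for ip, fired in hits if fired}
```

Running `search(BANNERS, "asn:AS14061 product:MySQL")` reproduces the combined-filter search from Task 3 over the constructed data, and `facet(..., "os")` gives the "top operating system" style answers from Task 4.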
Info
Channel: DarkSec
Views: 15,150
Keywords: infosec, tryhackme, box, hacking, learn, darkstar, darksec, educational, darkstar7471, try, hack, me
Id: 5Ko6GUqY2m0
Length: 30min 41sec (1841 seconds)
Published: Fri Jan 22 2021