Friday, December 04, 2009

Shodan scares me

One of the problems of being white-hat hacker is that we scare ourselves. Such is the case of the "Shodan" engine that was released last month. It's a simple idea, one that has been discussed before. It simply scans the Internet for likely web server ports and indexes the HTTP headers that come back. Now that somebody has actually done it, and we can play with it, we find it's a lot scarier than we had imagined.

What this means is that instead of finding an exploit that works on a target system, you can grab any exploit then find a system vulnerable to it.

Every white-hat/hacker has some specialized skills. For example, Errata Security does a lot of pentests into IBM AS/400 System i Series mainframes. These systems are easily hacked precisely for the reason that few people have experience hacking them. We have a 100% success rate of breaking into them using the simplest means, and we have some more advanced exploits for getting into hardened ones.

With Shodan, we can find an AS/400 in seconds that is vulnerable to being hacked. For example, let’s say that I want to find a system in China to hack. I type in “IBM-HTTP-Server Country:CN” (“IBM-HTTP-Server“ is the string for the AS/400 web server). I get a list of systems in response, shown in the picture below:

If I telnet to the fifth IP address in that list, I get the following window:


At this point, I can *probably* hack into the system. I don’t know for certain it’s vulnerable, because I’m not going to try (unless the cyberwar with China heats up), but I’d bet money I could do it.

As I mentioned at the start of this post, this scares me. As with the absurdly simple way of finding systems vulnerable to SQL injection, it’s absurdly simple finding AS/400s that I can hack. I can dust off an old Apache or IIS exploit, and within seconds get a list of system that are vulnerable to that exploit. If I can find systems to hack this easily, thousands of hackers can do likewise.

Shodan is just one example of cloud pentesting. At some point, somebody will nmap and snmpcan the entire Internet and put the results in a database, making it even easier to match exploits to targets.

Right now at Errata Security, we have the policy that the moment it looks like we’ll get a company as a client, we go into “hands off” mode. We cannot port scan them, we cannot let our fingers “accidentally” slip to enter a quote ‘ in a web form, we cannot even traceroute to their servers. We know of too many cases where bad things have happened during sales negotiations where consults have jumped the gun and started their scans early. The basic reason is that pentests feel like hacking, so the client wants to be 100% in control and know everything the pentester is doing. Finding out the pentester was off doing stuff outside of their control usually gets the pentester fired.

However, with cloud pentesting, we don’t have to scan the potential client. We can instead simply ask the cloud system “what do you know about that client already?”. This brings me to the ethical question of “can we ask Shodan about a potential client while negotiating to do a pentest for them?”. I’m not sure what would happen when we are talking to the potential customer and they say “we don’t use Microsoft for web services” and you respond with “actually, you have four older IIS/4.0 servers on your DMZ”. I suspect that I will have to add this to our ethical guidelines.

8 comments:

mokum von Amsterdam said...

5 root shells in one query without touching a thing. IT makes for some proper fun, in the right hands.

AppSec said...

Why would this be "unethical" for a consultant to analyze the results from? Are you going to have them stop reading security sites to? What if someone were to disclose the vulnerability of a potential client on their site? Would that be off limits?

As long as you are not actively hitting their servers, I don't know if I see a problem with this. Just don't say anything.

Nope said...

Very nice on the IBM enumeration. We looked at the tool a little last week:

http://praetorianprefect.com/archives/2009/12/shodan-cracking-ip-surveillance-dvr/

http://praetorianprefect.com/archives/2009/11/youve-been-shodand/

Ian said...

This project looks a bit like ERIPP (the Every Routable IP Project) except ERIPP is only checking port 80 (for now). You can find it here:

http://eripp.com

H. Ax said...

How do you know your queries and their results aren't being recorded in a database already?

Unknown said...

"I type in “IBM-HTTP-Server Country:CN” (“IBM-HTTP-Server“ is the string for the AS/400 web server"

That's not exactly true because AIX systems return the same server type as AS/400

Loic said...

" “IBM-HTTP-Server“ is the string for the AS/400 web server " -> This is not entirely true, as an IBM HTTP Server (which is based on Apache by the way) can be executed on any type of machine, not only AS/400.
However, you have good chance of finding one using this method.

Elizabeth Martin said...

Sorry I just ran across this, but I think it is good idea to add some ethical guidelines to testing clients to ensure they feel comfortable with you, and it is something I feel strongly about. On the other hand I get frustrated with Shodan being THE problem. The engine is not the problem, it is the availability of the information that is the problem and I think we need to politely inform clients of this. IMHO. -@elizmmartin