The Internet has made virtually any information accessible to someone who is determined to find it. This is great when you need to quickly look something up, but it can be decidedly uncomfortable when you are the target of the search. The Internet not only holds an enormous amount of information, it also possesses a very long memory, meaning that any information we expose can live on for a long time. As individuals, this is something we almost take for granted. We know that when we apply for a job, someone in HR is going to scour the Internet and mine social media to see what can be found out about us (I'm regularly thankful that I attended college before the age of smartphones and omnipresent cameras).
From a security practitioner's point of view, however, this same sort of investigation enables very sophisticated social engineering by an attacker targeting our end users. It is relatively trivial for an attacker to identify individuals inside a target organization and then find their interests, hobbies, and a variety of contact options to use against them. This, of course, has led to a great deal of end-user training designed to teach employees a healthy degree of skepticism when on the Internet or in their email, and the dangers of over-sharing online. The risk makes intuitive sense to most of us when it concerns information about people. It is equally true of the networks, servers and technical infrastructure that define our presence on the Internet, yet many organizations seem relatively oblivious to the technical information that is readily available to anyone willing to search for it.
When Searching Goes Grey Hat
Search engines have become one of the most powerful reconnaissance tools in an attacker's arsenal. "Google hacking" refers to the use of specialized Google search queries to find all sorts of information that could be useful to an attacker. Queries that look for specific patterns in a URL (the inurl: operator) can reveal the type of web server being used and give the attacker important leads when looking for vulnerabilities. File-type searches (filetype:) can uncover configuration files or system logs that reveal details about the internal workings of an organization's networks and applications. These represent just the tip of the iceberg for someone with good Google-hacking skills.
However, the fun doesn't end with Google. Increasingly, more specialized search engines and web crawlers have been developed specifically with information security in mind. Enter Shodan.
Shodan is a specialized search engine that indexes devices rather than web pages. It does this by automating banner grabbing: connecting to a port and recording whatever the service announces about itself, which often includes the type of server, the software version it is running and, in some cases, the options it supports. This information becomes incredibly powerful when it is aggregated for the Internet as a whole.
Take, for example, one of the most popular searches on Shodan. A search for "cisco-ios" and "last-modified" produces a massive list of IOS-based devices, but more importantly it is a list of IOS devices that may not require authentication: a web server that demands credentials answers with a 401 challenge and typically does not include a Last-Modified header in its banner, whereas one that served a page without asking includes it. Similar searches have recently identified vulnerable SCADA and industrial control systems that were directly accessible from the Internet; you can read about this research in the ICS-CERT Monitor. This sort of search obviously has incredible value to anyone involved in information security, whether one is a black hat, white hat or somewhere in between.
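The heuristic behind that search can be reproduced with an ordinary banner grab. The following is an added example, not code from the original post or from Shodan: it connects to a port, reads what the service volunteers, and classifies an HTTP banner as "served without asking for credentials" (200 plus Last-Modified) or "authentication required" (401 plus WWW-Authenticate). The two sample banners are constructed for illustration and do not come from real hosts; the `grab_banner` helper only runs when you hand it a host of your own.

```python
"""Banner grabbing and the 'no authentication required' heuristic.

Added example; the banners below are constructed, not captured."""
import re
import socket
import sys

# Constructed HTTP banners in the shape an embedded web server returns.
OPEN_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: cisco-IOS\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "\r\n"
)
AUTH_BANNER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: cisco-IOS\r\n"
    "Connection: close\r\n"
    'WWW-Authenticate: Basic realm="level_15_access"\r\n'
    "\r\n"
)


def grab_banner(host, port, timeout=5.0, max_bytes=4096):
    """Connect and return the first bytes a service volunteers.

    Plain-text web ports get a minimal HEAD request; most other services
    (SSH, FTP, SMTP) speak first, so we simply read. Only use against
    hosts you are authorized to probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8000, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks, total = [], 0
        while total < max_bytes:
            try:
                data = s.recv(1024)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def parse_http_banner(banner):
    """Split an HTTP response banner into (status code, lower-cased header dict)."""
    head = banner.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(banner):
    """Apply the heuristic the 'cisco-ios last-modified' search relies on.

    A 401 (or any WWW-Authenticate challenge) means the device gated the
    page. A 200 carrying Last-Modified means it served content without
    asking for credentials, which is what the search string selects for."""
    status, headers = parse_http_banner(banner)
    server = headers.get("server", "unknown")
    if status == 401 or "www-authenticate" in headers:
        return {"server": server, "auth_required": True, "likely_open": False}
    likely_open = status == 200 and "last-modified" in headers
    return {"server": server, "auth_required": False, "likely_open": likely_open}


if __name__ == "__main__":
    # With no arguments, classify the constructed samples; with host and
    # port, grab a live banner from a host you own and classify that.
    if len(sys.argv) == 3:
        print(classify(grab_banner(sys.argv[1], int(sys.argv[2]))))
    else:
        for name, banner in (("open", OPEN_BANNER), ("auth", AUTH_BANNER)):
            print(name, classify(banner))
```

Running it without arguments classifies the two constructed banners; the first comes back `likely_open`, the second `auth_required`. The heuristic is only that: a device can answer 200 with Last-Modified for a harmless landing page and still protect everything behind it, so a hit is a lead to verify, not a confirmed open device.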
Bringing it Home
This sort of search capability is also incredibly valuable when protecting our own networks. For example, a Shodan search of hostname:ACME finds machines with ACME in the hostname or domain. This makes it very easy to search for our own organization and see exactly what Shodan can see (and therefore what any attacker could see). Similarly, the net: filter (for example net:203.0.113.0/24) returns every indexed device in a given IP range or subnet, again letting us see what information can be gleaned from our own devices.
Secondly, spending a little time on Shodan will put a fine point on just how much information leaks through banners, and why it's valuable to take the time to hide some of it. For example, another popular Shodan search is simply the term "SCADA". This search returns plenty of results, most of which match only because the string SCADA is part of the device's hostname. A search for the word "hospital" or "clinic" can quickly point someone to devices related to health care. This is a good reminder to be fastidious about naming and about how we identify our Internet-facing devices.
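To turn that self-search into a repeatable check, the following added example (not the original post's code, and not part of the shodan library) audits a set of search results for the two leaks discussed above: hostnames that advertise what a device is for, and banners that advertise a software version. The records are constructed for illustration, using documentation addresses, but they follow the field names the Shodan API returns (ip_str, port, hostnames, data); `fetch_results` shows how to pull live results with the official shodan library and is not called by default. The keyword list is an assumption seeded with the terms from the article.

```python
"""Audit Shodan-style results for revealing hostnames and version-leaking banners.

Added example; SAMPLE_RESULTS are constructed records, not live data."""
import re

# Words the article shows attackers pivoting on, plus a few assumed
# ICS-style terms; extend for your own environment.
SENSITIVE_WORDS = ("scada", "hospital", "clinic", "plc", "hmi")

# Constructed results in the shape of Shodan API 'matches' entries.
SAMPLE_RESULTS = [
    {"ip_str": "203.0.113.10", "port": 80, "hostnames": ["scada-gw.example.net"],
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n\r\n"},
    {"ip_str": "203.0.113.11", "port": 22, "hostnames": ["clinic-vpn.example.net"],
     "data": "SSH-2.0-OpenSSH_5.3\r\n"},
    {"ip_str": "203.0.113.12", "port": 443, "hostnames": ["www.example.net"],
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
]

SERVER_RE = re.compile(r"^Server:\s*(.+?)\r?$", re.I | re.M)
SSH_RE = re.compile(r"^SSH-\d\.\d-(\S+)", re.M)
VERSION_RE = re.compile(r"\d+\.\d+")


def software_string(data):
    """Return the self-description a banner volunteers (HTTP Server header
    or SSH identification string), or None if there is none."""
    for rx in (SERVER_RE, SSH_RE):
        m = rx.search(data)
        if m:
            return m.group(1).strip()
    return None


def leaks_version(software):
    """True when the software string carries a dotted version number."""
    return bool(software and VERSION_RE.search(software))


def sensitive_words(hostname, words=SENSITIVE_WORDS):
    """Keywords from the watch list that appear in the hostname."""
    name = hostname.lower()
    return [w for w in words if w in name]


def audit(results):
    """Produce (ip, port, finding, detail) tuples for every leak found."""
    findings = []
    for r in results:
        for host in r.get("hostnames", []):
            for word in sensitive_words(host):
                findings.append((r["ip_str"], r["port"], "revealing-name",
                                 f"{host} contains '{word}'"))
        software = software_string(r.get("data", ""))
        if leaks_version(software):
            findings.append((r["ip_str"], r["port"], "version-in-banner", software))
    return findings


def fetch_results(query, api_key):
    """Pull live matches with the official shodan library (pip install shodan).

    Needs network access and an API key; e.g. query='hostname:acme'."""
    import shodan  # imported lazily so the audit runs offline without it
    return shodan.Shodan(api_key).search(query)["matches"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESULTS):
        print(*finding)
```

On the constructed records the audit flags the SCADA gateway twice (its name and its Apache version), the clinic host twice (its name and OpenSSH version), and leaves the bare "nginx" banner alone, which is the goal: ship a product name at most, never a version, and keep purpose out of public DNS names.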
This applies to virtually any industry.
What I’ve shared here is really just scratching the surface in terms of what is possible, whether via Google, Shodan or any number of other search engines. But it’s important to realize what sorts of tools are available, how these tools are potentially being used and that we know just how much we are exposing to the outside world. Developing our own search skills will not only expose us to lots of interesting information, but can also significantly improve our own security posture.