What Google Is To Most Internet Users, Shodan Is To Hackers

What Google is to most internet users, Shodan (http://www.shodan.io) is to hackers. It is a search engine for open or vulnerable digital assets. Shodan continuously scans the entire internet and stores, for every reachable IP address, the open ports it found along with the banners of the services listening on them, together with metadata about the host, device and port. Such devices can be computers, laptops, webcams, traffic signals and all kinds of IoT devices. This helps security analysts identify a target and test it for vulnerabilities, default settings or passwords, exposed ports, banners and services. Similar to Google dorks, we present here a few Shodan dorks which can help security analysts uncover digital assets that should ideally not be exposed to the external world. Keep in mind that a Shodan hit only records what a host answered at scan time; it is a lead to verify against the live system, not proof of a vulnerability, and that verification belongs only on systems you are authorised to test.

Disclaimer:

Open Databases

1> Older relational databases like MySQL and PostgreSQL are fairly secure by default: they listen on the local interface only and require authentication out of the box. The same was not true of some of the newer NoSQL databases such as MongoDB, which for years bound to all interfaces by default and still ships with authentication turned off unless the administrator enables it.

2> A quick search for MongoDB on Shodan shows more than 48,000 such servers.

Search term: product:MongoDB

3> To narrow this down to MongoDB instances that appear to run without authentication, exclude banners that mention it:

Search term: product:MongoDB -authentication

The leading minus drops every result whose banner contains the word "authentication", leaving servers whose banner shows no sign of it being enabled. The number of such exposed MongoDB databases is alarming, since copying or deleting the data on an unauthenticated instance is trivial.

4> To search for mongo-express, the web GUI for MongoDB, use the following query:

Search term: "Set-Cookie: mongo-express=" "200 OK"

5> Similar queries can be used to find other databases such as CouchDB, RethinkDB, Cassandra and others.

Open ELK Stack

Elasticsearch and Kibana also shipped without authentication enabled by default for a long time (Elasticsearch only turned security on out of the box in version 8.0). Hence we find a lot of such exposed servers with the following query for Elasticsearch:

Search term: product:elastic

And the following query for Kibana, which matches the kbn-name response header that Kibana adds to its HTTP replies:

Search term: kbn-name

Open CI/CD systems

Jenkins is a CI/CD tool used by many development teams. Earlier versions of Jenkins came without authentication enabled by default. In such cases, attackers can learn a great deal about the organisation's SDLC, including source code, secrets and keys, by going through the Jenkins build logs, job configurations and other exposed data. To search for such exposed Jenkins instances, use the following query:

Search Term: "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

Similarly you may find SonarQube, Docker, and so on.

Unprotected Remote Desktop

VNC is a protocol for accessing remote desktops. To search for VNC servers that advertise no authentication in their RFB 3.8 handshake, use the following query:

Search term: "authentication disabled" "RFB 003.008"

To search for Windows RDP, use the following search query:

Search term: "\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

This byte string is the beginning of the X.224 Connection Confirm that an RDP server sends back to a client (the TPKT header 03 00 00 0b followed by 06 d0 00 00 12 34 00). Unlike the VNC query it therefore only fingerprints RDP endpoints and says nothing about whether authentication is enforced; treat each hit as a host to check, not as an open desktop.

Open Caching systems

Memcached is a distributed memory object caching system. A search for exposed Memcached servers can be done using the following:

Search term: product:Memcached

While we would not expect a caching layer like Memcached to hold much data, such instances may still contain a lot of sensitive information that is stored in them temporarily, such as session data or cached query results.

Similar searches can be done for Redis, RabbitMQ, etc.
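As an added example (not code from the article, from FireCompass or from Shodan), the Python script below collects the queries from the Open Databases, ELK, CI/CD, Remote Desktop and Caching sections above and shows how to triage what they return: classify() applies the same matching each dork relies on to a single banner record, summarize() tallies a result set, scoped() restricts a dork to your own address range with Shodan's net: filter, and count_exposures() pulls live totals through the shodan library when a SHODAN_API_KEY is set. The sample banners are constructed to illustrate the record shape the library returns (ip_str, port, product, data, optional http.title); their text, including the MongoDB "Authentication partially enabled" line, is an assumption about what real banners contain and is not copied from Shodan.

```python
import os
import re
from collections import Counter

# The article's queries, keyed by the exposure class each one hunts for.
DORKS = {
    "mongodb_open": 'product:MongoDB -authentication',
    "mongo_express": '"Set-Cookie: mongo-express=" "200 OK"',
    "elasticsearch": 'product:elastic',
    "kibana": 'kbn-name',
    "jenkins": '"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"',
    "vnc_noauth": '"authentication disabled" "RFB 003.008"',
    "rdp": '"\\x03\\x00\\x00\\x0b\\x06\\xd0\\x00\\x00\\x124\\x00"',
    "memcached": 'product:Memcached',
}
# The RDP query is the start of an X.224 Connection Confirm: TPKT header 03 00 00 0b,
# then 06 d0 00 00 12 34 00 ("\x124" is the byte 0x12 followed by the character "4").
RDP_CONFIRM_PREFIX = "\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

def scoped(query, cidr):
    """Restrict a dork to your own address space with Shodan's net: filter."""
    return f"{query} net:{cidr}"

def classify(banner):
    """Return the exposure classes one Shodan banner record matches.
    Each check mirrors what the corresponding dork matches on, applied to the raw
    banner text in `data` (plus `product` and `http.title` when present)."""
    data = banner.get("data") or ""
    lower = data.lower()
    product = (banner.get("product") or "").lower()
    title = ((banner.get("http") or {}).get("title") or "").lower()
    status_line = data.split("\n", 1)[0].lower()
    hits = []
    # '-authentication' drops every banner that mentions authentication, leaving
    # servers whose banner shows no sign of it being enabled (assumed banner wording).
    if "mongodb" in product and "authentication" not in lower:
        hits.append("mongodb_open")
    if "set-cookie: mongo-express=" in lower and "200 ok" in status_line:
        hits.append("mongo_express")
    if "elastic" in product:
        hits.append("elasticsearch")
    if re.search(r"^kbn-name:", data, re.I | re.M):
        hits.append("kibana")
    if (re.search(r"^x-jenkins:", data, re.I | re.M)
            and "set-cookie: jsessionid" in lower and "dashboard" in title):
        hits.append("jenkins")
    if "rfb 003.008" in lower and "authentication disabled" in lower:
        hits.append("vnc_noauth")
    if data.startswith(RDP_CONFIRM_PREFIX):  # fingerprint only; says nothing about auth
        hits.append("rdp")
    if "memcached" in product or data.startswith("STAT pid"):
        hits.append("memcached")
    return hits

def summarize(banners):
    """Count how many banners fall into each exposure class."""
    counts = Counter()
    for banner in banners:
        counts.update(classify(banner))
    return dict(counts)

def count_exposures(api_key, dorks=DORKS):
    """Ask Shodan how many hosts each dork matches now (needs an API key and network)."""
    import shodan  # pip install shodan; imported lazily so the offline demo needs nothing
    api = shodan.Shodan(api_key)
    return {name: api.count(query)["total"] for name, query in dorks.items()}

# Constructed sample banners in the shape Shodan's API returns (ip_str, port, product,
# data, optional http.title). Addresses are from the TEST-NET documentation range.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 27017, "product": "MongoDB",
     "data": 'MongoDB Server Information\n{"listDatabases": {"databases": [{"name": "admin"}]}}'},
    {"ip_str": "203.0.113.11", "port": 27017, "product": "MongoDB",
     "data": 'MongoDB Server Information\nAuthentication partially enabled\n{"buildInfo": {"version": "4.2.0"}}'},
    {"ip_str": "203.0.113.12", "port": 8081, "product": None,
     "data": "HTTP/1.1 200 OK\r\nSet-Cookie: mongo-express=s%3Aabc123; Path=/\r\nContent-Type: text/html\r\n"},
    {"ip_str": "203.0.113.13", "port": 9200, "product": "Elastic",
     "data": 'HTTP/1.1 200 OK\r\ncontent-type: application/json\r\n\r\n{"cluster_name": "elasticsearch"}'},
    {"ip_str": "203.0.113.14", "port": 5601, "product": None,
     "data": "HTTP/1.1 302 Found\r\nkbn-name: kibana\r\nlocation: /app/kibana\r\n"},
    {"ip_str": "203.0.113.15", "port": 8080, "product": "Jetty", "http": {"title": "Dashboard [Jenkins]"},
     "data": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.204.1\r\nSet-Cookie: JSESSIONID.abc=node0; Path=/\r\n"},
    {"ip_str": "203.0.113.16", "port": 5900, "product": "VNC",
     "data": "RFB 003.008\nVNC:\n  Protocol version: 3.8\n  Security types: None (authentication disabled)"},
    {"ip_str": "203.0.113.17", "port": 3389, "product": None, "data": RDP_CONFIRM_PREFIX},
    {"ip_str": "203.0.113.18", "port": 11211, "product": "Memcached",
     "data": "STAT pid 1234\r\nSTAT uptime 99\r\nSTAT version 1.5.6\r\n"},
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner["ip_str"], banner["port"], classify(banner) or ["no match"])
    print(summarize(SAMPLE_BANNERS))
    key = os.environ.get("SHODAN_API_KEY")
    if key:  # live counts, only when you supply a key
        print(count_exposures(key))
```

Run it as is to see the classifier over the constructed samples; with a key exported it also prints how many hosts each query matches today. For defensive use, wrap each dork with scoped() and your own CIDR so you only see your assets, and treat every hit as a lead to confirm against the live host rather than as a finding.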

Bonus

If you like hunting for such issues as part of a security team that then gets them fixed, search for: "X-Recruiting:" or reach out to us at careers@firecompass.com

For more such Shodan queries, look at https://github.com/jakejarvis/awesome-shodan-queries

Know some more interesting Shodan queries? Get in touch at contact@firecompass.com


FireCompass


© 2020   Created by CISO Platform.