Finding interesting things with Shodan: the Internet of Things search engine

posted in: Technology

If you’ve been keeping an eye on technology in the last few years you’ve more than likely heard the term ‘Internet of Things’ (IoT). It’s widely used to describe embedded ‘smart’ systems, usually running some form of Linux, that are connected to the Internet.

In this article I’ll be talking about systems that are accessible from the Internet, or ‘web-facing’. By that I mean computer systems running services (e.g. a web server) on ports that are not shielded by a firewall (some ports, or all of them), so that anyone on the wider Internet can connect to them.

Also, it goes without saying that everything discussed in this article is for educational purposes only, this is all publicly available information that is good for researching into what people are putting on the Internet and what risks they’re exposing themselves to.

These days everything is moving towards being Internet-connected, CCTV cameras, light bulbs, fridge freezers and even kettles. They’re hooked up to the web to allow for convenient features such as being able to control what lights are on in your home or to stick the kettle on while you’re on the way back to your house.

Behold a ‘smart’ kettle – What a wonderful time to be alive

Problems arise when these features are implemented poorly, and in a lot of cases the security of the smart device is nothing but an afterthought. Many ship with already outdated versions of Linux or BSD, along with outdated versions of services such as OpenSSH and Samba. That exposes them to known vulnerabilities which are fixed in later releases, but in a lot of cases the manufacturer never issues an update because, after all, they already have your money.

There are a number of responsible manufacturers out there, mainly the large brand names, but the sheer volume of cheap IoT devices being churned out from places like China is staggering.

Now that’s just consumer equipment. There’s also a huge amount of enterprise and industrial kit accessible on the Internet: CCTV systems, SCADA systems, power plants, hydro-electric power plants – you name it, someone has most likely stuck it on the Internet. Just like the consumer-grade kit above, a scary number of these systems are running outdated versions of Linux and Windows, and the same goes for the services running on them.

What seems to be a more common trend with enterprise and industrial systems, however, is poor firewall management. Consumer kit is generally plugged into a home router whose NAT and firewall drop unsolicited inbound connections, so nothing is exposed unless a port is explicitly forwarded (or the device opens one for itself via UPnP). That isn’t usually the case with industrial and enterprise kit: I’ve seen a lot of instances where a system has been put on the Internet and either routed through a poorly configured firewall or not through one at all. The result is that services designed only for use on a local network end up exposed to the wider Internet. Bad news.

Samba/SMB is a good example. There’s a horde of systems out there that require no authentication to access the contents of their drives, and through sheer stupidity the port that service uses (445 in SMB’s case) is exposed to the Internet rather than hidden behind a firewall. The result is that anyone who goes looking can map that drive to their own system and read anything on it, or even write anything to it.

What is Shodan?

This is where Shodan comes in. Historically, finding web-facing systems other than web servers was time-consuming. Tools such as masscan let you scan IP ranges, or the entire Internet, across all ports or just some of them, but that takes a long time on ordinary systems and Internet connections. Some researchers can scan the entire IPv4 Internet on a single port in a few minutes, but that’s using tailored systems connected to mammoth Internet connections.

Shodan is a search engine for finding specific devices, and device types, that exist online. It works by continually scanning the Internet and parsing the banners returned by the services it finds. Using that information, Shodan can tell you things like which web server (and version) is most popular, how many TFTP servers exist in a particular location, and often the make and model of the device.

Although there are APIs and smartphone apps available, Shodan is primarily a website that you can just visit and search for particular devices. It’s not quite as simple as googling for the term ‘webcams’ or something similar, you have to know what you’re looking for.

Shodan does work through NetSurf on RISC OS. Aesthetically it looks a little off when compared to a browser on another OS, but from a technical perspective it works just fine.

Search result for the RISCOSBlog server IP address

Know what you’re searching for

You can use Shodan to see which ports are open on a specific IP address. In the screenshot above I’ve taken the IP address of the RISCOSBlog web server and entered it into Shodan’s search bar. It’s then given me information on where the server is located, who hosts it and which widely used ports are open. Shodan doesn’t scan every port on the entire Internet, as that would be a herculean task; instead it focuses on the ports most commonly used by web-facing servers.

The interesting searches on Shodan come from looking for interesting things rather than just checking the open ports on an IP address. As Shodan works on the banner a service sends back when you connect to it, you’ll need to have an idea of what the banners for the systems you want to find contain.

For example, using the ‘netcat’ tool on a FreeBSD box I use, I can connect to my file server on port 22 (the SSH port) to see which version of SSH it’s running; it’ll also tell me what operating system it’s on, too. In the example below my file server is on the local IP address 192.168.0.2.

nc 192.168.0.2 22

Output:

SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

The SSH service on that box has been kind enough to tell me that it’s running version 7.2 of the OpenSSH server software and that it’s on the FreeBSD operating system.

I can then take that output and query Shodan for ‘OpenSSH_7.2’. It then gives me a long list of IP addresses that have that version of OpenSSH public to the Internet as well as statistics on what it’s found.

In this instance it’s found 88,560 public-facing systems with that version of OpenSSH. The majority are in the United States, and the most common OS running that version is FreeBSD.

This is all very interesting if you’re curious, but it’s also where keeping your systems up to date really matters: if I can identify a version of a particular service, say OpenSSH, that has an exploitable vulnerability, then I can search Shodan for that vulnerable version and it’ll give me a list of potential victims should I want to do something nasty.
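The banner grab above, and the step of turning the banner into a product and version you can compare against an advisory, as an added example (this is not code from the original post, and not part of Shodan). The banners in SAMPLE_BANNERS are constructed, apart from the FreeBSD one quoted in the article; the minimum version in flag_outdated is an illustrative assumption, not a statement about any particular vulnerability; grab_banner needs a reachable host and is only called when you pass one on the command line.

```python
import re
import socket
import sys

# An SSH server identifies itself with one line before the client sends
# anything (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# That line is exactly what nc shows and what Shodan indexes for port 22.
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Constructed sample banners; the first is the one quoted in the article.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-dropbear_2012.55",
    "SSH-1.99-Cisco-1.25",
    "HTTP/1.1 400 Bad Request",  # something else is listening on 22
]


def grab_banner(host, port=22, timeout=5.0):
    """Connect and read the first line the service sends.

    Returns the line without its CR LF, or None if the host does not answer
    within the timeout.  Only a TCP connect is made; nothing is sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(255)
    except (OSError, socket.timeout):
        return None
    return data.decode("ascii", errors="replace").split("\r\n", 1)[0]


def parse_ssh_banner(banner):
    """Split an SSH banner into protocol version, software and comment.

    Returns None when the line is not an SSH identification string.
    Most servers use 'name_version' for the software field (OpenSSH_7.2,
    dropbear_2012.55); that is split so the version can be compared alone.
    """
    m = SSH_BANNER_RE.match(banner.strip())
    if not m:
        return None
    info = m.groupdict()
    name, sep, version = info["software"].partition("_")
    info["product"] = name
    info["version"] = version if sep else None
    return info


def version_tuple(version):
    """'7.4p1' -> (7, 4): the numeric major/minor used for comparisons."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:2])


def flag_outdated(banners, minimum=(7, 4)):
    """Return (banner, product, version) for OpenSSH servers below `minimum`.

    `minimum` is an assumed threshold for illustration; in practice compare
    against the versions named in the advisories you care about.
    """
    hits = []
    for banner in banners:
        info = parse_ssh_banner(banner)
        if info and info["product"] == "OpenSSH" and info["version"]:
            if version_tuple(info["version"]) < minimum:
                hits.append((banner, info["product"], info["version"]))
    return hits


if __name__ == "__main__":
    banners = SAMPLE_BANNERS
    if len(sys.argv) > 1:  # python ssh_banner.py 192.168.0.2
        live = grab_banner(sys.argv[1])
        banners = [live] if live else []
    for b in banners:
        print(repr(b), "->", parse_ssh_banner(b))
    print("below threshold:", flag_outdated(banners))
```

Note that the comment field is free text the server chooses to send: FreeBSD and Debian put their patch level in it, which is what lets Shodan attribute an OS, but a hardened server can leave it empty, so treat it as a hint rather than proof.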

Customised queries

As with any search engine, Shodan works well with basic, single-term searches, but the real power comes with customised queries.

Here are the basic search filters you can use:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on operating system
  • port: find particular ports that are open
  • org: specify a particular ISP or organisation name
  • before/after: find results within a timeframe

Here is an example of combining filters to find what you want. I know that the HTTP headers returned by systems running the Emby media server will contain ‘emby’. So with the search below I can query for all Emby servers in the UK that have BT as their Internet Service Provider (ISP). Note the filter syntax: it’s filter:value with no space after the colon, and the value is quoted.

emby country:"GB" org:"BT"

Again, from a research perspective this is all pretty interesting: you can see there are 12 systems on BT Internet connections with Emby running on a port that Shodan scans (most likely 80 or 443). Emby defaults to port 8096, which isn’t scanned by Shodan, so the vast majority won’t be visible.

If you were a bad guy, however, then by researching the server software you’re querying for on Shodan you’d be able to find vulnerabilities to exploit quite easily.

Emby, for example, comes with authentication disabled by default, so there’s a good chance that at least some of the IP addresses in the list are running Emby instances you can log into without being asked for a password. A lot of users set up a service and, once it’s seen to be working, leave it rather than think about whether anyone else can reach it.

That’s reasonably harmless when you’re talking about a media server like Emby, but apply the same logic to Telnet servers, MongoDB servers and the like and you’re looking at systems with serious exposure. It would be trivial to search for MongoDB instances (another service that defaults to no authentication) and then do whatever you want with the data they store.
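The filtered query and the reading of its results, as an added example that is not part of the original post and not Shodan’s own code. It builds the query string the same way the ‘emby country/org’ search above does, and tallies a result set by port and by advertised server software. SAMPLE_RESULTS is constructed: the field names (total, matches, ip_str, port, org, location, data) are the ones Shodan’s search API returns, but every value in it is made up, including the Emby header strings. If the SHODAN_API_KEY environment variable is set, the query is sent to Shodan through the official shodan package instead; otherwise the sample is used and nothing leaves the machine.

```python
import os
from collections import Counter

# Constructed stand-in for a Shodan search() response (values are invented).
SAMPLE_RESULTS = {
    "total": 3,
    "matches": [
        {"ip_str": "192.0.2.10", "port": 443, "org": "BT",
         "location": {"country_code": "GB"},
         "data": "HTTP/1.1 200 OK\r\nServer: Emby/3.2.30.0\r\n"
                 "Content-Type: text/html\r\n\r\n"},
        {"ip_str": "192.0.2.11", "port": 80, "org": "BT",
         "location": {"country_code": "GB"},
         "data": "HTTP/1.1 302 Found\r\nLocation: /web/index.html\r\n\r\n"},
        {"ip_str": "192.0.2.12", "port": 80, "org": "BT",
         "location": {"country_code": "GB"},
         "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Emby</title>"},
    ],
}


def build_query(*terms, **filters):
    """Assemble a Shodan query: free-text terms, then filter:"value" pairs.

    Shodan's syntax is filter:value with no space after the colon; quoting
    the value lets it contain spaces (e.g. org:"British Telecommunications").
    """
    parts = list(terms)
    for name, value in filters.items():
        parts.append(f'{name}:"{value}"')
    return " ".join(parts)


def server_header(banner):
    """Return the value of the HTTP Server header in a raw banner, or None."""
    for line in banner.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def summarise(results):
    """Tally matches by port and by advertised server software.

    A match with no Server header is counted as 'unknown' rather than
    dropped, since the absence of the header is itself worth noticing.
    """
    matches = results["matches"]
    by_port = Counter(m["port"] for m in matches)
    by_server = Counter(server_header(m.get("data", "")) or "unknown"
                        for m in matches)
    return {"total": results["total"], "by_port": by_port, "by_server": by_server}


def search(query):
    """Query Shodan when SHODAN_API_KEY is set; otherwise return the sample.

    Uses the official 'shodan' package (pip install shodan).  Shodan.search()
    returns a dict with 'total' and 'matches' shaped like SAMPLE_RESULTS.
    """
    key = os.environ.get("SHODAN_API_KEY")
    if not key:
        return SAMPLE_RESULTS
    import shodan  # imported lazily so the offline path needs no extra package
    return shodan.Shodan(key).search(query)


if __name__ == "__main__":
    query = build_query("emby", country="GB", org="BT")
    summary = summarise(search(query))
    print(query)
    print("total:", summary["total"])
    for port, n in summary["by_port"].most_common():
        print(f"  port {port}: {n}")
    for server, n in summary["by_server"].most_common():
        print(f"  {server}: {n}")
```

Two things to bear in mind with the live path: the ‘total’ field counts every result Shodan holds, while a free account only gets the first page of ‘matches’ back, and the ‘data’ field is whatever the service sent when Shodan connected, so version strings in it are only as honest as the server that sent them.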

Other useful aspects of Shodan

You can use the “Explore” button on the main Shodan site to look at common searches and results, which are interesting and also pretty scary at times. You’ll find things like:

  • Webcams
  • SCADA systems
  • Traffic lights
  • Power plants
  • Routers
  • Point of sale systems
  • Industrial control systems
  • Systems with default passwords

Here are a few other cool things you can do:

  • Data Export: You can export your results in various formats using the top menu after you’ve performed a search.
  • Browser Search: You can configure your browser to search Shodan when you search from the URL bar. Not compatible with any RISC OS browser.
  • Shodan Free Account: You should create and log in to your free account when you search, as the interface is pretty nerfed if you don’t, e.g. not being able to see host information, etc. Search results are limited to a few pages for free accounts.
  • Premium Accounts: A premium account is a one-time payment and it gives you increased access to the API and allows you to pull much more information than the free account will allow.

What have people found on Shodan?

A touch-screen admin panel for some kind of water treatment facility

If you start targeting specific services, like known webcam makes or the VNC port 5900, you’ll start coming across systems that people have unknowingly left publicly accessible through poor firewall management or by forgetting to set up authentication.

It’s worth noting that although these systems are openly reachable, just like an HTTP website, the legal position isn’t as simple as ‘if it’s open, it’s fair game’. Looking at the page a server sends you is generally treated like browsing a website, but logging into a panel (even with a default password), poking around unauthenticated services, or changing anything can count as unauthorised access under laws such as the UK Computer Misuse Act, which doesn’t require you to cause any damage. Intentionally messing with systems to cause damage will certainly land you in legal hot water.

A number of security researchers are constantly finding interesting things on the Internet, a lot of them are things that definitely should not be exposed to the public, and some even allow you to mess with them.

Well-known security researcher Dan Tentler, who talks about the things he’s found on Shodan in this video, has found everything from hydro-electric plant controls to Internet-connected crematorium panels that let you control the furnaces.

Under the Microscope: Cyborg

posted in: Games, News

Launched at the 2017 Wakefield RISC OS Show, Cyborg from Amcog Games is an arcade action game that takes its inspiration from games like the 1983 BBC Micro classic Cybertron.

It’s presented in 16 million colours and is written using Amcog’s very own AMCOG Development Kit – which is also available for purchase.

The game itself involves you, a Cyborg treasure hunter, attempting to penetrate Castle CyberDroid on your quest to thieve ancient treasures from under the noses of hordes of security robots that are teleported into nearby rooms with a view to spoiling your fun.

To make things worse, if you spend longer than 30 seconds in any given room then a holographic energy field aptly named ‘Buzz’ will activate and give you a nasty shock.

The overall aim of the game is to collect all of the treasures on each level before heading to the teleport – and then presumably selling your ill-gotten gains on eBay.

Cyborg comes with 7 level maps consisting of 112 screens and 5 specially made music tracks to go with them. As with all of Amcog’s games, the audio has received a lot of work – all sound effects are provided by the RDSP virtual sound chip, which generates synthesised sounds in real time.

Since its release, a free update has been issued to all Cyborg users with improved graphics and animation, as well as improvements to the sound effects and a few additional levels to play. For more details on what v2.20 brings to the table, have a read of Amcog’s press release.

As you’d expect from a game influenced by the original Cybertron, the game has a definite retro feel to it – and the music definitely ties in with this. At times I found myself being reminded of a cross between the Botkiller series from Artex Software and Moonquake.

Cyborg incorporates multiple types of enemy robots that come along throughout the various levels to spoil your fun, there’s also several power ups that you stumble across from time to time, these include smart bombs, freeze, local transporters and bonus lives.

The game is controlled through the standard WSAD keys on the keyboard for moving up, down, left and right. The arrow keys can also be used, as can an alternative configuration of z & x for left and right, with @ & ? for up and down. The game’s response to your keyboard input is sharp and responsive, which turns out to be pretty key for a game of this nature, considering that I spent a good chunk of time dancing out of the way of charging enemies and other nasties.

Playability-wise, the game’s levels are not particularly long, but the game’s difficulty definitely makes up for that. There’s a definite learning curve to begin with, but once you’ve become used to the mechanics of the game and when to time your runs past enemies, the game begins to flow nicely.

The game is a digital purchase via the Pling Store. The process is quite easy, if you haven’t used the Pling Store before, you just need to download the application itself, unzip it and place it wherever you want on your computer. Once run, you’ll need to register or login to the Pling Store, the registration process took me a few minutes when I signed up a few months back and as far as I’m aware all information including card information is kept locally on your computer rather than in a data center somewhere.

The game should play fine on a vast majority of RISC OS machines, be it legacy 26-bit computers or 32-bit machines. It was designed for use on Raspberry Pi and similar modern machines but it should work fine with older systems.

Overall, Cyborg is a solid and well-authored game. It successfully delivers the retro platformer feel Anthony at Amcog has worked to achieve. If you’ve got a tenner ear-marked for procrastination material then spending it on a copy of Cyborg isn’t a bad shout.

A look at RISC OS on the Raspberry Pi 3

posted in: Hardware, Reviews

Released back in February 2016, the Raspberry Pi 3 marked the Pi’s fourth year in existence. The latest board from the Raspberry Pi Foundation brings a number of interesting features, including built-in wireless connectivity and a more powerful processor.

A while ago we took a hands-on look at the Raspberry Pi 2, the board’s hardware specs and the way it handles RISC OS. For the most part it passed the test with flying colours. Considering the amount of cash required to purchase it, you get an awful lot of bang for your buck – and it runs RISC OS 5 very well.

So it’s not a surprise that the Pi 3 follows the same path as its predecessor. Let’s take a look at the board, and what you can expect from it if you’re planning on running RISC OS on it.

The board itself

The Pi 3 has quite a powerful processor, powered by a BCM2837 SoC (System on a Chip) and featuring a 64-bit ARM Cortex A53 quad core processor running at 1.2GHz.

There’s no RAM upgrade when compared to the Pi 2, the board is loaded with 1GB of RAM, which is not horrific for most use cases using a Unix/Linux operating system and it’s certainly more than enough if it’s going to be predominantly a RISC OS machine.

An interesting upgrade with this board is the VideoCore IV, which handles video and graphics, now clocking in at 400MHz compared to 250MHz on earlier models.

Physically the Raspberry Pi 3 looks very similar to the Pi 2; there’s a new Wi-fi and Bluetooth chip (BCM43438) on the underside of the board and the location of the status LEDs has changed slightly. What’s cool is the antenna used for wireless communications is located on the outer edge of the board, this is so add-on boards shouldn’t interfere with wireless connectivity.

Specs:

  • Architecture: ARMv8 Cortex-A53
  • Processor: Broadcom BCM2837 1.2GHz
  • RAM: 1GB
  • Storage: MicroSD
  • USB: 4 × USB 2.0
  • Ethernet: 10/100
  • Wireless: 802.11 b/g/n Wi-Fi, Bluetooth

Setting up RISC OS

Getting RISC OS 5 up and running on the Pi 3 is exactly the same as you’d do it on its predecessors. Just download RISC OS from ROOL’s website and stick it on an SD card with at least 2GB of space on it.

There’s a very useful guide available here that covers everything you need to do to get your Pi up and running with RISC OS as well as how to use the OS, where to get more software etc.

How it handles RISC OS

Generally, the Pi 3 handles RISC OS very well. The only down-sides I’ve come across are down to compatibility issues between RISC OS and the hardware, this doesn’t cause any huge problems but it just means you don’t get the most out of the board.

One of these issues is that RISC OS does not support the Pi 3’s 4 cores; it can only utilise one. Also, there’s no Wi-Fi support built into RISC OS as it stands, so networking has to be hard-wired.

Apart from that, it’ll run whatever 32-bit software you throw at it including 26-bit apps running under Aemulor.

Everything I’ve chucked at it has run flawlessly, I even went to the extent of spinning up a web server using WebJames and then hammering it from a few external computers – not a hitch.

Overall

The Raspberry Pi 3 is a great piece of kit. If you already know how the Pi 2 handled RISC OS (shameless plug: which you should if you read this blog!) then it won’t surprise you that I’ve not come across any kind of bottleneck with the Pi 3.

A question you might have is whether it’s worth opting for the Pi 3 over the Pi 2. If you’re only going to be running RISC OS on it then I’d argue no; I found the experience across both boards to be pretty much identical. If you’re going to be using the board for other operating systems then I’d definitely opt for the Pi 3, purely because of its extra compute capability and its built-in Wi-Fi.

The Raspberry Pi 3 Model B is currently priced around the £32.50 mark depending where you look – Amazon has the best price from the searching I’ve done so far.
