25 November 2009

Is SHODAN really controversial?

This week saw the release of SHODAN, a computer search engine. From the site:
SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I'll prioritize them in my scanning.

Lets say you want to find servers running the 'Apache' web daemon. A simple attempt would be to use:

apache

How about finding only apache servers running version 2.2.3?

apache 2.2.3

You can also narrow down the results using the following search parameters:

* country:2-letter country code
* hostname:full or partial host name
* net:IP range using CIDR notation (ex: 18.7.7.0/24 )
* port:21, 22, 23 or 80


For example: get all web (port:80) hosts running 'apache' in switzerland (country:CH) that also have '.ch' in any of their domain names:

apache country:CH port:80 hostname:.ch

Those in the security community are immediately interested because of the potential to easily find vulnerable boxes by searching for specific versions of particular software (as advertised in the collected banners). Twitter was alive on Tuesday with a number of interesting searches.

Richard Bejtlich (@taosecurity) makes some interesting comments:
Shodan is a dream for those wanting to spend Thanksgiving looking for vulnerable boxes, and a nightmare for their owners. I would not be surprised if shodan.surtri.com disappears in the next few days after receiving a call or two from TLAs or LEAs or .mil's. I predict a mad scramble by intruders during the next 24-48 hours as they use Shodan to locate, own, and secure boxes before others do...Personally I think Shodan will disappear.

I certainly agree that finding vulnerable boxes will be a main focus of SHODAN's users. But the suggestion that this site may quickly disappear? While I agree with Richard more often then not, I find it difficult to fathom a scenario where this would happen. SHODAN is a search engine for computers, but in an even more basic sense it is a search engine of collected banners; banners that are available to anyone who would search these boxes. This search engine has already done the scanning. In a sense, SHODAN is a rainbow table made up of collected banners.

If I thought it was likely that the site would simply disappear due to pressure from the government or law enforcement, I could understand the "mad scramble." However, I just don't see this collection of data rising to the level where the government, law enforcement, or some TLA, would pressure the site to disappear.

I would be curious if Richard would be willing to pick an "over/under" style date after which he thinks SHODAN will be taken down. A friendly wager, perhaps? ;-)

Matthew Franz asks: "Where's the Controversy about Shodan?" Matt admits that he doesn't really come to any definite conclusions ("I'm not sure what to think"), but he did seem concerned that among his followers there were "absolutely no questions about the site..."

I think perhaps that Matt answers his own question: Other than those posed by Mr. Bejtlich, there really haven't been any questions about the site. Twitter posts about SHODAN revolve around crafting interesting queries, not moral quandaries about the site itself. I'm more inclined to the view of Simple Nomad, who says: "WTF?!? shodan is controversial? Not one of you ever scan and grab banners before? Grow a nutsack, security industry."

I'd be curious to hear your thoughts.

UPDATE: A SHODAN Firefox plugin is already available. I haven't tested it yet.
Post a Comment