29 November 2009

Taking SHODAN for a spin

I talked about SHODAN in my previous post. After playing around with it a little more, I figured it might be a good idea to post some of my findings.

First a quick update: I tried the SHODAN Firefox plugin and it works like a champ--it simply opens up a sidebar with SHODAN search options, and submitting a search opens up a new tab with the search results. It also includes a few links to some common password lists which could undoubtedly be useful with your findings.

Now, moving on. I think it is useful to recognize right off the bat that as a search engine, SHODAN's results are banners. So knowing what to look for in specific banners is the key to optimizing search results. Let's start with a very basic search for "cisco-ios". The resulting banners look something like this:
HTTP/1.0 401 Unauthorized
Date: Fri, 20 Nov 2009 01:42:13 GMT
Www-authenticate: Basic realm="level_15 or view_access"
Connection: close
Accept-ranges: none
Server: cisco-IOS

Note that the search parameter is matching on the Server: line. Also important is the Www-authenticate: line, which indicates that a username and password are required (in my experience, these are typically pop-up boxes).

As of today, there are 67,533 such results. Further filtering indicates that virtually all (67,526) are port 80 and just a handful are port 23. So by and large these are all web-based interfaces to Cisco devices. An even more interesting addition to our filter is the search for "Www-authenticate", which returns 65,675 results. By common sense we can deduce that there are nearly 2,000 such Cisco devices that do not include "Www-authenticate" in their banner.

Here is an example of one such device that does not include the authentication line:
HTTP/1.0 200 OK
Transfer-encoding: chunked
Accept-ranges: none
Expires: Fri, 20 Nov 2009 00:49:00 GMT
Server: cisco-IOS
Last-modified: Fri, 20 Nov 2009 00:49:00 GMT
Connection: close
Cache-control: no-store, no-cache, must-revalidate
Date: Fri, 20 Nov 2009 00:49:00 GMT
Content-type: text/html

The distinguishing feature between the two banners shown here is that "Last-modified" appears in the second banner but not in any of the 65,675 "Www-authenticate" banners. In fact, there are 1,201 such results for "Last-modified".
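The two banner shapes above can be told apart mechanically, which is handy for anyone auditing banner data collected from their own address space. The following is an added example, not code from the original post: it parses the HTTP status line and headers, then classifies a banner as "auth-required" (401 plus Www-authenticate), "no-auth" (200 with no authentication at all), or something else. The two sample banners are constructed to mirror the ones quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed samples shaped like the two banners quoted in the post.
BANNER_AUTH = """HTTP/1.0 401 Unauthorized
Date: Fri, 20 Nov 2009 01:42:13 GMT
Www-authenticate: Basic realm="level_15 or view_access"
Connection: close
Accept-ranges: none
Server: cisco-IOS
"""

BANNER_OPEN = """HTTP/1.0 200 OK
Transfer-encoding: chunked
Accept-ranges: none
Server: cisco-IOS
Last-modified: Fri, 20 Nov 2009 00:49:00 GMT
Connection: close
Content-type: text/html
"""

@dataclass
class Banner:
    status: int
    headers: dict  # header names lower-cased, since case varies between devices

def parse_banner(text):
    """Split a raw HTTP banner into its status code and header map."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0]) if lines else None
    if not m:
        raise ValueError("not an HTTP banner")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return Banner(int(m.group(1)), headers)

def classify(text):
    """Label a cisco-IOS web banner by whether it demands credentials."""
    b = parse_banner(text)
    if "cisco-ios" not in b.headers.get("server", "").lower():
        return "not-cisco-ios"
    if b.status == 401 and "www-authenticate" in b.headers:
        return "auth-required"
    if b.status == 200:
        return "no-auth"  # reachable with no credentials: audit this device first
    return "other"

def triage(banners):
    """Count each class across a batch of banners, as the post does by hand."""
    return Counter(classify(b) for b in banners)
```

Running triage() over an export of your own banners gives the same kind of split the post derives from SHODAN's result counts, with the "no-auth" bucket being the one to act on.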

Following such results reveals a variety of Cisco devices in various states, none of which appear to have any authentication enabled. One such result was http://69.74.xxx.xxx/xhome.htm, which was the Cisco Device Manager for a Catalyst 3560 series switch. The web interface gave me full access to the device with no username or password required (in fact, none was even set). The switch name and port descriptions were enough to identify the company, the exact building where the switch was located, and even some of the businesses that were using the switch.

Many results led to Cisco HTML interfaces:
Cisco Systems
Accessing Cisco 1841 "device name here"
Show diagnostic log - display the diagnostic log.
Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
Connectivity test - ping the nameserver.

Show tech-support - display information commonly needed by tech support.
Extended Ping - Send extended ping commands.

QoS Device Manager - Configure and monitor QoS through the web interface.

And yes, the levels are linked to further HTML pages with all the Cisco IOS commands literally spelled out for you:
Building configuration...

Current configuration : 2344 bytes
! Last configuration change at 12:50:30 UTC Thu Nov 26 2009
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname (hostname here)

I won't list the rest of the config, but I think you get the picture. ;-)

Other results led to "Cisco Router Web Setup" pages and other devices in various states of configuration. Again, none required any authentication.

I suspect this is just scratching the surface, so I'm looking forward to seeing what others come up with!