Shodan describes itself as “…the world's first search engine for Internet-connected devices.” Effectively it is a port scanner that continually scans the entire Internet for exposed hosts and their services. If you are familiar with NMAP or MASSCAN, it is very similar, just on a much grander scale. If you are not aware of those tools, to put it simply, it queries every single port on every single IP address to determine whether a host is alive and which ports are open, and it enumerates the services operating on those ports. The result is a plethora of information about the state of the Internet, which is easily searchable and provides near real-time analysis of current trends. Shodan provides free accounts as well as paid and enterprise accounts, which vary in functionality and can be found at https://www.shodan.io/.
Why should my company care?
In an ever more technical world, security is everyone’s responsibility. If your company has any Internet presence (…it does), then you should take the time to look at your digital footprint from the perspective of an attacker. Shodan can be utilized to give a detailed listing of all services that are exposed for a single IP, a domain, a country, or the whole world. Using this information, you can determine the effectiveness of your patch management program, as well as audit the necessity of exposing certain services (do you really need services like SMB or RDP exposed?). Furthermore, during security assessments, we routinely find that larger companies tend to have services they are unaware of, and when a service is not on someone’s radar it is likely not patched. Chances are that the larger the company, the more likely something is exposed that shouldn’t be.
Is it common to expose vulnerable services?
Somewhat… depending on the severity, organizations can be fairly good or rather poor at enforcing patch management. Of course, we can use Shodan to give us a better idea. Do you remember the ShadowBrokers, and their infamous ‘EternalBlue’ exploit? Nearly three years have passed since Microsoft pushed out a patch for that vulnerability, and you would think that by now, it would be a non-issue, especially for externally exposed SMB services. Using the search string ‘vuln:ms17-010’ we can see that there are currently over 14,000 vulnerable services, with just over 1,000 being in the United States.
Figure 1. EternalBlue Query
So not a lot, but still too many for something so dated. What about something more recent like the BlueKeep vulnerability? Shodan shows that a ridiculous 341,654 services are vulnerable with over 41,000 in the United States alone.
Figure 2. BlueKeep Query
Both of these queries point to a failure in patch management. While it is true that many of these could be honeypots set up for research, it is still likely that many are legitimate findings. For the last example, we will explore this further and look at variants of Windows 2008, which passed their end-of-life date in January of this year. Over a million exposed services are running on the outdated operating system. While there is currently no known unpatched vulnerability for this operating system, it is only a matter of time.
Figure 3. Windows Server 2008 Query
What services are safe to expose?
Every exposed service provides additional attack surface for attackers. Keep in mind that just because a service is not immediately exploitable does not mean you are not providing malicious users with unnecessary information. Shodan not only enumerates open services but also records the banners of those services, which can reveal the software in use and details of the underlying hosts that could be used for open-source information gathering. Obviously, some services are customer facing and must be left open for business operations. Beyond those, it is at the discretion of the organization to determine the necessity of each service’s external exposure. The goal should be to limit your attack surface as much as possible without interfering with vital functions. For the more sensitive services that do need to communicate outside of your internal network, utilize a VPN that is further secured with multi-factor authentication.
Shodan can be an extremely valuable tool for your organization. It can provide a near real-time snapshot of your network exposure. Using this information, you can audit those services and harden or restrict access as much as possible. With new vulnerabilities disclosed daily, it is imperative that organizations maintain a clear inventory of the services they use, so that rapid patching is possible when critical vulnerabilities are identified. There is no excuse to be a part of the examples shown above, and by incorporating this tool into audit processes along with penetration testing and patch management, you can further ensure that you are maintaining situational awareness of your attack surface.
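The audit described above can be turned into a repeatable check. The following is an added example, not code from the original post: it takes the JSON that Shodan's search API returns for your own address space and flags the items this post singles out (exposed SMB/RDP, hosts tagged with MS17-010, and end-of-life Windows Server 2008 banners). The field names (`matches`, `ip_str`, `port`, `transport`, `os`, `data`, `vulns`) follow Shodan's documented banner layout; the hosts in `SAMPLE_RESULTS` are constructed sample data, not real results.

```python
from collections import defaultdict

# Ports the post calls out as rarely needing direct Internet exposure.
RISKY_PORTS = {445: "SMB", 3389: "RDP"}
# OS strings treated as end-of-life; a banner containing one is flagged.
EOL_OS_MARKERS = ("Windows Server 2008",)

# Constructed sample in the shape of a Shodan search response (not real hosts).
SAMPLE_RESULTS = {
    "matches": [
        {"ip_str": "203.0.113.10", "port": 445, "transport": "tcp",
         "os": "Windows Server 2008 R2", "data": "SMB Status: Authentication: enabled",
         "vulns": {"MS17-010": {"verified": True}}},
        {"ip_str": "203.0.113.11", "port": 3389, "transport": "tcp",
         "os": None, "data": "Remote Desktop Protocol"},
        {"ip_str": "203.0.113.12", "port": 443, "transport": "tcp",
         "os": None, "data": "HTTP/1.1 200 OK\r\nServer: nginx"},
    ]
}


def triage(results):
    """Return {ip: [finding, ...]} for every service that warrants review.

    Hosts with nothing to report (such as the plain HTTPS service above)
    are left out so the output is a work list, not a full inventory.
    """
    findings = defaultdict(list)
    for m in results.get("matches", []):
        ip, port = m["ip_str"], m["port"]
        transport = m.get("transport", "tcp")
        if port in RISKY_PORTS:
            findings[ip].append(f"{RISKY_PORTS[port]} exposed on {port}/{transport}")
        # Shodan attaches a vulns map keyed by advisory/CVE id when it tags a banner.
        for vuln in sorted(m.get("vulns", {})):
            findings[ip].append(f"{vuln} flagged on port {port}")
        os_name = m.get("os") or ""
        if any(marker in os_name for marker in EOL_OS_MARKERS):
            findings[ip].append(f"end-of-life OS: {os_name}")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in sorted(triage(SAMPLE_RESULTS).items()):
        print(ip)
        for item in items:
            print(f"  - {item}")
```

To run it against live data for your own ranges, pass the dictionary returned by `shodan.Shodan(api_key).search("net:<your-range>")` from the official `shodan` Python library in place of `SAMPLE_RESULTS`, and track the size of the work list from audit to audit.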
Published by Michael Becher - Michael Becher is a Penetration Tester with BSI AppSec with 12 years of experience in the Information Technology field. He started as a Cyber Security Analyst with the U.S. Army, then transitioned to incident response and later, security consulting. He holds multiple certifications including the Offensive Security Certified Expert (OSCE), the Offensive Security Certified Professional (OSCP), and the GIAC Web Application Penetration Tester (GWAPT).
Michael graduated from Excelsior College with a Bachelor’s degree in Information Technology and is currently enrolled in SANS’s Master of Science in Information Security Engineering. He has worked with both government and commercial organizations to test and secure their networks. His work experience includes both network and web application penetration testing, social engineering, and wireless hacking.