3 scary tools that use the Shodan search engine

Shodan is a search engine very different from the classic search engines that we are used to. While Google or Yahoo! crawl only ports 80 (HTTP) and 443 (HTTPS) that are open and accessible on the World Wide Web, Shodan crawls all the open ports from 1 to 65535. This means that Shodan, unlike any normal search engine, does not focus on searching for web pages but on collecting service banners (the server's response to a request). These services include the HTTP, HTTPS, FTP, SSH, Telnet, SNMP and SIP protocols.

What can I find on Shodan?

Well, almost everything that requires an internet connection! This is one of the reasons why most people call Shodan "the most dangerous search engine in the world". With Shodan you can find IoT devices such as mobile phones, a connected fridge, security camera systems, crypto bot servers, any kind of servers located in North Korea, maritime satellites or even traffic lights... In short, Shodan will crawl and list anything that is connected to the internet with an open port.

Today I'm going to introduce you to three scary tools that take advantage of Shodan to get sensitive information, access unprotected Raspberry Pi servers and even access security surveillance cameras anywhere in the world.

Scary, right? Let's start!

SHODAN QUEST

If Shodan can be seen as a huge cave containing an infinite number of things that can be explored, then Shodan Quest is the tool that will make you the explorer.

Shodan Quest is an open source tool coded in Python that can be used to search for sensitive devices/services on Shodan. The implemented collection of Shodan dorks can reveal sensitive personal and/or organizational information such as vulnerable internet routers or servers, access to some services like security cameras, maritime satellites, traffic light systems, prison pay phones, etc. This list is supposed to be useful for assessing security and performing pen-testing of systems.

For example, let's say I want to get a list of Android devices.

No problem! The implemented associated dork is "Android Debug Bridge" "Device" port:5555. With this dork, Shodan will find in its database all devices that have an open Android Debug Bridge port.

Better than words, this video tutorial shows how to access an Android device in less than 1 minute using Shodan Quest.

Scary, isn't it? And this is just a small example of the wealth of information that can be found using Shodan dorks.
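Seen from the defender's side, the same banner data tells you what your own network exposes. The following is an added example, not part of Shodan Quest or of the original article: it filters Shodan-style banner records down to your own address ranges and flags the Android Debug Bridge exposure described above. The fields ip_str, port and data follow Shodan's banner records; the sample records, the OWN_NETWORKS ranges, the rule list and the function name are constructed for illustration.

```python
import ipaddress

# Address ranges you are responsible for (constructed: RFC 5737 documentation ranges).
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# (label, port, substrings that must all appear in the banner).
# The ADB rule mirrors the dork quoted in the article; Telnet is one of the
# services the article lists as collected by Shodan.
RULES = [
    ("Android Debug Bridge exposed", 5555, ("Android Debug Bridge", "Device")),
    ("Telnet exposed", 23, ()),
]

# Constructed sample records shaped like Shodan banner records.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.17", "port": 5555,
     "data": "Android Debug Bridge\nDevice: sample-tv\n"},
    {"ip_str": "203.0.113.40", "port": 5555, "data": "HTTP/1.1 400 Bad Request\r\n"},
    {"ip_str": "198.51.100.200", "port": 23, "data": "login: "},  # outside the /25
    {"ip_str": "198.51.100.9", "port": 23, "data": "login: "},
    {"ip_str": "not-an-ip", "port": 23, "data": ""},
]

def own_exposures(banners, networks=OWN_NETWORKS, rules=RULES):
    """Return sorted (ip, port, label) findings for hosts inside `networks`."""
    findings = set()
    for rec in banners:
        try:
            ip = ipaddress.ip_address(rec.get("ip_str", ""))
        except ValueError:
            continue  # malformed record: skip it rather than abort the report
        if not any(ip in net for net in networks):
            continue  # not one of our addresses
        banner = rec.get("data") or ""
        for label, port, needles in rules:
            if rec.get("port") == port and all(n in banner for n in needles):
                findings.add((str(ip), port, label))
    return sorted(findings)

if __name__ == "__main__":
    for ip, port, label in own_exposures(SAMPLE_BANNERS):
        print(f"{ip}:{port}  {label}")
```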

The Shodan Quest tool and the complete list of dorks (more than 100 in total) are available on the following GitLab repository:

https://gitlab.com/0xSamy/shodan-quest

One dork one quest, what will be yours?

RaspberryPi Falconer

Raspberry Pi, Raspberry Pi… They're small, they're green, they're cheap, but above all they're very useful, especially when you consider the unlimited number of projects you can do with them. Whether you're a novice or experienced, we've all tried at least once. The problem is that when we follow an online tutorial to do something with our Raspberry Pi, we are rarely confronted with the security aspect. And this is how we end up with our Raspberry Pi exposing its SSH port to the world with the default credentials, without knowing it... And this is where another of our scary tools comes in, RaspberryPi Falconer.

If we compare Raspberry Pis to little green worms, then RaspberryPi Falconer is the eagle that will eat them.

Indeed, RaspberryPi Falconer is a tool that can be used to find unprotected Raspberry Pis with an open SSH port all over the world. To find them, the tool uses the Shodan search engine through its API, with the help of Shodan dorks to target only Raspberry Pi devices. But not only that: once a target is detected, RaspberryPi Falconer will try to initialize a connection with the Raspberry Pi using the famous default credentials, "pi" for the username and "raspberry" for the password, to try to get access to it.
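To check whether your own Raspberry Pi matches the profile described above, you can audit it locally. The following is an added example, not code from RaspberryPi Falconer or from the original article: it reports whether the default "pi" account can still log in and whether sshd still accepts password logins. The function names and the sample file contents are constructed; on a real device the inputs would be /etc/passwd and /etc/ssh/sshd_config.

```python
# Constructed sample inputs standing in for /etc/passwd and /etc/ssh/sshd_config.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
SAMPLE_SSHD = """\
# PasswordAuthentication no
Port 22
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def sshd_global_options(config_text):
    """Parse the global section of an sshd_config text. Keywords are
    case-insensitive and the first value given for a keyword is the one used.
    Include files are not followed and Match blocks are not evaluated."""
    opts = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out 'no' has no effect)
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional blocks start here; stop at the global section
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit_pi(passwd_text, sshd_text):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) == 7 and fields[0] == "pi" and fields[6] not in NOLOGIN_SHELLS:
            findings.append("default 'pi' account can log in")
    opts = sshd_global_options(sshd_text)
    # OpenSSH allows password logins unless the option is explicitly set to 'no'.
    if opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("sshd accepts password logins")
    return findings

if __name__ == "__main__":
    print(audit_pi(SAMPLE_PASSWD, SAMPLE_SSHD))
```

In the sample, the later "PasswordAuthentication no" line has no effect because an earlier "yes" already set the value. On a live system, sshd -T prints the effective configuration with Include files applied.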

This video tutorial shows how to use RaspberryPi Falconer.

It can take some time to find vulnerable Raspberry Pis, but you don't need to do anything except wait for positive results since everything is done automatically. Easy, isn't it?

This tool is open source and can be found on the following GitLab repository:

https://gitlab.com/0xSamy/RaspberryPi-Falconer

How many worms would you eat?

BiG Brother

Nowadays surveillance cameras are everywhere: in the street, in restaurants and cafes, in offices, in hotels, schools... It is becoming difficult to find a place on this Earth where we are not being filmed. And if we ever wonder whether someone is watching us from behind the camera at this very moment, we probably think nobody is. Maybe to reassure ourselves a bit...

A major problem that often comes up when we want to secure a place is that we don't really know what type of surveillance camera will be best suited to our needs. So, we tend to turn to professionals in the market who will advise us and offer custom packages. They take care of everything (installation, configuration...) and you save time. It's a good deal, right?

Well, not so sure. At the time of writing this article, one camera out of 5 is using default credentials. Why? It is difficult to find a proper reason, but it's maybe due to a lack of qualifications at the camera companies, or perhaps a certain pressure on the employees to install cameras quickly in order to move on to the next client for more and more profits, or what do I know!

And this is where our 3rd scary tool comes into play. Its name: BiG Brother.

BiG Brother is another powerful Python tool that can be used to find video surveillance cameras with open ports worldwide. To find them, the tool also uses the Shodan API and, with the help of Shodan dorks, targets only the specific video surveillance camera brands of our choice. Once a camera is detected, BiG Brother will attempt to initialize a connection to it using the associated default credentials. In addition, it is also possible to target cameras in a specific country.

Proof of concept:

For the moment, 3 models of camera are supported: Canon, Panasonic and Sony, but other models are planned to be added.

But as we can see, it took less than a few seconds to find available cameras in the country of our choice.

This tool is also open source and can be found on the following GitLab repository: 

https://gitlab.com/0xSamy/big-brother

Another problem that I won't talk about in this article is that, generally, the web interfaces of security surveillance cameras contain vulnerabilities and it is sometimes possible to bypass the authentication, or even in some cases take control of the server by remote code execution.

Through these three examples, we have seen an overview of what can be done with Shodan and where the nickname of the "scariest search engine" comes from. Good things or bad things, the responsibility is ours. But what we can be sure of is that security is not yet perfected in our world. How long will it take? Good question...

Thank you for reading this article! Which of these 3 tools scared you the most?

I hope you learned something through my research! If you liked what you read, please share and follow me on Twitter at @0xSamy_