WEBVTT

0
00:01.000 --> 00:10.590
In this lecture we'll discuss Shodan. In 2020 there are more than 20 billion IoT devices

1
00:10.680 --> 00:12.700
connected to the Internet 

2
00:12.900 --> 00:17.610
and you as a security expert cannot ignore them.

3
00:17.650 --> 00:25.510
We all know that Google is a search engine that finds only websites and it only scratches the surface

4
00:25.660 --> 00:28.560
of what can be found on the Internet.

5
00:28.600 --> 00:37.760
There are tens of billions of other devices and services that cannot be found on Google. Shodan

6
00:37.770 --> 00:45.520
on the other hand is a search engine specially designed to find Internet of Things devices.

7
00:45.720 --> 00:53.700
It scours the invisible parts of the Internet that most people won't ever see. On shodan

8
00:53.700 --> 01:02.500
we'll find connected devices like IP or security cameras, traffic lights, video projectors, routers,

9
01:02.760 --> 01:10.350
home heating systems or even SCADA systems that, for instance, control nuclear power plants and electrical 

10
01:10.350 --> 01:18.980
grids. Shodan is the world's first search engine for internet connected devices.

11
01:19.190 --> 01:26.450
Some have described Shodan as a search engine for hackers, and have even called it "the world's

12
01:26.510 --> 01:34.400
most dangerous search engine". While Shodan can potentially be used by black hat hackers, 

13
01:34.410 --> 01:41.580
it can also be used for good purposes, like helping to protect critical infrastructure, energy utilities

14
01:41.580 --> 01:48.120
included. In this course we’ll take a look at Shodan from an ethical hacker’s perspective.

15
01:49.030 --> 01:56.200
Before continuing I want to tell you something really important: never connect to a device if you don't

16
01:56.200 --> 01:57.320
have permission.

17
01:57.470 --> 02:03.970
Not even if it uses a default password or if the password is written in clear text.

18
02:03.970 --> 02:07.680
This is the line where you will most likely break the law.

19
02:08.870 --> 02:15.500
Before diving deeper into Shodan I want to show you a few very interesting things that can be found

20
02:15.590 --> 02:19.190
on Shodan. If you want to follow my examples

21
02:19.190 --> 02:25.460
you have to create a free account on shodan.io. And to create a free account

22
02:25.460 --> 02:30.530
you click on Create a free account. Although you can use it without logging in

23
02:30.650 --> 02:37.610
Shodan restricts some of its capabilities, like using filters, to only logged in users.

24
02:37.610 --> 02:43.640
However you only need an e-mail address and two minutes of your time to create a free account.

25
02:43.640 --> 02:50.630
Note that there is also a paid account if you want to get full access to Shodan, though for most of

26
02:50.630 --> 02:53.020
the searches a free account is enough.

27
02:54.090 --> 02:56.190
On shodan.io 

28
02:56.350 --> 02:58.670
I’m searching for: axis 

29
02:59.070 --> 03:02.790
212 ptz network camera

30
03:09.120 --> 03:14.890
and Shodan found 83 such network cameras. On the left side 

31
03:14.910 --> 03:19.980
we see a map that indicates where the found devices are located, 

32
03:20.010 --> 03:29.800
top countries and top services. If I click on an IP address I'll find more information about the device

33
03:29.850 --> 03:32.050
that's running on that IP address.

34
03:37.310 --> 03:43.120
We can see a map with the device location, the city, the country,

35
03:43.140 --> 03:48.210
when the device was last discovered, the open ports,

36
03:48.210 --> 03:58.250
in this case there are five open ports and the banners each service sent in response.

37
03:58.280 --> 04:06.610
And if I want to access port 80 and click on this button, I will connect to the device on port 80.

38
04:06.610 --> 04:13.100
My advice is not to use your real static IP address when connecting to such a device.

39
04:13.120 --> 04:18.640
Use Tor or a VPN. And I am presented with this login screen.

40
04:18.640 --> 04:23.790
Of course I won't go further and I strongly recommend you do the same.

41
04:27.450 --> 04:37.210
However, many of these services and sites use default passwords! There are lots of resources on the Internet

42
04:37.320 --> 04:41.830
that list default usernames and passwords for different vendors.

43
04:50.780 --> 04:57.910
As long as many consumers and system administrators are careless and don't change the default passwords

44
04:57.920 --> 05:05.720
hackers can easily gain access to these devices simply by using these lists to find the default admin

45
05:05.790 --> 05:08.110
username and password.

46
05:08.280 --> 05:15.740
You, as the owner of a device connected to the internet, have a responsibility to change the default password

47
05:15.980 --> 05:24.430
to a strong one and use the latest version of firmware. Let's try other awesome Shodan queries.

48
05:24.470 --> 05:34.600
One of my favorites is webcamxp. It will search for network camera software designed for older Windows 

49
05:34.660 --> 05:35.530
systems.

50
05:36.490 --> 05:41.540
And Shodan found 506 such cameras all over the world.

51
05:47.060 --> 05:48.650
Let's try this one!

52
05:54.400 --> 05:54.950
Wow.

53
05:54.980 --> 06:00.430
It required no password and there is a little bird in a nest.

54
06:00.520 --> 06:02.880
You can watch that bird if you like.

55
06:04.520 --> 06:08.900
And this one, this requires a username and password.

56
06:09.530 --> 06:10.430
And this one!

57
06:13.130 --> 06:20.970
And it seems to be a surveillance camera somewhere in the Czech Republic.

58
06:21.010 --> 06:23.160
It didn't require any password.

59
06:25.220 --> 06:31.390
Shodan will not only find webcams but any other IoT devices.

60
06:31.430 --> 06:41.140
Let's find some automatic license plate readers; and I'm searching for P372 "ANPR enabled"

61
06:44.150 --> 06:49.160
these are automatic license plate readers in the United States

62
06:52.580 --> 06:55.540
In order to be able to perform such a search

63
06:55.550 --> 07:02.630
you should know in advance what banners a device sends back when someone connects to a specific port. 

64
07:03.390 --> 07:06.630
We’ll see in a short while how Shodan works!

65
07:06.800 --> 07:09.500
Now let’s find prison pay phones

66
07:17.160 --> 07:20.200
or devices already logged in as root

67
07:20.200 --> 07:21.120
via Telnet.

68
07:28.810 --> 07:41.670
I am taking this IP address and trying to connect to it using Telnet: cmd.exe, telnet, the IP address

69
07:43.530 --> 07:50.850
and port 23, the default telnet port. If I hit enter I'll be connected to the device as root using

70
07:50.880 --> 07:52.920
telnet.

71
07:53.060 --> 08:00.590
I want to find medical X-ray machines that use the DICOM standard for medical images and related

72
08:00.650 --> 08:08.280
information; dicom server response and port:104

73
08:14.630 --> 08:15.860
Very interesting!

74
08:17.350 --> 08:24.880
I'm sure you realized that these 1316 machines shouldn't be on the Internet

75
08:24.880 --> 08:25.240
at all.

76
08:29.830 --> 08:34.350
Maybe you wonder how I knew to search for this string.

77
08:34.510 --> 08:39.730
There are a lot of forums and websites that list awesome Shodan queries.

78
08:39.730 --> 08:41.410
Just try a Google search!