[CRTech] Christian Radio Tech [MSG 79189]
Re: Shodan, Google, and hacking explained (Was: hacking continued)
To: CRTech <crtech@crtech.org>
Subject: Re: Shodan, Google, and hacking explained (Was: hacking continued)
From: Sherrod Munday <smunday@ieee.org>
Date: Wed, 15 Mar 2017 14:51:50 -0400
On Mar 15, 2017, at 14:29, Sherrod Munday <smunday@ieee.org> wrote:
> ...
> So, understand that Shodan sniffing your IP doesn't mean anyone or anything is trying to hack you or your devices; it just means Shodan is attempting to gather information like any other search engine.
> ...

Someone wrote me off-list to inquire about why Shodan doesn't have all the open ports at their site indexed.  That's a great question to explore, so for the common good, here's my edited response:

Shodan (by the description in the Wikipedia article) does not attempt to run a full 65,535-port scan against every IP address out there.  It picks the most commonly-used ports and sniffs those only.  Programs and devices that use a standard port (e.g. Telnet (23), HTTP (80), HTTPS (443), SMTP (25), etc.) have a much higher chance of discovery because they are so common and prevalent.

If, for example, there's a program set up behind a port-forward through your firewall and the public port is 29456, that's not too likely to be in the Shodan database simply because not too many devices use that as a standard/common port.  Therefore, the chances that Shodan (or any other targeted search) would find a bunch of interesting/open ports at many IP addresses is pretty small, so they're not going to waste their time scanning that port on each pass by various IP addresses.

If you gave me your IP address and asked what's open, I'd go run a full port scan against your IP address to find any port that's got a service running on it.  It's possible to check both TCP and UDP ports, too.  Some web sites offer such port-scan services from their public address, but I could just as easily (faster, actually) run that program from my laptop and use my Internet pipe.  The reason I might not, though, is if I run it directly, your firewall is going to have a record of my public IP address having hit your firewall, and that could be forensic evidence in case of a criminal breach, so I generally don't run too many port scans unless I have a good reason (and a good defense if someone were to ever ask) to do so.  :-)

More of the higher-end firewalls will detect such brute-force port scans and shut down all communications with the source IP address as a defense mechanism.  As a result, port-scanning software allows setting it to run in "stealth mode" that spreads out the scans over an extremely long period of time, thus making aggregated statistics-gathering by the target firewall/router much less likely to flag the traffic as being an attack vector, thus allowing the port scan to complete.  Remember, hackers have all the time in the world -- they operate quietly in the shadows until they are finished with their job, so letting a port scan run over a day, a week, or even longer isn't a problem... they're just off working on another target while your IP is being very slowly and stealthily scanned.

If there is a port of interest to a specific actor, however, it's trivial to set up a scan of just that port against a wide range of IP addresses.  (For example, I scan just for port 80 internally every so often to find out if there are new devices plugged into our network that are running a web page server.)  It doesn't matter if that's port 80 or 29456, or even a range of ports -- they're all just a number to a port scanner.  The responses are logged and analyzed by the port scanner to offer details of the services running behind each port.  It's possible to analyze the protocols used in the responses to determine with a surprising degree of accuracy the Operating System that's running the server... and knowledge of the target OS gives a potential attacker invaluable information to launch a pinpoint-targeted attack.

So, guys, if you don't have a firewall and keep it locked down to deny responses to anything that is not specifically opened up for public access, you're playing with fire.  Be sure that your firewall is secured, and be more sure that the devices that you have port-forwarded through the firewall are also fully secured.  It's a new world out there, and Dangerous Creatures lurk in the shadows.  Protect yourself.

I hope this helps.

Sherrod Munday
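
Added example, not part of the original message: a sketch of the firewall-side view of the point about slow scans, counting distinct destination ports per source IP over a sliding window of firewall deny records. The log records, addresses (documentation ranges), window lengths and threshold are all constructed for illustration; it shows that a short counting window flags only the fast scan, while a multi-day window also catches the slow one without flagging a host that keeps retrying a single port.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed deny records: (timestamp, source IP, destination port)."""
    t0 = datetime(2017, 3, 15)
    log = []
    for i in range(40):   # fast scan: 40 distinct ports in 40 seconds
        log.append((t0 + timedelta(seconds=i), "203.0.113.10", 1000 + i))
    for i in range(40):   # slow scan: one new port every 3 hours
        log.append((t0 + timedelta(hours=3 * i), "198.51.100.7", 2000 + i))
    for i in range(60):   # noise: one host retrying the same closed port
        log.append((t0 + timedelta(minutes=10 * i), "192.0.2.25", 23))
    return sorted(log)

def scanners(log, window, port_threshold):
    """Source IPs that hit at least port_threshold distinct ports
    inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, port in log:
        by_src[src].append((ts, port))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        counts = defaultdict(int)   # port -> hits currently inside the window
        for ts, port in events:
            counts[port] += 1
            # Drop events that have aged out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= port_threshold:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("60-second window:", sorted(scanners(log, timedelta(seconds=60), 20)))
    print("7-day window:   ", sorted(scanners(log, timedelta(days=7), 20)))
```

The longer window costs more state per source address, which is why long-horizon aggregation is usually done on exported logs rather than on the firewall itself.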
