Shodan and DOUBLEPULSAR / WannaCry

What is WannaCry?

In March 2017, Microsoft issued the MS17-010 bulletin (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) patching (and warning) of a broad set of vulnerabilities in many of its operating systems from Windows XP to Windows 10 and 2016. This vulnerability could be exploited via the DOUBLEPULSAR attack released by ShadowBrokers and supposedly attributed to the NSA.

For more information on WannaCry, please consider visiting these blogs:

In essence, WannaCry exploits Microsoft Windows systems that communicat over TCP port 445 and use the older SMB version 1 protocol (see the above blogs for more details). As OSINT people, we naturally want to know:

“How many systems attached to the Internet could be vulnerable?”

That brings us to Shodan. It is “the world’s first search engine for Internet-connected devices.” (https://www.shodan.io/, May 19, 2017).

What is Shodan?

 

Shodan has servers that scan the internet, catalog the results of the scans and then allow people to search and visualize those results. For its users, Shodan is passive, meaning that the systems scanned by Shodan know that Shodan scanned them but not the user. When I ask Shodan to show me all the Microsoft IIS version 8 servers that are running on TCP port 8080 in China, it shows me the 669 systems that it knows about and yet none of those systems know that I looked up this information (Shodan knows of my searches and has a privacy policy you can read – https://account.shodan.io/privacy).

The above query and URL are:

Capture2
Shodan Results: port 8080, IIS version 8 in China

Logged In

If you have a free login (register at https://account.shodan.io/register) to Shodan or a membership, you can use filters to refine the data you get back. This is extremely helpful when we see the huge number of responses to some of our queries. Please consider supporting Shodan. A matrix of their different account levels is at https://enterprise.shodan.io/product-comparison.

Understanding that the DOUBLEPULSAR exploit uses TCP port 445, SMB version 1 and infects Windows systems (not ones using the software product Samba), we can craft a search string to look for those systems. It looks like:

port:445 "SMB Version: 1" os:Windows !product:Samba

When run, we see that there are about 415,323 systems on the internet that could be vulnerable. This string does not search for vulnerabilities so we don’t know if these are patched systems or not.

Shodan Results
Shodan results

 

No Shodan Account?

If you do not have a Shodan account, you can perform rudimentary searches to get some data (such as searching for “SMB Version: 1”) but you will be overwhelmed with false positive results.

Shodan Filter Reference

This section is mostly to have a quick reference to the place where you can select what Shodan query filters you want. I’ve done my fair share of Googling and DuckDuckGoing and it took me a while to find the help area that listed all the search modifiers so I post them here.

If you wish to jump there, https://developer.shodan.io/api is the link. Go to the “GET /shodan/host/search” section (see below) and click it to be shown the entire set of filters.

Capture1

I’ve posted the relevant section of the page below for easy reference. Keep in mind that the Shodan folks are doing excellent work and actively adding content and features to Shodan so the content below may not be 100% accurate after a bit.

Search Shodan

Search Shodan using the same query syntax as the website and use facets to get summary information for different properties.

Requirements

This method may use API query credits depending on usage. If any of the following criteria are met, your account will be deducated 1 query credit:

  1. The search query contains a filter.
  2. Accessing results past the 1st page using the “page”. For every 100 results past the 1st page 1 query credit is deducted.

Request URL

https://api.shodan.io/shodan/host/search?key={YOUR_API_KEY}&query={query}&facets={facets}

Parameters

  • query: [String] Shodan search query. The provided string is used to search the database of banners in Shodan, with the additional option to provide filters inside the search query using a “filter:value” format. For example, the following search query would find Apache webservers located in Germany: “apache country:DE”. The following filters are currently supported:
    after

    Only show results that were collected after the given date (dd/mm/yyyy).

    asn

    The Autonomous System Number that identifies the network the device is on.

    before

    Only show results that were collected before the given date (dd/mm/yyyy.

    city

    Show results that are located in the given city.

    country

    Show results that are located within the given country.

    geo

    There are 2 modes to the geo filter: radius and bounding box. To limit results based on a radius around a pair of latitude/ longitude, provide 3 parameters; ex: geo:50,50,100. If you want to find all results within a bounding box, supply the top left and bottom right coordinates for the region; ex: geo:10,10,50,50.

    hash

    Hash of the “data” property

    has_ipv6

    If “true” only show results that were discovered on IPv6.

    has_screenshot

    If “true” only show results that have a screenshot available.

    hostname

    Search for hosts that contain the given value in their hostname.

    isp

    Find devices based on the upstream owner of the IP netblock.

    link

    Find devices depending on their connection to the Internet.

    net

    Search by netblock using CIDR notation; ex: net:69.84.207.0/24

    org

    Find devices based on the owner of the IP netblock.

    os

    Filter results based on the operating system of the device.

    port

    Find devices based on the services/ ports that are publicly exposed on the Internet.

    postal

    Search by postal code.

    product

    Filter using the name of the software/ product; ex: product:Apache

    state

    Search for devices based on the state/ region they are located in.

    version

    Filter the results to include only products of the given version; ex: product:apache version:1.3.37

    bitcoin.ip

    Find Bitcoin servers that had the given IP in their list of peers.

    bitcoin.ip_count

    Find Bitcoin servers that return the given number of IPs in the list of peers.

    bitcoin.port

    Find Bitcoin servers that had IPs with the given port in their list of peers.

    bitcoin.version

    Filter results based on the Bitcoin protocol version.

    http.component

    Name of web technology used on the website

    http.component_category

    Category of web components used on the website

    http.html

    Search the HTML of the website for the given value.

    http.html_hash

    Hash of the website HTML

    http.status

    Response status code

    http.title

    Search the title of the website

    ntp.ip

    Find NTP servers that had the given IP in their monlist.

    ntp.ip_count

    Find NTP servers that return the given number of IPs in the initial monlist response.

    ntp.more

    Whether or not more IPs were available for the given NTP server.

    ntp.port

    Find NTP servers that had IPs with the given port in their monlist.

    ssl

    Search all SSL data

    ssl.alpn

    Application layer protocols such as HTTP/2 (“h2”)

    ssl.chain_count

    Number of certificates in the chain

    ssl.version

    Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

    ssl.cert.alg

    Certificate algorithm

    ssl.cert.expired

    Whether the SSL certificate is expired or not; True/ False

    ssl.cert.extension

    Names of extensions in the certificate

    ssl.cert.serial

    Serial number as an integer or hexadecimal string

    ssl.cert.pubkey.bits

    Number of bits in the public key

    ssl.cert.pubkey.type

    Public key type

    ssl.cipher.version

    SSL version of the preferred cipher

    ssl.cipher.bits

    Number of bits in the preferred cipher

    ssl.cipher.name

    Name of the preferred cipher

     

    telnet.option

    Search all the options

    telnet.do

    The server requests the client to support these options

    telnet.dont

    The server requests the client to not support these options

    telnet.will

    The server supports these options

    telnet.wont

    The server doesnt support these options

 

Comments are closed.

A WordPress.com Website.

Up ↑

%d bloggers like this: