What is WannaCry?
In March 2017, Microsoft issued the MS17-010 bulletin (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) patching (and warning) of a broad set of vulnerabilities in many of its operating systems from Windows XP to Windows 10 and 2016. This vulnerability could be exploited via the DOUBLEPULSAR attack released by ShadowBrokers and supposedly attributed to the NSA.
For more information on WannaCry, please consider visiting these blogs:
In essence, WannaCry exploits Microsoft Windows systems that communicat over TCP port 445 and use the older SMB version 1 protocol (see the above blogs for more details). As OSINT people, we naturally want to know:
“How many systems attached to the Internet could be vulnerable?”
That brings us to Shodan. It is “the world’s first search engine for Internet-connected devices.” (https://www.shodan.io/, May 19, 2017).
What is Shodan?
The above query and URL are:
- Query String: port:8080 product:”Microsoft-IIS” country:”CN” version:”8.0″
- URL: https://www.shodan.io/search?query=port%3A8080+product%3A%22Microsoft-IIS%22+country%3A%22CN%22+version%3A%228.0%22
If you have a free login (register at https://account.shodan.io/register) to Shodan or a membership, you can use filters to refine the data you get back. This is extremely helpful when we see the huge number of responses to some of our queries. Please consider supporting Shodan. A matrix of their different account levels is at https://enterprise.shodan.io/product-comparison.
Understanding that the DOUBLEPULSAR exploit uses TCP port 445, SMB version 1 and infects Windows systems (not ones using the software product Samba), we can craft a search string to look for those systems. It looks like:
port:445 "SMB Version: 1" os:Windows !product:Samba
When run, we see that there are about 415,323 systems on the internet that could be vulnerable. This string does not search for vulnerabilities so we don’t know if these are patched systems or not.
No Shodan Account?
If you do not have a Shodan account, you can perform rudimentary searches to get some data (such as searching for “SMB Version: 1”) but you will be overwhelmed with false positive results.
Shodan Filter Reference
This section is mostly to have a quick reference to the place where you can select what Shodan query filters you want. I’ve done my fair share of Googling and DuckDuckGoing and it took me a while to find the help area that listed all the search modifiers so I post them here.
If you wish to jump there, https://developer.shodan.io/api is the link. Go to the “GET /shodan/host/search” section (see below) and click it to be shown the entire set of filters.
I’ve posted the relevant section of the page below for easy reference. Keep in mind that the Shodan folks are doing excellent work and actively adding content and features to Shodan so the content below may not be 100% accurate after a bit.
Search Shodan using the same query syntax as the website and use facets to get summary information for different properties.
This method may use API query credits depending on usage. If any of the following criteria are met, your account will be deducated 1 query credit:
- The search query contains a filter.
- Accessing results past the 1st page using the “page”. For every 100 results past the 1st page 1 query credit is deducted.
- query: [String] Shodan search query. The provided string is used to search the database of banners in Shodan, with the additional option to provide filters inside the search query using a “filter:value” format. For example, the following search query would find Apache webservers located in Germany: “apache country:DE”. The following filters are currently supported:
- Only show results that were collected after the given date (dd/mm/yyyy).
- The Autonomous System Number that identifies the network the device is on.
- Only show results that were collected before the given date (dd/mm/yyyy.
- Show results that are located in the given city.
- Show results that are located within the given country.
- There are 2 modes to the geo filter: radius and bounding box. To limit results based on a radius around a pair of latitude/ longitude, provide 3 parameters; ex: geo:50,50,100. If you want to find all results within a bounding box, supply the top left and bottom right coordinates for the region; ex: geo:10,10,50,50.
- Hash of the “data” property
- If “true” only show results that were discovered on IPv6.
- If “true” only show results that have a screenshot available.
- Search for hosts that contain the given value in their hostname.
- Find devices based on the upstream owner of the IP netblock.
- Find devices depending on their connection to the Internet.
- Search by netblock using CIDR notation; ex: net:188.8.131.52/24
- Find devices based on the owner of the IP netblock.
- Filter results based on the operating system of the device.
- Find devices based on the services/ ports that are publicly exposed on the Internet.
- Search by postal code.
- Filter using the name of the software/ product; ex: product:Apache
- Search for devices based on the state/ region they are located in.
- Filter the results to include only products of the given version; ex: product:apache version:1.3.37
- Find Bitcoin servers that had the given IP in their list of peers.
- Find Bitcoin servers that return the given number of IPs in the list of peers.
- Find Bitcoin servers that had IPs with the given port in their list of peers.
- Filter results based on the Bitcoin protocol version.
- Name of web technology used on the website
- Category of web components used on the website
- Search the HTML of the website for the given value.
- Hash of the website HTML
- Response status code
- Search the title of the website
- Find NTP servers that had the given IP in their monlist.
- Find NTP servers that return the given number of IPs in the initial monlist response.
- Whether or not more IPs were available for the given NTP server.
- Find NTP servers that had IPs with the given port in their monlist.
- Search all SSL data
- Application layer protocols such as HTTP/2 (“h2”)
- Number of certificates in the chain
- Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
- Certificate algorithm
- Whether the SSL certificate is expired or not; True/ False
- Names of extensions in the certificate
- Serial number as an integer or hexadecimal string
- Number of bits in the public key
- Public key type
- SSL version of the preferred cipher
- Number of bits in the preferred cipher
- Name of the preferred cipher
- Search all the options
- The server requests the client to support these options
- The server requests the client to not support these options
- The server supports these options
- The server doesnt support these options