Shodan and DOUBLEPULSAR / WannaCry

What is WannaCry?

In March 2017, Microsoft issued the MS17-010 bulletin (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) patching (and warning of) a broad set of vulnerabilities in many of its operating systems from Windows XP to Windows 10 and 2016. These vulnerabilities could be exploited via the DOUBLEPULSAR attack released by ShadowBrokers and supposedly attributed to the NSA.

For more information on WannaCry, please consider visiting these blogs:

In essence, WannaCry exploits Microsoft Windows systems that communicate over TCP port 445 and use the older SMB version 1 protocol (see the above blogs for more details). As OSINT people, we naturally want to know:

“How many systems attached to the Internet could be vulnerable?”

That brings us to Shodan. It is “the world’s first search engine for Internet-connected devices.” (https://www.shodan.io/, May 19, 2017).

What is Shodan?


Shodan has servers that scan the internet, catalog the results of the scans and then allow people to search and visualize those results. For its users, Shodan is passive: a scanned system sees Shodan's scan, but it never sees the user's query. When I ask Shodan to show me all the Microsoft IIS version 8 servers that are running on TCP port 8080 in China, it shows me the 669 systems that it knows about, and yet none of those systems know that I looked up this information (Shodan knows of my searches and has a privacy policy you can read – https://account.shodan.io/privacy).

The above query and URL are:

[Screenshot] Shodan Results: port 8080, IIS version 8 in China

Logged In

If you have a free login (register at https://account.shodan.io/register) to Shodan or a membership, you can use filters to refine the data you get back. This is extremely helpful when we see the huge number of responses to some of our queries. Please consider supporting Shodan. A matrix of their different account levels is at https://enterprise.shodan.io/product-comparison.

Understanding that the DOUBLEPULSAR exploit uses TCP port 445, SMB version 1 and infects Windows systems (not ones using the software product Samba), we can craft a search string to look for those systems. It looks like:

port:445 "SMB Version: 1" os:Windows !product:Samba

When run, we see that there are about 415,323 systems on the internet that could be vulnerable. This string does not search for vulnerabilities so we don’t know if these are patched systems or not.

[Screenshot] Shodan results

No Shodan Account?

If you do not have a Shodan account, you can perform rudimentary searches to get some data (such as searching for “SMB Version: 1”) but you will be overwhelmed with false positive results.

Shodan Filter Reference

This section is mostly to have a quick reference to the place where you can select what Shodan query filters you want. I’ve done my fair share of Googling and DuckDuckGoing and it took me a while to find the help area that listed all the search modifiers so I post them here.

If you wish to jump there, https://developer.shodan.io/api is the link. Go to the “GET /shodan/host/search” section (see below) and click it to be shown the entire set of filters.

[Screenshot] The “GET /shodan/host/search” section of the Shodan API documentation

I’ve posted the relevant section of the page below for easy reference. Keep in mind that the Shodan folks are doing excellent work and actively adding content and features to Shodan so the content below may not be 100% accurate after a bit.

Search Shodan

Search Shodan using the same query syntax as the website and use facets to get summary information for different properties.

Requirements

This method may use API query credits depending on usage. If any of the following criteria are met, your account will be deducted 1 query credit:

  1. The search query contains a filter.
  2. Accessing results past the 1st page using the “page” parameter. For every 100 results past the 1st page, 1 query credit is deducted.

Request URL

https://api.shodan.io/shodan/host/search?key={YOUR_API_KEY}&query={query}&facets={facets}
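The following is an added example (my own code, not from the original post and not Shodan's client library) that ties the earlier SMB version 1 query to the request URL and credit rule above: it composes the query from filter/value pairs, estimates the credit cost of a call under the rule as I read it, percent-encodes the GET URL, and then summarises a constructed sample response (the shape of a host/search reply, with documentation-range addresses) the way a defender would when checking which of their own netblocks still expose SMB version 1. The `own_nets` argument and the sample data are assumptions for the demonstration.

```python
"""Added example: build a Shodan query, cost it, form the request URL and
summarise a (constructed) host/search response for a defender's own netblocks."""
import ipaddress
import re
from urllib.parse import urlencode

API_ENDPOINT = "https://api.shodan.io/shodan/host/search"  # request URL from the post

# A token is either a double-quoted phrase or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# An unquoted token of the form filter:value (optionally negated with '!').
FILTER_RE = re.compile(r'^!?[A-Za-z0-9_.]+:.+$')


def build_query(*parts):
    """Each part is a free-text phrase (quoted when it contains spaces) or a
    (filter, value) tuple; prefix the filter name with '!' to negate it."""
    out = []
    for p in parts:
        if isinstance(p, tuple):
            name, value = p
            out.append(f"{name}:{value}")
        else:
            out.append(f'"{p}"' if " " in p else p)
    return " ".join(out)


def uses_filter(query):
    """True when any unquoted token has the filter:value shape."""
    return any(FILTER_RE.match(tok) for tok in TOKEN_RE.findall(query)
               if not tok.startswith('"'))


def query_credits(query, page=1):
    """Credits for one call, as I read the rule quoted above: any page past
    the first costs 1 credit; page 1 costs 1 only if the query has a filter."""
    if page > 1:
        return 1
    return 1 if uses_filter(query) else 0


def request_url(api_key, query, facets=None, page=1):
    """The GET URL from the post, with query and facets percent-encoded."""
    params = {"key": api_key, "query": query}
    if facets:
        params["facets"] = ",".join(facets)
    if page > 1:
        params["page"] = page
    return f"{API_ENDPOINT}?{urlencode(params)}"


# Constructed sample in the shape of a host/search response (not real data;
# addresses are from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24).
SAMPLE_RESPONSE = {
    "total": 3,
    "matches": [
        {"ip_str": "192.0.2.10", "port": 445, "os": "Windows",
         "org": "Example Corp", "data": "SMB Version: 1\nOS: Windows Server 2008 R2"},
        {"ip_str": "192.0.2.77", "port": 445, "os": "Windows",
         "org": "Example Corp", "data": "SMB Version: 1\nOS: Windows 7"},
        {"ip_str": "198.51.100.5", "port": 445, "os": "Windows",
         "org": "Other ISP", "data": "SMB Version: 1\nOS: Windows Server 2012"},
    ],
    "facets": {"org": [{"value": "Example Corp", "count": 2},
                       {"value": "Other ISP", "count": 1}]},
}


def summarise(response, own_nets):
    """Reduce a response to what a responder needs: the overall match count,
    the matches inside the organisation's own netblocks (assumed input), and
    the per-organisation breakdown from the 'org' facet."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    in_scope = [m["ip_str"] for m in response["matches"]
                if any(ipaddress.ip_address(m["ip_str"]) in n for n in nets)]
    by_org = {f["value"]: f["count"]
              for f in response.get("facets", {}).get("org", [])}
    return {"total": response["total"], "in_scope": sorted(in_scope), "by_org": by_org}


if __name__ == "__main__":
    q = build_query(("port", 445), "SMB Version: 1", ("os", "Windows"), ("!product", "Samba"))
    print(q)
    print("credits for page 1:", query_credits(q))
    print(request_url("YOUR_API_KEY", q, facets=["org", "country"]))
    print(summarise(SAMPLE_RESPONSE, ["192.0.2.0/24"]))
```

Adding `net:` with your own CIDR to the query (as the filter list below describes) keeps the result set, and the credit spend, to the hosts you are responsible for; the `org` facet then gives the same breakdown the website shows in its sidebar.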

Parameters

  • query: [String] Shodan search query. The provided string is used to search the database of banners in Shodan, with the additional option to provide filters inside the search query using a “filter:value” format. For example, the following search query would find Apache webservers located in Germany: “apache country:DE”. The following filters are currently supported:
    after

    Only show results that were collected after the given date (dd/mm/yyyy).

    asn

    The Autonomous System Number that identifies the network the device is on.

    before

    Only show results that were collected before the given date (dd/mm/yyyy).

    city

    Show results that are located in the given city.

    country

    Show results that are located within the given country.

    geo

    There are 2 modes to the geo filter: radius and bounding box. To limit results based on a radius around a pair of latitude/ longitude, provide 3 parameters; ex: geo:50,50,100. If you want to find all results within a bounding box, supply the top left and bottom right coordinates for the region; ex: geo:10,10,50,50.

    hash

    Hash of the “data” property

    has_ipv6

    If “true” only show results that were discovered on IPv6.

    has_screenshot

    If “true” only show results that have a screenshot available.

    hostname

    Search for hosts that contain the given value in their hostname.

    isp

    Find devices based on the upstream owner of the IP netblock.

    link

    Find devices depending on their connection to the Internet.

    net

    Search by netblock using CIDR notation; ex: net:69.84.207.0/24

    org

    Find devices based on the owner of the IP netblock.

    os

    Filter results based on the operating system of the device.

    port

    Find devices based on the services/ ports that are publicly exposed on the Internet.

    postal

    Search by postal code.

    product

    Filter using the name of the software/ product; ex: product:Apache

    state

    Search for devices based on the state/ region they are located in.

    version

    Filter the results to include only products of the given version; ex: product:apache version:1.3.37

    bitcoin.ip

    Find Bitcoin servers that had the given IP in their list of peers.

    bitcoin.ip_count

    Find Bitcoin servers that return the given number of IPs in the list of peers.

    bitcoin.port

    Find Bitcoin servers that had IPs with the given port in their list of peers.

    bitcoin.version

    Filter results based on the Bitcoin protocol version.

    http.component

    Name of web technology used on the website

    http.component_category

    Category of web components used on the website

    http.html

    Search the HTML of the website for the given value.

    http.html_hash

    Hash of the website HTML

    http.status

    Response status code

    http.title

    Search the title of the website

    ntp.ip

    Find NTP servers that had the given IP in their monlist.

    ntp.ip_count

    Find NTP servers that return the given number of IPs in the initial monlist response.

    ntp.more

    Whether or not more IPs were available for the given NTP server.

    ntp.port

    Find NTP servers that had IPs with the given port in their monlist.

    ssl

    Search all SSL data

    ssl.alpn

    Application layer protocols such as HTTP/2 (“h2”)

    ssl.chain_count

    Number of certificates in the chain

    ssl.version

    Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

    ssl.cert.alg

    Certificate algorithm

    ssl.cert.expired

    Whether the SSL certificate is expired or not; True/ False

    ssl.cert.extension

    Names of extensions in the certificate

    ssl.cert.serial

    Serial number as an integer or hexadecimal string

    ssl.cert.pubkey.bits

    Number of bits in the public key

    ssl.cert.pubkey.type

    Public key type

    ssl.cipher.version

    SSL version of the preferred cipher

    ssl.cipher.bits

    Number of bits in the preferred cipher

    ssl.cipher.name

    Name of the preferred cipher


    telnet.option

    Search all the options

    telnet.do

    The server requests the client to support these options

    telnet.dont

    The server requests the client to not support these options

    telnet.will

    The server supports these options

    telnet.wont

    The server doesn't support these options
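Because a query containing a filter costs a credit whether or not the filter value is well-formed, it is worth checking the value syntax before sending. This added example (my own code, not from the post or from Shodan) lints a query against the filter list above, covering only the value shapes the list actually documents: dd/mm/yyyy dates for after/before, three or four comma-separated numbers for geo, CIDR for net, a port number, true/false for the boolean filters, and the listed ssl.version values. Filters whose value format the list does not specify are only checked for being a known name; the set of checks and the messages are my own choices.

```python
"""Added example: validate filter values in a Shodan query against the
documented filter list before spending a query credit on it."""
import ipaddress
import re
from datetime import datetime

# Filter names exactly as listed in the reference above.
KNOWN_FILTERS = {
    "after", "asn", "before", "city", "country", "geo", "hash", "has_ipv6",
    "has_screenshot", "hostname", "isp", "link", "net", "org", "os", "port",
    "postal", "product", "state", "version",
    "bitcoin.ip", "bitcoin.ip_count", "bitcoin.port", "bitcoin.version",
    "http.component", "http.component_category", "http.html", "http.html_hash",
    "http.status", "http.title",
    "ntp.ip", "ntp.ip_count", "ntp.more", "ntp.port",
    "ssl", "ssl.alpn", "ssl.chain_count", "ssl.version", "ssl.cert.alg",
    "ssl.cert.expired", "ssl.cert.extension", "ssl.cert.serial",
    "ssl.cert.pubkey.bits", "ssl.cert.pubkey.type", "ssl.cipher.version",
    "ssl.cipher.bits", "ssl.cipher.name",
    "telnet.option", "telnet.do", "telnet.dont", "telnet.will", "telnet.wont",
}
SSL_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # from the list

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                      # quoted phrase or bare token
FILTER_RE = re.compile(r'^(!?)([A-Za-z0-9_.]+):(.*)$')      # [!]name:value


def _date(v):
    datetime.strptime(v, "%d/%m/%Y")  # ValueError if not dd/mm/yyyy


def _geo(v):
    nums = [float(x) for x in v.split(",")]  # ValueError on non-numeric parts
    if len(nums) not in (3, 4):
        raise ValueError("geo takes lat,lon,radius or lat1,lon1,lat2,lon2")


def _net(v):
    ipaddress.ip_network(v, strict=False)  # ValueError if not valid CIDR


def _port(v):
    if not 0 < int(v) < 65536:  # int() raises ValueError on non-digits
        raise ValueError("port must be between 1 and 65535")


def _bool(v):
    if v.lower() not in ("true", "false"):
        raise ValueError("expected true or false")


def _ssl_version(v):
    if v not in SSL_VERSIONS:
        raise ValueError("expected one of " + ", ".join(sorted(SSL_VERSIONS)))


# Value checks for the filters whose format the list specifies (my selection).
CHECKS = {
    "after": _date, "before": _date, "geo": _geo, "net": _net, "port": _port,
    "has_ipv6": _bool, "has_screenshot": _bool, "ssl.cert.expired": _bool,
    "ssl.version": _ssl_version,
}


def validate_query(query):
    """Return a list of problems; an empty list means nothing looked wrong."""
    problems = []
    for tok in TOKEN_RE.findall(query):
        if tok.startswith('"'):
            continue                      # quoted phrase, not a filter
        m = FILTER_RE.match(tok)
        if not m:
            continue                      # bare keyword, not a filter
        name, value = m.group(2), m.group(3)
        if name not in KNOWN_FILTERS:
            problems.append(f"unknown filter {name!r}")
            continue
        check = CHECKS.get(name)
        if check is None:
            continue
        try:
            check(value)
        except ValueError as e:
            problems.append(f"{name}:{value}: {e}")
    return problems


if __name__ == "__main__":
    for q in ('port:445 "SMB Version: 1" os:Windows !product:Samba',
              "geo:50,50 after:2017-05-01 prot:445"):
        print(q, "->", validate_query(q) or "ok")
```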
