Shodan and DOUBLEPULSAR / WannaCry

What is WannaCry?

In March 2017, Microsoft issued the MS17-010 bulletin (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) patching (and warning about) a broad set of vulnerabilities in many of its operating systems, from Windows XP to Windows 10 and 2016. This vulnerability could be exploited via the DOUBLEPULSAR attack released by ShadowBrokers and supposedly attributed to the NSA.

For more information on WannaCry, please consider visiting these blogs:

In essence, WannaCry exploits Microsoft Windows systems that communicate over TCP port 445 and use the older SMB version 1 protocol (see the above blogs for more details). As OSINT people, we naturally want to know:

“How many systems attached to the Internet could be vulnerable?”

That brings us to Shodan. It is “the world’s first search engine for Internet-connected devices.” (https://www.shodan.io/, May 19, 2017).

What is Shodan?


Shodan has servers that scan the internet, catalog the results of the scans and then allow people to search and visualize those results. For its users, Shodan is passive, meaning that the systems scanned by Shodan know that Shodan scanned them but not the user. When I ask Shodan to show me all the Microsoft IIS version 8 servers that are running on TCP port 8080 in China, it shows me the 669 systems that it knows about and yet none of those systems know that I looked up this information (Shodan knows of my searches and has a privacy policy you can read – https://account.shodan.io/privacy).

The above query and URL are:

[Screenshot: Shodan Results: port 8080, IIS version 8 in China]

Logged In

If you have a free login (register at https://account.shodan.io/register) to Shodan or a membership, you can use filters to refine the data you get back. This is extremely helpful when we see the huge number of responses to some of our queries. Please consider supporting Shodan. A matrix of their different account levels is at https://enterprise.shodan.io/product-comparison.

Understanding that the DOUBLEPULSAR exploit uses TCP port 445, SMB version 1 and infects Windows systems (not ones using the software product Samba), we can craft a search string to look for those systems. It looks like:

port:445 "SMB Version: 1" os:Windows !product:Samba

When run, we see that there are about 415,323 systems on the internet that could be vulnerable. This string does not search for vulnerabilities, so we don’t know whether these systems are patched or not.
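To turn the query above into something repeatable, here is an added example (not code from the original post) that builds the Shodan REST request for it and summarises the JSON the host/search endpoint returns. The `net:` filter is an assumed extra for scoping the search to your own address space, and the sample response is constructed, so the block runs offline; a live call needs a real API key.

```python
# Added example: build the documented /shodan/host/search request for the
# SMBv1 query from the post and summarise a response by country and host.
import json
import urllib.parse
import urllib.request

API = "https://api.shodan.io/shodan/host/search"
# Query string from the post. The optional net: filter (assumed here) limits
# the search to a netblock you are responsible for; 192.0.2.0/24 is a placeholder.
QUERY = 'port:445 "SMB Version: 1" os:Windows !product:Samba'


def build_search_url(api_key, query, facets="country", net=None):
    """Return the GET URL in the key/query/facets format Shodan documents.
    Note: any query containing a filter costs 1 query credit per 100 results."""
    if net:
        query = f"{query} net:{net}"
    params = {"key": api_key, "query": query, "facets": facets}
    return f"{API}?{urllib.parse.urlencode(params)}"


def summarize(response):
    """Reduce a search response to the total hit count, per-country counts
    and (ip, org) pairs for the hosts on the returned page."""
    facets = response.get("facets", {}).get("country", [])
    by_country = {f["value"]: f["count"] for f in facets}
    hosts = [(m["ip_str"], m.get("org", "?")) for m in response.get("matches", [])]
    return {"total": response.get("total", 0), "by_country": by_country, "hosts": hosts}


def search(api_key, query=QUERY, net=None):
    """Live lookup: requires network access and a valid Shodan API key."""
    with urllib.request.urlopen(build_search_url(api_key, query, net=net)) as r:
        return summarize(json.load(r))


# Constructed sample response in the shape the endpoint returns (not real data).
SAMPLE = {
    "total": 2,
    "facets": {"country": [{"value": "US", "count": 1}, {"value": "DE", "count": 1}]},
    "matches": [
        {"ip_str": "192.0.2.10", "port": 445, "org": "Example Org", "os": "Windows"},
        {"ip_str": "192.0.2.20", "port": 445, "org": "Example Org", "os": "Windows"},
    ],
}

if __name__ == "__main__":
    print(build_search_url("YOUR_API_KEY", QUERY, net="192.0.2.0/24"))
    print(summarize(SAMPLE))
```

Because the query contains filters, each page of 100 results deducts one query credit, so narrow with `net:` before paging through a large result set.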

[Screenshot: Shodan results for the SMB version 1 query]


No Shodan Account?

If you do not have a Shodan account, you can perform rudimentary searches to get some data (such as searching for “SMB Version: 1”) but you will be overwhelmed with false positive results.

Shodan Filter Reference

This section is mostly to have a quick reference to the place where you can select what Shodan query filters you want. I’ve done my fair share of Googling and DuckDuckGoing and it took me a while to find the help area that listed all the search modifiers so I post them here.

If you wish to jump there, https://developer.shodan.io/api is the link. Go to the “GET /shodan/host/search” section (see below) and click it to be shown the entire set of filters.

[Screenshot: the “GET /shodan/host/search” section of the Shodan API reference]

I’ve posted the relevant section of the page below for easy reference. Keep in mind that the Shodan folks are doing excellent work and actively adding content and features to Shodan so the content below may not be 100% accurate after a bit.

Search Shodan

Search Shodan using the same query syntax as the website and use facets to get summary information for different properties.

Requirements

This method may use API query credits depending on usage. If any of the following criteria are met, your account will be deducted 1 query credit:

  1. The search query contains a filter.
  2. Accessing results past the 1st page using the “page” parameter. For every 100 results past the 1st page, 1 query credit is deducted.

Request URL

https://api.shodan.io/shodan/host/search?key={YOUR_API_KEY}&query={query}&facets={facets}

Parameters

  • query: [String] Shodan search query. The provided string is used to search the database of banners in Shodan, with the additional option to provide filters inside the search query using a “filter:value” format. For example, the following search query would find Apache webservers located in Germany: “apache country:DE”. The following filters are currently supported:
    after: Only show results that were collected after the given date (dd/mm/yyyy).
    asn: The Autonomous System Number that identifies the network the device is on.
    before: Only show results that were collected before the given date (dd/mm/yyyy).
    city: Show results that are located in the given city.
    country: Show results that are located within the given country.
    geo: There are 2 modes to the geo filter: radius and bounding box. To limit results based on a radius around a pair of latitude/longitude, provide 3 parameters; ex: geo:50,50,100. If you want to find all results within a bounding box, supply the top left and bottom right coordinates for the region; ex: geo:10,10,50,50.
    hash: Hash of the “data” property.
    has_ipv6: If “true”, only show results that were discovered on IPv6.
    has_screenshot: If “true”, only show results that have a screenshot available.
    hostname: Search for hosts that contain the given value in their hostname.
    isp: Find devices based on the upstream owner of the IP netblock.
    link: Find devices depending on their connection to the Internet.
    net: Search by netblock using CIDR notation; ex: net:69.84.207.0/24
    org: Find devices based on the owner of the IP netblock.
    os: Filter results based on the operating system of the device.
    port: Find devices based on the services/ports that are publicly exposed on the Internet.
    postal: Search by postal code.
    product: Filter using the name of the software/product; ex: product:Apache
    state: Search for devices based on the state/region they are located in.
    version: Filter the results to include only products of the given version; ex: product:apache version:1.3.37
    bitcoin.ip: Find Bitcoin servers that had the given IP in their list of peers.
    bitcoin.ip_count: Find Bitcoin servers that return the given number of IPs in the list of peers.
    bitcoin.port: Find Bitcoin servers that had IPs with the given port in their list of peers.
    bitcoin.version: Filter results based on the Bitcoin protocol version.
    http.component: Name of web technology used on the website.
    http.component_category: Category of web components used on the website.
    http.html: Search the HTML of the website for the given value.
    http.html_hash: Hash of the website HTML.
    http.status: Response status code.
    http.title: Search the title of the website.
    ntp.ip: Find NTP servers that had the given IP in their monlist.
    ntp.ip_count: Find NTP servers that return the given number of IPs in the initial monlist response.
    ntp.more: Whether or not more IPs were available for the given NTP server.
    ntp.port: Find NTP servers that had IPs with the given port in their monlist.
    ssl: Search all SSL data.
    ssl.alpn: Application layer protocols such as HTTP/2 (“h2”).
    ssl.chain_count: Number of certificates in the chain.
    ssl.version: Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2.
    ssl.cert.alg: Certificate algorithm.
    ssl.cert.expired: Whether the SSL certificate is expired or not; True/False.
    ssl.cert.extension: Names of extensions in the certificate.
    ssl.cert.serial: Serial number as an integer or hexadecimal string.
    ssl.cert.pubkey.bits: Number of bits in the public key.
    ssl.cert.pubkey.type: Public key type.
    ssl.cipher.version: SSL version of the preferred cipher.
    ssl.cipher.bits: Number of bits in the preferred cipher.
    ssl.cipher.name: Name of the preferred cipher.
    telnet.option: Search all the options.
    telnet.do: The server requests the client to support these options.
    telnet.dont: The server requests the client to not support these options.
    telnet.will: The server supports these options.
    telnet.wont: The server doesn’t support these options.
