EXECUTIVE SUMMARY

  • Shodan (https://www.shodan.io/) is a search engine that uses a variety of filters to find devices, such as computers, routers, and servers, which are connected to the Internet.
  • Shodan collects data mostly on web servers (HTTP port 80), but there is also data about FTP (21), SSH (22), Telnet (23), SNMP (161) and SIP (5060) services.
  • Shodan is often dubbed as “Google for hackers”, as it exposes vulnerable devices.

DESCRIPTION

  • Shodan is a scanner which can find systems connected to the Internet, including traffic lights, security cameras, home heating systems and baby monitors, as well as SCADA system such as gas stations, water plants, power grids and nuclear power plants. Many of these systems have a number of vulnerabilities and very little security in place.
  • Shodan can identify the physical location of any Internet-connected equipment, as well as its IP address, and often even what type of software it’s running.. This provides sufficient information for hackers to carry out targeted attacks.
  • A massive data hack in the UK, attributed to Shodan scans, exposed sensitive data including family photographs, medical records and bank statements. This was due to security flaws in Iomega hard drives which were used to back up personal and business data.

 

CHECK POINT IPS PROTECTIONS

  • Shodan “crawls” the Internet for publicly accessible devices, looking for specific IP addresses and hosts (see Appendix).
  • Blocking these IP addresses is not enough, as similar scanners are used by hackers seeking other IPs.
  • To fill these gaps, Check Point provides the following IPS protections:
    • Shodan.io Internet Of Things Portal
    • Shodan Scanner ISAKMP Request
    • Shodan Scanner SIP Request
      Shodan Scanner BACNET Request
    • Shodan Scanner GTP Request
    • Shodan Scanner ENIP Request

These protections search for specific patterns in the SYN request that characterize Shodan and similar scanners.

 

REFERENCES

  • Shodan: https://en.wikipedia.org/wiki/Shodan_(website)
  • Shodan in the news:
    • http://www.dailymail.co.uk/news/article-3207396/Thousands-exposed-massive-new-data-hack-s-not-just-adulterers-outed-web-PC-hard-drive-risk-Google-hackers.html
    • http://www.computerworld.com/article/3016072/security/13-million-mackeeper-users-exposed-by-shodan-search-no-password-or-hacking-required.html

APPENDIX – SHODAN HOST NAMES AND IP ADDRESSES
IP Host Name
93.120.27.62 m247.ro.shodan.io
85.25.43.94 rim.census.shodan.io
85.25.103.50 pacific.census.shodan.io
82.221.105.7 census11.shodan.io
82.221.105.6 census10.shodan.io
71.6.167.142 census9.shodan.io
71.6.165.200 census12.shodan.io
71.6.135.131 census7.shodan.io
66.240.236.119 census6.shodan.io
66.240.192.138 census8.shodan.io
198.20.99.130 census4.shodan.io
198.20.70.114 census3.shodan.io
198.20.69.98 census2.shodan.io
198.20.69.74 census1.shodan.io
188.138.9.50 atlantic.census.shodan.io

You may also like