
Brief History of Internet Wide Scanning

In the beginning there were Google Dorks; as far back as 2002 security researchers discovered that specific Google queries could reveal Internet connected devices. Seventeen years later it is still possible to find thousands of unsecured, remotely accessible security cameras and printers via simple Google searches.

Now, using search engines such as Shodan.io and Censys.io, it has become commonplace to passively discover open services (and devices) on the Internet.

Overview of Internet Wide Scanning

The following is a brief history of Internet Wide Discovery and Scanning.

Google Dorks

Google dorks work because Google's search index crawlers happen to index the admin login screen of the device. Since many devices have default credentials or no authentication at all, it is possible to view security cameras in offices around the world, print random junk to unknown printers and much more. While pranks and much laughing may follow, Google dorks highlight the importance of security awareness: understanding what services are listening on your perimeter and changing default credentials.

Shadowserver

In 2004 Shadowserver was started by a group of volunteers. Working from the principle that sharing Internet attack data can only enhance the overall security of the Internet, they quickly became a primary source for security researchers. Over the years they have been publishing reports, sharing cyber crime data and scanning the Internet. With a focus on cyber crime, they share reports of C2 services, DDoS botnet services and other attack based infrastructure.

Shodan the Google of network services

Things started to heat up when John Matherly released the Shodan Search Tool. In 2009 John started indexing Internet service banners across the net and made the data available at ShodanHQ. It is now commonly known as the Google of network services, and has made numerous appearances in mainstream media such as CNN and Forbes.

Internet Census 2012

2012 saw the release of the Internet Census: an unknown researcher created a botnet that scanned the entire IPv4 address space and then published the results online. Note that this project was audacious and very much illegal, as it used exploited routers to perform the port scanning.

Zmap and Masscan

Zmap was released a few months later by a team of computer scientists at the University of Michigan. The Zmap port scanning tool can scan the entire Internet (the IPv4 address space) in 45 minutes. You will need a big fat uplink and a fast network card, but that is amazingly fast. Masscan was another extremely fast port scanner, released only a few months after Zmap.

Project Sonar

Project Sonar, launched by HD Moore of Metasploit fame, was the next big project in the timeline. At Scans.io the results of Internet scanning from HD Moore's critical.io scanning project, along with data sets from the Zmap project, have been made available online for researchers to explore.

Censys

Censys was created in 2015 at the University of Michigan by the security researchers who developed ZMap, the very fast port scanner capable of Internet-wide scanning. The team has been scanning the Internet and making the results available through the portal. They have recently launched commercial access to the API.

VNC pwnage

In 2013 a security researcher scanned a specific TCP port across the IPv4 address space and captured screenshots of VNC (remote control software) services that responded without requiring a password. In 16 minutes he found 30,000 systems with no password, and some of those systems included 2 hydroelectric plants and surveillance cameras at a casino in the Czech Republic.

ZoomEye

ZoomEye, launched back in 2013, is another online search engine for Internet connected systems. Similar to Shodan and Censys, this China-based service provides the ability to search by IP address or string for connected hosts that match the query. There also appears to be a commercial offering for enterprise access to scan data.

fofa.so

Another China-based service, started in 2013, is fofa.so, which allows searches for services, open ports and strings across Internet Wide Scan data. As with the other services there is an API and the ability to perform straight string queries.

GreyNoise

A new project launched in 2017 comes at Internet Wide Scanning from a different direction. GreyNoise attempts to classify incoming Internet scan traffic and offers this classification as a service to organisations who might find it useful. The classification can flag some of the above projects as benign, or at least not malicious, as opposed to botnet traffic searching for more endpoints or other attack focused scanning.

Now may be a good time to Scan your Internet facing Networks

As is clear from the projects, data and articles linked above, security by obscurity was never a good strategy. If you have open services listening on the Internet they will be found. If they can be found, they can be attacked.

Here are 3 simple steps that will help you stay secure:

1. Port Scan your Internet facing IP addresses with Nmap

  • Nmap is the best tool for performing a port scan. You can download Nmap and install it on your operating system of choice.
  • Keep in mind that you want to perform the testing from an external IP address to the network you are testing.
  • Know your network ranges: keep a list of all IP ranges and systems you manage, and ensure all networks and systems are tested.

2. Firewall or restrict access to services that should not be Internet accessible

  • Make the necessary changes to the firewall to block or restrict access to Internet facing devices and services.
  • Implement a change control process for firewall changes and systems on the perimeter.

3. Schedule the port scan to be performed on a regular basis

  • Select a schedule based on your risk model, perhaps weekly, daily or monthly.
  • Changes to the network occur all the time: new devices are added, existing devices are reconfigured, firewall rules are modified, and whenever a change is made mistakes can happen.
  • Nmap ships with a tool called ndiff that allows you to compare two port scans; this is a handy tool for scripting regular port scans from a VPS or off site location.
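As an added example (not code from the original article), here is a small script that ties the three steps together: it scans the IP ranges you own from an external host, keeps each Nmap XML result, and reports any port that has opened since the previous run, which is the same idea as ndiff narrowed to open ports. The ranges file name, the `scans/` directory layout, the Nmap options chosen (`-Pn -p- -iL -oX`) and the two sample XML documents with 203.0.113.x addresses are all assumptions constructed for the demonstration; only the diff logic is exercised without nmap installed.

```python
"""Scheduled perimeter port scan with a diff against the previous run.

Added example, not code from the original article. Scans the ranges listed
one per line in a ranges file (run it from a VPS or other external host),
stores each Nmap -oX result, and flags ports that opened since the last scan.
The file layout and the sample XML documents below are constructed.
"""
from __future__ import annotations

import subprocess
import sys
import xml.etree.ElementTree as ET
from datetime import date
from pathlib import Path


def open_ports(nmap_xml: str) -> set[tuple[str, int, str]]:
    """Return {(ip, port, proto)} for every open port in an Nmap -oX document."""
    found = set()
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                found.add((addr.get("addr"), int(port.get("portid")), port.get("protocol")))
    return found


def diff_scans(previous_xml: str, current_xml: str) -> dict:
    """Ports that opened or closed between two scans; 'opened' is what needs a look."""
    before, after = open_ports(previous_xml), open_ports(current_xml)
    return {"opened": sorted(after - before), "closed": sorted(before - after)}


def run_scan(ranges_file: Path, out_dir: Path) -> Path:
    """Hypothetical wrapper around the real nmap binary (needs nmap on PATH).

    -Pn skips host discovery so firewalled hosts are still port-scanned,
    -p- covers all 65535 TCP ports, -iL reads the targets from the ranges file.
    """
    out_dir.mkdir(parents=True, exist_ok=True)
    out = out_dir / f"scan-{date.today().isoformat()}.xml"
    subprocess.run(["nmap", "-Pn", "-p-", "-iL", str(ranges_file), "-oX", str(out)], check=True)
    return out


def main(ranges_file: str = "ranges.txt", out_dir: str = "scans") -> int:
    """Run today's scan, compare with the newest earlier scan, exit 1 if ports opened."""
    scans = Path(out_dir)
    current = run_scan(Path(ranges_file), scans)
    previous = [p for p in sorted(scans.glob("scan-*.xml")) if p != current]
    if not previous:
        print(f"baseline saved to {current}")
        return 0
    result = diff_scans(previous[-1].read_text(), current.read_text())
    for ip, port, proto in result["opened"]:
        print(f"NEW OPEN PORT {ip} {port}/{proto}")
    for ip, port, proto in result["closed"]:
        print(f"closed since last scan {ip} {port}/{proto}")
    return 1 if result["opened"] else 0


# Constructed Nmap -oX fragments (not real scan results): a web host that gains
# an exposed printer port (9100) and a second host that gains VNC (5900).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="open"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/></port>
    </ports></host>
</nmaprun>"""

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it from cron on the external host with the ranges file as the first argument; a non-zero exit status on newly opened ports makes it easy to wire into whatever alerting you already have. Filtered ports are deliberately ignored so that firewall rule changes only show up when they actually expose a listening service.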

Regular port scans are simple to implement and can be incorporated with other regular security tasks. Start now before someone on the other side of the world starts abusing your printer or turns up the heat in your building.
