In the beginning there were Google Dorks, by using specific Google search queries it is still possible to find thousands of unsecured remotely accessible security cameras and printers. Now with search engines such as Shodan.io and Censys.io finding open devices on the Internet has gone to the next level.
Google dorks work because Google happened to index the admin login screen of the device. Since the majority of devices still had the default credentials it was then possible to view security cameras in offices around the world, print random junk to unknown printers and much more. While pranks and much laughing may follow, Google dorks highlight the importance of security awareness. That is understanding what services are listening on your perimeter and changing default credentials.
The folowing techniques for finding insecure devices connected to the Internet are much more accurate, comprehensive and accessible.
Shodan the Google of network services
Things started to heat up when John Matherly released the Shodan Search Tool. In 2009 John started indexing Internet service banners across the net and made the data available at ShodanHQ. It is now commonly known as the Google of network services, and has made numerous appearances in mainstream media such as CNN and Forbes.
Internet Census 2012
2012 saw the release of the Internet Census, an unknown researcher created a botnet that scanned the entire IPv4 address space - he or she then published the results online. Note that this project was audacious and very much illegal due to the fact that it utilized exploited routers in order to perform the port scanning.
Zmap and Masscan
Zmap was released a few months later by a team of computer scientists at the University of Michigan. The Zmap port scanning tool can scan the entire Internet in 45 minutes (IPv4 address space). You will need a big fat uplink and a fast network card but that is pretty damn quick. Yet another extremely fast port scanner was released soon after known as Masscan.
Project Sonar was the next big project in the timeline launched by HDMoore of Metasploit fame. At Scans.io the results of Internet scanning from HDMoore's critical.io scanning project, and datasets from the Zmap project have been made available on line for researchers to explore.
Censys was created in 2015 at the University of Michigan, by the security researchers who developed ZMap. A very fast port scanner capable of Internet-wide scanning. The team has been scanning the Internet and making the results available through the portal. They have recently launched commercial access to the API.
Most recently a security researcher has scanned a specific TCP port across the IPv4 address space and taken a screenshot of VNC (remote control software) services that have no password. In 16 minutes he found 30000 systems with no password, and some of those systems included 2 hydroelectric plants and surveillance cameras at a casino in the Czech Republic.
Now go Port Scan your Internet facing networks
As seen from the projects, data and articles linked above, all too often networks go untested for services that should not be there or at least not be accessible from anywhere in the world over the Internet.
Here are three steps that will help you stay secure and it might even just make the world a safer place:
- Port Scan your Internet facing IP addresses with Nmap
- Nmap is simply the best tool for performing a port scan. You can download Nmap and install it on your operating system of choice.
- Keep in mind that you want to perform the testing from an external IP address to the network you are testing.
- Know your network ranges, keep a list of all IP ranges and systems you manage. Ensure all networks and systems are tested.
- Firewall, block or restrict access to services that should not be accessible from the Internet
- Make the necessary changes and get it fixed.
- Implement a change control process for firewall changes and systems on the perimeter.
- Schedule the port scan to be performed on a regular basis
- Select a schedule based on your risk model, perhaps weekly, daily or monthly.
- Changes to the network occur all the time; when new devices are added; changes are made to existing devices; firewall rules are modified; when a change occurs mistakes will happen.
- Nmap has a tool called ndiff that allows you to compare two port scans, this is handy tool for scripting regular port scans from a VPS or off site location.
Regular port scans are simple to implement and can be incorporated with other regular security tasks. Start now before someone on the other side of the world starts abusing your printer or turns up the heat in your building.