When developing any sort of security infrastructure program, it is crucial to know what is in the environment. Knowing what you have internally and externally helps track what your attack vectors are and gives a better picture of where you stand in the process. The inventory that monitors and maintains things of value to an entity or group is called asset management. Having a manageable process for this can help build programs such as vulnerability management, identifying public and local attack vectors, and just generally knowing what you have in your environment.

We’ll be using Shodan and Censys to identify attack vectors within our external facing assets. Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client. Google does the same thing to index content for its search engine, but Shodan spits out more specific and greater amounts of data. It grabs the banners of available services using a home-grown, distributed port scanner. There are no available resources that show which ports Shodan scans.

Censys, on the other hand, collects data on hosts and websites through daily ZMap and ZGrab scans of the IPv4 address space, in turn maintaining a database of how hosts and websites are configured. The ports that Censys scans are located here.

Ports Censys scans for:

- HTTP - 80, 8080, and 8000
- HTTPS - TCP/443 and TCP/4443
- POP3, IMAP, SMTP, SMTPS
- SSH - TCP/22
- Telnet - TCP/23 and TCP/2323
- DNS - UDP/53
- Modbus, S7, BACNET, DNP3, Tridium Fox
- FTP - TCP/21
- CWMP - CPE WAN Management Protocol aka TR-069
- UPnP - UDP/9100

Using different methods to gather the same data helps cross-check accuracy. The active method of scanning for attack vectors is to use nmap with the TCP connect option.
Let’s go ahead and do the recon.
Imagine that our subnet is 220.127.116.11/24. In the Shodan search engine, the option to search for a whole subnet is net:. So using the net option to search for our subnet 18.104.22.168/24, the query should look like this: net:22.214.171.124/24.
For both hosts, 126.96.36.199 and 188.8.131.52, we can see that certain services are available to anyone. From here, we can see if these services can be abused by external actors, which at one point they had been - NorthKoreaDNSLeak

In the Censys search engine, the option to search for a whole subnet is ip:. So using the ip option to search for our subnet 184.108.40.206/24, the query should look like this: ip:220.127.116.11/24. Censys found a couple more hosts/services than Shodan, and from here we can manually check whether each service is actually available publicly. This method of searching for external attack vectors can be done manually using NMAP with the TCP CONNECT option to be certain that a service is available, but that is time-consuming if you are doing whole subnets. At a future date, I’ll write a blog post on doing this using an external server.
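As an added example (not code from the original post), the following Python script shows how to correlate the results of a Shodan net: search and a Censys ip: search for the same subnet into one external asset inventory, and how to build the nmap TCP connect command for confirming the ports that only one engine reported. The two result lists are constructed sample data for a hypothetical subnet, not real scan output.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample results, shaped like the host/port hits a Shodan net:
# and a Censys ip: search would return for one subnet (not real data).
SHODAN_RESULTS = [
    {"ip": "192.0.2.10", "port": 22, "product": "OpenSSH"},
    {"ip": "192.0.2.10", "port": 80, "product": "nginx"},
    {"ip": "192.0.2.11", "port": 53, "product": "BIND"},
]
CENSYS_RESULTS = [
    {"ip": "192.0.2.10", "port": 22},
    {"ip": "192.0.2.10", "port": 443},
    {"ip": "192.0.2.11", "port": 53},
    {"ip": "192.0.2.12", "port": 8080},
]


def index_by_host(records: Iterable[dict]) -> Dict[str, Set[int]]:
    """Fold flat (ip, port) records into {ip: {ports}}."""
    hosts: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        hosts[r["ip"]].add(int(r["port"]))
    return dict(hosts)


def correlate(shodan: Iterable[dict], censys: Iterable[dict]) -> Dict[str, dict]:
    """Merge both engines into one inventory. 'confirmed' ports were seen by
    both; 'unverified' ports were seen by only one and need an active check."""
    s, c = index_by_host(shodan), index_by_host(censys)
    inventory = {}
    for ip in sorted(set(s) | set(c)):
        sp, cp = s.get(ip, set()), c.get(ip, set())
        inventory[ip] = {
            "confirmed": sorted(sp & cp),
            "unverified": sorted(sp ^ cp),
            "sources": [n for n, p in (("shodan", sp), ("censys", cp)) if p],
        }
    return inventory


def nmap_verify_command(ip: str, ports: List[int]) -> str:
    """TCP connect scan (-sT) of just the unverified ports, to be run from an
    external host so it reflects what the internet actually sees."""
    return f"nmap -sT -Pn -p {','.join(map(str, ports))} {ip}"


if __name__ == "__main__":
    for ip, entry in correlate(SHODAN_RESULTS, CENSYS_RESULTS).items():
        print(ip, entry)
        if entry["unverified"]:
            print("  verify:", nmap_verify_command(ip, entry["unverified"]))
```

Hosts that appear in only one engine (like 192.0.2.12 above) are exactly the ones worth a manual check before they are added to the inventory as exposed.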