Welcome back my aspiring cyber warriors!
In my earlier tutorial, I showed you some of the basics of using Shodan, "the world's most dangerous search engine". In this tutorial, we will expand and extend your knowledge of the capabilities of Shodan to find outdated and vulnerable online systems.
Often times, aspiring cyber warriors assume that every computer system has the latest and greatest operating system and software and has been patched with all the most recent security patches. They believe that EVERYONE is using Windows 10, Server 2016 and the latest software release, because they and all their friends and associates are. I can assure your right now that is NOT the case. We can easily demonstrate this using Shodan.
Keep in mind that Shodan pulls banners only from Internet-connected devices. Therefore, its lists do not include all systems, but only a subset of all systems. There are far more systems in the world for a specific set of parameters than what Shodan lists.
For instance, since Microsoft first introduced in Windows XP 2001 and ceased mainstream support on April 14, 2009 and extended support on April 8 2014, you might assume that NO ONE with any information security consciousness would still be running this operating system, especially on an Internet-connected device. This would make some sense since Windows XP is riddled with security vulnerabilities longer than I can list on this page. Let's test that assumption on Shodan.
Shodan enables us to look for the operating system hosting the IP address by using the following syntax:
os:"operating system name"
Windows XP on the Net
So, if we want to find all the systems running Windows XP connected to the Internet, we could create a filter as such
os: "windows xp"
We can see that Shodan found almost 150,000 systems connected to Internet running Windows XP. Kind of makes you salivate, doesn't it?
Note that the second listing above is running the ancient Microsoft IIS 6.0 web server. Once again, the list of vulnerabilities for this web server is too long to list here (check CVE deatils, SecurityFocus or other vulnerability dayabase) and this company is running both Windows XP with the out-of-date Windows IIS 6.0. Windows IIS 6.0 was introduced with Windows 2003 and you probably assumed no one was still using this buggy out-of-date web server (the current version of IIS is 10.0), but you would be wrong.
Microsoft IIS 6.0 Web Server
Let's see how many systems are still using Microsoft's II 6.0. We can create a filter on Shodan that shows only Windows IIS 6.0 systems as such;
As you can see above, there are almost 600,000 systems running this ancient, 15 year old web server. Is anybody paying attention out there?
Windows XP AND Microsoft IIS 6.0
Furthermore, Shodan enables us to find systems running the both obsolete Windows XP and Microsoft's buggy IIS 6.0 by using a logical AND in our filter. Shodan, like many systems, assumes a logical AND when you place two or more parameters in the filter window. So, we can find those systems running IIS 6.0 on Windows XP by creating a filter as so;
"Microsoft-IIS/6.0" os:"Windows XP"
Shodan found over 27,000 such sites. These companies should thank their lucky stars they have not yet been hacked or maybe they have already been hacked and don't know it. Such systems are vulnerable to almost any script-kiddie.
To further demonstrate the power of Shodan, we can become even more specific in our search and narrow down these systems to a specific country. To find all the IIS 6.0 systems running on Windows XP and located in Hong Kong, we could filter by;
"Microsoft-IIS/6.0" os:"Windows XP" country:"HK"
Finding Obsolete Linux Systems
So as not to seem to be picking on Microsoft (even though everyone loves picking on Microsoft. They are such easy targets), let's see if we can find some Internet-connected systems running an old and vulnerable version of Linux. Linux kernel version 2.6.0 was first released December 2003 and was last released in 2011 as Linux 2.6.38. This means that if we could find any systems running Linux 2.6.x they would be between 7 and 15 years old. Ancient in computer years (computer years are like dog years, 1 year is equal to 7;-)) Would anyone still be running these systems when the current kernel version is 4.19? Let's find out!
We can find these systems by creating a filter as such;
os: "Linux 2.6"
Shodan reveals that over half million systems are running this obsolete version of Linux!
Finding Vulnerable Glassfish Servers
As one last example of old and obsolete software still being used on online systems, let's look for the Java-based JEE server Glassfish. This software, originally developed by Sun Microsystems and now supported by Oracle, has been known to have numerous Java based vulnerabilities. In fact, Oracle announced in November 2013 that they would discontinue commercial support of this product. This product is now in release 5.0. Do you think companies would have upgraded and secured their applications with newer less vulnerable software? Maybe. Most have, but let's see whether anyone is still running Glassfish 3.1.1, first released July 2011 and has many known vulnerabilities
Let's create a filter looking for those negligent companies running this obsolete and vulnerable software as such;
"Glassfish Server 3.1.1"
As you can see above, over 1300 companies are still running this 7 year old software full of security vulnerabilities. This is the equivalent of negligence by the network/software engineers at these companies!
Shodan is an excellent tool for finding systems connected to web of a variety of types. We can use it to find systems running obsolete and vulnerable software, if we know how to look. Given what we have found here, is it surprising that each day we wake up to an announcement of another security breach?