Sunday, 28 May 2017

SHODAN: Hacker's Search Engine (World's Most Dangerous Search Engine)

What is SHODAN?

SHODAN (https://www.shodan.io) is a search engine that lets users (mostly hackers, researchers and security professionals) search for specific types of devices connected to the internet (refrigerators, traffic lights, buildings, control systems for nuclear power plants, gas stations, water plants, power grids, routers, servers, web cams and many other IoT devices). It was developed by John Matherly in 2009. It produces its results by filtering service banners. SHODAN crawls for publicly accessible devices on the internet; currently, without an account SHODAN returns 10 results to the user, and with an account 50 results. By paying a fee you can remove the restriction.

How does SHODAN work?

Just like any other search engine (e.g. Google, Yahoo, Bing), users navigate to the SHODAN home page and enter text or a search query into the search bar to get results. Unlike content search engines, entering specific search queries can return specific and useful results about the configuration and weaknesses of a device.

Using SHODAN:

Basic Operations: Search


·         Quotation marks can narrow a search
·         Boolean operators + and - can be used to include and exclude query terms (+ is the implicit default)

Basic Operations: Login



·         Create a SHODAN account and log in
·         Or, log in using one of the other available options (Google, Twitter, Yahoo, AOL and Facebook accounts)
·         Login is not compulsory, but filters like “country” and “net” are only available after login
·         Exporting results also requires us to be logged in

Basic Operations: Filters

country: filters results by two letter country code


net: The net filter allows us to refine our searches by IP/CIDR notations

os: The OS filter allows us to refine searches by operating system

port: SHODAN can filter search results by port, but currently the database consists mostly of HTTP data, with limited collection for ports 21, 22, 23 and 80 (HTTP). In time they will add more ports/services.

hostname: filters results by specified text in the hostname or domain
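The search syntax above (quoted terms, the - exclusion operator and the country/net/os/port/hostname filters) can be assembled programmatically so that an inventory team only queries its own address space. This is an added example, not code from the original post or from SHODAN; the validation rules (two-letter country code, CIDR via ipaddress, port range) are assumptions made here.

```python
# Added example (not from the original post): build and validate a SHODAN
# query string from the filters the post describes.
import ipaddress
import re

# Filters the post lists; every value is validated before it enters the query.
KNOWN_FILTERS = {"country", "net", "os", "port", "hostname"}


def validate_filter(name: str, value: str) -> str:
    """Return a normalised filter value or raise ValueError."""
    if name not in KNOWN_FILTERS:
        raise ValueError(f"unknown filter: {name}")
    if name == "country":
        if not re.fullmatch(r"[A-Za-z]{2}", value):
            raise ValueError("country must be a two-letter code")
        return value.upper()
    if name == "net":
        # accepts a single IP or IP/CIDR; strict=False tolerates host bits set
        return str(ipaddress.ip_network(value, strict=False))
    if name == "port":
        port = int(value)
        if not 0 < port < 65536:
            raise ValueError("port out of range")
        return str(port)
    if " " in value:
        raise ValueError(f"{name} value must not contain spaces")
    return value


def build_query(terms=(), filters=None, exclude=None) -> str:
    """Assemble a query: free-text terms (multi-word ones quoted), then
    filters. Filters in `exclude` get the '-' (Boolean NOT) prefix."""
    parts = []
    for term in terms:
        parts.append(f'"{term}"' if " " in term else term)
    for name, value in (filters or {}).items():
        parts.append(f"{name}:{validate_filter(name, value)}")
    for name, value in (exclude or {}).items():
        parts.append(f"-{name}:{validate_filter(name, value)}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: audit one's own (documentation) range for IIS banners,
    # leaving out port 443.
    print(build_query(["IIS"], {"net": "192.0.2.0/24", "country": "us"},
                      exclude={"port": "443"}))
```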


Example Output of IIS Server Banner:


·         This suggests that IIS “200 OK” banners that include the Last-Modified line do not require any authentication (at least not initially).
·         ETag (entity tag) is part of HTTP and is one of the mechanisms provided for web cache validation; it allows a client to make conditional requests to the server. Use of ETag is not mandatory, and in some cases remote attackers can obtain sensitive information via the ETag header.

Example Output of Default Password in Banner:


·         This indicates the likelihood of a username and password pop-up box.


·         This does not prove that the device is using the default password, but it does mean that it is a possibility. While no username is listed, a null username or “admin” is always a good guess.
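The two banner readings above (a 200 OK with Last-Modified meaning content is served without authentication, and a 401 with a WWW-Authenticate header meaning a credential prompt) can be applied automatically when triaging banners collected for one's own ranges. This is an added example, not code from the original post; the sample banners are constructed here and the ETag flag only records that the header is present, as a prompt to check what it leaks.

```python
# Added example (not from the original post): triage the HTTP banner fields the
# post discusses so exposed services can be ranked for follow-up.
import re
from typing import Any, Dict


def parse_banner(banner: str) -> Dict[str, Any]:
    """Split a raw HTTP banner into a status code and lower-cased headers."""
    lines = [ln.strip() for ln in banner.strip().splitlines() if ln.strip()]
    parts = lines[0].split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        if ":" in ln:
            key, value = ln.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"status": code, "headers": headers}


def triage(banner: str) -> Dict[str, Any]:
    """Derive the observations the post makes from a single banner."""
    parsed = parse_banner(banner)
    h, status = parsed["headers"], parsed["status"]
    findings = {
        "server": h.get("server", "unknown"),
        # 401 plus WWW-Authenticate: the device will show a credential prompt
        "auth_prompt": status == 401 and "www-authenticate" in h,
        # 200 OK plus Last-Modified: content is served without authentication
        "unauthenticated_content": status == 200 and "last-modified" in h,
        # ETag present: review it, since it may expose file metadata
        "etag_exposed": "etag" in h,
        "auth_realm": None,
    }
    if findings["auth_prompt"]:
        m = re.search(r'realm="([^"]*)"', h["www-authenticate"])
        findings["auth_realm"] = m.group(1) if m else ""
    return findings


# Constructed sample banners (not real captures).
IIS_BANNER = """HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 09 May 2017 10:11:12 GMT
ETag: "1234abcd:0"
Server: Microsoft-IIS/7.5
"""
DEVICE_BANNER = """HTTP/1.0 401 Unauthorized
Server: constructed-device-httpd/1.0
WWW-Authenticate: Basic realm="Device Admin"
"""
```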

Conclusions:


·         SHODAN aggregates a large amount of information that is not otherwise widely available, presents it in an easy-to-understand format, and allows for passive vulnerability analysis.

·         SHODAN is a potential game-changer for security professionals, researchers and hackers. It will help shape the path for future vulnerability assessments and penetration testing.

10 Linux Malware Threats - 2017

1. Jellyfish Graphics Card Malware - 2015:


This threat tops the list of 10 Linux Malware Threats - 2017. A team of anonymous developers has written a malware program capable of infecting graphics cards. Originally they built it for Linux; now it can also hide in Windows PCs, and soon it will be available on OS X. They built it to raise awareness, because nobody had even considered this as a possibility. This graphics card malware is called Jellyfish, and it acts like a Trojan to gain access to the entire computer.

2. "HEUR" Backdoor Java App - 2014:


HEUR:Backdoor.Java.Agent.a is a malicious Java application that infects systems for the purpose of building a DDoS botnet. This Trojan takes advantage of loopholes in your system to invade it without your knowledge or permission. The creators of this Trojan also inject its malicious scripts into junk emails, online games, unprotected websites, unreliable links and so on. Once this Trojan enters a system it causes great damage to the compromised machine. Without your knowledge it randomly edits registry entries and system settings, and it copies itself into auto-start directories. It then establishes a backdoor connection to the attackers and generates a unique identifier for each machine it compromises. Next it connects to an IRC server and joins a channel predefined in the bot. The botnet communicates over IRC and can carry out distributed denial of service (DDoS) attacks using either UDP or HTTP floods.

3. Linux "Mayhem" (ShellShock) Botnet - 2014:


Mayhem was discovered in 2014 and was analysed by researchers from the Russian Internet firm Yandex. It infects systems through a PHP script that attackers upload to servers via website vulnerabilities, compromised site-administration credentials and FTP passwords. A malicious ELF (Executable and Linkable Format) library file is the main component of Mayhem; after installation it downloads other malicious plug-ins and stores them in an encrypted, hidden file system. The PHP script has the malicious Mayhem ELF binaries for 32-bit and 64-bit CPU architectures embedded in it as hexadecimal data and uses LD_PRELOAD to extract and run them on the system. The previous year the researchers estimated that the botnet consisted of around 1,400 servers that connected to two separate C&C servers.

4. Spike Toolkit - 2014:


5. IPtables Botnet – 2014

6. Linux Chapro - 2012

7. Windigo Platform - 2011

8. Wirenet Trojan - 2012

9. Hand of Thief Trojan - 2013

10. Anonymous OS Hoax - 2012


Conclusions:

·         As we all know, Linux implements a multi-user environment in which some form of access control is enforced. To compromise a system fully, malware needs to gain root access so that it can execute all admin-level operations.

·         The threats mentioned in this article, 10 Linux Malware Threats – 2017, are a partial list of known Linux malware.
