Publicly available information serves as a launching pad for attackers' initial efforts to research potential areas of exploitation.
While your organization may be working to reduce vulnerabilities, attackers are often looking for weaknesses in your defenses and personnel that, when combined with other methodologies, can serve as an initial vector of entry or further exploit.
In this video, Trenton Ivey, Secureworks Offensive Researcher, Counter Threat Unit and Adversarial Security Testing, gives a demonstration of how an attacker would utilize Shodan to find publicly accessible services during passive recon.
In the following examples, we'll perform some basic reconnaissance activity against Dell. We'll start by finding an IP address associated with a website we know belongs to Dell, and in this example we use dell.com. You can see that when we resolve IP addresses for this domain name, we get back several results.
We'll copy the first example and perform a whois query to get additional information. We can see that this IP address is assigned to a network range and this network range has been assigned to Dell Inc. We'll copy this network range and we'll use a tool called shodan.io.
Shodan regularly scans the internet for publicly accessible services and archives all of the results, along with fingerprinting on those services, in a searchable format. We will limit our search to addresses and network range belonging to Dell.
We can see that there's a total of 817 services that Shodan is currently aware of. Shodan gives us a list of the most common services in this range including http, https, ssh, and VPN-related services. We can also see operating systems that are available on these ranges and products that might be accessible.
If we are interested in systems with ssh, we can go ahead and click on ssh and it will add a filter to limit our results to services in the Dell range that have ssh available. We can click on any of the IP addresses and it will bring up additional information including host name, when it was last scanned, geographic information if it's available, as well as accessible ports on the system.
So, in this case we can see there is port 22, or ssh, and port 443 and if we look at these services we see Shodan has kept fingerprinting information about these services which can be useful. In this case, we were able to gain a list of services that are accessible in a target network without having to send a single packet to that target network.
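The same view can be turned on your own address space to audit what is exposed. The following is an added example, not part of the video or Secureworks code: it filters already-collected scan records to ranges you own and flags any service that is not on an approved list. The record field names are modelled on Shodan banner data, and the ranges, approved list and sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample records; field names (ip_str, port, product, timestamp) are
# modelled on Shodan banner data. Addresses are RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 443, "product": "nginx", "timestamp": "2024-01-05T10:00:00"},
    {"ip_str": "192.0.2.10", "port": 22, "product": "OpenSSH", "timestamp": "2024-01-05T10:02:00"},
    {"ip_str": "192.0.2.77", "port": 3389, "product": "Remote Desktop Protocol", "timestamp": "2024-01-03T08:00:00"},
    {"ip_str": "192.0.2.80", "port": 80, "product": "Apache httpd", "timestamp": "2024-01-04T09:30:00"},
    {"ip_str": "198.51.100.5", "port": 22, "product": "OpenSSH", "timestamp": "2024-01-02T07:00:00"},  # outside our range
]

OWN_RANGES = ["192.0.2.0/24"]  # assumption: the range whois reports as assigned to you
APPROVED = {("192.0.2.10", 443), ("192.0.2.80", 80)}  # assumption: services meant to be public


def in_ranges(ip, ranges):
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def audit_exposure(records, ranges, approved):
    """Return (per-port service counts, unapproved services) for records in ranges."""
    ours = [r for r in records if in_ranges(r["ip_str"], ranges)]
    by_port = Counter(r["port"] for r in ours)
    findings = sorted(
        (r["ip_str"], r["port"], r.get("product", "unknown"), r["timestamp"])
        for r in ours
        if (r["ip_str"], r["port"]) not in approved
    )
    return by_port, findings


if __name__ == "__main__":
    by_port, findings = audit_exposure(SAMPLE_RECORDS, OWN_RANGES, APPROVED)
    print("Indexed services by port:", dict(by_port))
    for ip, port, product, seen in findings:
        print(f"UNAPPROVED {ip}:{port} ({product}) last indexed {seen}")
```

Each finding is a service that outside parties can already see in a public index, so it is a candidate for firewalling, decommissioning or adding to the approved list with an owner.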