Publicly available information serves as a launching pad for attackers' initial efforts to research potential areas of exploitation.
While your organization may be making efforts to reduce vulnerabilities, attackers are often looking for weaknesses in your defenses and personnel that, when combined with other methodologies, can serve as an initial vector of entry or further exploitation.
In this video, Trenton Ivey, Secureworks Offensive Researcher, Counter Threat Unit and Adversarial Security Testing, gives a demonstration of how an attacker would use Shodan to find publicly accessible services during passive reconnaissance.
In the following examples, we'll perform some basic reconnaissance activity against Dell. We'll start by finding an IP address associated with a website we know belongs to Dell, and in this example we use dell.com. You can see that when we resolve IP addresses for this domain name, we get back several results.
We'll copy the first example and perform a whois query to get additional information. We can see that this IP address is assigned to a network range and this network range has been assigned to Dell Inc. We'll copy this network range and we'll use a tool called shodan.io.
Shodan regularly scans the internet for publicly accessible services and archives all of the results, along with fingerprinting on those services, in a searchable format. We will limit our search to addresses in the network range belonging to Dell.
We can see that there's a total of 817 services that Shodan is currently aware of. Shodan gives us a list of the most common services in this range, including http, https, ssh, and VPN-related services. We can also see operating systems that are available on these ranges and products that might be accessible.
If we are interested in systems with ssh, we can go ahead and click on ssh and it will add a filter to limit our results to services in the Dell range that have ssh available. We can click on any of the IP addresses and it will bring up additional information including hostname, when it was last scanned, geographic information if it's available, as well as accessible ports on the system.
So, in this case we can see there is port 22, or ssh, and port 443, and if we look at these services we see Shodan has kept fingerprinting information about these services, which can be useful. In this case, we were able to gain a list of services that are accessible in a target network without having to send a single packet to that target network.
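The same archived data the demonstration walks through is available to the organization that owns the netblock, and the defensive counterpart to this recon is to pull it for your own ranges and compare it against what you expect to be internet-facing. The script below is an added example, not code from the video or from Secureworks: it takes service records in the shape of the Shodan API's search() "matches" entries (ip_str, port, product, version, hostnames, timestamp), rebuilds the per-port and per-host views the Shodan UI shows, and raises findings where ssh is exposed outside an approved bastion, where an unexpected port is public, or where a banner discloses a version string. The addresses, hostnames, banners and the exposure policy are constructed for the example; the fetch_live() helper shows the live query with the official shodan library and is not run here.

```python
"""Triage Shodan search results for an organization's own netblock.

Added example, not Secureworks code. The match dictionaries mimic the shape of
the Shodan API's search() "matches" entries; the addresses, hostnames and
banners are constructed, as is the exposure policy.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: what a search for net:203.0.113.0/24 might return.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.5", "port": 22, "transport": "tcp", "product": "OpenSSH",
     "version": "8.9p1", "hostnames": ["bastion.example.com"], "timestamp": "2024-01-15T10:00:00"},
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx",
     "hostnames": ["www.example.com"], "timestamp": "2024-01-15T10:05:00"},
    {"ip_str": "203.0.113.10", "port": 80, "transport": "tcp", "product": "nginx",
     "hostnames": ["www.example.com"], "timestamp": "2024-01-15T10:05:00"},
    {"ip_str": "203.0.113.22", "port": 22, "transport": "tcp", "product": "OpenSSH",
     "version": "7.4", "hostnames": [], "timestamp": "2023-11-02T08:30:00"},
    {"ip_str": "203.0.113.40", "port": 3389, "transport": "tcp",
     "product": "Remote Desktop Protocol", "hostnames": [], "timestamp": "2024-01-14T23:10:00"},
    # Outside the netblock: a net: query would not return this, but results merged
    # from other queries might, so triage re-checks scope rather than trusting input.
    {"ip_str": "198.51.100.7", "port": 22, "transport": "tcp", "product": "OpenSSH",
     "hostnames": [], "timestamp": "2024-01-10T01:00:00"},
]

# Exposure policy (constructed): only web ports are expected to be internet-facing,
# and ssh is permitted only on the bastion host.
EXPECTED_PUBLIC_PORTS = {80, 443}
APPROVED_SSH_HOSTS = {"203.0.113.5"}


def classify(match, expected_ports, approved_ssh_hosts):
    """Yield policy findings for one Shodan service record."""
    ip, port = match["ip_str"], match["port"]
    if port == 22:
        if ip not in approved_ssh_hosts:
            yield "ssh exposed on a host that is not an approved bastion"
    elif port not in expected_ports:
        yield f"unexpected public service on port {port}"
    # Shodan keeps the fingerprint; a version string in the banner is the detail
    # the demonstration calls "useful", so treat its disclosure as its own finding.
    if match.get("version"):
        yield f"version disclosed in banner: {match.get('product', '?')} {match['version']}"


def triage(matches, cidr, expected_ports=EXPECTED_PUBLIC_PORTS,
           approved_ssh_hosts=APPROVED_SSH_HOSTS):
    """Summarize one netblock's exposure (port counts, per-host port lists, findings)."""
    net = ipaddress.ip_network(cidr)
    by_port = Counter()
    hosts = defaultdict(set)
    findings = []
    skipped = 0
    for m in matches:
        if ipaddress.ip_address(m["ip_str"]) not in net:
            skipped += 1
            continue
        by_port[m["port"]] += 1
        hosts[m["ip_str"]].add(m["port"])
        for note in classify(m, expected_ports, approved_ssh_hosts):
            findings.append((m["ip_str"], m["port"], note))
    return {
        "in_scope": sum(by_port.values()),
        "skipped": skipped,
        "by_port": by_port,
        "hosts": {ip: sorted(ports) for ip, ports in hosts.items()},
        "findings": findings,
    }


def fetch_live(api_key, cidr):
    """Pull the real result set with the official shodan library (not run here).

    Assumes the `shodan` package (pip install shodan) and a valid API key;
    net: is Shodan's network-range filter. This returns only the first page.
    """
    import shodan
    api = shodan.Shodan(api_key)
    return api.search(f"net:{cidr}")["matches"]


if __name__ == "__main__":
    report = triage(SAMPLE_MATCHES, "203.0.113.0/24")
    print(f"{report['in_scope']} services in scope, {report['skipped']} out of scope")
    for port, count in report["by_port"].most_common():
        print(f"  port {port}: {count}")
    for ip, port, note in report["findings"]:
        print(f"FINDING {ip}:{port} {note}")
```

Run as a scheduled job against each of your own ranges, diffing the findings list between runs: a new port or a new version string appearing in Shodan is exactly what the attacker in the demonstration sees, and it shows up here without your having to scan the range yourself.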