The use of the Shodan search engine: it can be used for protection, as you will read below, but it is also abused by state actors in order to compromise.
See the CISA alert at https://us-cert.cisa.gov/ncas/alerts/aa20-258a (AA20-258A, 14 September 2020), from which I quote:
Pre-attack analysis:
Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.
Random example:
https://www.shodan.io/host/173.249.31.85 - Shodan shows that the host serves a default nginx page over plain http at -http://173.249.31.85/ (that is, over an unencrypted connection) and that the server banner reads nginx version = 1.10.3 (attackers have other ways of establishing that this is indeed the version in use there).
NGINX has an unusual versioning scheme: even-numbered minor releases (i.e. 1.10, 1.8, 1.6) are the stable branch, and odd-numbered minor releases (i.e. 1.11, 1.9, 1.7) are mainline. Security fixes normally get patched into the stable branch quickly, but only while that branch is still maintained: by the time of the CISA alert the stable branch was 1.18, so a server still advertising 1.10.3 (the last release of the 1.10 branch, from early 2017) is several years behind.
We will not go into all such particulars as this is outside the scope of this thread.
The security researcher works the other way round from how the attacker and the state actor operate: starting from the exposed service and working back to what should be fixed.
The same unconfigured default server page is returned by the host's reverse DNS name, -http://vmi213334.contaboserver.net
All we get there is a console status alert (as the site is not configured):
Failed to load resource: the server responded with a status of 404 (Not Found)
From the https page the browser console shows the following. Note that this is a content script injected by a browser extension (the [VULNERS] log tags and the v_browser.runtime.sendMessage calls identify it as the Vulners web scanner extension), not code served by the host itself:
Script
  isChrome: true
  throttled: (fn, timeout) => {…}
  v_browser: {loadTimes: ƒ, csi: ƒ, …}
Window
Global
and
// Extension content script: fetch the regex rule set from the extension's
// background page, match every rule against the page HTML, and report the
// (alias, version) hits back. Capture group 1 of each rule is the version.
console.log('[VULNERS] Init');
v_browser.runtime.sendMessage({ action: 'get_regexp' }, (rules) => {
    console.log('[VULNERS] Rules', rules);
    let html = document.documentElement.innerHTML;
    let matches = [];
    for (let rule of rules) {
        try {
            let match = html.match(new RegExp(rule.regex));
            if (match) {
                console.warn('[VULNERS] Match', rule.alias, match[0], match[1]);
                matches.push({ url: document.location.host, rule, version: match[1] });
            }
        } catch (e) {
            console.warn('[VULNERS]', e);   // a malformed rule regex only skips that rule
        }
    }
    matches.length && v_browser.runtime.sendMessage({ action: 'match', matches: matches });
});

// Hook XMLHttpRequest.prototype.open so that every AJAX response the page
// receives is logged to the console as well.
var origOpen = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function () {
    console.log('request started!');
    this.addEventListener('load', function () {
        console.log('request completed!');
        console.log(this.readyState);    // will always be 4 (request completed)
        console.log(this.responseText);  // whatever the response was
    });
    origOpen.apply(this, arguments);
};
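As an added example, serving both the nginx versioning note above and the regex rule matcher just shown (this is neither the extension's script nor the post author's code): a stand-alone matcher run over a constructed HTTP response, combined with the even/odd branch rule and a comparison against a reference stable release. The rule set, the sample headers and HTML, and the reference version 1.18.0 are assumptions made for this example.

```javascript
// Added example (not the extension's or the post author's code): a stand-alone
// version of the regex-rule matcher, run over constructed headers and HTML,
// plus the nginx branch/age check described in the post. The rule set,
// reference version and sample responses are all constructed here.

// Constructed rules in the same shape the extension's content script consumes
// (alias + regex with the version string in capture group 1).
const RULES = [
  { alias: "nginx", regex: "nginx/(\\d+\\.\\d+\\.\\d+)" },
  { alias: "jquery-migrate", regex: "jquery-migrate(?:\\.min)?\\.js\\?ver=(\\d+\\.\\d+\\.\\d+)" },
  { alias: "underscore", regex: "underscore(?:\\.min)?\\.js\\?ver=(\\d+\\.\\d+\\.\\d+)" },
];

// Match every rule against a body of text, the way the extension matches
// document.documentElement.innerHTML. Returns one entry per hit.
function matchRules(text, rules = RULES) {
  const matches = [];
  for (const rule of rules) {
    let m;
    try {
      m = text.match(new RegExp(rule.regex));
    } catch (e) {
      continue; // a bad regex in the rule set must not abort the whole scan
    }
    if (m) matches.push({ alias: rule.alias, version: m[1], evidence: m[0] });
  }
  return matches;
}

// nginx branch rule from the post: even minor = stable, odd minor = mainline.
function nginxBranch(version) {
  const minor = parseInt(version.split(".")[1], 10);
  return minor % 2 === 0 ? "stable" : "mainline";
}

// Numeric comparison of dotted versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Classify an observed nginx banner against a reference stable release.
// REFERENCE_STABLE is an assumption for this example: nginx 1.18.0 was the
// current stable release when the CISA alert was published (September 2020).
const REFERENCE_STABLE = "1.18.0";
function assessNginx(version, referenceStable = REFERENCE_STABLE) {
  return {
    version,
    branch: nginxBranch(version),
    behindStable: compareVersions(version, referenceStable) < 0,
  };
}

// Constructed sample: a Server header plus a default-style page body, similar
// in shape to what the host in the post returned over plain http.
const SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\nContent-Type: text/html\r\n";
const SAMPLE_HTML = `<html><head><title>Welcome to nginx!</title>
<script src="/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1"></script>
<script src="/wp-includes/js/underscore.min.js?ver=1.8.3"></script>
</head><body><p>Thank you for using nginx.</p></body></html>`;

// Run the rules over the constructed response and assess the nginx hit.
function scanSample() {
  const hits = matchRules(SAMPLE_HEADERS + SAMPLE_HTML);
  const nginx = hits.find((h) => h.alias === "nginx");
  return { hits, nginx: nginx ? assessNginx(nginx.version) : null };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanSample(), null, 2));
}
```

The point of the branch/age check is that a banner alone does not prove a vulnerability (distributions backport fixes without bumping the version), but a banner from a branch that is no longer maintained is what makes a host attractive to the opportunistic Shodan-driven attacks the CISA alert describes.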
The default page links to both nginx.org and nginx.com, so we follow the latter.
A DOM-XSS scan of the (downgraded) http link gives one http result and several https wp-includes files. The numbers below count candidate sources and sinks in the loaded scripts; they are not confirmed vulnerabilities, which would require a source to reach a sink without sanitisation:
Results from scanning URL: -http://nginx.com
Number of sources found: 10
Number of sinks found: 236
Results from scanning URL: -https://www.nginx.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 0
Number of sinks found: 3
Results from scanning URL: -https://www.nginx.com/wp-includes/js/underscore.min.js?ver=1.8.3
Number of sources found: 3
Number of sinks found: 1
Results from scanning URL: -https://www.nginx.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 35
Number of sinks found: 29
Results from scanning URL: -https://www.nginx.com/wp-content/themes/nginx-new/js/popper.min.js?ver=1.0
Number of sources found: 41
Number of sinks found: 17
Results from scanning URL: -https://www.nginx.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 162
Number of sinks found: 34 (with all sorts of mail domains)
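To make concrete what the scan output above is counting, here is an added example (not the scanner's own code and not the post author's): a minimal static source/sink finder run over a constructed vulnerable snippet and its safe rewrite. The source and sink name lists and both sample scripts are constructed for this example, and unlike a real DOM-XSS scanner it counts occurrences only and does not track data flow.

```javascript
// Added example (not the scanner's or the post author's code): a minimal static
// source/sink finder showing what "sources" and "sinks" counts are. The name
// lists and sample scripts are constructed for this example; a real DOM-XSS
// scanner also tracks data flow from a source to a sink, which this does not.

// Attacker-influenced inputs a page may read (sources)...
const DOM_SOURCES = [
  "location.hash", "location.search", "location.href", "document.URL",
  "document.referrer", "window.name", "document.cookie",
];
// ...and APIs that interpret a string as HTML or code (sinks).
const DOM_SINKS = [
  ".innerHTML", ".outerHTML", "document.write", "document.writeln",
  "eval(", "setTimeout(", "setInterval(", "insertAdjacentHTML", "new Function(",
  "$(", ".html(", ".append(",
];

// Escape a name so it can be used as a literal inside a RegExp.
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Count occurrences of every source and sink name in a script body. Returns
// per-name counts plus totals in the shape the scanner output above reports.
function scanDomXss(js) {
  const count = (names) => {
    const found = {};
    for (const n of names) {
      const hits = (js.match(new RegExp(esc(n), "g")) || []).length;
      if (hits) found[n] = hits;
    }
    return found;
  };
  const sources = count(DOM_SOURCES), sinks = count(DOM_SINKS);
  const total = (o) => Object.values(o).reduce((a, b) => a + b, 0);
  return { sources, sinks, numSources: total(sources), numSinks: total(sinks) };
}

// Constructed vulnerable snippet: the URL fragment flows straight into
// innerHTML, so a link ending in #<img src=x onerror=...> executes in the page.
const VULNERABLE_JS = `
  var name = decodeURIComponent(location.hash.slice(1));
  document.getElementById("greet").innerHTML = "Hello " + name;
`;

// The same feature written safely: the source is still read, but it reaches
// the DOM as text via textContent, so it is never parsed as HTML.
const SAFE_JS = `
  var name = decodeURIComponent(location.hash.slice(1));
  document.getElementById("greet").textContent = "Hello " + name;
`;
```

Both snippets read the same source, which is why a source count by itself says little; the finding only becomes a vulnerability in the first snippet, where the value lands in an HTML sink.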
Retirable and vulnerable code (retire.js scan of the scripts found above):
https://retire.insecurity.today/#!/scan/fb3f45383d54a145eb02ed341cb0cf282502c84c6679c277c4c7a372181e180b
Coming full circle: as we started with a Shodan IP lookup, we now run a Rebex SSH scan against that same IP, which also delivers interesting information about the host, including some weak algorithms:
https://sshcheck.com/server/173.249.31.85
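An added example (not sshcheck.com's code and not the post author's) of what such an SSH check does with the data it gets: the server announces its supported key exchange, host key, cipher and MAC algorithms as comma-separated name-lists in SSH_MSG_KEXINIT, and the checker flags the weak ones. The two server proposals below are constructed for this example and are not the scanned host's actual KEXINIT; the weak-algorithm lists are a practical starting point, not a complete policy.

```javascript
// Added example (not sshcheck.com's or the post author's code): classify the
// algorithm name-lists an SSH server advertises in its KEXINIT. Both server
// proposals below are constructed for this example, not the scanned host's.

// Algorithms widely regarded as weak or legacy (assumption: a practical
// starting point for a policy, not an exhaustive list).
const WEAK_KEX = new Set([
  "diffie-hellman-group1-sha1",          // 1024-bit group and SHA-1
  "diffie-hellman-group14-sha1",         // SHA-1
  "diffie-hellman-group-exchange-sha1",  // SHA-1
]);
const WEAK_CIPHERS = new Set([
  "arcfour", "arcfour128", "arcfour256",            // RC4
  "3des-cbc", "blowfish-cbc", "cast128-cbc",        // 64-bit block CBC
  "aes128-cbc", "aes192-cbc", "aes256-cbc",         // CBC mode
]);
const WEAK_MACS = new Set([
  "hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "umac-64@openssh.com",
]);
const WEAK_HOSTKEYS = new Set([
  "ssh-dss",   // DSA, 1024-bit keys
  "ssh-rsa",   // RSA with SHA-1 signatures (rsa-sha2-256/512 are fine)
]);

// Parse the comma-separated name-lists as they appear on the wire (RFC 4253)
// and return the weak entries per category plus a total.
function auditKexinit(kexinit) {
  const split = (s) => (s ? s.split(",").map((x) => x.trim()).filter(Boolean) : []);
  const weakOf = (names, weak) => split(names).filter((n) => weak.has(n));
  const findings = {
    kex: weakOf(kexinit.kex, WEAK_KEX),
    hostKeys: weakOf(kexinit.hostKeys, WEAK_HOSTKEYS),
    ciphers: weakOf(kexinit.ciphers, WEAK_CIPHERS),
    macs: weakOf(kexinit.macs, WEAK_MACS),
  };
  const total = Object.values(findings).reduce((a, b) => a + b.length, 0);
  return { ...findings, total };
}

// Constructed proposal of a server that still offers legacy algorithms...
const LEGACY_SERVER = {
  kex: "curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
  hostKeys: "ssh-rsa,rsa-sha2-512,ssh-dss",
  ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-cbc,3des-cbc",
  macs: "hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-md5",
};
// ...and the hardened proposal one would want to see instead.
const HARDENED_SERVER = {
  kex: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256",
  hostKeys: "ssh-ed25519,rsa-sha2-512",
  ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com",
  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
};
```

The same name-lists can be read off a real host with `ssh -vv` (the "peer server KEXINIT proposal" lines) or `nmap --script ssh2-enum-algos`, and fed to auditKexinit unchanged.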
One should pay security-intelligence attention to keeping the website and the (web)server infrastructure behind it as secure as possible. Let us all live up to what the Avast mission is about: keeping everyone as secure as can be.
polonus (volunteer 3rd party cold reconnaissance website security analyst & website error-hunter)