By Amitay Dan
11.10.2018
Hunting the hunters is fun, but let's start with the background.
In this article I will show how we can detect Shodan and Fofa user-agents, and who has already made progress on this.
Those search engines are dedicated to mapping the Internet of Things and other sensitive devices.
I like them very much, but I think it comes with a price: everything is exposed at once, with no time to fix vulnerabilities. Legally, those scanners' activities are against the ruling made by the Supreme Court of Israel, but let's leave that for now and focus on the technical aspect.
---
What can you do to prevent an IoT search engine from leaking a sensitive database, and from scanning exploited devices such as smart houses?
As we all know, nowadays many houses are connected to the internet, just like critical infrastructure and other devices which have been connected to the internet for many years.
Now it's a race to the internet: even a connected microwave is being provided by Amazon so you can talk to Alexa everywhere.
Unlike Google, which focuses mostly on websites, those search engines are dedicated to cataloging sensitive findings: connected devices, databases and other things which we want to keep from falling into the wrong hands.
Is there any solution? Can we implement something in a PLC or RTU to prevent IoT search engines from detecting and cataloging them?
What should smart house vendors do to protect users from those search engines? Is it even legal to scan the house?
Today I had an interesting finding. I was looking at an error in an IoT search engine called Fofa, and realized something interesting. It was saying:
E\x00\x00\x00\xffj\x04Host '*.*.*.*' is not allowed to connect to this MySQL server
It was very interesting because I had never seen anyone speaking about how to prevent those engines from entering into houses. I did speak about the legal aspect of it, but let's forget about the law and keep digging.
After realizing that this is the Fofa user-agent, I used Google to check if anyone had mentioned this string before: none. Only Google was mapping Fofa activity in the wild.
So I was thinking, let's see what Fofa has done before: how many times did it get blocked while using this string? Well, the numbers were very high, 840696 times.
Query: "E\x00\x00\x00\xffj\x04Host '*.*.*.*'", Total results: 840696, took 4545 ms, mode: normal.
Now I was thinking: what about Shodan? Can we look for Shodan in the wild?
Googling this subject led me to results from a website called "Webmaster World", where back in June 2016 someone shared information about the strange behavior of Shodan.
While reading the post, I gathered user agents which seem to be used by Shodan:
shodanscanprint
shodanscanprint(chr(49).chr(55).chr(73).chr(53).chr(51).chr(48).chr(86).chr(65).chr(117).chr(52))
g3shodanscanprint
Now I had dorks to hunt:
shodanscan'ls -la'
g3shodanscan');ls -la;/*
g3shodanscan'{${print(chr(49).c
While analyzing the findings, I was thinking maybe it's a start: why don't we build a database of IoT search engine user agents, so developers can use it and try to prevent those engines from adding devices and sensitive data?
However, after some searching, I realized that some researchers from academia had already made progress and published research on this subject at the 2017 Ninth International Conference on Ubiquitous and Future Networks (ICUFN 2017).
The article is named "Abnormal Behavior-Based Detection of Shodan and Censys-Like Scanning". The researchers are Seungwoon Lee, Seung-Hun Shin and Byeong-hee Roh, all based in South Korea.
Here is the abstract they wrote:
"Shodan and Censys, also known
as IP Device search engines, build searchable databases of internet devices and
networks. Even these tools are useful for security, those also can provide the
vulnerabilities to malicious users. To prevent the information disclosure of
own IP devices on those search engines, a fundamental solution is blocking the
access from the scanners of them. Therefore, it is needed to understand and
consider their scanning mechanism. Therefore, we propose an abnormal behavior
based scan detection of Shodan and Censys. To do this, several traditional scan
detection approaches are combined and applied to satisfy their specification.
Proposed idea is monitoring packets whether it is abnormal or not and adding on
the suspicious list if it is. This is based on traditional threshold
approaches. To figure out it is abnormal, stateful TCP stateful packet
inspection is used. The response behavior during the connection can be
identified with TCP flag and abnormal behavior can be classified with SYN Scan,
Banner Grabbing, and Combined SYN and Banner Grabbing. Demonstration is
simulated in a Censys-like environment and detected time variation per variance
of distributed detectors and Threshold value is analyzed."
Later, I saw two projects on GitHub focusing on Shodan only, posts about it, and other projects.
The most effective and up-to-date service seems to be the one provided by SANS ISC (Internet Storm Center); it's called the DShield API.
Most of the projects give solutions based on IP lists rather than user agents, or look only at Shodan and Censys, without giving attention to the Chinese-based competitors.
As for Censys, on their website they explain how to prevent them from scanning, yet they won't delete results:
"Can I opt-out of Censys scans?
Censys scans help the scientific
community accurately study the Internet. The data is sometimes used to
detect security problems and to inform operators of vulnerable systems
so that they can be fixed. If you opt-out of the research, you might not
receive these important security notifications.
However, if you wish to opt-out, you can configure your firewall to drop traffic from the subnets we use for the measurements: 141.212.121.0/24
and 141.212.122.0/24. We do not remove results from Censys, but if you
have blocked these subnets, the results will automatically be pruned
out."
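An added example (not from the article or any of the projects it mentions) that applies the signatures collected in this article to web access logs: the "shodanscan" user-agent family from the Webmaster World thread, the injection-shaped probe payloads listed with it, and the two Censys measurement subnets quoted above. The log lines are constructed, and the combined-log-format regex is an assumption about how the server logs requests.

```python
import ipaddress
import re

# Signatures taken from this article: the "shodanscan" user-agent family reported on
# Webmaster World, and the two measurement subnets Censys publishes for opt-out.
UA_MARKERS = {"shodan": ("shodanscan",)}      # also matches shodanscanprint, g3shodanscan...
CENSYS_NETS = [ipaddress.ip_network(n) for n in ("141.212.121.0/24", "141.212.122.0/24")]
# Probe-payload shapes seen in the listed user-agents (shell and PHP injection markers).
PROBE_RE = re.compile(r"ls -la|chr\(\d+\)|\$\{")

# Assumed combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line: str):
    """Return {'ip', 'ua', 'tags'} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ua = m.group("ip"), m.group("ua")
    tags = set()
    for engine, markers in UA_MARKERS.items():
        if any(mk in ua.lower() for mk in markers):
            tags.add("ua:" + engine)
    if PROBE_RE.search(ua):
        tags.add("ua:probe-payload")
    try:
        if any(ipaddress.ip_address(ip) in net for net in CENSYS_NETS):
            tags.add("ip:censys")
    except ValueError:      # client field is not an IP address (e.g. a hostname)
        pass
    return {"ip": ip, "ua": ua, "tags": sorted(tags)}


def scanner_hits(lines):
    """Only the parsed lines that carry at least one scanner tag."""
    return [r for r in map(classify, lines) if r and r["tags"]]


# Constructed sample log (documentation addresses; user-agent strings from the article).
SAMPLE_LOG = [
    '198.51.100.20 - - [11/Oct/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [11/Oct/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "shodanscanprint"',
    '198.51.100.22 - - [11/Oct/2018:10:00:03 +0000] "GET / HTTP/1.1" 404 12 "-" "g3shodanscan\');ls -la;/*"',
    '141.212.121.7 - - [11/Oct/2018:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scanner_hits(SAMPLE_LOG):
        print(hit["ip"], hit["tags"], hit["ua"])
```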
To summarize, I think IoT search engines are something great; they really help security researchers and, basically, safety. Scanning engines' activities might be illegal in some countries, yet they help to detect problems and push vendors toward solutions.
From the vendors' and end users' perspective, they might be unhappy to learn that their house or product is now out there, unprotected and easy to attack.
I know that tools which detect port scanning are nothing new, but focusing on search engine activity, and banning and blocking those engines locally from adding sensitive information into the catalog of things, might help in many cases where a solution is not coming soon and a fix won't be done before the attacker takes advantage.
We should balance the freedom to know everything, the interest of security researchers in getting data about exploited devices, and the right to personal and public safety.
Giving the public the ability to detect the user-agents of Internet of Things search engines is something to start with.
Now, let's hunt the hunters.
Let's hunt Shodan, ZoomEye, Fofa and Censys.
Let's build a database of user agents belonging to IoT search engines.