On connecting stuff to the internets..

So  my last blogpost was nearly a year ago.

That’s … kinda bad. I should probably post more often.
Originally I had thought that posting ranty, angry posts was bad form and that instead of just yelling and flinging my arms about on a blog, I should find other ways of getting messages across.

Boy was I wrong :D

Since my last post, I’ve been interviewed by the BBC, the ABC, CNN Money, F5’s DevCentral, asked to write articles for several small publications, and asked to speak at half a dozen conferences because of my findings on shodan. Seriously – after giving essentially the same talk something like 3 times (but adding more meat every time) I had figured that people would get bored of me and shodan. Oops. I was wrong there too. Also, I keep finding shit. Last bit of laugh-then-cry hilarity was finding a pack of GE_CENTRICITY hits. It was an eyebrow raiser for me too.

What’s GE Centricity? its THIS, found like THIS (also, I think this tarnishes the character of agent smith – he was a pretty epic bad guy, and now he’s doing “commercials for good”? Sad.)

I don’t mention this because I think it makes me special or whatnot – I mention it because it’s all a MASSIVE SURPRISE TO ME. Personally I don’t think these findings should be getting this kind of media attention – and I’ve openly scolded two reporters who used my findings to write ‘you should be scared’ articles.

Journalists: If you’re telling your audience that they should be afraid, it makes you a shitty journalist. You should be helping me(read: us, as in the security community) make it a big deal to the people that make these devices that what they’re doing is hurting the safety and privacy of people who buy their stuff – not telling the victims that they should be afraid. Shame on you.

I am not performing crazy reverse engineering, I’m not inventing epic hacks, I haven’t circumvented any impressive security controls (I found some fairly-bonehead level vulns on a bunch of cameras, but that’s about it).. all I’m doing is literally pointing out things that are connected to the internet. Albeit, I did write a bunch of scripts to automate this discovery process..

 

Inception-Squint

 

 

 

 

 

 

 

 

What? Are you saying there’s stuff online that people don’t know about.. .that’s hugely vulnerable? Or that orgs are allowing these massive security failures to go on unchecked?

Yes, actually, that’s exactly what I’m saying. People don’t care unless you hurt their image. They seemingly don’t care even if you hurt their pocketbook substantially. So long as their reputation goes unharmed, literally no fucks are given.

 

Step one is admitting you have a problem – and as a security community if we allow businesses and colleagues to keep doing this stuff, it means what we do is just a dog and pony show – and it makes us all look bad.

That’s all for now – let’s just focus on step one for a while – we have to find a way to make these vendors give fucks.

Finding out how is going to be the challenge.

 

 

BsidesLA Slides/Code

So I whipped a talk recently to give at BSidesLA about how to stack tools voltron-style together and get some pretty gnarly successes. Here are some light talking points to give you an idea of what the subject matter was, but I should let the slides do most of the talking for me (though they may be slightly vague without the video, which isn’t up at the time of this writing.)

  • Use shodan to find things online (ec2, one-off sites, etc) not brought to the attention of IT or InfoSec before going live
  • Enumerate attack surface without actually performing active scans (many shops forbid infosec guys to scan their own environment. Crazy, right? I know!)
  • Use shodan for red teaming (enumerating attack surface quietly, finding “hidden stuff”, all without actually actively scanning)
  • Bolt on the python api, pipe out results, do crazy things
    • Screenshot 50,000 webpages using a threaded script
    • Check for HTTP 200 OK return codes for direct object access vulns
    • Pipe output of Shodan directly into metasploit via an RC script
      • Leverage metasploits powerful auxiliary scanner tools to do enumeration
      • Launch very targeted attacks on huge attack surface with NO PORT SCANS :)
    • whatever else you can think up python can do for you! :D

 

Screenshotter script: PYTHON!

RC Script generator: PYTHON MOAR!

Slides: PDF!

 

LayerOne 2012 | Drinking from the caffeine firehose we know as shodan

Video of my presentation:

(edit: the videos audio doesnt start until 18 seconds in. I’ve edited it, and the video is updating on youtube. This is temporary, please bear with me)


Slide Deck: long-tail-of-the-internet.pdf

Script: shodan-turk.py

Get your creep on

About a week ago, I stumbled across this post in google reader:

Console Cowboys -I always feel like somebodies watching me.

I read it, I was impressed, and it immediately reminded me of previous work I’ve done. In collaboration with @achillean we scanned the whole internet looking for ddwrt routers with a directory traversal vuln, and wrote a script to step through the findings.The result was a map you could use to find routers based on their mac addresses. The vulnerability was information disclosure of the wan mac address, which likely would have been found by the google street view cars, and the skyhook cars during their sweeps, so if you know the wan mac address of a router, you can translate that to a physical location on a map. I thought this would be perfect to apply the same formula to – except in this case it would be difficult to pinpoint where the camera actually existed unless there was some kind of information disclosure in the video stream itself.

Now let me make this abundantly clear: Nothing is getting recorded or saved. The output here are IMG SRC html links to cameras on the internet. Your browser renders those image streams directly from the cameras. Nothing gets saved or written unless you explicitly choose to save something – kind of like watching television – unless you dvr something or god forbid still own a vcr, in the same manner, you have to choose to record things. That onus is on the viewer.

The author of the console-cowboys blogpost wrote a script to do all the proper API calls against shodan to search for the cameras, then another loop to manually test each result found for the path that shows video. If an HTTP 200 OK was returned for the path, the url was saved.

I took that script, and simply added IMG SRC tags to the output, also adding threading during the checks and one or two small performance tweaks – my second python script ever, and I’m already using threads! (I was kind of proud of this :D)

The results looked something like this. Very simple, but effective:

 

Each image there is actually video. The cameras each output mjpg straight to the browser, so firefox and chrome were both happy to render video. The trouble was that I found more than 550 cameras – so loading that html into a browser caused my ram and cpu to spike.. a lot. It also wanted 2 megs a second (MEGS, not megabits..) of bandwidth just to view the cameras. So I used the split command to tear the huge list into 6 parts, each list containing 100 cameras, and one with ~56 or so. I posted it off the main website before having writing the script – there were several pastebins floating around with the camera list already, so adding html tags to that was dead easy.  I had 200-300 cams in one giant html posted maybe 5 days ago. Everyone had a laugh, and one friend even interacted with one of shops. It was all in good fun for about a week.

Last night I had a member of the information security community raise a concern with me. There was a discussion, and in the end I was berated and called names. As such, I’ve taken down the cam streams from my site. However, I’m absolutely happy to post my script that  generated all the cam streams, since its just a updated version of the console-cowboys posting. I encourage you to buy a shodan account like I did, get an API key and have a look at the sort of things people find valuable enough to put on camera. You’d be surprised. Most of it is HORRIFICALLY BORING, but some of the cameras are streaming labs and industrial areas with what appear to be scada devices and other interesting stuff. I’m glad that the girl in the pizza shop had a sense of humor about it, so good on her for that.

I also encourage you to do some research before you buy something like an internet-enabled camera so that you better understand what it is you’re getting yourself into – there’s a chance your camera has not only a ‘known vulnerability’, but a flat out hardcoded backdoor, like these cameras. This is BY DESIGN. Trendnet wrote in a back door.

Anyhow, I was going to use this as material for my LayerOne presentation if my CFP submission got approved but if there are more infosec patrons out there like our generous benefactor here I can expect more headaches the more I talk about this stuff, so I’ll have to think of something else (sorry Noid/Datagram/M).

Now for the meat!

Here’s the script: camcreep.py

You’ll need to install gevent and shodan modules for python. Google can help you with that.

You’ll need a shodan API key: Shodan API key (insert it where it says ‘key =’ .. you’ll see)

I ran this on my mac with 150 threads. It returned about 10,000 results from shodan, and took Just a hair shy of 7 minutes to run.

The script outputs “camlog_new.html”. Thats one giant monolithic file with ALL the cameras. You’ll want to use the linux ‘split’ command to slice it up into various files. I manually added the page links to the bottom of those files since there were only 6 of them.

Also, since I did this all using chrome, I was using “Ultimate Chrome Flag” which is a really neat extension that lets you see some IP GeoData about the site you’re on. If you right click, then open a cam stream in a new tab, you should see the little flag on the right hand side of the URL bar – that will at least tell you what city or major geographic region the camera you’re viewing is in.

Happy Hunting!