Today's IoT device search portals are widely known and used by the hacker community, both to run queries and to get a first picture of the services a target exposes during a pentest.
Due to the current lockdown, many organisations had to set up, in a very short time, the infrastructure needed to let their employees telework. Using these search engines, a large number of services enabled for this purpose was quickly detected, most of them RDP. At the beginning of the lockdown there were 29,657. Ten hours later the figure had risen to 29,835, and as of today (when this post was written) there are 34,753.
The main cities where technological activity stands out.
Bear in mind: no to public RDP, yes to VPN.
This means that RDP services that may be vulnerable to BlueKeep (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) are being exposed because the relevant security patches have not been applied.
What Are the Implications of This?
Since the beginning of the lockdown, a high number of phishing campaigns and malicious file attachments using COVID-19 as bait have already been detected. In the end, the same actors are always behind these threats.
To detect peaks like these, or to collect information from these search engines, we should not limit ourselves to one of them; instead we should use as many as we can and compare the resulting data. Some of these search engines are:
- Shodan: https://www.shodan.io/
- Censys: https://censys.io/
- BinaryEdge: https://www.binaryedge.io/. We already talked about it here: https://empresas.blogthinkbig.com/binaryegde-portal-mas-que-un-buscador-de-activos/ (blog post only available in Spanish)
- Onyphe: https://www.onyphe.io/
The Heisenberg Script
As automation is a must, we have collected a couple of scripts for each of these services and unified them into a single one that queries every service, so we can quickly get a first look. I have called this script "Heisenberg"; you can find it on my GitHub.
Below are a few questions and answers to understand the script's features:
- What does it do? It gets the open ports from the Shodan, Censys, BinaryEdge and Onyphe services.
- What is its programming language? Python3.
- What do we need? A free API key for each of these services.
- Can we export the results? Yes, in .xlsx.
Having seen this, let's move on to using the tool. The help is displayed with the -h option:
As you can see, the script expects to receive the IP addresses in a .txt file via the -i parameter and the necessary API keys via the -a parameter.
Regarding the file containing the API keys, below is an example of what it looks like:
An example of its use, as a proof of concept, is shown below:
When the program finishes, the output is obtained:
You also have the option to export the results to Excel, with the ports found by each service:
Given the current lockdown situation, we would like to take further advantage of these services' functionality by adding some extra options, such as an additional column with a summary of the identified ports, or a database connector.
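As an added example (not the Heisenberg script itself), this is the merge step such a tool performs once it has one raw JSON answer per engine for each IP: a column per engine, the per-IP summary column mentioned above, and a check for hosts exposing RDP. The response shapes (Shodan `ports`, Censys `result.services[].port`, BinaryEdge `events[].port`, Onyphe `results[].port`), the sample responses and the openpyxl dependency are assumptions.

```python
"""Added example: merge open-port answers from several search engines per IP."""

# Constructed sample responses (documentation addresses), keyed by engine then IP.
SAMPLE_RESPONSES = {
    "shodan": {"198.51.100.10": {"ports": [3389, 443]}, "203.0.113.5": {"ports": [22]}},
    "censys": {"198.51.100.10": {"result": {"services": [{"port": 443}, {"port": 80}]}}},
    "binaryedge": {"203.0.113.5": {"events": [{"port": 22}, {"port": 8080}]}},
    "onyphe": {"198.51.100.10": {"results": [{"port": 3389}, {"category": "geoloc"}]}},
}

# Port extractors per engine; the JSON shapes are assumptions (see lead-in).
EXTRACTORS = {
    "shodan": lambda d: d.get("ports", []),
    "censys": lambda d: [s["port"] for s in d.get("result", {}).get("services", [])],
    "binaryedge": lambda d: [e["port"] for e in d.get("events", [])],
    "onyphe": lambda d: [r["port"] for r in d.get("results", []) if "port" in r],
}


def merge_ports(per_engine):
    """{engine: {ip: raw_json}} -> {ip: {engine: sorted ports, "summary": union}}.
    Engines disagree and miss hosts, so the summary is the union across all of them."""
    rows = {}
    for engine, hosts in per_engine.items():
        for ip, raw in hosts.items():
            ports = {int(p) for p in EXTRACTORS[engine](raw)}
            row = rows.setdefault(ip, {"summary": []})
            row[engine] = sorted(ports)
            row["summary"] = sorted(set(row["summary"]) | ports)
    return rows


def exposed_rdp(rows):
    """IPs whose merged ports include 3389: the public RDP case the post warns about."""
    return sorted(ip for ip, row in rows.items() if 3389 in row["summary"])


def export_xlsx(rows, path):
    """One row per IP, a column per engine plus the summary column (needs openpyxl)."""
    from openpyxl import Workbook  # assumption: openpyxl is installed
    wb = Workbook()
    ws = wb.active
    ws.append(["ip", *EXTRACTORS, "summary"])
    for ip, row in sorted(rows.items()):
        cells = [",".join(map(str, row.get(e, []))) for e in (*EXTRACTORS, "summary")]
        ws.append([ip, *cells])
    wb.save(path)
```

Calling `export_xlsx(merge_ports(SAMPLE_RESPONSES), "example.xlsx")` writes the table; an engine that returned nothing for a host leaves its cell empty rather than dropping the host.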
We hope you liked it. See you in the next one.