The Art of Shodan

Mo2men Elmady
4 min read · Jan 6, 2024

Hello hackers, I’m Mo’men Osama (0xMatrix), a bug hunter.

In this blog I will share with you a cool technique that helps you find CVEs from Shodan.

What is shodan?

Shodan is a search engine for Internet-connected devices. It is different from search engines like Google and Bing: those are great for finding websites, whereas Shodan scans IP addresses for open ports and service banners instead of indexing the content of websites. That lets it list the services a host exposes, show how many hosts are affected by a new CVE, show which countries are becoming more connected, report the SSL certificates websites present, etc.

What is CVE?

CVE stands for Common Vulnerabilities and Exposures. It’s a system that assigns unique identifiers (CVE IDs) to vulnerabilities and security issues in software and hardware. This system helps in tracking and sharing information about vulnerabilities across the cybersecurity community, ensuring a standardized way to communicate and address security concerns.

How does the CVE system work?

When a new threat is detected, it is reported to MITRE. If it’s new, MITRE assigns it a unique CVE Identifier through a CVE Numbering Authority (CNA) and adds it to the database. MITRE collaborates with major vendors like Microsoft or Adobe, which act as CNAs for their own products. The CVE Identifier is unique: it starts with “CVE”, followed by the year and a sequence number. The CVE entry contains essential details about the threat, such as affected products, versions, exploit methods, and code components.

Well let’s start…

1) First CVE (CVE-2017-0143) → MS17-010 SMB RCE Detection

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Steps to Reproduce:

1- First, go to Shodan search and enter the dork → hostname:*.target.com vuln:ms17-010

When you find an IP that Shodan flags as vulnerable to this CVE:

2- Secondly, scan the IP with nmap → nmap -p445 --script smb-vuln-ms17-010 <target-ip>

Verification Steps With Metasploit

The following demonstrates a basic scenario of an unpatched system.

1- msf > use auxiliary/scanner/smb/smb_ms17_010

2- msf auxiliary(smb_ms17_010) > set RHOSTS <target-ip>

3- msf auxiliary(smb_ms17_010) > run

The Impact:

The remote code execution vulnerability in Microsoft Server Message Block 1.0 (SMBv1) allows attackers to execute code on the target server. Exploiting this vulnerability grants unauthorized access, enabling manipulation of files, data exfiltration, propagation within networks, and potential disruption of services. It poses a significant security risk and underscores the importance of promptly applying patches to mitigate potential exploitation.

2) Second CVE (CVE-2014-3566) → POODLE attack exploiting SSL

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

Steps to Reproduce:

1- First, go to Shodan search and enter the dork → hostname:*.target.com vuln:CVE-2014-3566

When you find an IP that Shodan flags as vulnerable to this CVE:

2- Secondly, scan the IP with nmap → nmap -sV --version-light --script ssl-poodle -p 443 <target-ip>

Verification Steps With Metasploit

The following demonstrates a basic scenario of an unpatched system.

msf > use auxiliary/scanner/http/ssl_version
msf auxiliary(ssl_version) > show options
… show and set options …
msf auxiliary(ssl_version) > set RHOSTS ip-range
msf auxiliary(ssl_version) > exploit

The Impact:

The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

3) Third CVE (CVE-2014-0160) → ssl-heartbleed

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Steps to Reproduce:

1- First, go to Shodan search and enter the dork → hostname:*.target.com vuln:CVE-2014-0160

When you find an IP that Shodan flags as vulnerable to this CVE:

2- Secondly, scan the IP with nmap → nmap -p 443 --script ssl-heartbleed <target-ip>

Verification Steps:

Install a vulnerable OpenSSL and start the service

Start msfconsole

Do: use auxiliary/scanner/ssl/openssl_heartbleed

Do: set rhosts [ip]

Do: set action [ACTION]

Do: run

The Impact:

The OpenSSL Heartbleed vulnerability allowed remote attackers to exploit a flaw in the TLS and DTLS heartbeat implementation, triggering a buffer over-read. This enabled unauthorized access to sensitive information, including private keys, from the server’s memory. The bug, widely known as Heartbleed, had a significant impact on internet security, necessitating immediate patching to mitigate risks, followed by password changes and SSL/TLS certificate reissuance.
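All three walkthroughs above follow the same pattern: a Shodan `vuln:` dork scoped to your own hostnames, then an nmap NSE script to confirm the finding before anyone touches Metasploit. The added example below (my code, not the author’s) builds those dorks and triages constructed Shodan search-result JSON for the three CVEs in the post, ranking Shodan’s verified flags above banner-based guesses and pairing each hit with the confirming nmap scan; the sample hosts and hostnames are made up.

```python
import json
from typing import List

# Constructed sample in the shape of Shodan host-search results (fake hosts):
# each match carries ip_str, port, hostnames and a vulns dict keyed by CVE ID.
SAMPLE_RESULTS = json.loads("""
{"total": 3, "matches": [
  {"ip_str": "203.0.113.10", "port": 445, "hostnames": ["fs1.target.com"],
   "vulns": {"CVE-2017-0143": {"verified": true, "cvss": 8.1}}},
  {"ip_str": "203.0.113.20", "port": 443, "hostnames": ["www.target.com"],
   "vulns": {"CVE-2014-3566": {"verified": false, "cvss": 4.3},
             "CVE-2014-0160": {"verified": true, "cvss": 5.0}}},
  {"ip_str": "203.0.113.30", "port": 443, "hostnames": ["api.target.com"],
   "vulns": {}}
]}
""")

# The three CVEs the post walks through, mapped to the nmap NSE script that
# confirms each one on a host you are authorised to assess.
TRACKED = {
    "CVE-2017-0143": "smb-vuln-ms17-010",
    "CVE-2014-3566": "ssl-poodle",
    "CVE-2014-0160": "ssl-heartbleed",
}

def build_dork(domain: str, cve: str) -> str:
    """Shodan query in the form used in the post: hostname filter plus vuln filter."""
    return f"hostname:*.{domain} vuln:{cve}"

def triage(results: dict) -> List[dict]:
    """One record per (host, tracked CVE), each with the nmap check that confirms it."""
    findings = []
    for m in results["matches"]:
        for cve, info in m.get("vulns", {}).items():
            if cve not in TRACKED:
                continue
            findings.append({
                "ip": m["ip_str"], "port": m["port"],
                "hostnames": m.get("hostnames", []),
                "cve": cve, "verified": bool(info.get("verified")),
                "verify_with": f"nmap -p {m['port']} --script {TRACKED[cve]} {m['ip_str']}",
            })
    # Unverified Shodan flags are version-banner guesses; patch-owners should
    # see the verified hits first, then confirm the rest with the nmap script.
    findings.sort(key=lambda f: (not f["verified"], f["ip"]))
    return findings

if __name__ == "__main__":
    for cve in TRACKED:
        print(build_dork("target.com", cve))
    for f in triage(SAMPLE_RESULTS):
        print(f["ip"], f["cve"], "verified" if f["verified"] else "banner-only", "->", f["verify_with"])
```

Note that Shodan’s `vuln:` filter is only available on its higher-tier (paid or academic) accounts, so the free tier will return nothing for these dorks.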

Hope you learned something good from this blog.

Thanks for reading.☺️☺️

My Linkedin : https://www.linkedin.com/in/astro0x00?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app

My Twitter : https://x.com/0x_astroo?t=ftJvCvIYqSOzJBn81YWOww&s=09
