Insights For Success

Strategy, Innovation, Leadership and Security


Top 10 Free OSINT Resources for Budding SOC Analysts

General | Edward Kiledjian

Learn about the top 10 free OSINT resources for junior SOC analysts. Discover tools for threat detection, incident investigation, and cybersecurity analysis to enhance your organization's defense capabilities.


In the digital age, organizations across the globe are increasingly concerned with the security of their networks and data. Among the critical aspects of modern cybersecurity is Open Source Intelligence (OSINT), which entails collecting information from publicly available sources for use in a security context. A proper OSINT tool can assist in the detection of potential threats, the investigation of incidents, and the improvement of overall security posture. Below are the top 10 free OSINT resources ideal for junior Security Operations Center (SOC) analysts.

  1. Shodan (https://www.shodan.io/): Shodan is a search engine for internet-connected devices, which can be used to find information about servers, routers, webcams, and more.

  2. VirusTotal (https://www.virustotal.com/): VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other malicious content detected by antivirus engines and website scanners.

  3. Have I Been Pwned (https://haveibeenpwned.com/): This site allows you to check if an email address has been compromised in a data breach.

  4. Censys (https://censys.io/): Censys is a platform that helps information security practitioners discover, monitor, and analyze devices accessible on the internet.

  5. Google Dorks (https://www.exploit-db.com/google-hacking-database): A collection of Google search queries to identify vulnerabilities, find servers, and discover sensitive data.

  6. OSINT Framework (https://osintframework.com/): This tool is a collection of OSINT resources, categorized and sorted for easy navigation, covering a variety of information types and sources.

  7. PublicWWW (https://publicwww.com/): PublicWWW allows you to search the source code of millions of websites, which can help identify sites with similar code, structure, or elements.

  8. AlienVault OTX (https://otx.alienvault.com/): AlienVault OTX (Open Threat Exchange) is a crowd-sourced threat intelligence platform where security professionals and enthusiasts can share, research, and collaborate on emerging threats.

  9. Whois Lookup (https://whois.domaintools.com/): Whois Lookup provides a way to determine who owns a particular domain name, including information such as the owner's name, contact details, and when the domain was registered.

  10. Intelx.io (https://intelx.io/): Intelx.io is a cybersecurity search engine and data archive, providing access to various datasets, including the dark web, domain registrants, and more.

To conclude, these top-tier OSINT resources provide a powerful gateway to detecting and investigating cyber threats and to proactive cyber defence. Since they are free of charge, they are an excellent opportunity for budding SOC analysts to hone their skills and expand their arsenal of security tools. A proactive approach to cybersecurity is necessary in the current digital landscape, and these resources are an integral part of that strategy. Knowledge is power; mastering these tools will enable you to stay ahead of the ever-evolving threat landscape, granting your organization a crucial edge in security.

Keywords: #CyberSecurity #OSINT #SOC #SecurityAnalysis #ThreatDetection #IncidentResponse #DataBreach #VirusTotal #Shodan #HaveIBeenPwned #Censys #GoogleDorks #OSINTFramework #PublicWWW #AlienVaultOTX #WhoisLookup #Intelxio #ThreatIntelligence #InternetSafety #CyberDefence #InfoSec #DigitalSecurity #CyberThreats #OpenSourceIntelligence #DataSecurity #NetworkSecurity #IoTSecurity #MalwareDetection #DomainLookup #CyberRisk

CyberSecurity OSINT - Shodan searches for webcams

General | Edward Kiledjian

Everyone on the internet knows what a search engine is. It allows you to find internet-connected resources (web pages) quickly and easily without having to catalogue the web yourself. Shodan.io is a search engine used by researchers and hackers to find Internet of Things devices connected to the internet (printers, webcams, industrial systems, Windows XP machines, etc.).

The purpose of this article is to provide some hyperlinked examples to help the Open Source Intelligence student play with Shodan and make it immediately useful.

This article will provide some examples of how to find webcams connected to the internet.

While you will find thousands that are unprotected (no username or password required), others will be protected but still have the default password enabled. Where can you find webcam default passwords? Just search the net, but here is one called iSpy to get you started.

Many of these searches will require a free Shodan account so make sure you create one.

I am providing this information for educational purposes only. Don’t do anything illegal.

html:"DVR_H264 ActiveX" - Security Digital Video Recorders

title:camera - A quick search that lists anything with the word camera in its page title


webcam has_screenshot:true - Lists any device that self-identifies as a webcam and for which Shodan has captured a screenshot

Server: IP Webcam Server "200 OK" - Android IP Webcam server

server: webcamXP - Looks for a very popular Windows webcam server software


title:"blue iris remote view" - Webcams using the Blue Iris webcam management software


product:"Yawcam webcam viewer httpd" - Yawcam (Yet Another Webcam) is free webcam publishing server software


title:"IPCam Client" - Devices using the IPCam software


title:"+tm01+" - Loads of unsecured Linksys webcams


Others

I will be posting more articles about other interesting Shodan searches, but here are a couple of extras to whet your appetite.

"230 login successful" port:"21" - Find FTP servers that accept logins without credentials (anonymous FTP)


Fun with Shodan and IOT

Edward Kiledjian


Search engines have become a favourite starting point for threat actors, so it should also be your starting point. Beyond Google, there are a bunch of specialized search engines that are powerful and scary. This article talks a bit about Shodan. Think of this article as a gentle introduction.

What is Shodan?

Shodan is often called the world's most dangerous search engine. Shodan catalogues metadata about its targets, and those targets are often Internet of Things (IoT) devices. Hackers and security researchers use Shodan daily to find vulnerable webcams, open traffic light systems, SCADA systems in manufacturing plants and much more.

I'm going to assume you have a free Shodan account.

Browse the categories

If you visit the Shodan Explore section, you can find all kinds of interesting systems listed.

Unprotected webcam

For this example, I searched for the Axis 212 webcam, which is known to have many vulnerabilities and a known default password.

As an example, the webcam I highlighted seems to be in a daycare facility and isn't even password protected.

I've blurred out the children and teacher.

Some are unprotected. Some have kept their default passwords (there are lots of default password lists like this one). Many of these cameras are made by a handful of manufacturers in China and are never updated, so once you find a vulnerability in one model it often works on dozens of others.

Routers

You can search Shodan for common router brands like Belkin, D-Link, Netgear, etc., and then try to log in using the default admin passwords. Above is an example of a Linksys router exposed to the internet without a password. Others are exposed with the default password.

Intel AMT Exposed to the internet

There is a major Intel AMT vulnerability, yet Shodan showed 4,647 devices with AMT exposed to the internet (as of July 22).

If you search for "http intel active management" in Shodan, you will get a listing of these devices.

Other searches you can perform

Netgear device with port 80 open to the internet

Bitcoin servers

You can even use the Shodan ShipTracker dashboard to track real-time ship

ShipTracker is harmless on its own, but combined with data available from other sources and the knowledge that many ship systems use default passwords, it is a disaster waiting to happen.

There is a known vulnerability that allows a threat actor to steal or modify information from a Memcached server. This vulnerability was used to target GitHub with a massive DDoS attack. Not all Memcached servers are vulnerable (I won't show you how to find the vulnerable ones), but how would you search for Memcached servers on the net? The answer is with a Shodan query.


Conclusion

Obviously, this is just the tip of the iceberg. A true threat intel specialist will be able to automate Shodan queries and then combine them with known vulnerabilities, exploits or default credentials. I am hoping this article created a bit of interest in you to learn more. 
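The automation the conclusion describes is most useful from the defender's side: run the same banner checks this article searches for, but only against your own address space, and turn hits into remediation tickets. This is an added example, not code from the article or from Shodan; it assumes the field layout of Shodan's host-search "matches" records (ip_str, port, data, http.title) and works on constructed records with RFC 5737 documentation addresses, so it runs offline.

```python
import ipaddress
import re

# Banner patterns drawn from the searches in this article, mapped to the
# exposure class a defender would want remediated on their own hosts.
SIGNATURES = [
    ("anonymous-ftp", re.compile(r"^230 login successful", re.I | re.M)),
    ("intel-amt", re.compile(r"intel\(r\) active management", re.I)),
    ("webcam-server", re.compile(
        r"IP Webcam Server|webcamXP|Yawcam|Blue Iris|DVR_H264 ActiveX|IPCam Client", re.I)),
]

def classify(match):
    """Return the exposure class for one result record, or None if nothing matches."""
    text = match.get("data", "") + "\n" + match.get("http", {}).get("title", "")
    for label, pattern in SIGNATURES:
        if pattern.search(text):
            return label
    return None

def triage(matches, owned_netblocks):
    """Tag results inside our own netblocks; third-party hosts are dropped, never touched."""
    nets = [ipaddress.ip_network(n) for n in owned_netblocks]
    findings = []
    for m in matches:
        if not any(ipaddress.ip_address(m["ip_str"]) in n for n in nets):
            continue
        label = classify(m)
        if label:
            findings.append((m["ip_str"], m["port"], label))
    return sorted(findings)

# Constructed sample records in the shape of Shodan host-search "matches"
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 21,
     "data": "220 (vsFTPd 3.0.3)\r\n230 Login successful.\r\n", "http": {}},
    {"ip_str": "192.0.2.20", "port": 8080,
     "data": "HTTP/1.1 200 OK\r\nServer: IP Webcam Server\r\n", "http": {"title": "IP Webcam"}},
    {"ip_str": "192.0.2.30", "port": 16992,
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: Intel(R) Active Management Technology\r\n",
     "http": {}},
    {"ip_str": "192.0.2.40", "port": 443,
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n", "http": {"title": "Corporate portal"}},
    {"ip_str": "198.51.100.5", "port": 21,
     "data": "230 Login successful.\r\n", "http": {}},  # outside our netblock: ignored
]

if __name__ == "__main__":
    for ip, port, label in triage(SAMPLE_MATCHES, ["192.0.2.0/24"]):
        print(f"{ip}:{port}  {label}")
```

In practice the records would come from a scheduled Shodan API query scoped to your organisation's netblocks, and the findings would be diffed against the previous run so only new exposures raise an alert.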

For this article, I only chose examples that were exposed to the internet and were not password protected. Be careful as laws differ around the world. In some countries even testing default passwords could be considered "hacking".