Threat Analysis

Welcome to an exciting journey into the world of cyber threat analysis! In this project, I delve into the intricate web of websites to uncover vulnerabilities that lie beneath the surface. Wielding Open Source Intelligence (OSINT) tools as my arsenal, I extracted a wealth of data that became the cornerstone of my analysis. Along the way, I not only identified potential threats but also put automation to work.

What is Shodan?

Shodan is a search engine that scans the internet for connected devices all around the world and provides a centralized location for the publicly available information about them. Connected devices range from routers and servers to:

  • Home security cameras

  • IoT (Internet of Things) such as home devices, intelligent refrigerators and smart door locks

  • Medical devices such as internet-connected heart monitors

  • Complex industrial IoT devices (which can include technology for supply chain and logistics processes, remote asset tracking, drone-based delivery and transportation devices)

How does Shodan work?

Shodan searches the internet using a crawler (please see the linked Authenticat8 article for how this crawler works). The crawler regularly scans and updates the Shodan database with the latest information it finds (the crawlers run daily, collecting data from countries around the world). If a device is directly connected to the Internet, Shodan can gather all sorts of valuable data about it.

The data is taken from the device's banners. Banners contain metadata about the services running on the device, its operating system and its open ports. Banner grabbing is the process of collecting this information from a port scan.

Banner Examples

HTTP/1.0 200 OK
Date: Tue, 16 Feb 2010 10:03:04 GMT
Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.1.2 mod_gzip/1.3.19.1a mod_ssl/2.8.9 OpenSSL/0.9.6g
Last-Modified: Wed, 01 Jul 1998 08:51:04 GMT
ETag: "135074-61-3599f878"
Accept-Ranges: bytes
Content-Length: 97
Content-Type: text/html

FTP banner, from Shodan.io

HTTP banner, from Shodan.io

In the banner above, we can see that the device is running an Apache web server, along with its specific version (1.3.26). This can give further clues about vulnerabilities that may be exposed, as well as ways to find default login credentials and passwords for the device and/or ways to access administrator consoles.
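As an added example (not code from this write-up), here is a small Python parser for the HTTP banner shown above: it splits the headers, turns the Server line into a product/version inventory, and flags components below a minimum version the caller supplies. The banner text is copied from the page; any minimum-version table passed to it is the caller's own policy, not a recommendation from this post.

```python
import re

# The HTTP banner shown on this page (constructed copy, headers re-split onto lines).
SAMPLE_BANNER = """HTTP/1.0 200 OK
Date: Tue, 16 Feb 2010 10:03:04 GMT
Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.1.2 mod_gzip/1.3.19.1a mod_ssl/2.8.9 OpenSSL/0.9.6g
Last-Modified: Wed, 01 Jul 1998 08:51:04 GMT
ETag: "135074-61-3599f878"
Accept-Ranges: bytes
Content-Length: 97
Content-Type: text/html
"""

# product/version tokens such as "Apache/1.3.26" or "mod_gzip/1.3.19.1a"
_PRODUCT = re.compile(r"([A-Za-z][\w.-]*)/([\w.-]+)")


def parse_headers(banner: str) -> dict:
    """Split a raw HTTP banner into its status line and a lower-cased header dict."""
    lines = [ln for ln in banner.splitlines() if ln.strip()]
    status, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def software_inventory(banner: str) -> dict:
    """Return {product: version} for every component advertised in the Server header."""
    server = parse_headers(banner)["headers"].get("server", "")
    return {name: ver for name, ver in _PRODUCT.findall(server)}


def _vtuple(version: str) -> tuple:
    """Turn '1.3.19.1a' into a comparable tuple of ints (letter suffixes dropped)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def outdated(inventory: dict, minimums: dict) -> list:
    """Names of components whose advertised version is below the caller's minimum."""
    return sorted(p for p, v in inventory.items()
                  if p in minimums and _vtuple(v) < _vtuple(minimums[p]))
```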

Other types of information that you might see in a banner could be:

  • Data about the service

  • Its IP address

  • Port numbers that are in use

  • The organization that the device belongs to

  • The location / country where the device lives

Connecting to Shodan API Client

Connecting to Shodan was fairly simple. I already had my environment set up with Kali Linux on VMware. The process took only a few steps.

My first step: Creating a Shodan account by registering on their website and activating my account through an email link.

My second step: Accessing the generated API key on my Account page, which is automatically generated for me.

My third step: Installing Shodan through the command-line interface (CLI). It is distributed as a Python library, so Python already needs to be installed on the Linux system for the installation to work.

$ pip install -U --user shodan

Confirming the installation on the device:

$ shodan

Initializing the Shodan CLI with the API key generated earlier:

$ shodan init MYAPI_KEY

After following these steps, I was able to run curl commands to perform searches through Shodan's API.

Performing Vulnerability Scanning with Shodan on Multiple Websites

With Shodan now connected on the virtual machine, I was able to begin scanning websites by their host IPs to find CVEs.

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a glossary that identifies and classifies publicly known vulnerabilities. Each listed vulnerability is then evaluated with the Common Vulnerability Scoring System (CVSS) to rate its threat level.

In this project, Shodan found multiple CVEs as I scanned different host IPs. I was then able to look up the CVEs it reported in the National Vulnerability Database.

Results

Website / URL: cloud-outline.com

IP Address: 167.235.17.176

CVE Count: 16

"CVE-2022-22721","CVE-2022-22719","CVE-2023-27522","CVE-2022-36760","CVE-2022-23943","CVE-2022-37436","CVE-2022-26377","CVE-2022-22720","CVE-2022-29404","CVE-2023-25690","CVE-2006-20001","CVE-2022-30556","CVE-2022-31813","CVE-2022-28614","CVE-2022-28330","CVE-2022-28615"


Vulnerability Result

Host: cloud-outline.com

CVE: CVE-2022-26377

Risk Level: 5.0-7.5

Analysis:

The Apache HTTP Server version 2.4.53 and earlier versions are vulnerable to 'HTTP Request Smuggling' due to inconsistent interpretation of HTTP requests in mod_proxy_ajp. This vulnerability allows attackers to smuggle requests to the AJP server.

Website / URL: stacyspizzeria.com

IP Address: 208.109.41.246

CVE Count: 30

"CVE-2014-2532","CVE-2016-10009","CVE-2015-5352","CVE-2015-5600","CVE-2021-36368","CVE-2015-6563","CVE-2018-15473","CVE-2019-6110","CVE-2016-1908","CVE-2011-5000","CVE-2016-0777","CVE-2019-6109","CVE-2023-28531","CVE-2010-5107","CVE-2015-6564","CVE-2018-20685","CVE-2016-10010","CVE-2020-15778","CVE-2019-6111","CVE-2010-4478","CVE-2016-10011","CVE-2012-0814","CVE-2014-1692","CVE-2016-10708","CVE-2014-2653","CVE-2010-4755","CVE-2016-20012","CVE-2017-15906","CVE-2011-4327","CVE-2016-10012"



Vulnerability Result

Host: stacyspizzeria.com

CVE: CVE-2014-2532

Risk Level: 4.9-5.8

Analysis:

OpenSSH versions before 6.6 have a vulnerability where wildcards on AcceptEnv lines in sshd_config are not properly supported. This can be exploited by remote attackers to bypass intended environment restrictions by using a substring before a wildcard character.

Website / URL: stacyshaverford.com

IP Address: 52.206.236.149

CVE Count: 6

"CVE-2022-31628","CVE-2022-37454","CVE-2021-21703","CVE-2021-21707","CVE-2021-21706","CVE-2022-31629"



Vulnerability Result

Host: stacyshaverford.com

CVE: CVE-2021-21703

Risk Level: 6.9-7.0

Analysis:

Vulnerable versions of PHP (7.3.x up to 7.3.31, 7.4.x up to 7.4.25, and 8.0.x up to 8.0.12) running the PHP-FPM SAPI can allow child processes to access and modify memory shared with the main process, causing invalid memory reads and writes and potentially leading to privilege escalation. The issue occurs when the main FPM daemon process is running as root and child worker processes are running as lower-privileged users.

Scraping Information from Shodan

As I dug deeper into vulnerability scanning, I found there are ways to gather information automatically when doing vulnerability scanning and threat analysis.

As a result, I wrote two scripts: one in Python for data scraping, and one that looks up a given CVE using CIRCL CVE Search.

This gif shows the Python script that gathers Shodan information on an IP address, and its results.

This gif shows the Python script that looks up a CVE using the CIRCL CVE Search tool, and its results.
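Added example, not the author's scripts: a Python version of the two-step workflow just described, pulling a host record from Shodan's REST host endpoint (the same API the curl commands use) and then looking each reported CVE up in CIRCL CVE Search. The endpoint paths and the `cvss`/`summary` field names in CIRCL's response are assumptions from their documentation, and the sample host and CVE records are constructed so the parsing runs offline.

```python
import json
import sys
import urllib.request

# REST endpoints (assumed from the Shodan and CIRCL CVE Search docs).
SHODAN_HOST = "https://api.shodan.io/shodan/host/"
CIRCL_CVE = "https://cve.circl.lu/api/cve/"

# Constructed Shodan-style host record (TEST-NET address, made-up org) for offline use.
SAMPLE_HOST = {
    "ip_str": "192.0.2.10", "org": "Example Org", "country_name": "Germany",
    "ports": [443, 22, 80],
    "data": [{"port": 80, "product": "Apache httpd"}, {"port": 22, "product": "OpenSSH"},
             {"port": 443, "product": "Apache httpd"}],
    "vulns": ["CVE-2022-26377", "CVE-2006-20001"],
}
# Constructed CIRCL-style response (score and summary text made up for the example).
SAMPLE_CVE = {"id": "CVE-2022-26377", "cvss": 7.5,
              "summary": "HTTP request smuggling in mod_proxy_ajp (constructed text)."}


def summarize_host(host: dict) -> dict:
    """Reduce a Shodan host record to the banner fields the write-up reports on."""
    products = sorted({b["product"] for b in host.get("data", []) if b.get("product")})
    return {"ip": host.get("ip_str"), "org": host.get("org"),
            "country": host.get("country_name"), "ports": sorted(host.get("ports", [])),
            "products": products, "vulns": sorted(host.get("vulns", []))}


def risk_level(cvss) -> str:
    """Map a CVSS base score onto the NVD severity bands (None means unscored)."""
    if cvss is None:
        return "unscored"
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if cvss >= floor:
            return label
    return "none"


def cve_summary(cve: dict) -> dict:
    """Keep only id, score, severity band and summary from a CIRCL CVE Search record."""
    return {"id": cve.get("id"), "cvss": cve.get("cvss"),
            "risk": risk_level(cve.get("cvss")), "summary": cve.get("summary")}


def fetch_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=20) as resp:
        return json.load(resp)


if __name__ == "__main__":  # usage: python shodan_cves.py API_KEY IP
    key, ip = sys.argv[1], sys.argv[2]
    report = summarize_host(fetch_json(f"{SHODAN_HOST}{ip}?key={key}"))
    print(json.dumps(report, indent=2))
    for cve_id in report["vulns"]:  # one CIRCL lookup per CVE Shodan tied to the host
        print(json.dumps(cve_summary(fetch_json(CIRCL_CVE + cve_id)), indent=2))
```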