Computers communicate using networks. These networks could be on a local area network (LAN) or exposed to the internet. Network sniffers are programs that capture low-level packet data that is transmitted over a network. An attacker can analyze this information to discover valuable information such as user IDs and passwords.
In this article, we will introduce you to common network sniffing
techniques and tools used to sniff networks. We will also look at
countermeasures that you can put in place to protect sensitive
information being transmitted over a network.
What is network sniffing?
Computers communicate by broadcasting messages on a network using IP
addresses. Once a message has been sent on a network, the recipient
computer with the matching IP address responds with its MAC address. Network sniffing is the process of intercepting data packets sent over a network. This can be done by a specialized software program or hardware equipment. Sniffing can be used to:
Capture sensitive data such as login credentials
Eavesdrop on chat messages
Capture files that have been transmitted over a network
The following are protocols that are vulnerable to sniffing
Telnet
Rlogin
HTTP
SMTP
NNTP
POP
FTP
IMAP
The above protocols are vulnerable if login details are sent in plain text
Passive and Active Sniffing
Before we look at passive and active sniffing, let’s look at two major devices used to network computers: hubs and switches. A hub works by sending broadcast messages to all output ports on it except the one that has sent the broadcast.
The recipient computer responds to the broadcast message if the IP
address matches. This means when using a hub, all the computers on a
network can see the broadcast message. It operates at the physical layer
(layer 1) of the OSI Model.
The diagram below illustrates how the hub works.
A switch works differently; it maps IP/MAC addresses to physical ports on it.
Broadcast messages are sent to the physical ports that match the IP/MAC
address configurations for the recipient computer. This means broadcast
messages are only seen by the recipient computer. Switches operate at
the data link layer (layer 2) and network layer (layer 3).
The diagram below illustrates how the switch works.
Passive sniffing is intercepting packets transmitted over a network that uses a hub.
It is called passive sniffing because it is difficult to detect. It is
also easy to perform as the hub sends broadcast messages to all the
computers on the network. Active sniffing is intercepting packets transmitted over a network that uses a switch. There are two main methods used to sniff switch-linked networks: ARP poisoning and MAC flooding.
Hacking Activity: Sniff network traffic
In this practical scenario, we are going to use Wireshark to sniff data packets as they are transmitted over the HTTP protocol.
For this example, we will sniff the network using Wireshark, then log in
to a web application that does not use secure communication. We will
log in to a web application on http://www.techpanda.org/
The login address is admin@google.com, and the password is Password2010. Note:
we will log in to the web app for demonstration purposes only. The
technique can also sniff data packets from other computers that are on
the same network as the one that you are using to sniff. The sniffing is
not limited to techpanda.org; it also captures all HTTP and other
protocols' data packets.
Sniffing the network using Wireshark
The illustration below shows you the steps that you will carry out to complete this exercise without confusion
Select the network interface you want to sniff. Note that for this demonstration, we are using a wireless network connection. If you are on a local area network, then you should select the local area network interface.
Click on the start button as shown above
Open your web browser and type in http://www.techpanda.org/
The login email is admin@google.com and the password is Password2010
Click on submit button
A successful logon should give you the following dashboard
Go back to Wireshark and stop the live capture
Filter for HTTP protocol results only using the filter textbox
Locate the Info column, look for entries with the HTTP verb POST and click on one
Just below the log entries, there is a panel with a summary of captured data. Look for the summary that says Line-based text data: application/x-www-form-urlencoded
You should be able to view the plaintext values of all the POST variables submitted to the server via the HTTP protocol.
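The check below is an added example, not part of the original article: it scans reassembled HTTP requests, such as the POST seen in the Wireshark exercise, and reports credential fields that crossed the network unencrypted, so the application can be moved to HTTPS. The sample requests, host names and the SENSITIVE_KEYS list are constructed assumptions.

```python
"""Flag credentials that cross the wire in cleartext HTTP requests."""
import base64
from urllib.parse import parse_qsl

# Substrings of form-field names that usually carry secrets (assumption).
SENSITIVE_KEYS = ("pass", "pwd", "secret", "token")

# Constructed sample data: three reassembled HTTP requests, as a capture
# tool would hand them over after TCP stream reassembly.
SAMPLE_REQUESTS = [
    (b"POST /index.php HTTP/1.1\r\n"
     b"Host: intranet.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
     b"\r\n"
     b"email=alice%40example.test&password=S3cret%21"),
    (b"GET /dashboard.php HTTP/1.1\r\n"
     b"Host: intranet.example.test\r\n"
     b"\r\n"),
    (b"GET /cam/status HTTP/1.1\r\n"
     b"Host: camera.example.test\r\n"
     b"Authorization: Basic YWRtaW46ZXhhbXBsZQ==\r\n"
     b"\r\n"),
]


def parse_request(raw):
    """Split a raw request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_secrets(raw):
    """Return findings for one request; secrets are reported by length only."""
    method, target, headers, body = parse_request(raw)
    where = headers.get("host", "?") + target
    findings = []

    # Case 1: a login form posted as application/x-www-form-urlencoded.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "POST" and ctype == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
        for key, value in pairs:
            if any(marker in key.lower() for marker in SENSITIVE_KEYS):
                findings.append({"where": where, "field": key, "length": len(value)})

    # Case 2: HTTP Basic authentication. Base64 is an encoding, not
    # encryption, so the password is as exposed as a form field.
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(blob).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
        _user, _, password = decoded.partition(":")
        findings.append({"where": where, "field": "Authorization: Basic",
                         "length": len(password)})
    return findings


def audit(requests):
    """Collect findings across all captured requests."""
    return [f for raw in requests for f in find_cleartext_secrets(raw)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print("cleartext secret: {where} field={field} ({length} chars)".format(**finding))
```

Once the same login runs over HTTPS, the capture holds only TLS records and this audit has nothing to parse.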
What is MAC Flooding?
MAC flooding is a network sniffing technique that floods the switch MAC table with fake MAC addresses.
This leads to overloading the switch memory and makes it act as a hub.
Once the switch has been compromised, it sends the broadcast messages to
all computers on a network. This makes it possible to sniff data
packets as they are sent on the network.
Counter Measures against MAC flooding
Some switches have the port security feature.
This feature can be used to limit the number of MAC addresses on the
ports. It can also be used to maintain a secure MAC address table in
addition to the one provided by the switch.
Authentication, Authorization and Accounting servers can be used to filter discovered MAC addresses.
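The following simulation is an added example, not code from the original article: it models a switch MAC table to show why a full table makes the switch forward like a hub, and how a per-port MAC limit contains the flood. Nothing is sent on a network; the table size, the limit, the addresses and the "disable the port on violation" action are assumptions chosen for the model.

```python
"""Simulation of a switch MAC address table under MAC flooding, with and
without a per-port MAC limit (port security). No packets are sent."""

PORTS = [1, 2, 3]            # constructed topology: A on 1, B on 2, flooder on 3
HOST_A = "aa:aa:aa:00:00:01"  # constructed addresses
HOST_B = "bb:bb:bb:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, table_size, port_mac_limit=None):
        self.table_size = table_size          # capacity of the MAC table
        self.port_mac_limit = port_mac_limit  # None means port security is off
        self.table = {}                       # learned MAC -> port
        self.disabled = set()                 # ports shut down after a violation

    def receive(self, in_port, src, dst):
        """Handle one frame and return the ports it is forwarded to."""
        if in_port in self.disabled:
            return []
        if src not in self.table:
            learned_here = sum(1 for p in self.table.values() if p == in_port)
            if (self.port_mac_limit is not None
                    and learned_here >= self.port_mac_limit):
                # Port security violation: modelled as disabling the port
                # and dropping the addresses learned on it.
                self.disabled.add(in_port)
                self.table = {m: p for m, p in self.table.items() if p != in_port}
                return []
            if len(self.table) < self.table_size:
                self.table[src] = in_port
            # Otherwise the table is full and the source cannot be learned.
        out = self.table.get(dst)
        if out is not None:
            return [] if out == in_port else [out]
        # Unknown destination: flood to every other active port (hub behaviour).
        return [p for p in PORTS if p != in_port and p not in self.disabled]


def run_scenario(port_mac_limit, table_size=8, fake_addresses=50):
    """Flood from port 3, then let B and A talk; report who sees A's frame."""
    sw = Switch(table_size, port_mac_limit)
    for i in range(fake_addresses):
        fake = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)  # constructed MACs
        sw.receive(3, fake, BROADCAST)
    sw.receive(2, HOST_B, HOST_A)            # B sends a frame, so B can be learned
    a_to_b = sw.receive(1, HOST_A, HOST_B)   # the conversation we care about
    return {
        "a_to_b_ports": a_to_b,
        "disabled_ports": sorted(sw.disabled),
        "table_entries": len(sw.table),
    }


if __name__ == "__main__":
    print("port security off:", run_scenario(None))
    print("limit of 2 MACs  :", run_scenario(2))
```

With port security off, the frame from A to B is also delivered to port 3, where the sniffer sits; with the limit, port 3 is disabled after the third new address and the frame reaches port 2 only.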
Sniffing Counter Measures
Restriction to network physical media highly reduces the chances of a network sniffer being installed
Encrypting messages as they are transmitted over the network greatly reduces their value as they are difficult to decrypt.
Changing the network to a Secure Shell (SSH) network also reduces the chances of the network being sniffed.
Summary
Network sniffing is intercepting packets as they are transmitted over the network
Passive sniffing is done on a network that uses a hub. It is difficult to detect.
Active sniffing is done on a network that uses a switch. It is easy to detect.
MAC flooding works by flooding the MAC table address list with fake MAC addresses. This makes the switch operate like a hub
Security measures as outlined above can help protect the network against sniffing.
Nmap (Network Mapper) is the second program that
we're going to look at. It is a huge tool and has many uses. Nmap is used
to gather information about any device. Using Nmap, we can gather
information about any client that is within our network or outside our
network, and we can gather information about clients just by knowing
their IP. Nmap can be used to bypass firewalls, as well as all kinds of
protection and security measures. In this section, we're going to learn
some of the basic Nmap commands that can be used to discover clients
that are connected to our network, and also discover the open ports on
these clients.
We're going to use Zenmap, which is the graphical user interface for Nmap. If we type zenmap on the Terminal, we'll bring up the application like this:
In the Target field, we're going to put our IP address. In the Profile drop-down menu, we can have various profiles:
In the Target field, if we want to gather
information about only one IP address, we can just enter that address. We
can also enter a range like we did with netdiscover. We're going to
enter 198.168.1.1/24. Then we are going to select the Ping scan from the Profile drop-down menu and hit the Scan button:
The preceding scan is kind of a quick scan, but it doesn't show too
much information, as we can see in the preceding screenshot. It only
shows the connected devices. This scan is very quick. We are able to see
the connected devices on the left-hand panel, and we can see their IP
addresses, their MAC addresses, and their vendors.
The next scan we're going to learn is the Quick Scan. Now, the Quick scan is going to be slightly slower than the Ping scan. But in Quick scan, we will get more information than the Ping scan. We're going to be able to identify the open ports on each device:
In the above screenshot, we can see that it shows the open ports on
each one of the discovered devices. The main router has an open port
called 53/tcp. 80/tcp is the port used for the router settings page because it runs on a web server.
Now, let's take a look at the Quick scan plus, which takes the Quick scan
one step further. It's going to be slower than the Quick scan, but it
will show us the programs that are running on the open ports. So, in
Quick scan, we saw that port 80 is open, but we didn't know what was running on port 80, and we saw that port 22
was running, but we didn't know what was running. We knew it was SSH,
but we didn't know what SSH server was running on that port.
So again, Quick scan plus will take longer than Quick scan, but it
will gather more information, as shown in the following screenshot:
In the preceding screenshot, we can see that we have a Linux device
connected. We can see the operating system of the connected device, and
the scan also got us the versions of the programs. In Quick
scan, we only knew that port 22 was open, but now we
know that it's running, and the server is OpenSSH 4.7.
Now we know that port 80 was running
Apache HTTP server 2.2.8 and that it was a Linux device. We can go
ahead and look for exploits and vulnerabilities.
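The version details a scan reveals are just as useful to the network's owner. The script below is an added example, not from the original text: it reads Nmap's XML output (as written by `nmap -oX`) for hosts you administer and reports open services that are missing from an approved baseline or that speak a cleartext protocol. The XML document, the addresses, the APPROVED baseline and the CLEARTEXT_SERVICES names are constructed assumptions.

```python
"""Compare open services in Nmap XML output with an approved baseline."""
import xml.etree.ElementTree as ET

# Constructed scan result for one host; the product versions mirror the
# ones named in the text above.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:10" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumption: services this host is allowed to expose, keyed by (ip, port).
APPROVED = {("192.0.2.10", 22): "ssh", ("192.0.2.10", 80): "http"}

# Assumption: service names for protocols that send logins unencrypted.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "smtp", "nntp", "pop3", "imap", "login"}


def parse_open_services(xml_text):
    """Return one dict per open port found in the scan."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = next((a.get("addr") for a in host.iter("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        for port in host.iter("port"):
            state = port.find("state")
            if ip is None or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            info = svc.attrib if svc is not None else {}
            services.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": info.get("name", "unknown"),
                "product": info.get("product", ""),
                "version": info.get("version", ""),
            })
    return services


def audit_scan(services, approved):
    """Return sorted (ip, port, reason) findings for the scan."""
    findings = []
    for s in services:
        key = (s["ip"], s["port"])
        if key not in approved:
            findings.append((s["ip"], s["port"], "not in approved baseline"))
        elif approved[key] != s["name"]:
            findings.append((s["ip"], s["port"], "service differs from baseline"))
        if s["name"] in CLEARTEXT_SERVICES:
            findings.append((s["ip"], s["port"], "cleartext protocol"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, reason in audit_scan(parse_open_services(SAMPLE_XML), APPROVED):
        print("%s:%d %s" % (ip, port, reason))
```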
Find Vulnerable Webcams Across the Globe Using Shodan
Search engines index websites on the web so you can find them more
efficiently, and the same is true for internet-connected devices. Shodan
indexes devices like webcams, printers, and even industrial controls
into one easy-to-search database, giving hackers access to vulnerable
devices online across the globe. And you can search its database via its
website or command-line library.
Shodan has changed the way hackers build tools, as it allows for a
large part of the target discovery phase to be automated. Rather than
needing to scan the entire internet, hackers can enter the right search
terms to get a massive list of potential targets. Shodan's Python
library allows hackers to quickly write Python scripts that fill in
potential targets according to which vulnerable devices connect at any
given moment.
You can imagine hunting for vulnerable devices as
similar to trying to find all the pages on the internet about a specific
topic. Rather than searching every page available on the web yourself,
you can enter a particular term into a search engine to get the most
up-to-date, relevant results. The same is true for discovering connected
devices, and what you can find online may surprise you!
Log in to Shodan
First, whether using the website or the command line, you need to log in to shodanhq.com in a web browser. Although you can use Shodan without logging in, Shodan restricts some of its capabilities to only
logged-in users. For instance, you can only view one page of search
results without logging in. And you can only see two pages of search
results when logged in to a free account. As for the command line, you
will need your API Key to perform some requests.
Step 2 Set Up Shodan via Command Line (Optional)
A particularly useful feature of Shodan is that you don't need to open a
web browser to use it if you know your API Key. To install Shodan,
you'll need to have a working Python installation. Then, you can type
the following in a terminal window to install the Shodan library.
~$ pip install shodan
Collecting shodan
Downloading https://files.pythonhosted.org/packages/22/93/22500512fd9d1799361505a1537a659dbcdd5002192980ad492dc5262717/shodan-1.14.0.tar.gz (46kB)
100% |████████████████████████████████| 51kB 987kB/s
Requirement already satisfied: XlsxWriter in /usr/lib/python2.7/dist-packages (from shodan) (1.1.2)
Requirement already satisfied: click in /usr/lib/python2.7/dist-packages (from shodan) (7.0)
Collecting click-plugins (from shodan)
Downloading https://files.pythonhosted.org/packages/e9/da/824b92d9942f4e472702488857914bdd50f73021efea15b4cad9aca8ecef/click_plugins-1.1.1-py2.py3-none-any.whl
Requirement already satisfied: colorama in /usr/lib/python2.7/dist-packages (from shodan) (0.3.7)
Requirement already satisfied: requests>=2.2.1 in /usr/lib/python2.7/dist-packages (from shodan) (2.21.0)
Building wheels for collected packages: shodan
Running setup.py bdist_wheel for shodan ... done
Stored in directory: /root/.cache/pip/wheels/fb/99/c7/f763e695efe05966126e1a114ef7241dc636dca3662ee29883
Successfully built shodan
Installing collected packages: click-plugins, shodan
Successfully installed click-plugins-1.1.1 shodan-1.14.0
Then, you can see all the available options by using -h to bring up the help menu.
~$ shodan -h
Usage: shodan [OPTIONS] COMMAND [ARGS]...
Options:
-h, --help Show this message and exit.
Commands:
alert Manage the network alerts for your account
convert Convert the given input data file into a different format.
count Returns the number of results for a search
data Bulk data access to Shodan
domain View all available information for a domain
download Download search results and save them in a compressed JSON...
honeyscore Check whether the IP is a honeypot or not.
host View all available information for an IP address
info Shows general information about your account
init Initialize the Shodan command-line
myip Print your external IP address
org Manage your organization's access to Shodan
parse Extract information out of compressed JSON files.
radar Real-Time Map of some results as Shodan finds them.
scan Scan an IP/ netblock using Shodan.
search Search the Shodan database
stats Provide summary information about a search query
stream Stream data in real-time.
version Print version of this tool.
These controls are pretty straightforward, but not all of them work without connecting
it to your Shodan API Key. In a web browser, log in to your Shodan
account, then go to "My Account" where you'll see your unique API Key.
Copy it, then use the init command to connect the key.
There are many ways to find webcams on Shodan. Usually, using the name of the
webcam's manufacturer or webcam server is a good start. Shodan indexes
the information in the banner, not the content, which means that if the
manufacturer puts its name in the banner, you can search by it. If it
doesn't, then the search will be fruitless.
One of my favorites is webcamxp, a
webcam and network camera software designed for older Windows systems.
After typing this into the Shodan search engine online, it pulls up
links to hundreds, if not thousands, of web-enabled security cameras
around the world.
To do this from the command line, use the search option. (Results below truncated.)
~$ shodan search webcamxp
81.133.███.███ 8080 ████81-133-███-███.in-addr.btopenworld.com
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7313\r\nCache-control: no-cache, must revalidate\r\nDate: Tue, 06 Aug 2019 21:39:29 GMT\r\nExpires: Tue, 06 Aug 2019 21:39:29 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
74.218.███.██ 8080 ████-74-218-███-██.se.biz.rr.com
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7413\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 14:22:02 GMT\r\nExpires: Wed, 07 Aug 2019 14:22:02 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
208.83.██.205 9206 ████████████.joann.com HTTP/1.1 704 t\r\nServer: webcamXP\r\n\r\n
115.135.██.185 8086
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 2192\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 06:49:20 GMT\r\nExpires: Wed, 07 Aug 2019 06:49:20 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
137.118.███.107 8080 137-118-███-███.wilkes.net
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 2073\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 12:37:54 GMT\r\nExpires: Wed, 07 Aug 2019 12:37:54 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
218.161.██.██ 8080 218-161-██-██.HINET-IP.hinet.net
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7431\r\nCache-control: no-cache, must revalidate\r\nDate: Mon, 05 Aug 2019 18:39:52 GMT\r\nExpires: Mon, 05 Aug 2019 18:39:52 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
...
92.78.██.███ 37215 ███-092-078-███-███.███.███.pools.vodafone-ip.de
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 8163\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 05:17:22 GMT\r\nExpires: Wed, 07 Aug 2019 05:17:22 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
85.157.██.███ 8080 ████████.netikka.fi
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7947\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 00:25:41 GMT\r\nExpires: Wed, 07 Aug 2019 00:25:41 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
108.48.███.███ 8080 ████-108-48-███-███.washdc.fios.verizon.net
HTTP/1.1 401 Unauthorized\r\nConnection: close\r\nContent-Length: 339\r\nCache-control: no-cache, must revalidate\r\nDate: Tue, 06 Aug 2019 22:40:21 GMT\r\nExpires: Tue, 06 Aug 2019 22:17:21 GMT\r\nPragma: no-cache\r\nServer: webcamXP\r\nWWW-Authenticate: Basic realm="webcamXP"\r\nContent-Type: text/html\r\n\r\n
(END)
To exit results, hit Q on your keyboard.
If you only want to see certain fields instead of everything, there are
ways to omit some information. First, let's see how the syntax works by
viewing the help page for search.
~$ shodan search -h
Usage: shodan search [OPTIONS] <search query>
Search the Shodan database
Options:
--color / --no-color
--fields TEXT List of properties to show in the search results.
--limit INTEGER The number of search results that should be returned.
Maximum: 1000
--separator TEXT The separator between the properties of the search
results.
-h, --help Show this message and exit.
Unfortunately, the help page does not list all of the available fields you can search, but Shodan's website has a handy list, seen below.
Properties:
asn [String] The autonomous system number (ex. "AS4837").
data [String] Contains the banner information for the service.
ip [Integer] The IP address of the host as an integer.
ip_str [String] The IP address of the host as a string.
ipv6 [String] The IPv6 address of the host as a string. If this is present then the "ip" and "ip_str" fields wont be.
port [Integer] The port number that the service is operating on.
timestamp [String] The timestamp for when the banner was fetched from the device in the UTC timezone. Example: "2014-01-15T05:49:56.283713"
hostnames [String[]] An array of strings containing all of the hostnames that have been assigned to the IP address for this device.
domains [String[]] An array of strings containing the top-level domains for the hostnames of the device. This is a utility property in case you want to filter by TLD instead of subdomain. It is smart enough to handle global TLDs with several dots in the domain (ex. "co.uk")
location [Object] An object containing all of the location information for the device.
location.area_code [Integer] The area code for the device's location. Only available for the US.
location.city [String] The name of the city where the device is located.
location.country_code [String] The 2-letter country code for the device location.
location.country_code3 [String] The 3-letter country code for the device location.
location.country_name [String] The name of the country where the device is located.
location.dma_code [Integer] The designated market area code for the area where the device is located. Only available for the US.
location.latitude [Double] The latitude for the geolocation of the device.
location.longitude [Double] The longitude for the geolocation of the device.
location.postal_code [String] The postal code for the device's location.
location.region_code [String] The name of the region where the device is located.
opts [Object] Contains experimental and supplemental data for the service. This can include the SSL certificate, robots.txt and other raw information that hasn't yet been formalized into the Banner Specification.
org [String] The name of the organization that is assigned the IP space for this device.
isp [String] The ISP that is providing the organization with the IP space for this device. Consider this the "parent" of the organization in terms of IP ownership.
os [String] The operating system that powers the device.
transport [String] Either "udp" or "tcp" to indicate which IP transport protocol was used to fetch the information
Optional Properties:
uptime [Integer] The number of minutes that the device has been online.
link [String] The network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem".
title [String] The title of the website as extracted from the HTML source.
html [String] The raw HTML source for the website.
product [String] The name of the product that generated the banner.
version [String] The version of the product that generated the banner.
devicetype [String] The type of device (webcam, router, etc.).
info [String] Miscellaneous information that was extracted about the product.
cpe [String] The relevant Common Platform Enumeration for the product or known vulnerabilities if available. For more information on CPE and the official dictionary of values visit the CPE Dictionary.
SSL Properties:
If the service uses SSL, such as HTTPS, then the banner will also contain a property called "ssl":
ssl.cert [Object] The parsed certificate properties that includes information such as when it was issued, the SSL extensions, the issuer, subject etc.
ssl.cipher [Object] Preferred cipher for the SSL connection
ssl.chain [Array] An array of certificates, where each string is a PEM-encoded SSL certificate. This includes the user SSL certificate up to its root certificate.
ssl.dhparams [Object] The Diffie-Hellman parameters if available: "prime", "public_key", "bits", "generator" and an optional "fingerprint" if we know which program generated these parameters.
ssl.versions [Array] A list of SSL versions that are supported by the server. If a version isnt supported the value is prefixed with a "-". Example: ["TLSv1", "-SSLv2"] means that the server supports TLSv1 but doesnt support SSLv2.
So, if we wanted to only view the IP address, port number, organization name, and hostnames for the IP address, we could use --fields as such:
Look through the results and find webcams you want
to try out. Input their domain name into a browser and see if you get
instant access. Here is an array of open webcams from various hotels in
Palafrugell, Spain, that I was able to access without any login
credentials:
Although it can be fun and exciting to voyeuristically watch what's going on in
front of these unprotected security cameras, unbeknownst to people
around the world, you probably want to be more specific in your search
for webcams.
Try Default Username & Passwords
Although some of the webcams Shodan shows you are unprotected, many of them will
require authentication. To attempt to gain access without too much
effort, try the default username and password for the security camera
hardware or software. I have compiled a short list of the default
username and passwords of some of the most widely used webcams below.
ACTi: admin/123456 or Admin/123456
Axis (traditional): root/pass,
Axis (new): requires password creation during first login
Cisco: No default password, requires creation during first login
Grandstream: admin/admin
IQinVision: root/system
Mobotix: admin/meinsm
Panasonic: admin/12345
Samsung Electronics: root/root or admin/4321
Samsung Techwin (old): admin/1111111
Samsung Techwin (new): admin/4321
Sony: admin/admin
TRENDnet: admin/admin
Toshiba: root/ikwd
Vivotek: root/<blank>
WebcamXP: admin/ <blank>
There is no guarantee that any of those will work, but many inattentive and
lazy administrators simply leave the default settings in place. In those
cases, the default usernames and passwords for the hardware or software
will give you access to confidential and private webcams around the
world.
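The banner properties listed earlier (ip_str, port, org, data) are also what an administrator needs to review their own exposure. The script below is an added example, not part of the original article: it takes Shodan-style records, keeps only addresses inside networks you operate, and classifies each banner by whether the service answered with an authentication challenge. The records, the OWN_NETWORKS range and the verdict wording are constructed assumptions.

```python
"""Triage Shodan-style banner records for address space you operate."""
import ipaddress

# Assumption: the networks you are responsible for (documentation range).
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed records using the ip_str, port, org and data properties.
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.15", "port": 8080, "org": "Example Org",
     "data": "HTTP/1.1 200 OK\r\nConnection: close\r\n"
             "Content-Type: text/html; charset=utf-8\r\n"
             "Server: webcamXP 5\r\n\r\n"},
    {"ip_str": "192.0.2.77", "port": 8080, "org": "Example Org",
     "data": "HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n"
             "Server: webcamXP\r\n"
             "WWW-Authenticate: Basic realm=\"webcamXP\"\r\n\r\n"},
    {"ip_str": "198.51.100.9", "port": 8080, "org": "Someone Else",
     "data": "HTTP/1.1 200 OK\r\nServer: webcamXP 5\r\n\r\n"},
    {"ip_str": "192.0.2.30", "port": 22, "org": "Example Org",
     "data": "SSH-2.0-OpenSSH_8.9\r\n"},
]


def parse_http_banner(data):
    """Return (status_code, headers) for an HTTP banner, else None."""
    lines = data.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def triage(records, networks=OWN_NETWORKS):
    """Return (ip, port, server, verdict) for records inside our networks."""
    results = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in net for net in networks):
            continue          # not ours: out of scope for this review
        parsed = parse_http_banner(rec.get("data", ""))
        server = ""
        if parsed is None:
            verdict = "non-HTTP banner: review manually"
        else:
            status, headers = parsed
            server = headers.get("server", "")
            challenge = headers.get("www-authenticate", "").lower()
            if status == 401 and challenge.startswith("basic"):
                verdict = "Basic auth over cleartext HTTP: move behind TLS or a VPN"
            elif status == 401:
                verdict = "authentication required"
            elif 200 <= status < 300:
                verdict = "answers 200 with no auth challenge: verify access control"
            else:
                verdict = "status %d: review manually" % status
        results.append((rec["ip_str"], rec["port"], server, verdict))
    return results


if __name__ == "__main__":
    for ip, port, server, verdict in triage(SAMPLE_RECORDS):
        print("%s:%d [%s] %s" % (ip, port, server or "-", verdict))
```

Any device that shows up here should have its vendor default password changed and should not be reachable from the internet unless it has to be.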
Find Webcams, Databases, Boats in the sea using Shodan
SHODAN:- Shodan is a scanner
which finds devices connected over the internet. Shodan can find
devices like traffic lights, security cameras, home heating devices and
baby monitors, ethical hacking consultants assure. This web scanner can
also find SCADA systems such as gas stations and nuclear power plants.
Shodan tells the physical location of connected devices over the
internet. A researcher says that Shodan can
violate users' privacy because it pings almost any device
connected over the internet without the users' permission. To use Shodan, go to: https://www.shodan.io/
For creating an account go to https://account.shodan.io/register
Shodan search engine can also be used without signing up. Signing up is not compulsory.
Enter the necessary details (your username, password and email) for signing up in Shodan.
After creating an account, sign in with your credentials.
After signing in, Shodan will open. Now you can explore Shodan.
After creating your account in Shodan, sign in to your account and Shodan will
show your account API key. For security reasons the key has been hidden
(ZoxxxxxxPFmYHJvSWhKixxxxxxxxxxHmT).
You can also use the API key in recon-ng for reconnaissance.
You can also search any website/IP address: simply enter your target name and, as
you see below, it will show the details of the target, mention ethical
hacking investigators.
Fun with SHODAN:-
The site in the screenshot below is most popular for testing your hacking skills (hackthissite.org).
After typing the target website, the open ports and the IP address are found, which can be used in footprinting and reconnaissance.
SHODAN FEATURES:-
Shodan offers many great features to search. A normal user can easily
explore Shodan. Most pentesters use Shodan for finding
vulnerabilities, according to ethical hacking courses.
There are many keywords to search in Shodan, and here are some of the
keywords which have been used to show you how Shodan works:-
VSAT – Mainly works in boat/ship trackers to detect boat/ship location.
Cameras – Shows the open IPs of the web cameras which are used in surveillance.
Exploring others like databases, video game servers and Industrial Control Systems.
Databases – show the databases with lack of security.
Video Game Servers – shows the running open servers of the games.
ICS (Industrial Control System) – shows the open ICS systems which are vulnerable.
SEARCHING BOATS/SHIPS ON SHODAN:-
Boats/ships use VSAT (Very-Small-Aperture Terminal), which uses
satellite communication to communicate with the outer world. VSAT uses
IPv4 for the communication. As Shodan pings all the IP addresses over the
internet, in this pinging process Shodan also lists the IPs
associated with VSAT communication on the boat. Now in the below screens
you will see how a normal internet user can search the boats in the
sea.
If you type VSAT in the search engine of Shodan, you will find there are many unprotected IPs of ships.
You can see in the above screenshots the open ports and IP address of the ship, which can be used in other hacking activities.
You can also check the location of the ship by typing the longitude and latitude of the ship in the Google search engine.
SEARCHING LIVE CAMS:-
You can search for live cameras with open ports. To search for live webcams, go to the Shodan search engine and type webcams.
For example:-
For searching webcams, you can type webcams or a query for the webcam, which is mostly a URL path used by the IP camera.
So we will search /cgi-bin/guestimage.html
The above URL path is normally used by Mobotix, a company which makes IP surveillance cameras.
After searching through the query, there is an IP – 166.161.197.253 which we will examine further.
After clicking on the IP, you can see the open port and the IP address of myvzw.com from the organisation Verizon Wireless.
Now, to open the IP address, type the above IP address with the port into your browser, 166.161.197.253:5001, as shown below.
As you can see, the targeted IP camera is working but it is night
over there. Now we will try to find some previous recordings to check if
the camera is working.
Click on the menu marked red in the above screenshot.
Go to the event list.
There are many previous records. We will show you one of the records in day mode.
In one of the previous records, you can see that this surveillance camera is open to exploit.
Another surveillance camera which is found in the list.
When we open the IP address with the listed ports we found that:-
Beach surveillance camera.
The above screenshots are from the Hotel wellness resort (riva degli etruschi).
Another example:-
Opening the IP address 89.203.117.200 shows live surveillance.
The above screenshot is from the Czech Republic: a local street location from a live cam.
OTHER FEATURES IN SHODAN:- Shodan gives many options to explore.
By clicking on Explore, you can find the most popular searches
which have been done in Shodan by other users. It also shows the most common
and recent searches.
These common searches can easily be used to exploit them as they lack security.
SEARCHING VIDEO GAMES:-
You can open listed game servers to check IP addresses.
Here we have chosen the target.
A Minecraft server can be used in port scanning and in other hacking activities.
The above listed vulnerabilities can be used by remote
attackers to cause a denial-of-service attack. And the vulnerability could
allow an attacker to get into the directories, as per ethical hacking specialists.
SEARCHING DATABASES:-
Choose the database.
Selecting the target.
In the above screenshot, you can use the IP address with the listed ports to open the db page.
It shows the graph of the memory process, which can be used in the initial phase of penetration testing.
As you can see in the above screenshots, the above admin details can be used in other hacking activities.
SEARCHING ICS (INDUSTRIAL CONTROL SYSTEM):-
Select the target.
The above IP address and open ports can be used in port scanning.
In the above screenshots, the listed vulnerabilities can cause
massive attacks on the target. A denial-of-service attack can be used by
attackers. Remote execution can also be done on this vulnerable website.
USING THE GOOGLE CHROME EXTENSION:-
For quick and fast information, you can also use the Google Chrome addon which is
available in the Google Chrome app store. For installing the Shodan addon in
Google Chrome go to: https://chrome.google.com/webstore/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap?utm_source=chrome-ntp-icon
After installing the addon, whenever you open the target site, the Shodan addon
will start its query and will show the target website's open ports/IP
address.
MOST POPULAR SEARCHES:- Shodan offers many features like searching any open cams, searching for routers with default security methods.
In the above screenshot, here are
some of the listed open devices which can be used in hacking activities.
The most popular searches are easy to find and can also be exploited by
script kiddies.
PAID PLANS:-
You can also use the paid plans if you are working as a professional pentester, because
Shodan provides detailed information for the target.
OTHER RESOURCES:-
You can also use some other resources to check ship latitude and longitude.
https://shiptracker.shodan.io
https://www.vesselfinder.com
https://www.marinetraffic.com
These websites provide AIS (Automatic Identification System), which
uses a transponder device to receive the signal to satellite and then
transmit those signals to a receiver to tell their location, but the Shodan
ship tracker is more than that.
As you can see in the above screenshots, there are two websites that
show the ship location by using the AIS system. A normal user can check to
know the location of the website. These two websites show the
longitude and latitude of the ship.