Welcome.
Thanks.
Thank you.
Good morning everybody.
My name is Greg Evans.
I work for a company called the Getz.
I'm sorry, I got the wrong slide.
Wrong slide, sorry.
That doesn't look like me either, sorry.
He's not a su-yu!
Oh, that's a good one.
Probably will sue me.
My presentation this morning is called How to Own an ISP in 10 Minutes or Less without
really trying.
My name is Michael Shearer, ThePresident98.
There's my Twitter account.
I warn you ahead of time, I tweet a lot.
Probably about 10 times a day, so there's a lot of stuff.
If there's something that's pissing me off, I'm usually talking about it a lot.
And just to close up a point about what Deviant was talking about, he mentioned the Assault
on Privacy blog.
That's one that I run.
And the reason is because we're very protective of our First Amendment rights.
Many of us are very protective of our Second Amendment rights, but the Fourth Amendment
is just as important because that really deals with privacy, so it's very important to me.
Okay, what am I going to talk about today?
I'm going to talk in a little bit about Shodan.
Most of you have probably heard of Shodan or used Shodan, so I'm going to talk a little
bit about that.
But I don't want to spend too much time on it because I want to spend the bulk of my
presentation on Shodan and its application to penetration testing and a case study involving
infrastructure exploitation.
I'll talk a little bit about disclosure at the end because that's very important in terms
of what I was doing, and then we'll make a few conclusions, or perhaps he will have a
few conclusions.
This is myself.
I work for Booz Allen up in Maryland.
Spent almost nine years in the U.S. Navy, EA6B electronic communications, or electronic
countermeasures officer, been in Iraq and Afghanistan, and I also did counter-ID work
for the U.S. Army in Iraq.
And I'm one of the founding members of Unallocated Space.
Yay!
Okay, what is Shodan?
Now I will start out with this because a lot of people call to me about Shodan and they
think that I made Shodan, and I didn't.
So I tell you this right up front.
A guy named John Matherlinck, who is Achillean, is his Twitter handle.
He is the one who designed Shodan.
So people come up to me and they say, they talk to me as if I created Shodan, and then
I tell them, no, I didn't create it.
And then they get a confused look on their face because I'm the person who talks about
Shodan.
So I know what they're thinking.
They're thinking, well, I don't understand.
They don't say this, but this is what they're thinking.
I don't understand.
Somebody else created Shodan, but you're the guy who always talks about it.
Why are you talking about me?
Why are you talking about someone else's tool?
Okay, fair enough.
John is a software developer.
He was not in the InfoSec community, and he created Shodan as a marketing tool.
That was what he created it for.
And myself and a few other people said, hey, we could use this for penetration testing.
It's got some really cool InfoSec applications.
So myself and some other people started talking about this, and I talked to John, and I said,
hey, do you realize what you can do with this thing?
And he's like, yeah, I'm starting to figure it out.
And I'm like, well, do you mind if I talk about it?
Because there's some really cool things that you could do with Shodan.
And he's like, yeah.
Because he created it, he's got all the searches that people were doing in the first...
Shodan is just barely a year old now.
And in the first couple of weeks, he said, I'm looking at the searches, and I think people
don't really understand how to use the search engine.
They don't really know what they're looking for.
So I said, OK, well, I'll talk about it.
So that's where it's gone from.
So Shodan is a search engine, but it's not like Yahoo or Google or Bing or other search
engines for a couple of reasons.
So a typical search engine is going to crawl data on a web page.
It's going to index that for you.
Excuse me.
Shodan instead, instead of looking for the data on the web page, it's going to interrogate
the port, so port 80, and it's going to take the banner or the header, and that's what
it's going to actually capture.
So it's capturing the header or banner data instead of the actual content of the web page
itself.
And then it indexes that for searching.
So instead of indexing the data on the web page, it's indexing the banner or the header.
So instead of finding specific content on a web page or a device, it's designed to find
specific devices, nodes, desktop, server, router, switch, based on the content of the
banner itself.
So we'll talk about that a little later.
Optimizing search results in Shodan requires to have a little bit of basic knowledge in
what a banner looks like.
So we'll talk a little bit about that as well.
Okay, basic operations.
So yeah, in the search engine, yeah, it's just like a search box.
You go to Shodan, the URL is www.shodanhq.com, and there's a search box, and you just put
stuff in there.
You can use quotations, just like any other things.
You can use Boolean operators to exclude and exclude terms.
We'll show you how excluding terms is very useful for eliminating false positive data.
There's a couple ways you can do this.
You can go to Shodan, and you don't have to log in, and you can use the site.
However, there's some limitations on what you can do.
So you can create an account.
You can create a Shodan exclusive account, or if you have any one of these services that
you already have an account with, Google, Twitter, whatever, you can use those accounts
to authenticate into Shodan as well.
So again, login is not required, but if you want to use, there's two filters, country
and net filters, and if you want to use those filters, which we'll talk about briefly, you
have to log in to use them.
There's also an export option, allows you to export large amounts of data from the search
engine, and if you want to use that, you also have to log in.
There are more filters than this, but these are the basic ones in terms of searching.
The country filter, so the filter as I listed on the screen is actually how it is.
So it's the word and then the colon and then whatever.
So the country filter is country colon and then whatever the two letter country code
is.
So if you only wanted devices in the United States, country colon US, or whatever the
two letter country code is for your target.
Host name, if you want to filter by specific text in the host name or the domain.
We'll show you some examples of all these searches.
The net filter, if you want to filter results by a specific IP range or a subnet, so if
you're obviously going after a specific target and you're looking for results, you can do
that.
OS filter for specific operating systems, and then port filter if you only want specific
services.
You only want port 21 or you only want port 23 or whatever.
So I know you can't see this, but I will read it out to you.
And the search I have up here is Apache country colon CH.
So my search term is Apache and my filter is country colon, so the country filter and
then CH.
And CH is the country code for Switzerland.
So what this will do is it will find in Showdown's results all the results that have the word
Apache in the banner and that their IP address is allocated to the Switzerland IP block.
And you see up in the right-hand corner we have 24,000 results.
So if I were to click on any of these individual links, IP addresses, it would take me to that
web page or that result.
So you can start to see now how if you can use certain search terms, you may be able
to narrow down really what you're looking for.
Okay so here I have my search here now is Apache 2.2.3.
So now we're looking for a specific version of Apache.
And we find the results are there's 1.3 million results, which makes sense.
If I do not include a country code, Showdown is going to be very helpful and it's going
to list me in the top four countries with those results.
So you see up in the top here, United States, 382,000, Germany, France, Canada.
If you were to click on one of those, it would further take your search down.
So it would search for Apache 2.2.3 in that country.
This is one of those circumstances where if you don't have an account, it won't let you
filter by the country.
So it's very useful to have an account.
Hostname filter.
Apache hosting colon dot miss dot gov.
So I want to find any devices in a dot miss dot gov domain that have Apache in the banner.
Obviously we're really starting to narrow down now.
IAS 5.0 hosting colon dot edu.
Find IAS 5.0 servers in the dot edu domain.
Or you know you can even filter that more.
Like university or specific institution.
And then in OS filters, if you want to filter by IP or cider range or IP range or cider
notation or OS filter, just using Linux or Windows or whatever.
The port filter.
You can filter by port.
Most of the collection is 21, 22, 23, and 80.
And there's also now collection on HTTPS.
So there's a lot of HTTPS data.
And there's also 161 SNMP data that is now in Showdown.
So he's certainly adding more data.
And as people request more data, he's adding more features.
There are popular searches that are available on the main page.
So if you log in and create your own account, you can actually save your searches.
And you save your searches and it makes them, you can vote on searches and see what popular
searches other people are doing.
Share them with other users.
So this is all just the background information about what Showdown is.
All that right there is a talk in itself that I just kind of put in the front here because
I don't want to talk so much about Showdown.
I want to talk about using it for penetration testing.
Excuse me.
I'm getting a drink of water.
So I want to talk about penetration testing and using Showdown for penetration testing,
what you can and can't do.
These are rhetorical questions.
And what I will do is I will, on the next slide, I'm going to play a white to black
question and I will continue them and where I think these questions would belong, I will
continue them.
Because we are going to come across all these circumstances in our results.
Is it acceptable under any circumstances to view the configuration of a device that requires
no authentication to view?
So if I click on one of those results and that takes me into a device that there was
no authentication required, is it okay for me to view that?
What about viewing the configuration of a device and it asked me for a username and
password but it took the default.
What about viewing the configuration of a device using a unique username and password?
Or what about changing the configuration of the device?
So this presumes that we have no authority to do any of this.
We are just playing around on the internet.
So the first one is viewing a configuration of a device, no authentication.
I think it's fairly white.
You got to the page, they probably didn't exactly want you to be there, but you didn't
provide any authentication so you're probably okay.
Yes?
That sounds good, but say you happen to have more knowledge and someone took away the authentication
that was there before and you didn't know that.
Still fair game?
I don't know.
I mean, just ask.
Maybe.
I don't know that there's a right answer.
It's a good question though.
What about using default username and password?
Now someone's trying to keep you out and they're stupid because they haven't changed the default
username and password but you're still bypassing authentication.
So I think you're starting to get gray in that area.
These are just my kind of general areas.
You can certainly move these around.
I think username and password getting pretty black now and changing the configuration of
a device that you don't have permission to use in the first place.
Yeah, I'm going to go to jail I think.
If you get caught.
Why did you put changing in the very end?
Because changing can happen anywhere in the middle.
Because it's a malicious action rather than actually just viewing the action.
Taking action and changing the action.
Right.
So all these previous options, presumably you're just viewing and you're not changing
anything.
Okay, so applications of Shodan for penetration testing.
So it does require some knowledge of banners and HTTP status codes which we'll talk about
briefly.
Banners will often advertise a service, a version of software they're running.
So if you know certain versions vulnerable to something, you've done some kind of vulnerability
analysis.
Some people spoof banners but it's fairly unlikely.
I talked to very few people who've actually done it on a regular basis.
So HTTP status codes, you know these.
I will review them very briefly because they will play important in filtering data out
for us.
The best answer that we can get is a 200 okay which means we can actually view the page.
300, 301, 302 are moved or found and it turns out that most of those will not be useful
for us.
And then the distinction between 401 and 403.
A 401 is typically a page that we cannot view unless we authenticate to.
So it will typically indicate the presence of a pop-up box.
And then 403 is a page for whatever reason we cannot view it.
There's no option to authenticate to view it.
So it's just we don't have that option.
So here are our assumptions.
A 200 okay, the page is going to load without any authentication required.
There might be a password and username request on that page but we're not going to get a
pop-up box.
301 and 302, talked about that.
A 401 unauthorized page will typically have a www authenticate line and that is going
to indicate a pop-up box.
And we talked about some banners who actually advertise the defaults.
The default username and password for this device is this and this.
That doesn't mean that those devices are actually using it but they're advertising it.
So this is one of the devices I found.
This is a Cisco 1812W switch.
This is the name of the device up here, CT198 whatever.
This is the HTML interface for Cisco switch that I just found on the internet.
And for those of you who are familiar with this interface, the numbers on the right there,
those are the levels of authentication.
So if you want like top access you go level 15.
When you click on level 15 then you should get like a username or password.
It's going to say, okay you need access to view this page.
You know, this should require some authentication.
Or it doesn't.
No authentication required for level 15 access so I can do whatever I want.
This is on the configure command.
So I can configure whatever.
And if you're not brushed up on your CCNA and you don't remember the commands, this nice
little HTML interface, like you see that you scroll down and they're all there.
All the commands are there.
So you don't even have to know what they are.
It tells you what they do.
What about execute commands?
No, no authentication.
I haven't put in any passwords at this point.
I'm just browsing.
Anything you want.
Execute commands.
Show running config.
Show CDP neighbors.
Whatever.
Change some routes.
Yeah.
Okay, so I ran a couple commands.
I just did show command so I didn't change any configurations.
Show running config and I, this goes down and I just cut it up and paste it up here.
And then I did show CDP neighbors over there.
So inevitably someone asks a question about this point.
Well, you know, people practicing for their CCNAs or people set up devices on their networks
that they're not really useful devices.
So some of these Cisco devices you're finding, that's what they are, right?
And it's very possible.
It turns out that when you do show CDP neighbors, you get a neighbor device of a Cisco, two
neighbor devices, Cisco 3745s.
And the device is named direction CN, CNC, VPN hub, etc.
Country code CN, everybody, China, right?
Everybody knows what CNC is.
China Netcom, like biggest ISP in China.
Oh no.
Sorry.
So the neighbor device to this device, the two neighbor devices to this device are China
Netcom, China ISP devices.
And this is not the ISP that I own.
But you see that it's a legitimate devices that are out there.
Okay.
So here's the case study.
And when I first did this infrastructure exploitation, I was like, that sounds kind of boring.
Because what does that really mean?
What it means is how to point an ISP.
So that's what I did.
Sort of.
Okay.
So I came across this device.
Cisco 3750 to switch.
3750B fiber R2-2.
And again, click on 15.
You know, you go right to 15.
Why not?
Yeah.
It's right there.
So I'm going through the commands.
I'm just looking at stuff.
Show IK route.
Show running config.
I just want to see what I can find out about this device.
And it turns out that this device was a little bit more important.
This was just not some random device on the Internet.
And here's the running config.
I think.
Yeah.
And I was definitely struck by a couple things.
Was the configuration change was like OTC.
It says OTC core.
I know you can't read that.
And then because it said fiber or something, I thought, well, that's pretty interesting.
So then I found all these VLANs in the configuration.
There's more than this, but these are the ones that I found.
So MGT, like management.
We set OTC, OTC net.
Building wireless.
Lab network.
Public backbone.
Hilton Convention Center.
Courtyard.
Marriott.
Cocoa.
Protected backbone.
Inside.
And PLS backbone and lots of other cool stuff like that.
So at this point, I'm pretty convinced this isn't somebody's CCNA practice device.
So here is the courtyard Marriott Cocoa Beach.
I don't know if you've ever stayed there.
It looks like a nice hotel.
I wonder who provides the Internet from them.
Well, certainly I have sort of figured it out.
You do.
So let's see what other nice places are connected to this Internet.
Cypress Fairway.
Private Residences in Florida.
Orlando.
What else?
Hilton Orlando Convention Center.
What else?
The Village at Lake Lily.
These places look really nice.
The Rosen Center Hotel.
So I did show CBP neighbors and took out this device.
The device ID, this is the one right here that we're actually looking at.
Or these are the devices next to it.
So we were looking at 3750B and it's Orlando Telecode out there.
How's the talk going, honey?
Perfect timing.
So it turns out that the 3750A also required no authentication and the 7606 was their core
router and that required no authentication at all either.
Yeah, it was bad.
So two of their core switches and their core router, no authentication at all into their
network.
So what could I do?
Anything.
You want to route their traffic to you and then send it right back to them?
Yeah, question.
I didn't even look, I literally, when I say 10 minutes, this was 10 minutes worth of looking
and I didn't go any further because I didn't want to, you know.
So what could you do?
Could you do pretty much anything you want with this ISP?
Yeah.
I mean you could own them.
You could own all their customers.
So here's Orlando Telephone Company.
Nice little page.
I love when you see these, so you go to pages and they have these like certified, you know,
or hacker safe or all that stuff.
Am I hackerproof.com?
Yeah.
So you go to these sites that have all these nice little logos that indicate like how safe
they are.
Well, that's cool.
I'm not.
So what do you do?
So this is what I found.
Two 3750 infrastructure switches and a 7606 router, VLAN IDs, SNMP, I mean pretty much
everything you'd want to own the ISP.
Now I didn't go any further than this, so I didn't technically own the ISP, but you
can see that.
I don't think I'm exaggerating the total.
So what do you do now?
I am not a software guy.
I don't find bugs and then say, hey, Microsoft, this software here, it's got a bug in it and
I don't do disclosure.
So that's disclosure.
I don't do that stuff.
So what do you do?
So disclosure is just for bugs, right?
Find bugs or you find out something wrong with the software.
You figure out, are you just going to release it, post it online, full disclosure, or are
you going to do like partial disclosure, are you going to talk to the vendor ahead of time
and say, I'm going to publish this in a week and after that you're on your own, or you're
just not going to talk about it at all.
So these are three quotes that are kind of going through my head at the time.
Number one, I don't really know what I'm doing because I don't do this stuff on a regular
basis.
So I'll show you the email, I send an email to the ISP and did you say you wanted to call
me?
And you want my address too.
So I looked up who is, and I found the guy who was the security contact or whatever and
I sent him an email and I'll read this email to you because you probably can't read it
and it says, good evening, to whom I concern, I was doing some rousing the other day and
I came across the following IP addresses that appear to allow unauthorized access to similar
companies and licenses, list the IP addresses.
Found that they were registered to you, I wanted to tell you, and I said just contact
me back to let you know that you got this email.
And I didn't go into details about how I found it, not because I thought I was doing anything
malicious because I certainly wasn't, I was really just looking.
So I sent an email.
And it is, I used my real email address.
And he said, I got an email back about maybe like the next day or within 24 hours and this
guy was like, holy shit, thank you.
That's like not exactly what he said, but that was like the crux of what he said.
And then that was like, can I call you?
So what's going through my mind?
The alarm's going off in my head.
Like I said, I don't do this.
What is the procedure for disclosure to an ISP that their devices are totally owned?
I don't know.
So this is what he wrote back to me.
We greatly appreciate your honesty.
These switches were new additions to our network, did not have the proper security applied.
We would like to extend our gratitude and appreciation in offering you a compensation
of $500.
Please contact me so we can arrange a spot.
Thank you.
So I called him up, I did, I'll admit it, I called him up and he basically wanted to
know how did I find it?
How did I find their devices?
And I told them that I didn't go into the whole showdown thing, but I did tell them
that I do research on banners.
I did it because I do.
And you know, it was just more of a needle in a haystack.
I just happened to find them.
And sad to report that despite actually sending him, I did send him my address.
And no, I have not gotten a legal anything in the mail, but I haven't gotten a paycheck
either, which is kind of annoying.
Although at this point, I'm not really, I don't think it's, you know, I'm not really
ready to call them back and be like, Hey, where's my 500 bucks?
Although it would be really nice.
I mean, 500 bucks.
Yeah.
And to check back, I did check back and within like two or three days they did, they either
whatever they did, they show off the web interfaces to the devices.
So you couldn't, I don't know if they password protecting them or not, but you couldn't get
them through, through the way I did.
So they did close them off.
And so this was trying to think when we look at the timeframe on this, because I do want
to talk a little bit about talking about it.
So this is April.
This is April of last year.
And I, so I gave, I gave us a version of this talk at the Sky Talks at DEF CON.
And yeah, Sky Talks at DEF CON is awesome.
And you probably don't know about it, but there's a, there's Sky Talks in the Sky Boxes
at DEF CON.
And unless you try to get in line, like an app, like they're packed, all the talks are
packed because they're awesome.
They're not recorded.
There's no slide.
There's no, it's kind of like, you want to talk about something, but not really put it
out there.
It's that's a great way to do it.
So I encourage you to look into that next year.
So I gave this talk at Sky Talks, but this, it wasn't recorded or anything.
So I didn't really put anything out publicly.
And then I gave this talk at, at B-Sides in Delaware.
It was the first time that I actually, which was last month or two months ago.
And that was the first time that I actually publicly talked about the company at all.
So I guess at this point, you know, they probably know who I am and they're like, I'm not going
to go pay this guy anymore.
Well, whatever.
I mean, there's lots more out there.
So you never got the money.
I never got the money.
It's in the records.
It's in the mail.
So I don't know what, I don't know what to do.
So and so to finish off the disclosure thing, well, how do you disclose it?
Do you, do you send out like at all email to all their customers and say your ISP screwed
you because how do you just, cause you're not going to, there's, it only affects, you
know, they're fairly, fairly small regional ISP.
It's not like they're going to, you know, you don't have to send it to everybody.
And there's no, is there any indication that any of their stuff has ever changed?
I have no idea.
So I had some conclusions up here, but really it's, I mean, what are, what conclusions can
you draw from this?
I mean, there's, there's a lot of interesting things you can do with SHODAN and it kind
of gets, you can see that you can very quickly get into some gray areas in terms of what
you can find and do.
You didn't say how it was searching and finding and stuff, did port scans, colors or what?
Oh yeah.
I've, I must have skipped over some slides because, so SHODAN works by using a, a custom
script that is more or less just ports.
I mean, it's, it's more or less a port scanner, just grabbing banners.
I haven't talked to John specifically about what he's using, but I mean, you could use
Nmap to do this.
You could use, right.
I mean, there's, there's a whole bunch of different things that you could do.
It's not, it's not very technically sophisticated to do any of this.
It's just somebody's done it for you.
So and I thought I had the slides in here, but apparently I took them out.
So I wanted to talk about the Cisco to what?
Yeah.
So I thought I had the slides in here and it looks like I took it out.
And the reason I wanted to talk about it is because it specifically involved these Cisco
devices.
Okay.
And obviously I took it out.
So it turns out that a Cisco device, a Cisco banner, so a Cisco device has a web interface
on it, the banner.
And so I didn't create Showdown, but I could, I think I can accurately claim to having found
this, this issue.
And that is that if there's two things that can be in a Cisco banner, one is a www authenticate
line, which indicates a pop-up box.
So you are required to authenticate.
There's another line in a Cisco banner that says last modified, which has a date, presumably
that the thing was last modified.
It turns out that these two lines are about 99% plus mutually exclusive.
So it turns out that if you can find a Cisco banner with the words last modified in, and
there are, I don't know, 7,000, chances are those devices require no authentication at
all.
And you can do that in five seconds.
I can do that right now.
You can do that right now.
As a matter of fact, why not, you know.
I'm not hooked up to the internet.
That's fine.
But yeah, I'm not, I'm actually not hooked up to the internet.
So I'm not going to do it.
But point being, you can, so if you go on to Shodan, the same search is on there, Cisco
last modified.
You'll find 7,000, 8,000 devices.
A lot of these will try to load up like the Cisco security device manager as soon as you
connect to them.
A fair number of them, probably a third of them will go right into that web interface
you found right there.
So that I showed you up there.
So really, like I think it's actually, while I don't know that it's necessarily a bug,
it is a, the banner itself is telling you that the device is vulnerable.
Because of what's included in the banner.
I'm actually going to do further research on this and I hope to talk about it at Shmukan
about using banners to actually identify vulnerable devices and how you can go after them based
on the banners themselves.
So yeah, I think the last time I checked there was 7,000 of these Cisco devices and they're
probably, probably 75% or more of them are vulnerable just because they're there.
Now again, some of these are, you know, whatever devices and there's one more thing I wanted
to talk about before I close my slides.
Stand by.
Don't believe it yet.
I'm trying to find something first.
Thanks.
Before I talk, before I take any questions, I want to talk about one thing.
Please.
Okay.
Some of you who know me know that about two months ago my son Andrew was killed in a car
accident in which one of the drivers in the accident was drunk.
And the only, I'm not asking for your money, but I'm asking that if you are interested
in doing this.
There's an organization called the Tony Hawk Foundation.
Many of you are familiar with who Tony Hawk is.
He's a skateboarder.
My son was a skateboarder.
And the Tony Hawk Foundation provides grants to communities to build skate parks.
And skate parks in my community were where my son hung out all the time.
So a lot of people in the community have already donated to the Tony Hawk Foundation in my
son's name.
So if that's something that you were inclined to do, I would appreciate it.
And that's it.
Also just to add one more thing, and I apologize for the political tangent.
I met with my state senator on Thursday.
So in the state of Maryland, many of you from Maryland, if you are driving a car and you're
drunk and you kill someone, the maximum sentence is five years.
Five years.
It turns out that most people get about six months.
So I'm working with my state senator to change the laws such that the sentences are greater
or something like that because I think it's kind of ridiculous.
So I will probably post something in the near future on Twitter because my state senator
is going to introduce a bill to change the law.
And I would appreciate if those of you who are in Maryland at the time, when I do post
that, can call up your state senator and urge them to support the changing of the law.
The maximum sentence in Maryland for DUI manslaughter is the second weakest one in the country.
So we're going to change that.
Yeah, I mean, a ton of things that you do in any state will get you more punishment
than you will for killing somebody when you're driving.
Okay, that's over.
Questions on show day?
Anything?
Yes?
Did you use Tor when you were surfing those?
Negative.
Just one straight tone.
You have bigger balls than I.
We are a society of litigation.
And ISP quickly could have turned around and just been like, hey, oh, that's very nice.
Thank you.
Stabbing you in the back.
You're right.
They could have.
You're very fortunate.
And it probably came out of the fact that I wasn't really looking for it in the first
place.
It was just like, hey, what's this?
Hey, what's this?
But you're right.
The question was, was I using Tor or anything?
I was not.
I just straight up from my home.
Risky, probably.
Any other questions?
You mentioned before, I think I heard you talk about there was Chinese routers and stuff
that were available.
Yeah.
I mean, they're all over.
What's the search thing for those?
Well, there's a couple different options.
I mean, you can just do the Cisco last modified search and just use the country code of China,
which will narrow down to China.
I'll give you another example of some devices I found.
I was doing a search.
So I was going after Cisco, Cisco, Cisco.
Like, OK, that's enough Cisco.
Who else is out there that's big?
Well, Huawei is probably number two in the world now.
So let's go after Huawei and see what we can find.
So I searched for Huawei devices and I found something called, I don't remember the name,
something 523.
And it turns out it was an IP phone.
Huawei IP phone.
The page, so the page, it allowed you to, it was a 200 OK to allow you to view the page,
but it asked for username and password.
So I was like, darn.
So I looked up one of those default password lists.
What's the default password for any random Cisco device?
And whatever it was, admin, whatever it was, I tried it and it worked.
It was the first thing I tried worked.
So now I understand that this is probably, we're probably crossing the line now here,
but the device was in Venezuela.
Turns out that there was a group of about 200 plus IP phones that belonged to some
government technology corporation in Venezuela.
And if you go to their homepage, it's like Kilo Chavez smiling on their page,
so they have some government connected corporation.
And when you authenticated with the default username and password,
it was the web interface for the phone.
So you need to change the ringtones or do whatever you want.
But one of the cool things was there was a feature where you could change the URL
where the firmware was being upgraded from.
So let's say you had your own rogue firmware to do something, whatever.
Boom, change it.
You just own the phone to do whatever you want.
And I'm going to use those examples and some other ones in my further research on
going after rogue countries or rogue people, rogue organizations or stuff like that.
But that was just one example.
Other things you can find, webcams just like Google.
I found this one webcam in, I think it was in Japan, and it was one of these pan and tilt ones.
So I'm at the web interface, and there's these three ladies that are like,
they must have been the most diligent employees in the world because they're just typing away.
And I'm up and down, back and forth, trying to get their attention.
Nothing, nothing.
And it turns out that the web interface had a, so you could take snapshots with a webcam,
and then there was a button for administration or setup or something like that.
And you could, again, you could do anything you wanted with the webcam in terms of, you know, you could own it.
So a lot of stuff out there that you can find.
What should Dan's only doing with those five or so ports right now?
Those are the main ones, and I think SNMP has been added to that,
as well as there's a lot of new HTTPS data, so full 43.
I don't know that there's been anything recent, but John has been willing to,
like people have made suggestions to add stuff, and he's willing to add it.
Initially, I think he said he was using his own home, whatever, ISP, to do it,
and now I guess he's doing everything to like some distributed cloud solution.
But he hasn't gotten any complaints from anybody, or you know, so a lot of people have asked that.
Very cool.
Any other questions?
Thank you very much. Enjoy your day.
Applause