Friday, January 8, 2016

Gnome in Your Home Part Three: Hunting Gnomes with Shodan

Part Three of the SANS Holiday Hack challenges is best solved using Shodan: a search engine for Internet-connected devices.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Three: Internet-Wide Scavenger Hunt


Challenges:
  1. What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?
  2. Where is each SuperGnome located geographically?
Useful tools: Shodan, Burp Proxy

Summary: Using Shodan and a unique HTTP header found on the first SuperGnome, finding all five is a snap.

The packet capture file from Part 1 gave us an IP address for a "DNS server" that doubled as a command-and-control server for the gnomes, so right off the bat that seemed a good place to start. Tom Hessman's avatar confirmed that it was in scope, so I ran a quick nmap scan against 52.2.229.189 and found only one open port - TCP port 80 (i.e. HTTP, a basic, unencrypted web server).

nmap 52.2.229.189
Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-26 21:42 UTC
Nmap scan report for ec2-52-2-229-189.compute-1.amazonaws.com (52.2.229.189)
Host is up (0.079s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
4242/tcp closed vrml-multi-use
5555/tcp closed freeciv

Pointing my web browser to that address, I find the first SuperGnome:

The first SuperGnome

As luck would have it, the username and password ("admin" / "SittingOnAShelf") discovered in Part 2 allow me to log into the SuperGnome. After poking around, I find that the Files View allows the logged-in administrator to download several files including gnome.conf (the "flag" requested by the next set of challenges), a zipped pcap, and several photographs - but nothing to clue me in to the other SuperGnome IP addresses.

Ah, but there is another tool at my disposal. Shodan is perhaps a security researcher's best friend: where Google and Bing are search engines for websites, Shodan is a search engine for Internet-connected devices. A basic account is free; an upgraded account normally costs $49 for a lifetime membership, but this Thanksgiving they had a Black Friday promotion, offering a lifetime membership for $5.

Shodan records HTTP "headers" - information sent back and forth between your web browser and a web site that helps the two work together. Headers specify the website name (since more than one site may be hosted at the same IP address - think of how many blogs are hosted by Google's Blogger platform, for example); the preferred language; the type and version of the web browser; the types of content that are acceptable; and various other settings. These headers are typically handled in the background and never seen by the end user - but they can be seen in a proxy such as Burp.

Using Burp Proxy, I see an unusual header - one that is likely to be unique to the Holiday Hack SuperGnomes:

X-Powered-By: GIYH::SuperGnome by AtnasCorp

A quick search for "giyh" immediately reveals all five SuperGnomes:

Shodan quickly reveals every SuperGnome on the Internet, easily pinpointing it's geographic location.

  1. What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?

    and

  2. Where is each SuperGnome located geographically?

    SG1: 52.2.229.189 (Ashburn, VA, United States)
    SG2: 52.34.3.80 (Boardman, OR, United States)
    SG3: 52.64.191.71 (Sydney, Australia)
    SG4: 52.192.152.132 (Tokyo, Japan)
    SG5: 54.233.105.81 (Brazil)
Update January 11:

After posting this, a reader pointed out another search engine focused on Internet of Things devices: Censys. I have not spent much time on the site, but it does identify the GiYH gnomes in much the same way as Shodan:

Censys gives slightly more detailed genlocation data on the IP addresses: where Shodan simply reports that 54.233.105.81 is in Brazil, Censys reports the location to be São Paulo, Sao Paulo, Brazil. Curiously, Censys reports SG3 to be in Seattle, Washington, whereas Censys reports that it is in Sydney Australia. I tend to believe Shodan in this case - I suspect Censys reported the location of the company that owns the address (i.e., Amazon, which is in fact based in Seattle), while Shodan correctly located the data center in Australia.

Regardless, there is an up-and-coming alternative to Shodan that might be useful in some cases.