One of the problems of being a white-hat hacker is that we scare ourselves. Such is the case with the "Shodan" engine that was released last month. It's a simple idea, one that has been discussed before: it scans the Internet for likely web server ports and indexes the HTTP headers that come back. Now that somebody has actually done it, and we can play with it, we find it's a lot scarier than we had imagined.
What this means is that instead of finding an exploit that works on a target system, you can grab any exploit and then find a system vulnerable to it.
Every white-hat hacker has some specialized skills. For example, Errata Security does a lot of pentests of IBM AS/400 System i Series mainframes. These systems are easily hacked precisely because few people have experience hacking them. We have a 100% success rate of breaking into them using the simplest means, and we have some more advanced exploits for getting into hardened ones.
With Shodan, we can find an AS/400 in seconds that is vulnerable to being hacked. For example, let's say that I want to find a system in China to hack. I type in "IBM-HTTP-Server Country:CN" ("IBM-HTTP-Server" is the Server header string for the AS/400 web server). I get a list of systems in response, shown in the picture below:
If I telnet to the fifth IP address in that list, I get the following window:
At this point, I can *probably* hack into the system. I don't know for certain it's vulnerable, because I'm not going to try (unless the cyberwar with China heats up), but I'd bet money I could do it.
As I mentioned at the start of this post, this scares me. Just as there is an absurdly simple way of finding systems vulnerable to SQL injection, it's absurdly simple to find AS/400s that I can hack. I can dust off an old Apache or IIS exploit and, within seconds, get a list of systems that are vulnerable to that exploit. If I can find systems to hack this easily, thousands of hackers can do likewise.
Shodan is just one example of cloud pentesting. At some point, somebody will nmap and SNMP-scan the entire Internet and put the results in a database, making it even easier to match exploits to targets.
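To make the index-and-query model concrete, here is an added example (not Shodan's code, nor anything from Errata Security) that builds a small banner index from captured HTTP responses and evaluates the same "product Country:CC" query syntax used above. The six responses, their IP addresses (documentation ranges) and country tags are constructed sample data; a real crawler would get the country from a GeoIP lookup. The same index, run by a defender over their own address space, answers the question that matters before an outsider asks it: which of our hosts advertise which Server banner, and which disclose a version at all.

```python
"""
Shodan-style banner index: parse HTTP response heads, index the Server
header per host, and answer queries like 'IBM-HTTP-Server Country:CN'.

Added example, not Shodan's or Errata Security's code. All responses,
IPs and country tags below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: what a banner grab ("HEAD / HTTP/1.0") might return
# from a handful of hosts, as (ip, country, raw response).
SAMPLE_RESPONSES = [
    ("192.0.2.10", "CN",
     b"HTTP/1.1 200 OK\r\nServer: IBM-HTTP-Server/1.0\r\n"
     b"Content-Type: text/html\r\n\r\n<html>...</html>"),
    ("192.0.2.11", "US",
     b"HTTP/1.1 401 Unauthorized\r\nServer: IBM-HTTP-Server\r\n"
     b"WWW-Authenticate: Basic realm=\"AS400\"\r\n\r\n"),
    ("198.51.100.5", "CN",
     b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n"),
    ("198.51.100.6", "CN",
     b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n\r\n"),
    ("203.0.113.7", "DE",                      # lower-case header name
     b"HTTP/1.1 200 OK\r\nserver: nginx\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.8", "US",                      # banner suppressed entirely
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]


@dataclass
class HostRecord:
    ip: str
    country: str
    status: str
    headers: Dict[str, str]

    @property
    def server(self) -> str:
        return self.headers.get("server", "")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split the response head into (status line, headers).
    Header names are lower-cased; the first occurrence of a name wins.
    Lines without a colon are skipped rather than aborting the parse,
    since odd servers emit odd things."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def build_index(responses) -> List[HostRecord]:
    """One record per host, in the order the responses were collected."""
    index: List[HostRecord] = []
    for ip, country, raw in responses:
        status, headers = parse_response(raw)
        index.append(HostRecord(ip, country, status, headers))
    return index


def query(index: List[HostRecord], q: str) -> List[str]:
    """Evaluate 'IBM-HTTP-Server Country:CN'-style queries.
    Bare terms are case-insensitive substrings of the Server header;
    'Country:CC' restricts to that country. Every term must match."""
    terms: List[str] = []
    country = None
    for tok in q.split():
        if tok.lower().startswith("country:"):
            country = tok.split(":", 1)[1].upper()
        else:
            terms.append(tok.lower())
    hits = []
    for rec in index:
        if country and rec.country != country:
            continue
        banner = rec.server.lower()
        if all(t in banner for t in terms):
            hits.append(rec.ip)
    return hits


def exposure_report(index: List[HostRecord]) -> Dict[str, List[str]]:
    """Defender's view of the same data: hosts grouped by the exact banner
    they expose, so a product/version that should not be public stands out."""
    report: Dict[str, List[str]] = {}
    for rec in index:
        key = rec.server or "(no Server header)"
        report.setdefault(key, []).append(rec.ip)
    return report


if __name__ == "__main__":
    idx = build_index(SAMPLE_RESPONSES)
    print(query(idx, "IBM-HTTP-Server Country:CN"))
    for banner, ips in exposure_report(idx).items():
        print(f"{banner:28s} {', '.join(ips)}")
```

The query function is deliberately forgiving (case-insensitive, substring match) because that is what makes a header index so effective: a single product string pulls up every host running it, regardless of version formatting. The exposure report is the flip side; run over an organization's own ranges it shows which hosts still announce a version string and which have suppressed the banner.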
Right now at Errata Security, we have the policy that the moment it looks like we'll get a company as a client, we go into "hands off" mode. We cannot port scan them, we cannot let our fingers "accidentally" slip and enter a quote ' in a web form, we cannot even traceroute to their servers. We know of too many cases where bad things have happened during sales negotiations because consultants jumped the gun and started their scans early. The basic reason is that pentests feel like hacking, so the client wants to be 100% in control and know everything the pentester is doing. Finding out the pentester was off doing stuff outside of their control usually gets the pentester fired.
However, with cloud pentesting, we don't have to scan the potential client. We can instead simply ask the cloud system "what do you know about that client already?". This brings me to the ethical question: can we ask Shodan about a potential client while negotiating to do a pentest for them? I'm not sure what would happen when we are talking to the potential customer and they say "we don't use Microsoft for web services" and you respond with "actually, you have four older IIS/4.0 servers on your DMZ". I suspect that I will have to add this to our ethical guidelines.