CISC205 – Project 9

Part 1: SQL Injection

Log into https://tryhackme.com/room/sqlilab
If you don’t have a logon, you can create a free account. There are 10 tasks to complete the lab.
Each lab will have one or more ‘flags’ that you have to answer. Try to get through as many as
you can this week. At the end of the week, screenshot the lab tasks showing how many you
completed (each successful task will show a checkmark).
CISC205 – Project 9

Part 2: Shodan Search

Warning: Do not attempt to login to any device you find on the Shodan search engine. Doing so
violates your ethical hacking agreement.

In this lab, you will use the Shodan search engine to gain an understanding of why security
should be the focus of any IoT implementation.

Shodan has servers located around the world that continually crawl the Internet looking for
connected devices. It can find specific devices and device types. This data can then be searched.
Some of the more popular searches include terms such as "webcam", "default passwords",
"routers", "video games," and more.

Shodan is a favorite tool used by researchers, security professionals, large enterprises, and
computer emergency response teams (CERTs).

 Researchers can use Shodan to data mine information about what devices are
connected, where they are connected, and what services are exposed.
 Security professionals can use Shodan as part of a penetration testing plan to discover
devices that need to be hardened to prevent potential attacks.
 Large enterprises employ security professionals who should be aware of tools like
Shodan for determining the current risk profile of the enterprise’s connected devices.
 CERTs can use Shodan to quickly generate reports about an emerging attack on
connected devices.

Shodan is also a tool used by nefarious individuals and groups commonly referred to as
threat actors. Shodan can accelerate a threat actor’s reconnaissance of Internet
connected devices. Like all the tools in this course, you must use it responsibly according
to your organization’s ethical hacking policies.

Required Resources

 Device with Internet access.

Obtain Access to Shodan’s Free Features

In this part of the lab, you will navigate to the Shodan search engine and sign up for an account.

1. Open a web browser and navigate to the Shodan website at https://www.shodan.io/.

2. Create an account in one of two ways:
a. If you click Create a Free Account, you will be directed to a page where you can
fill in a form to create an account on Shodan.
CISC205 – Project 9

b. If you click Login or Register, you will be directed to a page where you can sign in
with one of several other accounts that you may have, including Google or
Facebook.
c. After successfully logging in, you will see your account page, as shown below.
Click the Shodan link to return to the homepage.

_______________

Part 2: Investigate Connected IoT Devices

In this part, you will gain familiarity with using Shodan’s features to search for Internet-
connected devices.

Step 1: Use the basic features of the Shodan search engine.

From the main page, you can type keywords in the search field to get a list of results.

1. Type cisco as the keyword and press Enter. How many results did you get for your
search? 4,988,628

Note: Not every device that is found by Shodan is insecure. Shodan simply finds devices
that are accessible from the Internet according to a set of search criteria.

2. Look at other information on the left side of the web page. Your search result is broken
down into various categories. Each entry in a category is a clickable link that will refine
your search.

How many results, if any, are there for the Windows XP operating system? zero
CISC205 – Project 9

3. Although Microsoft stopped supporting Windows XP in April 2014, it continues to

release patches for it because there are so many end devices still using the operating
system. Use an Internet search to discover the well-known 2017 cyberattack that
targeted older Windows operating systems.

What was the attack called, what did it target, and what did it do?

The 2017 cyberattack is known as the WannaCry ransomware attack. This attack
specifically targeted older Windows operating systems, including Windows XP, that had
not been updated with critical security patches.

WannaCry exploited a vulnerability in the Windows Server Message Block (SMB)

protocol, specifically a flaw called EternalBlue. EternalBlue is an exploit originally
developed by the NSA and leaked by a hacker group called the Shadow Brokers. Once
WannaCry infected a system, it encrypted the user's files and made them inaccessible.
The ransomware then displayed a message demanding a payment in Bitcoin to decrypt
the files, effectively holding the data hostage.

From your research, you should have noted that this attack targeted unpatched
systems. Prior to the attack, Microsoft had released patches that addressed the
vulnerabilities. The systems that were affected by the attack were ones that had not
downloaded and applied the patches. Unpatched software is a primary attack vector for
threat actors. Any connected device is vulnerable to this type of attack. In the IoT
landscape, patching devices becomes even more important as tools such as Shodan can
quickly reveal your device’s information, including potential vulnerabilities, to the world.

Note: Not all devices discovered by Shodan are vulnerable. Shodan results consist of
Internet-connected devices and information about those devices. This information may
or may not reveal potential vulnerabilities.

4. On the right side, the main section of your search shows the devices that match your
search. Find an entry that looks interesting to you and fill in the information below.

IP address: 97.68.32.222

Hostname: syn-097-068-032-222.biz.spectrum.com

ISP: Charter Communications, Inc

Date the entry was added: 2024-11-02

Country: United States

CISC205 – Project 9

Your entry will also show some banner information. You may see the beginnings of an SSH
banner or an HTTP banner. Click Details for more information about your entry. You should see
several open ports. If not, try a different entry. List the information you found below.

City and Country: Ormond Beach,United States

Ports open: 22, 2002, 4002, 6002, 9002

Services running: Cisco telnetd, ssh, tcp

Key types: ssh-rsa

5. Return to the Shodan homepage and click Explore. What are some of the Top Voted
results? Webcam, cams, netcam, default password, ufanet. dreambox

One of the Top Voted results for you may have been default password. If so, click
default password to see the results. If not, in the search field, type the keywords
“default password,” with the quotes, and press Enter. You will see several results that
show default passwords embedded in the banners for devices. Hopefully, the owners of
these devices have changed the default password. However, this highlights how easy it
can be to login to a device if appropriate security measures are not implemented.

Warning: Do not attempt to login to any device you find on the Shodan search engine.
Doing so violates your ethical hacking agreement.

6. In the search field, type the keyword “webcam” with the quotes and press Enter. What
is your count for Total Results? 12519
CISC205 – Project 9

7. In the search field, type the keyword “refrigerator” with the quotes and press Enter.
What is your count for Total Results? 33

Use keywords together with search operators to filter your search.

You may have noticed that you can only get two pages of results with your free account access.
However, even with a paid account you would not want to click through the pages that list
thousands or millions of results. Instead, you can combine keywords and search operators to
filter your results.

Shodan searches for the services running on a device. It then collects banner information for
each service. For example, here is the banner information for the SNMP service running on a
Cisco device found with the Shodan search:

Cisco Internetwork Operating System Software

IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(23)BC10, RELEASE SOFTWARE
CISC205 – Project 9

(fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by cisco Systems, Inc.

A search for just "cisco" most likely reveals one to two million results for you. That information
may be helpful to you. However, if you are interested in more specific information, you will
want to filter your search using filter names and values from the banner information.

For example, if you are interested in seeing how many Cisco 7200 routers in the United States
are running the SNMP service, you would enter the following search phrase.

country:US product:"Cisco 7200 Router" port:161

Note: Shodan searches use the two letter (alpha-2) country code based on the International
Standards Organization’s 3166 publication (ISO 3166-1993).

Create your own searches to find the following:

1. Minecraft is a popular video game where players can set up their own servers for others
to access online. Use an Internet search to find the following information.

What is the common port number used by Minecraft servers? 25565

What is the ISO 3166 alpha-2 code for South Africa? ZA

What Shodan search phrase can you use to discover how many Minecraft servers are
currently online in South Africa? country:ZA port:25565

How many Minecraft servers are currently online in South Africa? 881
CISC205 – Project 9

2. Moxa is a supplier of devices that connect industrial equipment to the Internet. How
many Moxa devices are running the Telnet service in Brazil?

Search phrase: country:BR product:"Moxa" port:23

Total results: 28

3. Use an Internet search or review Shodan help pages and tutorials to discover how you
can filter your searches based on a range of IP addresses.
4. Mr. Robot is an American drama television series that chronicles the adventures of a
cybersecurity engineer. In the series, the protagonist uses the Shodan search engine to
research a fictional corporation. Use an Internet search to find the search string that
was used to discover E Corp’s web server.

What string was used? org:"E-Corp"

Does the string work on the Shodan search engine? NO

What IP address was returned by the search? -----
What is the URL for the IP address? -----

5. There are many home devices connected and controlled using IoT. Apply the methods
previously used to search for “garage door” in the state of Michigan in the United
States. What was the search string you used?
CISC205 – Project 9

How many results were returned? 5

What was the top city listed with the most connected garage doors? Barton Hills

What are the potential risks of someone having access to this information?

Unauthorized gaining of access to garage door systems is very dangerous since hackers
can easily open the garage door remotely and get access to the property without
permission. In addition to this, some garage door openers come with cameras or
sensors, which may be used to carry out surveillance whereby unauthorized individuals
will check on the on-goings of a place. In addition, since garage door devices are often
exposed, they can easily be compromised by network attackers for them to get access
to other home network devices hence increasing the extent of security breaches and the
vulnerability the entire system consists of.

6. You can check to see if your IP address has any vulnerabilities by using the Internet of
Things Scanner at the following address: https://iotscanner.azurewebsites.net/ Click
Check if I am on Shodan to allow the “Internet of Things Scanner” to scan your IP
address. This process may take some time to complete.
CISC205 – Project 9