Tuesday, November 19, 2019

i0t-pr0be - IoT Device Search & Default Credential Scanner

A Python 3 script to automate search via Shodan, save IoT device query results and also scan for their respective default credentials.


The script utilizes two main APIs; Shodan & Python Selenium.

Shodan
Shodan membership allows you to get 100 query credits that resets every month while for the API plans it can range from thousands  up to unlimited.

How shodan query credits work
Search query without any filters and 1st page of results no query credit used
Search query with a filter e.g product:mongodb 1 query credit
Search query requesting only the 3rd page: 1 query credit
1st-5th page search query results: 4 query credits
More about Shodan credits: Shodan Credits Explained

Python Selenium
This library is used to scrap and authenticate web forms. I chose it over conventional libraries like Beautiful Soup and Scrapy because Selenium was developed to automate browser automation hence easy to be mimic a real user scenario by handling mouse and keyboard events.

Selenium has an optional headless feature which hides the GUI making it easy to implement console scripts but the GUI really does help in debugging and sorting out errors during program development.

One main disadvantage of Selenium is; it's slow. This is because selenium drivers are not 'thread-safe' hence hard to create task queues and threads. ...'But this is life on earth, you can't have everything.'

Installation 
The script needs a WebDriver for the selenium library. I used Firefox WebDriver for this script.

Download WebDriver from https://github.com/mozilla/geckodriver/releases depending on your Linux architecture then extract the file to the /usr/bin/ directory.

Do the git thing:
git clone https://github.com/e13olf/i0t-pr0be.git
cd i0t-pr0be
pip3 install -r requirements.txt 
chmod +x i0t-pr0be.py
./i0t-pr0be.py -h
./i0t-pr0be.py -s <search-term> -a <api-key>

Note
There are many ways to find devices on Shodan. Usually, using the name of the manufacturer or the server name which is the most effective because Shodan query results will output the IP and the corresponding web port.

Unfortunately most devices do not have server names indexed, so when searching you'll have to add the web server port filter e.g D-Link port:"80" This will use 1 extra query credit but the results will have the IP and web server port needed for later credential scanning.

Shodan also  indexes information in the banner but not the content, this means that if the manufacturer puts its name in the banner, you can easily search by it. If they don't then no results from your search query.

Nowadays most IoT firmware require password creation during first login but you can still find some old firmware that still accept default credentials.



References
https://danielmiessler.com/study/shodan
https://www.ispyconnect.com/userguide-default-passwords.aspx
https://ipvm.com/reports/ip-cameras-default-passwords-directory
http://www.critifence.com/default-password-database/
https://192-168-1-1ip.mobi/default-router-passwords-list/
https://selenium-python.readthedocs.io

1 comment:

  1. Thanks for such a great article here. I was searching for something like this for quite a long time and at last I’ve found it on your blog Visit Germany VPS Hosting

    ReplyDelete