This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Using Shodan to Measure The Security of the Internet

Shodan is a search engine for potentially vulnerable computer systems, based upon header information.

It allows you to perform a lot of neat tricks, such as see what your organization's public footprint looks like, as well as your competitors.  You can use it to find interesting devices such as routers, webcams, printers, etc.

I performed the following searches to see just how many glaringly obvious vulnerable systems are exposed to the internet.

First search: "IIS/5.0".  This search will produce systems which are running Windows 2000 with an IIS web server.  Of course Windows 2000 and IIS 5.0 are no longer supported by Microsoft, and multiple vulnerabilities are publicly known.

So needless to say, I was quite disturbed when I found half a million exposed IIS/5.0 webservers.

IIS 5.0 on Windows 2000
Surely no one would be running a version of Windows older than Win 2000, and connect it to the Internet, right?




I decided to try my luck and search for even older versions of IIS.  And while the numbers weren't as severe as the IIS/5.0 numbers, the number of extremely vulnerable web servers out there is shocking.

IIS 4.0 on Windows NT 4.0
IIS 3.0 on Windows NT 4.0 SP2+
IIS 2.0 on Windows NT 4.0 with Service Pack less than 2.0
Surely no one would be running a server with less than NT 4.0?

Well, maybe they are.  In fact, there's almost 1,000 of them...

IIS 1.0 on Windows NT 3.51, Unsupported as of December 2001
If you look at the first entry on the list, you'll see that I'm not the first person to look for IIS 1.0 instances with Shodan. Someone actually hacked the first system on the list, and altered its HTTP header information to inform you the system was already compromised.

Every one of these systems is a potential botnet drone just waiting for infection, if they haven't been compromised already.

If you're not concerned, you should be.  These servers are your "neighbors" on the Internet. Once they are compromised, they can be used to attack your organization.

According to Netcraft, in May 2013 there were over 672 million web sites on the Internet.  So while the number of unsupported Microsoft web servers is less than 1% of the Internet, these are still alarming numbers.

If these results are any indication of just how vulnerable the internet is, we've got a long way to go to properly secure it.

No comments:

Post a Comment