With Shodan it's easy to get an overview of the security for a country. Real-world borders don't necessarily translate to the Internet but it can still reveal useful information as shown by OECD. I will show how I use Shodan to get a big picture view of a country; in this case I'm looking at the USA.

First, lets have a look at how SSL is deployed in the USA. I will start off by getting a breakdown of the SSL versions that are supported by web servers:

shodan stats --facets ssl.version country:US has_ssl:true HTTP

To do this I'm faceting on the ssl.version property which contains a list of SSL versions that the web server supports. This is possible because Shodan crawlers explicitly test for SSLv2 through TLSv1.2.

Unsurprisingly, the majority of the HTTPS servers are hosted by Akamai and Amazon. However, there's still a sizable chunk (600,000+) devices that support SSLv2 so lets look at those briefly:

shodan stats --facets org country:US ssl.version:sslv2 HTTP

Here I'm faceting on the org (organization) property and filtering for web servers that support SSLv2. This doesn't mean that they only accept SSLv2 connections but it is one of the versions the service supports.

Around 25% of the services that support SSLv2 are operating on CenturyLink's network. Just looking at the results it seems like some of CenturyLink's modems are the reason for their #1 spot on the list. Their numbers are significantly higher than the next provider but I'm hoping these numbers will decline as CenturyLink phases out their older equipment.

The Shodan crawls also check for the various SSL vulnerabilities such as Heartbleed and FREAK so lets see how the US fares for those. For Heartbleed there are at least ~30,000 devices in the US still vulnerable to it.

Interestingly, Verizon Wireless is the network with the most services vulnerable to Heartbleed. The runner-up, Amazon, is less surprising since it's not unusual for people to deploy old images that haven't yet been patched (or lack protection). There are 2 types of devices operated by Verizon Wireless that are affected:

1. Wireless routers that run on the alternate HTTPS port 8443 and are made by CradlePoint Technology.

2. Digital billboards made by Watchfire Signs that run a web server on port 9443.

I have not heard of these products before but this explains why Verizon Wireless has the most devices affected by Heartbleed - I wouldn't have expected many regular web servers to operate on their network. The same analysis can be performed by looking at services that support export ciphers (CVE-2015-0204) which I will leave as an exercise.

Finally, lets look at the distribution of SSL certificates. It usually isn't a good sign if the same SSL certificate is deployed across a large number of devices. To see the usage of duplicate SSL certificates we can facet on the ssl.cert.fingerprint property:

shodan stats --facets ssl.cert.fingerprint country:us has_ssl:true http

The results of the command will give us the 10 most common SSL certificate fingerprints:

If you want to get more than 10 you can also provide a number to the facet. For example, this is how to get the top 100 SSL fingerprints:

shodan stats --facets ssl.cert.fingerprint:100 country:us has_ssl:true http

The most common SSL certificate is for what looks like Google's CDN on IPv6. However, the 2nd most often seen SSL certificate is for Ecommerce Corporation which is a familiar company if you've read some of my earlier articles on defaced websites. While we're looking at duplicate fingerprints, what about SSH fingerprints?

shodan stats --facets ssh.fingerprint country:us

The most common duplicate SSH fingerprint in the US belongs to GoDaddy. Looking at those results will require another blog post but the above is how I usually get started when trying to identify systemic problems.

Here is a short video that shows how I've done a similar analysis for Germany:

SSL is only one of many aspects that should be looked at and I will be discussing some other angles in future posts. I hope I've given you a better idea of how I use Shodan to breakdown SSL issues on a national level.

Dell has been hit with 2 security issues the past few days. I wanted to quickly summarize my findings from an external network perspective:

1. Laptops come pre-installed with a root certificate

https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html

The root certificate is issued by eDellRoot. Initially, the story mentioned just one certificate but it quickly became clear that there was a 2nd certificate that can be found on live web servers using Shodan with the search query:

ssl:eDellRoot

At the moment, the search returns 28 results that are located mostly in the US with a few in Switzerland, Canada, Singapore and Malaysia:

Even though there are very few results, at least one of them has turned out to be a control system. This isn't a big surprise since there are millions of control systems connected to the Internet but it's a good reminder that the Internet has much more than just web servers.

Dell has issued a statement explaining the existence of the root certificate and released a tool/ instructions on how to remove it.

2. Webserver runs on port 7779 that provides unauthenticated access to the Dell service tag

http://www.theregister.co.uk/2015/11/25/dellbackdoorpart_two/

There are ~12,800 webservers on the Internet running on port 7779. Out of those, roughly ~2,300 are running software that looks like it's from a Dell computer:

I wrote a quick script to grab the service tags from those IPs and was able to collect ~1,000 service tags. The other 1,300 devices didn't respond in time or otherwise errored out when trying to query the information. Of course, much of the threat is the ability to execute Javascript to gather the information from localhost but I wanted to get a sense of how many are Internet-connected. I've also added port 7779 to Shodan so it will be possible to keep track of how the issue gets resolved over time.

I've made some improvements to the way SSL is indexed and added 2 new filters:

1. ssl
   Search all SSL-related information that Shodan collects.
   Example: ssl:Google
2. has_ssl
   Boolean filter to only show results/ banners that contain SSL information.

There was also a bug in how the SSL serial numbers were indexed so after that got patched I kept an eye on the results. To do so I used the command-line interface and faceted on the ssl.cert.serial property to get a list of the most popular SSL serial numbers:

The top 5 SSL serial numbers are:

1. 15264109253415148488
2. 17803741903183845083
3. 0
4. 40564819207326832829647457238321
5. 295

I wasn't sure what to expect so lets take a look at what the most popular SSL serial on the Internet is used by:

There are more than a million devices that use the serial number 15264109253415148488 and none of them return a banner. They're all self-signed certificates that are running a service on port 443 but otherwise aren't responding to HTTP requests. Hmmm, ok well what about the 2nd most popular serial number?

Once again a huge amount of devices are responding on port 443 and not providing any banners but this time for Motorola Mobility devices. In both instances the devices are located on AT&T's network, and based on the netblock ownership the IPs are being used for U-verse. I started searching for more information about these certificates and eventually found an answer:

Apparently, AT&T is running a service on port 443 to manage their wireless set top boxes. I don't have any way to verify those claims but they seem plausible. If nothing else it's now very easy to see how many of AT&T's users purchased their wireless Internet package (~2 million households).