-2

I would like to know how security researchers and hackers scan the internet to find vulnerable devices. For example, in this article here, what sort of requests/packets are those researchers sending to find the backdoored routers?

Likewise with the Heartbleed vulnerability: many hackers and security researchers scanned the internet to find vulnerable servers. How was this done, and how did it work?

To expand on this, I have also read about people/companies finding millions of vulnerable servers due to a certain vulnerability by scanning the entire IPv4 address space. What type/genre of exploit do hackers use to exploit devices by scanning the internet (examples of old, obsolete exploits would help)? (Technical answers in detail are what I am looking for.)

schroeder
J.Paddock
  • Far too broad for a useful answer here. Stick with a single question, and you might get more useful answers – Matthew Jun 17 '16 at 13:15
  • I don't think it is terribly too broad. I think the OP just wants a high-level overview of how this is done. – Mark Stewart Jun 17 '16 at 14:20
  • @MarkStewart That doesn't fit with the "technical answers in detail" line - a high-level overview is fine. – Matthew Jun 17 '16 at 15:21
  • @Matthew The problem with questions which you know nothing about is you sometimes ask for too much detail, or ask the question in the wrong way. I think it's perfectly valid to read between the lines and re-interpret the question in a more informed way. – Steve Sether Jun 17 '16 at 15:33
  • I think the answer by @TheIriekid was a good answer to a broad question and covered the main points the OP wanted; but yes, wanting a full discourse is out of scope. – Mark Stewart Jun 17 '16 at 16:21
  • It looks like your real question is, "how does one scan the entire Internet?" Is that accurate? – schroeder Jun 18 '16 at 10:04
  • I would scan the internet using a program called masscan. https://github.com/robertdavidgraham/masscan – Joe Jun 18 '16 at 19:58

2 Answers

4

Simply put, this is done using the banner-grabbing technique over specific popular service TCP/IP ports such as 80, 8080, 9100, 21, etc.

Basically a host will use a piece of software such as netcat or telnet to scan a specific range of IP addresses.

A popular website which facilitates this is https://www.shodan.io. They basically have a back-end system doing the banner grabbing globally based on your keyword. For example, if you enter any published banner value of a device, such as a Kyocera printer's model number "8001", you'll get the results of all "open port" Kyocera devices which are accessible on the internet or local LAN and have 8001 in their banner.

You can basically grab that public or private IP address and install an instance of that printer on your computer and cause havoc.

Network Admins: Please! Please!!!!! Lock down your bombo rass Clare network and any unused service ports. Use port masked forwarding or virtual servers if you must assign a device's public IP address.

TheIriekid
  • The number of unprotected software on Shodan is truly baffling, and an illustration of why the population isn't ready for the Internet of Things (be it manufacturers or end users). – MadWard Jun 17 '16 at 15:02
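What the answer above calls banner grabbing, as an added example that is not part of TheIriekid's answer: connect to one of the ports it names (80, 8080, 21, 9100), send the minimal probe that makes that service identify itself (HTTP has to be asked; FTP and raw-printer ports greet you unprompted), and reduce the reply to the string an index like Shodan would key on. The `fake_service` helper, the banner bytes and all function names are constructed for this example so it runs offline against loopback instead of a real host.

```python
import socket
import threading

# Probes for the ports the answer names. HTTP servers stay silent until asked,
# so they get a request; FTP servers and most port-9100 printers speak first,
# so an empty probe just waits for the greeting.
PROBES = {
    80:   b"HEAD / HTTP/1.0\r\n\r\n",
    8080: b"HEAD / HTTP/1.0\r\n\r\n",
    21:   b"",
    9100: b"",
}


def grab_banner(host, port, timeout=2.0):
    """Connect, send the port's probe (if any), return the first 1 KiB, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if PROBES.get(port):
                s.sendall(PROBES[port])
            return s.recv(1024)
    except OSError:                     # refused, filtered, or timed out
        return None


def summarize(raw):
    """Reduce a raw banner to the (service, identifier) a scanner would index on."""
    text = raw.decode("latin-1", "replace")
    first, _, rest = text.partition("\r\n")
    if first.startswith("HTTP/"):
        for line in rest.split("\r\n"):
            if line.lower().startswith("server:"):
                return "http", line.split(":", 1)[1].strip()
        return "http", first            # no Server header: keep the status line
    if first[:3].isdigit() and first[3:4] in (" ", "-"):
        return "ftp", first             # FTP greeting looks like "220 <software> ready"
    return "raw", first.strip()


def scan(host, ports=PROBES):
    """Banner-grab each port on one host; return {port: (service, id)} for open ports."""
    found = {}
    for port in ports:
        raw = grab_banner(host, port)
        if raw:
            found[port] = summarize(raw)
    return found


def fake_service(banner):
    """Constructed stand-in for an internet host: serve `banner` once on loopback
    and return the ephemeral port, so the grabber can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed FTP greeting standing in for a real device on port 21.
    port = fake_service(b"220 ProFTPD 1.3.5 Server ready\r\n")
    print(port, summarize(grab_banner("127.0.0.1", port)))
```

`grab_banner` is the programmatic equivalent of the netcat/telnet session the answer mentions; `scan` runs it over the port list for one host, and the address loop in the other answer is what turns it into an internet-wide sweep. Note the `latin-1` decode: banners from embedded devices are frequently not valid UTF-8, and a scanner that crashes on the first odd byte never gets far.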
0

First, they use cloud compute like Amazon AWS for fast internet. Second, all IPs are known, so you just need some basic looping function.

simplification

import socket

PORTS = (80, 21)                     # one port per exploit family; add more to the inner loop

def probe(ip, port, timeout=1.0):
    """Connect, send a minimal probe, collect whatever comes back (None if nothing)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n" if port == 80 else b"\r\n")
            return s.recv(1024)
    except OSError:
        return None                  # closed, filtered or timed out

results = {}
for a in range(230):                 # 0.x.x.x .. 229.x.x.x
    for b in range(256):
        for c in range(256):
            for d in range(256):
                ip = "%d.%d.%d.%d" % (a, b, c, d)
                for port in PORTS:
                    banner = probe(ip, port)
                    if banner:
                        results[(ip, port)] = banner

Each documented exploit typically only affects one or a small number of ports, which can be added to the inner loop. You asked about Heartbleed; well, it works on port 443. You either use the technical documents to write your own exploit or find a pre-built kit on the web.

Once you know the exploit, you know which ports to scan. The BackTrack Linux distro has a zillion pre-built exploit tools.

Say you find a server running Apache 2.0.1: go to the Apache website, look at the change log, and find the list of vulnerabilities that have been patched since then. Look up how to exploit that vulnerability, and write or find code to implement this exploit. Hit the IP address with the exploit and you're in. Unless they have a firewall specifically set up to catch this, but there are a dozen more for you to try.

cybernard