Knowing the unknown: discovering devices connected to the internet
Introduction
The present-day internet sees everything from smart toothbrushes and unsecured databases to CCTVs and dirty dishes soaking in a smart kitchen right now.
By 2023 the number of devices connected to the internet will be approximately 29.3 billion. More devices joining the internet with little or no security have become a lucrative target for threat actors.
This article describes a few tools we can use to identify and monitor our devices connected to the internet on a budget.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu
Passive reconnaissance
The first phase of hacking is reconnaissance (recon), where the attacker researches and gathers information about a target. Passive reconnaissance collects information about a target without raising alarms; this phase does not directly interact with a target or its network assets.
There are SaaS (Software as a Service) platforms that provide information gathered from actively scanning the internet (active reconnaissance). Because you query their data instead of touching the target yourself, they are passive recon tools.
Shodan
Shodan is the world’s first search engine for Internet-connected devices and my favourite tool.
Shodan allows you to search devices based on various metadata, including but not limited to IP address, CVE (Common Vulnerabilities and Exposures), HTTP banners, and the list goes on.
In addition, Shodan provides network monitoring features: if something pops up in your given IP address space, the service will send you an alert. According to Shodan’s documentation, it scans the entire internet at least once a week. However, their API does provide on-demand scanning if you want to build continuous scanning and alerting.
Quickly check if your IP is exposing any ports to the Internet by visiting https://t.co/suJA6fndpX
If you see a 404 page then you don't have anything exposed!
— Shodan (@shodanhq) September 21, 2020
A Shodan pro subscription costs $49 a month, but they offer pro accounts for $5 per month during the Black Friday sale. If you have a .edu email, they offer the pro account features for free.
Greynoise
Greynoise comes in handy if we want to identify any compromised devices within a specified IP address range.
Greynoise provides a free community subscription that lets users look up IP addresses to identify whether they have been compromised and are scanning the internet for other machines to infect.
Active Recon
Nmap
Nmap is the go-to open-source tool for network discovery, and for hosting your own network scanning service. Nmap comes in many flavours.
Nmap can be used to find open ports, fingerprint operating systems and detect vulnerabilities too.
If you need an excellent place to start on continuous network scanning, Jeremy Gamblin has written a simple guide on that with alerting.
Conclusion
Attackers put in the time to know the network and the devices better than the defenders. That’s how they win.
— Rob Joyce (@NSA_CSDirector) September 13, 2021
As defenders, we need to monitor the devices connected to the internet to prevent or identify a breach. We can only defend what we can see!
Misconfigured and vulnerable devices are the root cause of some of the notable hacks in the past: