公网数据下的白话物联网安全系列文章:白话物联网安全(一):什么是物联网信息安全白话物联网安全(2):物联网安全检测白话物联网安全(3):物联网设备的安全防御白话物联网安全(4):泛在电力物联网前提回顾第一章《什么是物联网的信息安全”》,我们讲了什么物联网,又包括哪些方面物联网,物联网的信息安全涉及到哪些方面?第2章《物联网的安全检测》,我们从自动利用物联网漏洞的工具AutoSploit开始,讨论我们如何检测常见物联网中的安全问题。在第三章中,我们从物理、近场和远程三个方向谈了物联网设备的安全,以及目前市场上缺乏的物联网安全防御体系。在第四章中,我们讨论了一个概念性的话题,无处不在的物联网。在此基础上,我们尝试从甲方爸爸的角度,谈谈如何做好泛在物联网的安全。第五章,从公网数据的角度,让我们看一下目前的物联网安全。文:公网数据下的物联网在分析物联网数据之前,先简单说一下最近发生的一起安全事件。截至2020年1月末,APT228组织披露了50万个被攻击IP地址,包括国内外交换机、路由器、物联网设备等。两者,地址,账号和密码,我拿到一份后,一共16个txt文件,14M文件,tsktsktsk,14Mtxt文件。图:新闻信息图:泄露数据图:部分数据截图(网上分析的很多,不给大家丢人现眼)工欲善其事,必先利其器。我们来看看目前主流的物联网设备包括的类别,在各大搜索数据平台上,我一共查到了1161个物联网设备指纹(数据来源于网络,不完全包括已有的指纹信息)。粗略统计了一下,国内外指纹的比例如下:在此基础上,我把国内的指纹资料拿来分析,发现一个很有意思的事情。现在物联网平台不仅集中在交通、物流、农业、运营商、工控、家居,还涉及电梯、消防、建筑、地质、气象、畜牧、医药等,甚至志愿商场拥有自己的物联网传感控制平台。在我们生活的方方面面,其实都围绕着整个物联网,比如我们出门的电梯,快递箱,送来的蔬菜,晚饭里的炖排骨,都带着物联网的应急,设置了一下,国内指纹的信息分布如下图:说完指纹,我们来分析一下开放公网物联网设备不可否认,绝大多数物联网设备实际上都处于内网环境中。内网系统很少暴露在公网上,比例甚至不到1%。基于有限的公网数据,我们其实可以得出一些简单的结论,比如国家、端口、协议等的分布,现在能查到的数据是3608647条,美国最多,有总计683,415个。接下来是中国、英国、法国、德国等,通过分析发现主要开放的端口有:80、443、8001、8080、8003、554、81、82、83、7547、22,21,23,5060,8080,49152,1024,8000,9002等,主要协议涉及http,rtsp,https,http-proxy,telnet,irc,ftp,ssh,cwmp,sip等,结合结合刚才的案例,其实物联网设备的安全性已经被弱密码覆盖了,我就随便试了下。真的有很多。说实话,至少把密码改成12345。比如我写这个突然发现一个简单的小脚本可以实现批量物联网弱密码检测,添加一个任意ip地址生成的脚本,然后检测存活(设计不合理,大哥轻喷),然后把地址丢给Hydra,在corntab中设置Hydra定时执行,每5分钟执行一次defrandomip():random=[]foriinrange(4):random.append(randomom.randomint(0,256))尽管eTrue:ifrandom[0]==127orrandom[0]==192orrandom[0]==10orrandom[0]==172:random[0]=randomom.randomrange(0,256)else:breakipadd='%d.%d.%d.%d'%(random[0],random[1],random[2],random[3])random.clear()return(ipadd)最后放一些rapid7发送的指纹信息和弱密码如果你想自己写个小脚本,可以直接扔进"axis":{"devTypePattern":[["body","title"],["regex","(?i)axis","(?i)camera"]],"loginUrlPattern":"document\\.write\\(\"([^\"\\]+)[^\\r\\n]+>设置<\/a>","auth":["basic","admin:admin"]},"mobotix":{"devTypePattern":[["body",""],["regex","content=\"MOBOTIXAG"]],"nextUrl":["string","/control/userimage.html"],"auth":["basic","admin:meinsm"]},"basler":{"devTypePattern":[["正文","标题"],["正则表达式","BaslerAG"]],"nextUrl":["string","/cgi-bin/auth_if.cgi?Login"],"auth":["form","","Auth.Username=admin&Auth.Password=admin","body","re??gex","success:true"]},"IQinVision":{"devTypePattern":[["body",""],["substr",""]],"nextUrl":["string","/imageset.html"],"auth":["basic","root:system"]},"JVC":{"devTypePattern":[["header","server"],["regex","^JVC"]],"nextUrl":["string","/cgi-bin/c20display.cgi?c20encodeencode.html"],"auth":["basic","admin:jvc"]},"SAMSUNGTECHWINNVR":{"devTypePattern":[["body","title"],["==","SAMSUNGTECHWINNVRWebViewer"]],"nextUrl":["string","/index.php/auth/login_confirm"],"auth":["form","","id=YWRtaW4%3D&pwd=2558a34d4d20964ca1d272ab26ccce9511d880579593cd4c9e01ab91ed00f325","body","substr","\"is_login_ok\":2"]},"Sentry360":{"devTypePattern","[["head],["==","Sentry360"]],"nextUrl":["string","/user.set?name=admin1&pwd=admin1&type=1"],"auth":["basic","admin:1234"]},"Speco":{"devTypePattern":[["body","title"],["==","SpecoIPCamera"]],"nextUrl":["string","/httpapi?GetUserLevel&ipAddress="],"auth":["basic","admin:1234"]},"Stardot":{"comment":"","devTypePattern":[["body","title"],["==","NetCamSCDLiveImage"]],"nextUrl":["string","/admin.cgi?0"],"auth":["basic","admin:admin"]},"ToshibaeStudio":{"devTypePattern":[["body","TITLE"],["regex","^TOSHIBAe.STUDIO"]],"nextUrl":["string","/cgi-bin/exportfile/printer/config/secure/settingfile.ucf"],"auth":["expect200"]},"Ubiquiti":{"comment":"","devTypePattern":[["body","title"],["==","EdgeOS"]],"nextUrl":["string",""],"auth":["form","","username=ubnt&password=ubnt","body","!substr","formid=\"LoginForm\""]},"W-Box":{"devTypePattern":[["body","title"],["regex","^W\\-BOX:"]],"nextUrl":["string",""],"auth":["form","","action=top&account=admin&password=wbox123&login=Login&parent_id=&app_path=","body","!substr","inputtype=\"password\""]},"Brickcom":{"devTypePattern":[["header","www-authenticate"],["substr","re??alm=\"Brickcom"]],"nextUrl":["string",""],"auth":["basic","admin:admin"]},"Arecont":{"devTypePattern":[["header","www-authenticate"],["substr","re??alm=\"ArecontVision"]],"nextUrl":["string",""],"auth":["basic",""]},"AmericanDynamics":{"devTypePattern":[["body","title"],["substr","AmericanDynamics:VideoManagementSolutions"]],"nextUrl":["string","/video.htm"],"auth":["basic","admin/admin"]},"ACTi":{"devTypePattern":[["body","title"],["substr","WebConfigurator-Version"]],"nextUrl":["string","/video.htm"],"auth":["form","","LOGIN_ACCOUNT=admin&LOGIN_PASSWORD=123456&LANGUAGE=0&btnSubmit=Login","body","!substr",">密码<"]},"GeoVision":{"devTypePattern":[["header","server"],["==","GeoHttpServer"]],"nextUrl":["string","/webcam_login"],"auth":["表单","","id=admin&pwd=admin&ViewType=2&Login=Login","body","!substr","无效"]},"Grandomstream":{"devTypePattern":[["body","title"],["==","GrandomstreamDeviceConfiguration"]],"nextUrl":["string","/cgi-bin/dologin"],"extractFormData":["type=hiddenvalue=(.*?)>"],"auth":["form","substitute","P2=admin&LoginLogin=Login&gnkey=$1","body","!substr","YourLoginPasswordisnotrecognized"]}
