Hello Hackers, today we are going to see one of the techniques of how cyber criminal groups and exploitation bots carry out massive identification and later massive exploitation of targets with certain vulnerabilities present.

Objective

But what is the purpose of this technique and what is/was it used for?

We recently witnessed a cyberwar between Russia and Ukraine, this technique was possibly used by groups that were involved in that war to identify and massively exploit industrial and SCADA assets to impact the rival country.

Agility + efficiency.

Technique

This technique persists in a 5-step process, they are:

1. Choice of vulnerability;
2. Collection of information about aspects of hosts in which the vulnerability is present (Example: EternalBlue — Windows 7);
3. Collection of hosts;
4. Scan directed to the hosts to validate the “chosen” vulnerability;
5. Exploitation.

Detailing

• Choice of vulnerability: Let’s use EternalBlue as an example;
• Collection of information about aspects of hosts in which the vulnerability is present: Eternalblue is the characteristics of the hosts in which we can link the vulnerability during our survey of hosts is: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016;
• Collection of hosts: For this step, we are going to use the shodan API.

    shodan download --limit -1 --fields ip_str test.json os:windows 7 country:<>

Here is the meaning of each part of the command:

• “shodan download”: Indicates the command to start downloading the search results;
• “ — limit -1”: Sets the result limit to -1, which means there is no limit on the number of results;
• “ — fields ip_str”: Specifies the fields that will be included in the download file. In this case, only the field “ip_str” (IP address) will be included;
• “test.json”: Is the name of the file where the results will be saved. In this case, the file will be called “test.json”;
• “os:windows 7”: This is a filter applied to the search to return only hosts that have the Windows 7 operating system;
• “country:<>”: This is another filter applied to the search to return only hosts located in country.

In short, this command asks Shodan to download information from all hosts running Windows 7 operating system located in country, saving only the IP addresses of these hosts in the “test.json” file. Using the “ — limit -1” parameter ensures that all results are downloaded, with no quantity restrictions.

    shodan parse --fields ip_str test.json.gz

The command is used to analyze and extract specific information from a compressed file in JSON format, which contains data downloaded from Shodan.

• Scan directed to the hosts to validate the “chosen” vulnerability: For this step, we can use any tool or exploit directed to that vulnerability that we have selected to massively check all the ip’s in search of which ones are in fact vulnerable. Ex: Nmap, Nuclei, Custom Tool.
• Exploitation: In this step, we take all the hosts that are really vulnerable to that vulnerability and we exploit it manually with an exploit or something like that.

Note: This article has the sole purpose of studying and seeking knowledge. The information presented here is intended solely for educational and informational purposes.