Shodan Primer

What is Shodan?

There are tons of web search engines available out there. In our day-to-day lives we use the usual search engines like google, wikipedia, bing etc. which crawls the world wide web and gives us information about websites. But have you ever thought about a search engine that can actually search the devices connected to the internet and give us information about them?!

Perhaps you might have heard of this search engine Shodan? Shodan is a search engine of Internet connected devices. Literally any device connected to the public internet can be searched with this engine. This includes Web Servers, IP Cameras, Smart TVs, Smart Bulbs and other IoT devices and even Industrial Control Systems(ICS)!! You could even look up a power plant on Shodan and gather information regarding it like in what country & city it is located and so on. Shodan can also look up the services running on the devices.

Now this sounds straight away scary, right? Just imagine what a attacker could do if they found your Smart TV on Shodan and they find a telnet service running on it which has some default credentials for authentication?!!! They can get straight away into your network and further pivot and gain access of other devices in your network.

Let’s learn more about Shodan and how we can use it to gain information about our target during our penetration tests.

Using Shodan

When Shodan finds a device connected to the internet directly, it queries it for publicly available information. Most of the data indexed by Shodan is taken from banners. Banners are metadata about the services running on the device.

For example following is the banner displayed when we connect to a SSH server. We can see that the remote system is running Debian and has architecture of 64 bits. The banner also shows the last login time and the IP address from which login was performed.

To be able to make the best use of Shodan, we need to understand the syntax of search. Let’s understand it.

Shodan can be accessed by visiting the URL https://shodan.io.

Although you can search without logging in, but the results would be limited. So creating an account would be better.

Filters are used to search for devices having specific properties. Shodan has various filters like city, country, ip, os etc.

The syntax for filters is “filtername:value”. They can be put in the search bar located on the top left of the website’s interface.

For example, to look up devices present in US, one can put in a filter like country:US

A number of results are displayed in output. Observe how Shodan also nicely sorts the Top cities, Top Services, Top organizations etc. Click on Download Results to download the results you obtained. Shodan also provides ability to create reports which provides nice visual representation of output. This can be done by clicking on create report.

You can also click on a particular result to get detailed information regarding it.

The detailed information is shown which includes information regarding location, organization and ISP. It also displays list of open ports and identifies the services. Further, even the vulnerabilities are shown! Awesome! There is a lot of juicy information out there.

To look up devices part of “One solutions” firm in city Boston, the search query would be org:”One solutions” city:Boston

You can find complete list of filters here: https://github.com/JavierOlmedo/shodan-filters

https://maps.shodan.io/ can be used to search with an interactive map. Following are the results displayed for the query “tomcat

https://images.shodan.io/ shows the screenshots from devices crawled by Shodan.

https://exploits.shodan.io/ can be used search exploits across multiple vulnerability databases.

We can also look at queries shared by other users. Visit the URL https://www.shodan.io/explore to explore the devices & various services connected to the internet.

For instance, clicking on cams shows various security cameras exposed to the internet.

Visiting one of the host gives the login panel of the IP camera.

Anyone on the internet can login to this IP camera and view the camera stream. If the default password has not been changed or a weak login password is used, any one can guess and login.

Real time network monitoring

We can perform real time monitoring of a specified IP or a range of IP addresses using Shodan. Whenever a new service is discovered on that IP, we would get a notification. This can be very handy to monitor your network for any malicious services.

Visit https://monitor.shodan.io/dashboard and click on Setup Network Monitor button. Next give a name & IP(s)/domain and choose whether you would like to be notified by email.

Save it and you will be shown with Manage Assets interface. This allows you to modify trigger rules.

Triggers cause notification to be sent to you whenever the condition is met. Say for instance you’ve enabled the ssl_expired trigger. You will get notification when SSL certificate gets expired.

From the Manage Assets interface it’s also possible to scan that particular IP.

Shodan add-on

Shodan even has a firefox add-on. On installing this in your firefox browser, you can view information about a website when you visit it.

The add-on is available at https://addons.mozilla.org/en-US/firefox/addon/shodan_io/

As can be seen in the above image, the add-on shows the location of the host and the open ports.

This is very useful in information gathering.

Conclusion

Shodan is a very powerful search engine that can show the metadata of any device/service exposed to the public internet. It is a valuable asset when gathering information about the target. It can be used both for offensive & defensive purposes.

It also provides API for various programming languages which can be used to integrate Shodan into your own tools.

The free Shodan account provides limited search features. If you are going to use Shodan a lot then it would be wise to invest in the pro account.

As we saw, it’s so easy for an attacker to look up any device via Shodan and check for the available services. However, you can set up the monitoring on your network using Shodan and enable all the triggers so whenever a new malicious service is started on network and exposed to the internet, Shodan can notify you.