Shodan: The Hacker's Search Engine
What Is Shodan?A web search engine is a software system that's designed to search for information on the World Wide Web. As we all know, the information we usually get through search engines (like Google, Yahoo or Bing) is a mix of web pages, images and other types of files. Some search engines also mine data in databases or open directories. I will not address in detail how the search engines work, since it's a vastly complex subject, but they all maintain the following processes in near real time:
- Web crawling
Shodan is the world's first search engine for Internet-connected devices.
How does it work?You start by navigating to the home page, and entering text into the search bar, like you'd do with any other search engine. In the search above, I looked for a specific IP address, but I could have searched for a specific word, like we usually do while browsing the internet. The most popular searches are for things like webcams, linksys, cisco, netgear, SCADA and other relevant keywords. But how does Shodan actually work? It works by scanning the entire Internet and parsing the service banners, which are the meta-data that the server (or device) returns to the client. The returned data can be information about the server software, what options the service supports, a welcome message or anything else that client finds out before interacting with the server/device. Shodan collects data mostly on web servers (HTTP, port 80), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 22), Telnet (port 23), SNMP (port 161), SIP (port 5060), and RTSP (port 554) - the latter can be used to access webcams and their video stream. The project currently tests for around 200+ services. All information obtained is stored in a database and provided to the public through the website without the need of an account. Using that information, Shodan can tell you things like what web server (and version) is most popular, or how many anonymous FTP servers exist in a particular location, and what make and model the device may be. Shodan currently returns 10 results to users without an account and 50 results to those with one. If users want to remove the restriction, they're required to provide a reason and pay a fee. With an account, you also get access to more filters and the Developer API, which makes it easy to access the data from within your own scripts (as I intend to address soon in a short tutorial).
Basic UsageI've already presented some features and how to conduct searches using keywords or IP addresses. Now, I'll talk about filters. As with any search engine, Shodan works well with basic, single-term searches, but the real power comes with customized queries. Below are the basic search filters you can use. The usage is pretty simple. You just need to put the keyword, the filter and your query within quotes. For example, to find Apache servers in San Francisco, we need to type the following:
Apache city: "San Francisco"You start with a base search term and narrow down your search using the filters like we see above, by passing your query. To combine filters, simply keep adding them. You can also do this by clicking filters in the left sidebar for a given result set. If you want to search for Apache servers in San Francisco, that are running on port 8080, that are also running Tomcat, you could do the following:
Apache city: "San Francisco" port:"8080" products:"Apache Tomcat/Coyote JSP engine"
Advanced UsageBulk searching and processing of Shodan queries can be performed using Shodan Diggity (part of SearchDiggity, Bishop Fox's free search engine attack tool suite). The tool provides an easy-to-use scanning interface to Shodan via it's Developer API.It comes equipped with a convenient list of 167 search queries ready in a pre-made dictionary file, known as the Shodan Hacking Database (SHDB). This dictionary helps target various technologies including webcams, printers, VoIP devices, routers, toasters, switches and even SCADA/Industrial Control Systems (ICS) - just to name a few. Here are a few other advanced things you can do with Shodan:
- Data Export: You can export your results in various formats using the top menu, after you've performed a search or through your own scripts using the API.
- Browser Plugin: The Shodan plugin tells you where a website is hosted (country, city), who owns the IP and what other services/ports are open. The plugin is available only for Chrome and Firefox.
- Developer API: Shodan provides a public API that allows other tools to access all of Shodan's data. Integrations are available for Nmap, Metasploit, Maltego, FOCA and many more.
- Enterprise Access: The Shodan Data License provides access to all the information that is gathered by Shodan. It allows you to subscribe to the real-time data feed, download daily files and optionally get a hard drive once a month containing all the data that Shodan has gathered.
- Shodan uses its own internally developed port scanner, not Nmap or Zmap.
- The system uses banners and banners can be modified, spoofed and faked. What you see is what’s being presented - and not necessarily what's real.
- Check out the Shodan blog at https://blog.shodan.io.
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybray's blog to be seen by thousands of infosec readers daily!