Search engines are designed to carry out search queries by systematically indexing web pages and displaying the results, ranking them by relevance or some other attribute. Nearly everybody has used a search engine, such as Google, in one way or another to look up things like addresses or phone numbers.
Shodan is a search engine specifically designed for a community of security professionals to query devices connected to the internet and display the results of their banner information like the software and services that are running, welcome messages or other information.
Shodan has been described as the ‘search engine for hackers’ and was called the “world’s most dangerous search engine” in a Vice News article based on an interview with its creator, John Matherly.
According to Vice, the software ‘crawls the internet to find every connected device’, which in practice means that Shodan pulls service banners from servers and devices connected to the web on well-known ports such as HTTP (80), SSH (22), FTP (21) and others.
In layman’s terms, Shodan collects the information stored in an object called the banner, which carries basic metadata about the host, such as:
- Service running on the device
- IP address of the device
- Port number of the service
- Organization that owns the IP
- Location and country code of the device
By default, only the data property of the banner is displayed. The content of the data property varies by type of service; for example, here is a typical HTTP banner with its data properties.
Click the “Explore” tab and you can start browsing pre-defined searches right away, which look for the following:
As a general rule of thumb, if a device has an internet-facing interface with open ports and running services, Shodan can find it and you can query it!
The real power of Shodan comes from combining search filters and performing precision searches on targets by refining your queries. You can use the following filters to find specific devices:
- city: find devices in a particular city
- country: find devices in a particular country
- geo: find devices with specific coordinates
- port: find devices on a particular port or range of ports
- os: find devices based on operating system
- hostname: find devices with a specific or wildcard hostname
- net: find devices by CIDR address
- before/after: find results within a time-frame
Below is an interesting and scary search, finding all routers with a default password in plain text in Hamilton, Ontario, Canada by combining precision search filters:
WWW-Authenticate: Basic country:ca city:hamilton
It is scary to see how many well-known institutions and organizations have publicly known vulnerable hosts that can be queried through Shodan. Because of this, Shodan is invaluable to penetration testers, red teams, hackers, and security professionals.
Shodan can be used for many purposes, but it is specifically designed for reconnaissance.
You can begin querying Shodan with general filters such as country or city to broadly find vulnerable, publicly exposed devices, and then narrow your search with more specific filters to find particular targets.
In the picture below, we queried Hamilton, Ontario, Canada and found an asset belonging to a university that is running a deprecated version of Apache with vulnerabilities that have high CVE scores.
Using Shodan to Improve Your Organization’s Security
Closing the Gaps
Hosts that appear on Shodan can be remediated by security and network teams by updating deprecated software or hardening assets that were overlooked and left publicly exposed to the internet.
Since Shodan can also be misused, it is very important that you ensure security within your environment. Banners are typically overlooked and left at their defaults by administrators, a practice that can be easily exploited using tools like Shodan. Network security teams can remediate this threat by:
- Changing the HTTP server banner string
- Rearranging HTTP headers
- Customizing HTTP error codes
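The following is an added example, not code from the original post: it applies the country/city filtering described above to Shodan-style banner records and then flags the two gaps this section is about, an exposed HTTP Basic auth prompt and a Server header that leaks a version. The field names (ip_str, port, org, location, data) are assumed to follow Shodan’s banner JSON, and every record and address is constructed for illustration.

```python
import json
import re

# Constructed, Shodan-style banner records (hosts, orgs and addresses are made up).
# Field names are assumed to follow Shodan's banner JSON schema.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 80, "org": "Example University",
     "location": {"country_code": "CA", "city": "Hamilton"},
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\nContent-Type: text/html\r\n\r\n"},
    {"ip_str": "192.0.2.11", "port": 80, "org": "Example ISP",
     "location": {"country_code": "CA", "city": "Hamilton"},
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"router\"\r\nServer: httpd\r\n\r\n"},
    {"ip_str": "192.0.2.12", "port": 443, "org": "Example Corp",
     "location": {"country_code": "CA", "city": "Toronto"},
     "data": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"},
]

# Server strings of the form "Apache/2.2.15", "nginx/1.18.0", "Microsoft-IIS/7.5"
VERSION_RE = re.compile(r"^(apache|nginx|microsoft-iis|lighttpd)/(\d[\w.]*)", re.I)


def parse_headers(data):
    """Split a banner's raw HTTP response into a dict of lower-cased header names."""
    head = data.split("\r\n\r\n", 1)[0]          # drop any body after the blank line
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def triage(banners, country=None, city=None):
    """Apply the page's country/city filters, then flag banners that need remediation."""
    findings = []
    for b in banners:
        loc = b.get("location", {})
        if country and loc.get("country_code", "").lower() != country.lower():
            continue
        if city and loc.get("city", "").lower() != city.lower():
            continue
        headers = parse_headers(b.get("data", ""))
        issues = []
        if headers.get("www-authenticate", "").lower().startswith("basic"):
            issues.append("HTTP Basic auth exposed to the internet")
        m = VERSION_RE.match(headers.get("server", ""))
        if m:  # version-leaking banner: the fix is ServerTokens Prod (Apache) / server_tokens off (nginx)
            issues.append("Server header leaks version " + m.group(0))
        if issues:
            findings.append({"ip": b["ip_str"], "port": b["port"], "org": b.get("org"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_BANNERS, country="ca", city="hamilton"):
        print(json.dumps(finding))
```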
The final way to improve your organization’s security using Shodan is to block Shodan itself from scanning you. Block the following:
*Note, domain and IP may have changed since this original post.
Shodan, like any tool, can be exploited for nefarious use. It can expose vulnerable systems and provide information about the internal mechanisms of organizations.
Is it legal?
From a technical standpoint, Shodan is a massive internet port scanner, which isn’t a violation of the Computer Fraud and Abuse Act because it does no damage to the integrity or availability of the device. Although most countries have laws prohibiting unauthorized use of computer systems, they do not apply to Shodan, since it only queries header information.
From my own experience working in a SOC, Shodan constantly gets caught scanning assets belonging to our clients on a daily basis.
Those scans prompted me to start internal investigations where I queried Shodan for my clients and, sure enough, found our clients’ assets publicly exposed.
Tickets were raised, meetings held, and vulnerability assessments written, which resulted in our clients’ satisfaction, a reassessment of their vulnerability management procedures and patching processes, and immediate attention to the host in question.
Shodan can be used as a baseline to start your proactive security investigations into publicly exposed assets for your organization. If you work as a security analyst or network security professional, I highly recommend setting up an account and even paying the monthly fee of $59 for access to the API and data exports.
Last updated for accuracy: July 27, 2020.