Reconnaissance with Shodan.io

Search engines are designed to carry out search queries by systematically indexing web pages and displaying the results, ranking them by relevance or some other attribute. Nearly everybody has used a search engine, such as Google, in one way or another to look up things like addresses or phone numbers.

Shodan is a search engine specifically designed for a community of security professionals to query devices connected to the internet and display the results of their banner information like the software and services that are running, welcome messages or other information.

Shodan has been described as the ‘search engine for hackers’ and was called the “world’s most dangerous search engine” in this Vice News article, an interview with its creator John Matherly.

According to Vice, the software ‘crawls the internet to find every connected device’, which in practice means that Shodan pulls service banners from servers and devices connected to the internet on well-known ports such as HTTP (80), SSH (22), FTP (21) and others.

In layman’s terms, this means that Shodan stores, for each device it contacts, an object called the banner that carries fundamental metadata about that device, such as:

  • Service running on the device
  • IP address of the device
  • Port number of the service
  • Organization that owns the IP
  • Location and country code of the device

The above banner shows the device is running the nginx web server software, version 1.1.19.

By default, only the data property of the banner is displayed. The content of the data property varies by type of service; for example, here is a typical HTTP banner with its data properties:
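The banner object described above, as an added example that is not code from the original post: the record is a constructed sample whose field names follow Shodan’s banner schema (ip_str, port, org, location, product, version, data), and the triage function pulls out the fields listed above and flags the two things a defender would open a ticket for: an exact version in the Server header, and a Basic-auth challenge on a cleartext port (the banner pattern the precision search later in this post matches).

```python
import json

# Constructed sample banner (not real Shodan output); field names follow
# Shodan's banner schema (ip_str, port, org, location, product, version, data).
SAMPLE_BANNER = json.dumps({
    "ip_str": "192.0.2.10",  # RFC 5737 documentation range, not a real host
    "port": 80,
    "transport": "tcp",
    "org": "Example University",
    "location": {"city": "Hamilton", "country_code": "CA"},
    "product": "nginx",
    "version": "1.1.19",
    "data": "HTTP/1.1 401 Unauthorized\r\n"
            "Server: nginx/1.1.19\r\n"
            "WWW-Authenticate: Basic realm=\"Router\"\r\n"
            "Content-Type: text/html\r\n\r\n",
})


def parse_http_headers(data):
    """Split the raw 'data' property into (status line, {lowercased header: value})."""
    head = data.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage_banner(raw_json):
    """Return the fields the article lists plus findings worth a remediation ticket."""
    b = json.loads(raw_json)
    _status, headers = parse_http_headers(b.get("data", ""))
    loc = b.get("location", {})
    summary = {
        "service": b.get("product") or headers.get("server", "unknown"),
        "ip": b["ip_str"],
        "port": b["port"],
        "org": b.get("org"),
        "location": f"{loc.get('city')}, {loc.get('country_code')}",
    }
    findings = []
    server = headers.get("server", "")
    if "/" in server:  # e.g. "nginx/1.1.19" discloses the exact version
        findings.append(f"version disclosed in Server header: {server}")
    if headers.get("www-authenticate", "").lower().startswith("basic") and b["port"] != 443:
        findings.append(f"HTTP Basic auth challenge over cleartext port {b['port']}")
    return summary, findings
```

Running the same function over an export of your own organization's banners turns the "Closing the Gaps" step below into a repeatable check rather than a manual read-through.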

Exploring Shodan

Click on the “Explore” tab and you can start browsing pre-defined searches right away, which look for things like the following:

  • Webcams
  • Traffic Cameras
  • Video Projectors
  • Routers
  • SCADA Systems

As a general rule of thumb, if a device has an internet-facing interface with open ports and running services, Shodan can find it and you can query it!

The ‘Explore’ page

Precision Searches

The real power of Shodan comes from combining search filters and performing precision searches on targets by refining your queries. You can use the following filters in Shodan to find specific devices:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: find devices with specific coordinates
  • port: find devices on a particular port or range of ports
  • os: find devices based on operating system
  • hostname: find devices with a specific or wildcard hostname
  • net: find devices by CIDR address
  • before/after: find results within a time-frame

Below is an interesting and scary search, finding all routers in Hamilton, Ontario, Canada with a default password in plain text, using the precision search filters:

WWW-Authenticate: Basic country:ca city:hamilton

All devices in Hamilton, Ontario, Canada with default passwords

It is scary to see so many well-known institutions and organizations with publicly known vulnerable hosts that can be queried through Shodan. Because of this, Shodan is invaluable to penetration testers, red teams, hackers, and security professionals.

Reconnaissance

Shodan can be used for many purposes, but it is specifically designed for reconnaissance.

You can begin to query Shodan with general filters such as country or city to broadly find vulnerable and publicly exposed devices, and then narrow your search with further filters to find specific targets.

In the picture below, we queried Hamilton, Ontario, Canada and found an asset belonging to a university that is running a deprecated version of Apache with vulnerabilities carrying high CVE scores.

Using Shodan to Improve Your Organization’s Security

Closing the Gaps

Hosts that appear on Shodan can be remediated by security and network teams by updating deprecated software or hardening assets that were overlooked and left publicly exposed to the internet.

Secure Banners

Since Shodan can also be misused, it is very important that you ensure security within your environment. Banners are typically overlooked and left at their defaults by administrators, a practice that can easily be exploited using tools like Shodan. Network security teams can remediate this threat by:

  • Changing the HTTP server banner string
  • Rearranging HTTP headers
  • Customizing HTTP error codes

Blocking Shodan

The final way to improve your organization’s security using Shodan is to stop others from using Shodan against you, by blocking Shodan’s scanning hosts (DNS name, IP address and location are listed in the source below):


Source: https://wiki.ipfire.org/configuration/firewall/blockshodan

*Note: domains and IP addresses may have changed since this was originally posted.

Final Thoughts

Shodan, like any tool, can be exploited for nefarious use. Shodan can expose vulnerable systems and provide information concerning the internal mechanisms of organizations.

Is it legal?

From a technical standpoint, Shodan is a massive internet port scanner, which isn’t a violation of the Computer Fraud and Abuse Act because it does no damage to the integrity or availability of the device. Although most countries have laws prohibiting unauthorized use of computer systems, these do not apply to Shodan, since it is only querying header information.

SOC Encounters

From my own experience working in a SOC, Shodan constantly gets caught scanning assets belonging to our clients on a daily basis.

Those scans prompted me to start internal investigations, where I queried Shodan for my clients and sure enough found our clients’ assets publicly exposed.

Tickets were raised, meetings had, and vulnerability assessments written, which resulted in our clients’ satisfaction, a reassessment of their vulnerability management procedures and patching processes, and immediate attention to the host in question.

In Conclusion

Shodan can be used as a baseline to start your proactive security investigations into publicly exposed assets for your organization. If you work as a security analyst or network security professional, I highly recommend setting up an account and even paying the monthly fee of $59 for access to the API and data exports.

Last updated for accuracy: July 27, 2020.