Shodan Tutorial
- Idan Buller
- Oct 28, 2020
Updated: Oct 31, 2020
Shodan is a search engine for finding devices, and the types of devices, that are connected to the Internet. The most popular searches are for things like webcams, Cisco devices, SCADA servers, etc.
It works by scanning the entire Internet and parsing the banners returned by the scanned devices. Using that information, Shodan can tell you things like which web server (and version) is most popular, whether a given version of the server is exploitable, or how many anonymous FTP servers exist in a particular location.
This article is for educational purposes only.

How does it work?
Shodan’s algorithm works this way:
Generates a random IPv4 address for the scanning & crawling procedure.
Collects a real-time list of connected devices online.
Queries the supported port.
Checks the IPv4 address on the port.
Grabs a service banner.
Repeat.
Inside the banner, Shodan can read the metadata related to a specific device. For example, through the service banner Shodan collects information such as geographic location, default usernames and passwords, IP address, and software version.
Shodan's User Interface
Shodan's user interface offers more than active searching. In this section, we will explore a few of its features.
Explore:
This interface summarizes the top search activity on Shodan and shows Shodan's real power: finding open login pages, default passwords, and software versions.
On this page, we get familiar with the most searched devices and systems that can be exploited with a great and sophisticated hacking tool: a browser.

Honeypot or not: This interface lets the user hunt for honeypots (systems that look like a real computer system, with applications and data, to fool cybercriminals into thinking they are a legitimate target). The service scores the IP address on a scale of 0.0-1.0 and uses that score to determine how likely it is to be a honeypot.

Shodan CLI:
The Shodan command-line interface (CLI) is packaged with the official Python library for Shodan. That means that if you're running the latest version of the library on your host system, you already have access to the CLI.
First, we need to initialize the CLI with our API key, and then we are good to go:
shodan init <YOUR API KEY>
Now we can run commands such as:
shodan host <IP ADDRESS>
shodan count apache tomcat
shodan host 54.237.229.181

Shodan API tool - Python
Shodan provides a functional API. There are two APIs for accessing Shodan: the REST API and the Streaming API.
The REST API provides methods to search Shodan, look up hosts, get summary information on queries, and a variety of utility methods to make developing easier.
The Streaming API provides a raw, real-time feed of the data that Shodan is currently collecting. For some of the popular programming languages there are libraries that make it easy to access the Shodan API.
Some of the basic options:
Searching Shodan
Looking up a host
Collecting Summary information using facets
Access SSL certificates in Real-Time
Here is a tool I created to show how easy it is –
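An added example, not the author's tool and not part of the original post: a host lookup through the REST API with the official Python library, reduced to the fields you would review for an address you own. The port list, the sample record, and the `SHODAN_API_KEY` environment variable name are assumptions made for the example; the sample uses a documentation address and a placeholder CVE id.

```python
import json
import os
import sys

# Constructed list of services an owner may not expect to be public; tune it.
REVIEW_PORTS = {21: "FTP", 23: "Telnet", 3306: "MySQL", 3389: "RDP"}

# Constructed record shaped like a Shodan host lookup result
# (documentation address, placeholder CVE id).
SAMPLE_RECORD = {
    "ip_str": "203.0.113.10",
    "org": "Example Org",
    "vulns": ["CVE-0000-0000"],
    "data": [
        {"port": 3306, "product": "MySQL", "data": "5.x.x-placeholder\n"},
        {"port": 80, "data": "HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"},
    ],
}


def summarise_host(record):
    """Reduce a host record to the fields an exposure review needs."""
    services = []
    for svc in record.get("data", []):
        lines = (svc.get("data") or "").strip().splitlines()
        services.append({
            "port": svc["port"],
            "product": svc.get("product", "unknown"),
            "banner": lines[0] if lines else "",
            "review": REVIEW_PORTS.get(svc["port"]),  # None if not listed
        })
    return {
        "ip": record.get("ip_str"),
        "org": record.get("org"),
        "services": sorted(services, key=lambda s: s["port"]),
        "vulns": sorted(record.get("vulns", [])),
    }


def fetch_host(ip, api_key):
    """Live lookup through the REST API; needs network access and a key."""
    import shodan  # official library: pip install shodan
    return shodan.Shodan(api_key).host(ip)

if __name__ == "__main__":
    # With no arguments, summarise the constructed sample instead of calling out.
    records = [fetch_host(ip, os.environ["SHODAN_API_KEY"]) for ip in sys.argv[1:]]
    for rec in records or [SAMPLE_RECORD]:
        print(json.dumps(summarise_host(rec), indent=2))
```

Run it with your own public addresses as arguments to see what Shodan has indexed for them.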
Shodan Search Queries & Filters
Shodan, as a search engine, provides smart search operations to make our life easier:
Boolean operators + and - can be used to include and exclude query terms (e.g. city:"Pittsburgh" + country:US)

country: filters results by two-letter country code (e.g. apache country:CH); the same can be accomplished by clicking on the country map.

os: searches for specific operating systems (e.g. microsoft-iis os:"windows"); allows you to refine searches by operating system.

hostname: filters results by specified text in the hostname or domain (e.g. "Server: gws" hostname:google); any portion of a hostname or domain name can be used.

port: narrows the search to specific services (e.g. proftpd port:21)

net: filters results by a specific IP range or subnet (e.g. net:149.129.136.0/24); allows you to refine your searches by IP/CIDR notation.

To learn more about Shodan queries and filters, I refer you to Awesome Shodan Search Queries (https://github.com/jakejarvis/awesome-shodan-queries), which provides multiple search examples that might be helpful.
Use Cases
For the POC, let’s assume that we were hired to do some offensive work on a company and find some vulnerable services on the Internet.
After some scanning, we brought up a few of their services:
Use case 1 – HUAWEI HG8245:
In this case, we managed to find the company’s router with multiple ports waiting for us. All of this is displayed along with general information –

When we scroll down to look for vulnerable ports or web interfaces, we notice a particular port, 49153, which sent us a ‘200 OK’ response and seems to be vulnerable –

To continue our case, we can go to the IP:49153 and try the default user and password –


Use case 2 – MySQL:
In this case, we managed to find the company’s database with the MySQL port waiting for us. All of this is displayed along with general information –

When we scroll down, we can see that Shodan did all the hard work for us and brought up all the known vulnerabilities (CVEs) relevant to this version of MySQL –

To continue our case, we can open MySQL client and start exploiting the server.
Use case 3 – Cisco:
In this case, we managed to find the company’s Cisco device with a Cisco port waiting for us. All of this is displayed along with general information –

Here is a typical “401 Unauthorized” banner we received from the Cisco device –

Now consider an example of a “200 OK” banner, which does not include the WWW-Authenticate line –

A comparison of the two banners shows that the second banner includes the Last-Modified line, which does not appear when WWW-Authenticate appears –

This suggests that Cisco “200 OK” banners that include the Last-Modified line do not require any authentication.
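The comparison above, written as an added example (not code from the original post) that an asset owner could run over banners collected from their own devices. Both banners are constructed for illustration, and the labels returned by `classify` are names chosen for this example.

```python
# Constructed banners modelled on the two cases compared above.
BANNER_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "Date: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Server: cisco-IOS\r\n"
    'WWW-Authenticate: Basic realm="example"\r\n\r\n'
)
BANNER_200 = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Server: cisco-IOS\r\n"
    "last-modified: Thu, 01 Jan 1970 00:00:00 GMT\r\n\r\n"
)


def parse_banner(banner):
    """Split an HTTP response banner into (status_code, {header: value})."""
    lines = banner.replace("\r\n", "\n").strip().split("\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP banner: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return int(parts[1]), headers


def classify(banner):
    """Apply the article's heuristic to one banner and return a label."""
    try:
        status, headers = parse_banner(banner)
    except ValueError:
        return "not-http"
    challenged = "www-authenticate" in headers
    if status == 401 and challenged:
        return "auth-required"
    if status == 200 and not challenged and "last-modified" in headers:
        # Banners can be altered, so confirm this finding on the device itself.
        return "no-challenge"
    return "inconclusive"


if __name__ == "__main__":
    for name, banner in (("401 sample", BANNER_401), ("200 sample", BANNER_200)):
        print(name, "->", classify(banner))
```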
Conclusion
This resource is just an intro to what Shodan is and how to do the basics. Shodan currently tests for around 200+ services.
You should know: the system works with banners, and banners can be modified, spoofed, and faked. What you see is what is being presented, not necessarily what is real.
Shodan’s main blog – https://blog.shodan.io