Shodan — Computer Search Engine | OSINT Framework #2

What is Shodan?

Javad Ibrahimli
9 min read · Nov 27, 2022


Shodan, unlike ordinary search engines (Google, Bing, Yahoo, etc.), is a search engine that uses various filters to scan every system exposed to the internet and collect information about it. Examples of such systems are servers, routers, and webcams. Shodan port-scans the systems it finds, identifies the services running on the open ports, and records the versions of those services. If a known vulnerability is associated with a detected service version, Shodan shows a short description of it together with its CVE identifier. In addition, when it scans web pages served by the web services it has found, it can widen the scan using the directory information it already holds. Shodan works by requesting connections to every possible internet protocol (IP) address and indexing the information that comes back from those connection requests.

Shodan is a search engine similar to Google. But while Google searches for websites, Shodan searches for devices that are connected to the internet. Users can perform a search using the Shodan search engine based on an IP address, device name, city, and/or a variety of other technical categories. Users can sign up for free accounts, but they are very limited — Shodan limits its free service to only 50 search results.

shodan.io page

Any user who wants to use the Shodan application can access it via https://shodan.io. After gaining access and performing the necessary registration procedures, passive discovery operations can be performed.

Shodan has published a cheatsheet so that users can perform passive discovery more easily and efficiently. According to that cheatsheet, passive discovery is performed using the search parameters (filters) that Shodan defines. The use of the basic parameters from the cheatsheet is shown below.

Shodan CheatSheet

Server: This corresponds to the Server header of the HTTP response. By giving any server information to this parameter, passive discovery can be performed for that server. For example, passive discovery can be performed by entering a server string that has a known vulnerability. The picture below shows a passive discovery run using the server parameter.

In the search made using the server: apache 2.2.4 command, a total of 935316 servers running version 2.2.4 of the Apache web server were detected. (A second run of the same query returned 623734 servers.) The distribution of these servers by country, service used, service provider and product is given. In addition, the IP address, domain, country and city of the detected systems, the web technologies used and the captured HTTP response are displayed. The Server header is shown among the HTTP headers in the HTTP response content.

Hostname: The word assigned to this parameter is searched for in the domain or subdomain. If the specified word appears in the domain or subdomain, the host appears in the results. For example, assignments such as hostname:google.com, hostname:ftp or hostname:login can be made. The figure below shows the use of the hostname parameter.

In the picture above, it has been determined that there are 140,888 hostnames containing google.com in the domain or subdomain, using the hostname:google.com command.

Net: Systems open to the internet are found by an IP address or a CIDR block (such as /24). This parameter can also be used to find the IP range, IP address and subnet mask. For example, a passive discovery scan can be performed for an IP block with the CIDR value net:36.92.0.0/16. An example is shown in the picture below.

As a result of the search performed with the CIDR value net:35.94.0.0/12 in the picture above, 300,026 systems were identified. The net parameter can be combined with other parameters to narrow the scope of passive discovery work.

Os: This parameter filters targets by operating system. Using the os parameter, vulnerable operating systems that are open to the internet can be detected. For example, the os:Windows 11 filter can be used to perform passive discovery for the Windows 11 operating system, one of the operating systems that Microsoft has withdrawn support from. Example usage is shown in the picture below.

In the picture above, 244,555 internet-connected devices running the Windows 11 operating system were detected using the os parameter. Target systems can be compromised using vulnerabilities that the Windows 11 operating system is vulnerable to. Among the results obtained in the picture above, information about the SMB service is given. Vulnerability research can be done in line with the version information of the obtained SMB service.

Port: This parameter is used to detect open ports on systems. It can be used on its own in a targeted passive reconnaissance study, or to narrow the scope of a passive reconnaissance effort against a target. For example, services have default ports; one of them is port 444 used by the SMB service. An example is shown in the figure below.

In the passive discovery study in the picture above, approximately 765 thousand systems with port 444 open were detected. Among the detected systems, it is shown that authentication is not enforced and the directories are listed, giving direct access to the system. With this type of passive reconnaissance, attackers can infiltrate systems and obtain critical information.

Org: When a specific organization is targeted, the organization's name is assigned to the org parameter to detect devices belonging to it. Thus, a passive reconnaissance study can be conducted for the targeted organization. Figure 8 shows the use of the org parameter.

In the picture above, approximately 40 thousand results were found in the passive discovery study using the org:Apple command. By combining it with other parameters to narrow the scope, more specific information about the target can be obtained. In line with the information obtained, scenarios for taking over the organization can be created.

City: This parameter is used to detect systems within a certain geographic scope. It is commonly used as a passive reconnaissance step in cyber attacks. The figure below shows the use of the city parameter.

In the picture above, using the city parameter, it has been determined that more than 1.45 million systems are open to the internet in the city of Istanbul. By combining the city parameter with other parameters, the scope of passive exploration work can be narrowed down.

Country: This parameter is used to detect devices that are open to the internet in a certain country. It is usually a filter used to narrow and determine the scope of cyber attacks between countries. An example of the use of the country parameter is given in the picture below.

In the picture above, using the country parameter, it has been determined that approximately 76 thousand systems in Azerbaijan are open to the internet. By combining the country parameter with other parameters, the scope of passive discovery work can be narrowed down. (Countries are searched by their two-letter abbreviation.)

Geo: This parameter is used to detect the systems that are open to the internet in a targeted region, given as geographic coordinates (latitude, longitude). The figure below shows the use of the geo parameter.

In the picture above, it has been determined that 456 systems are open to the internet at the coordinates of a certain location. One of the systems shown in the picture above is a security camera management panel.

Before/after: These parameters show the systems that were seen open to the internet between certain dates (find results within a timeframe). Thus, they can be used for passive reconnaissance targeted at specific systems. Example usage is shown in the picture below.

In the picture above, it is stated that the before/after parameters can only be used via the API.

Has_screenshot: Used to show only results for which a screenshot is available. It usually applies to systems with remote desktop access open. The figure below shows the use of has_screenshot.

In the picture above, it has been determined that there are 5288 systems with screenshots available in the city of Miami. It can also be concluded that the RDP protocol of the system in the screenshot is open.

Title: Filtering can be done using the text in the titles of the devices' web pages. For example, filtering can be done by specifying the product name and model. An example of the title parameter is given in the picture below.

In the picture above, 45716 Citrix Gateway devices open to internet access worldwide were detected using the title parameter. When a vulnerability is found in any product, the vulnerable product that is open to the internet can be detected using Shodan. After detection, it can be reported by well-intentioned people or attacked by malicious people.
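The filters above are all combined in one query string, and most of the mistakes people make with them are syntactic: a value with a space (such as apache 2.2.4 or Windows 11) must be quoted or Shodan reads the second word as free text, a country is a two-letter code, and before/after take a date. The following added example (my own code, not from the article or from Shodan) builds and validates such queries, and produces the set of queries a defender would run to review their own organisation's exposure. The organisation name and netblock are constructed; the dd/mm/yyyy format for before/after is taken from Shodan's documentation and treated here as an assumption.

```python
import ipaddress
import re
from datetime import datetime

# Filters covered in the cheatsheet above. Each value is validated for its
# filter before it is joined into the query string.
FILTERS = {
    "server", "hostname", "net", "os", "port", "org", "city",
    "country", "geo", "before", "after", "has_screenshot", "title",
}


def quote(value: str) -> str:
    """Shodan splits a query on spaces, so a multi-word value such as
    apache 2.2.4 must be double-quoted to stay attached to its filter."""
    value = value.replace('"', "")
    return f'"{value}"' if " " in value else value


def validate_filter(name: str, value: str) -> str:
    """Return the value normalised for Shodan, or raise ValueError."""
    name = name.lower()
    if name not in FILTERS:
        raise ValueError(f"unknown filter: {name}")
    if name == "net":
        # A single address or a CIDR block; strict=False tolerates host bits set.
        ipaddress.ip_network(value, strict=False)
        return value
    if name == "port":
        port = int(value)  # raises ValueError on non-numeric input
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {value}")
        return str(port)
    if name == "country":
        if not re.fullmatch(r"[A-Za-z]{2}", value):
            raise ValueError("country takes a two-letter code, e.g. AZ")
        return value.upper()
    if name in ("before", "after"):
        # Shodan documents these as dd/mm/yyyy (assumption: format unchanged).
        datetime.strptime(value, "%d/%m/%Y")
        return value
    if name == "geo":
        lat, lon = (float(part) for part in value.split(","))
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError("geo takes lat,lon in decimal degrees")
        return f"{lat},{lon}"
    if name == "has_screenshot":
        if value.lower() not in ("true", "false"):
            raise ValueError("has_screenshot takes true or false")
        return value.lower()
    return quote(value)


def build_query(filters: dict, free_text: str = "") -> str:
    """Compose filters (in insertion order) into one Shodan query string."""
    parts = [free_text.strip()] if free_text.strip() else []
    for name, value in filters.items():
        parts.append(f"{name.lower()}:{validate_filter(name, str(value))}")
    return " ".join(parts)


def asset_review_queries(org: str, nets: list, ports=(21, 445, 3389)) -> list:
    """Queries a defender runs against their own organisation: the org filter
    alone, then each owned netblock narrowed by a sensitive port."""
    queries = [build_query({"org": org})]
    for net in nets:
        queries.append(build_query({"net": net}))
        queries.extend(build_query({"net": net, "port": p}) for p in ports)
    return queries


if __name__ == "__main__":
    # Constructed organisation and netblock (TEST-NET-3, not a real allocation).
    for q in asset_review_queries("Example Corp", ["203.0.113.0/24"]):
        print(q)
```

The strings this produces are what you would pass to the official `shodan` Python library's `Shodan(api_key).search(query)` call; the script itself makes no network requests, so it can be dropped into a CI job that only assembles the review queries for your own address space.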

Some Passive Explorations with Shodan

Incorrectly Configured WordPress Sites: By detecting systems where access to the wp-config.php file is not restricted, the database connection information in that file can be obtained. The figure below shows an example of this passive reconnaissance work.

In the picture above, 12 misconfigured WordPress sites were detected. The picture also shows that critical information on one of these sites is open to unauthorized access.

The picture above contains the username and password used to connect to the database. This is the result of misconfigured WordPress sites.

Systems Open to FTP Anonymous Access: Passive discovery with Shodan can detect systems whose FTP port allows anonymous access. On such systems, files can be transferred over the FTP port with the anonymous account. The figure below shows an example of FTP anonymous access.

In the picture above, the specific passive discovery performed shows that there are 100751 systems worldwide allowing anonymous FTP access. This is because the FTP service is installed with its default settings and never reconfigured.
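Both findings in this section (an exposed wp-config.php and anonymous FTP) are things an organisation should be catching in its own Shodan results before anyone else does. The added example below (my own code, not from the article) triages a list of result records in the shape of the `matches` entries returned by the Shodan API and turns them into remediation findings without ever echoing banner contents, since an HTTP body may contain credentials. The records are constructed sample data; the field names `ip_str`, `port`, `data`, `product`, `version`, `hostnames`, `vulns`, `ftp.anonymous` and `screenshot` are taken from Shodan's banner format and treated as assumptions here; `CVE-0000-0000` is a placeholder identifier, not a real advisory.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records in the shape of Shodan "matches" entries.
# Addresses are from TEST-NET-3; every value is invented for this example.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 21, "product": "vsftpd", "version": "3.0.3",
     "org": "Example Corp", "hostnames": ["ftp.example.com"], "vulns": {},
     "ftp": {"anonymous": True},   # assumed Shodan FTP banner field
     "data": "220 (vsFTPd 3.0.3)\r\n230 Login successful.\r\n"},
    {"ip_str": "203.0.113.11", "port": 80, "product": "Apache httpd", "version": "2.2.4",
     "org": "Example Corp", "hostnames": ["www.example.com"],
     "vulns": {"CVE-0000-0000": {"cvss": 7.5}},   # placeholder CVE id
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.4\r\n\r\n"
             "<?php define('DB_PASSWORD', 'constructed-secret');"},
    {"ip_str": "203.0.113.12", "port": 3389, "product": "Remote Desktop Protocol",
     "org": "Example Corp", "hostnames": [], "vulns": {},
     "screenshot": {"mime": "image/jpeg"},   # assumed Shodan screenshot field
     "data": "Remote Desktop Protocol\r\n"},
    {"ip_str": "203.0.113.13", "port": 443, "product": "nginx", "version": "1.24.0",
     "org": "Example Corp", "hostnames": ["api.example.com"], "vulns": {},
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
]

# Constants that wp-config.php defines; their presence in a response body
# means the PHP file was served as text instead of being executed.
WPCONFIG_MARKERS = ("DB_PASSWORD", "DB_USER", "DB_HOST", "AUTH_KEY")


@dataclass
class Finding:
    ip: str
    port: int
    severity: str
    issue: str


def triage(match: dict) -> list:
    """Map one Shodan result record to zero or more remediation findings."""
    findings = []
    ip, port = match["ip_str"], match["port"]
    data = match.get("data", "")
    service = f"{match.get('product', '?')} {match.get('version', '')}".strip()

    # Anonymous FTP: the banner field, or a 230 (login OK) reply after Shodan's
    # anonymous login attempt, both indicate the default configuration.
    if port == 21 and (match.get("ftp", {}).get("anonymous")
                       or re.search(r"^230 ", data, re.M)):
        findings.append(Finding(ip, port, "high",
                                "FTP accepts anonymous logins; disable or restrict"))
    if any(marker in data for marker in WPCONFIG_MARKERS):
        findings.append(Finding(ip, port, "critical",
                                "wp-config.php served as text; restrict access "
                                "and rotate the database credentials"))
    if port == 3389 and "screenshot" in match:
        findings.append(Finding(ip, port, "medium",
                                "RDP reachable from the internet; move behind "
                                "VPN and enforce NLA and MFA"))
    for cve in sorted(match.get("vulns", {})):
        findings.append(Finding(ip, port, "high",
                                f"{service} flagged with {cve}; patch or upgrade"))
    return findings


def triage_all(matches: list) -> list:
    return [f for m in matches for f in triage(m)]


def summarize(findings: list) -> dict:
    """Counts per severity, for a dashboard or a ticket title."""
    return dict(Counter(f.severity for f in findings))


def report_lines(findings: list) -> list:
    # Deliberately excludes match["data"]: never copy banner bodies into tickets.
    return [f"[{f.severity}] {f.ip}:{f.port} {f.issue}" for f in findings]


if __name__ == "__main__":
    for line in report_lines(triage_all(SAMPLE_MATCHES)):
        print(line)
```

The same `triage` function works unchanged on real `matches` from `Shodan(api_key).search(...)`, because it only reads the fields listed above; anything the page does not mention (TLS details, HTTP component lists) is ignored rather than guessed at.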

Some extra filters:

Here are the most popular Filters used by Shodan:

For Webcams –

For Cams –

For Netcam –

For Default Passwords –

For detailed information:

Thank you for reading.



Javad Ibrahimli

Electronics and Communication Engineering student @ ITU | 2 x IBM Champion Learner Gold | IT Support Enthusiast | IBM certified Co-Creator