How to use cyber security training

How To Use | Recon Analysis

Shodan is an internet search engine that is used to search internet devices. It will display the results of their banner information like the software and services that are running, welcome messages or other information. The most difficult thing about Shodan is having the right answer to ask it.

Shodan will map all devices across the internet in order to search for your answer. This means you can ask it to query things such as which MongoDB databases have logins without credentials or search for physical wind turbines connected to the internet by IP addresses.

How to use Shodan. Learn cyber security.

Shodan has been described as the ‘search engine for hackers’ and has been called the “worlds most dangerous search engine” by this Vice News. Shodan offers a limited number of free queries but can be upgraded with a paid subscription.

Shodan pulls information stored in a webpage object called the banner. Banner refers to a text message received from the host, usually, it includes information about the open ports and services with their version numbers.

  • Service running on the device
  • IP address of the device
  • Port number of the service
  • Organization that owns the IP
  • Location and country code of the device
HTTP banner example
The above banner shows the OWASP vuln server is running the apache web server

By default, only the data property of the banner is displayed. The content of the data property varies by type of service, for example, here is a typical HTTP banner with its data properties.

Exploring Shodan

You click on the “Explore” tab and can start browsing pre-defined search filters, right away, that look for the following;

  • Webcams
  • Traffic Cameras
  • Video Projectors
  • Routers
  • SCADA Systems

General rule of thumb, if the device has a web facing interface that has open ports with running services, Shodan can find it and you can query it!

Shodan Explore Page. Learn cyber security.

Precision Searches

The real power of Shodan comes from combining search filters and performing precision searches on targets by refining your queries. You can use the following filters when using Shodan to find specific devices;

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: use geo coordinates
  • org: searches for specific organization names
  • port: find devices on a particular port or range of ports
  • os: find devices based on operating system
  • hostname: look for devices that match a specific hostname
  • net: find devices by CIDR address
  • before/after: find results within a time-frame

Below is a basic search query, finding all routers with default password in plain-text in the United States with the city name of Arlington:

WWW-Authenticate: Basic country:us city:arlington
Shodan Explore Page. Learn cyber security.

Shodan is a great tool for penetration testers, red teams, hackers, and security professionals in general due to its robust search features. Reconnaissance

Shodan can be used for many purposes, but it is specifically designed for reconnaissance.

Shodan most shines when it comes down to reconnaissance. They allow you to use a map, which you can query with general filters such as country or city to broadly find vulnerable and publicly exposed devices, and then you can narrow your search using filters to find specific targets.

Using Shodan to Improve Your Organizations Security

Closing the Gaps

Hosts that appear on Shodan can be remediated by security and network teams by updating deprecated software or harden assets that were overlooked and were publicly exposed to the internet.

Secure Banners

Shodan is a public tool available to everyone who has access to an internet connection, thus it is very important that you ensure security within your organization. Banners are typically overlooked and left as default and not changed by administrators, which is a bad practice that can be easily exploited using tools like Shodan. Banner refers to a text message received from the host, usually, it includes information about the open ports and services with their version numbers. Network Security teams can remediate this threat by;

  • Changing the HTTP server banner string
  • Rearranging HTTP headers
  • Customizing HTTP error codes

Blocking Servers

The final way to improve your organization by using Shodan is to block Shodan from others using it. Block the following:

DNSIP addressLocation


*Note, domain and IP may have changed since this original post. Please verify IP’s before pushing these changes into production

Final Thoughts

Shodan is a tool, like any others, can be exploited for nefarious use. Shodan can expose vulnerable systems and provide information concerning internal mechanisms of organizations.

Is it legal?

From a technical standpoint, Shodan is a massive internet port scanner, which isn’t a violation of the Computer Fraud and Abuse Act because it does no damage to the integrity or availability of the device. Although, most countries have laws prohibiting unauthorized use of computer systems, this is not applicable to Shodan, since it is only querying header information.

In Conclusion can be used as a baseline to start your proactive security investigations into publicly exposed assets for your organization. If you work as a security analyst or network security professional, I highly recommend setting up an account and even paying the monthly fee for access to the API and data exports.

Similar Posts