Shodan is an internet search engine for internet-connected devices. It displays the results from their banner information, such as the software and services that are running, welcome messages and other details. The most difficult thing about Shodan is knowing the right question to ask it.
Shodan maps devices across the internet so that it can answer your query. This means you can ask it things such as which MongoDB databases accept logins without credentials, or search for physical wind turbines connected to the internet by IP address.
Shodan has been described as the "search engine for hackers" and was called the "world's most dangerous search engine" by Vice News. Shodan offers a limited number of free queries; more are available with a paid subscription.
Shodan pulls the information it indexes from an object called the banner. The banner is the text a host sends back when a service is contacted; it usually includes information about the open port and the service running on it with its version number. A banner typically contains:
- Service running on the device
- IP address of the device
- Port number of the service
- Organization that owns the IP
- Location and country code of the device
By default, only the data property of the banner is displayed. The content of the data property varies with the type of service; for example, a typical HTTP banner has its own set of data properties.
Click the "Explore" tab to start browsing pre-defined searches right away; they look for the following:
As a general rule of thumb, if a device has an internet-facing interface with open ports and running services, Shodan can find it and you can query it!
The real power of Shodan comes from combining search filters and refining your queries into precise searches against targets. You can use the following filters in Shodan to find specific devices:
- city: find devices in a particular city
- country: find devices in a particular country
- geo: use geo coordinates
- org: searches for specific organization names
- port: find devices on a particular port or range of ports
- os: find devices based on operating system
- hostname: look for devices that match a specific hostname
- net: find devices by CIDR address
- before/after: find results within a time-frame
Below is a basic search query that finds all routers in Arlington, in the United States, with a default password in plain text:
WWW-Authenticate: Basic country:us city:arlington
Shodan is a great tool for penetration testers, red teams, hackers, and security professionals in general because of its robust search features.
Shodan can be used for many purposes, but it is designed specifically for reconnaissance.
Shodan shines most in reconnaissance: it provides a map that you can query with general filters such as country or city to broadly find vulnerable and publicly exposed devices, and you can then narrow the search with further filters to find specific targets.
Using Shodan to Improve Your Organization's Security
Closing the Gaps
Hosts that appear on Shodan can be remediated by security and network teams by updating deprecated software or hardening overlooked assets that were publicly exposed to the internet.
Shodan is a public tool available to anyone with an internet connection, so it is very important to ensure security within your organization. Banners are typically overlooked and left at their defaults by administrators, which is a bad practice that can be easily exploited using tools like Shodan. Network security teams can remediate this threat by:
- Changing the HTTP server banner string
- Rearranging HTTP headers
- Customizing HTTP error codes
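As an added example (not code from the original post or from Shodan), the following Python script composes a query from the filters listed earlier and audits Shodan results for your own address space, flagging HTTP banners whose Server header still leaks a version. It assumes the shodan library's search() result field names (ip_str, port, data) and uses constructed sample results so it runs offline.

```python
import re

def build_query(text="", **filters):
    """Join free text and filter:value pairs into one Shodan query string."""
    parts = [text] if text else []
    parts += [f"{name}:{value}" for name, value in filters.items()]
    return " ".join(parts)

def fetch_matches(api_key, query):
    """Live lookup with the official 'shodan' library (pip install shodan)."""
    import shodan  # imported here so the offline demo below needs no install
    return shodan.Shodan(api_key).search(query)["matches"]

def parse_http_banner(data):
    """Split a banner's 'data' property into its status line and headers."""
    lines = data.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}

VERSION_RE = re.compile(r"/\d+(\.\d+)+")  # e.g. Apache/2.4.6, nginx/1.18.0
def leaks_version(server_header):
    """True when the Server header advertises a concrete software version."""
    return bool(server_header and VERSION_RE.search(server_header))

def audit(matches):
    """One (ip, port, server) finding per host whose banner leaks a version."""
    findings = []
    for m in matches:
        server = parse_http_banner(m.get("data", ""))["headers"].get("server", "")
        if leaks_version(server):
            findings.append((m["ip_str"], m["port"], server))
    return findings

# Constructed sample results shaped like Shodan's search output (assumed field
# names ip_str/port/data; RFC 5737 test addresses), so the demo runs offline.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 80, "data":
     "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nContent-Type: text/html\r\n\r\n"},
    {"ip_str": "203.0.113.11", "port": 8080, "data":
     "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"router\"\r\nServer: httpd\r\n\r\n"},
]

if __name__ == "__main__":
    print(build_query(net="203.0.113.0/24", port=80))  # scope to your own range
    for ip, port, server in audit(SAMPLE_MATCHES):
        print(f"{ip}:{port} leaks version via Server header: {server}")
```

Hosts it flags are candidates for the banner changes listed above, for example nginx's server_tokens off or Apache's ServerTokens Prod.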
Blocking Shodan.io Servers
The final way to improve your organization's security using Shodan is to block Shodan's own scanners from reaching you. Block the following:
*Note: the domains and IPs may have changed since this was originally posted. Please verify the IPs before pushing these changes into production.
Shodan, like any other tool, can be exploited for nefarious use. It can expose vulnerable systems and provide information about the internal workings of organizations.
Is it legal?
From a technical standpoint, Shodan is a massive internet port scanner, which isn't a violation of the Computer Fraud and Abuse Act because it does no damage to the integrity or availability of the device. Although most countries have laws prohibiting unauthorized use of computer systems, these do not apply to Shodan, since it only queries header information.
Shodan.io can be used as a baseline for starting proactive security investigations into your organization's publicly exposed assets. If you work as a security analyst or network security professional, I highly recommend setting up an account and even paying the monthly fee for access to the API and data exports.