Rated the best search engine for hackers, Shodan was referred to as the scariest search engine on the internet, back in 2013. While Shodan is similar to Google, in that they are both search engines that use crawlers, it crawls the entire internet to map and index internet-connected IoT devices. To put this into perspective, Google’s crawlers only index a part of the internet that is publicly accessible, the World Wide Web. And although Shodan is infamous for being instrumental in blackhat hacking, in the right hands, this search engine is effective in the process of vulnerability assessment and pen-testing IoT devices.
In this article we delve into Shodan and its working, and discuss the features that make this search engine useful for pen-testers and bug bounty hunters.
What is Shodan?
As mentioned earlier, Shodan (Sentient Hyper-Optimized Data Access Network) is a search engine for devices connected to the internet. Designed and developed by Web Developer John Matherly, this search engine crawls the entire internet, parses the service banners of IoT devices, and indexes them for future searches. It maps and reports any device, such as webcams, smart devices, medical devices, traffic lights, C2 systems of devices, etc., that is connected to the internet and is not secure.
The service banners of IoT devices contain metadata relevant to the devices, such as:
- Geo-location
- Make and model
- IP address
- Default username and password
- Software version
How does Shodan work?
Upon scanning the entire internet, the search engine sends queries to connected IoT devices for publicly available information related to them. The servers of such devices return their service banners to the user. Shodan also supports customized queries using filters like city, country, hostname, OS, etc. to find out the corresponding details.
The Basics
Similar to other search engines, Shodan also utilizes a search box, to which users can enter search terms that adhere to its search query syntax. Moreover, search results can be narrowed down to be as accurate as possible, by making use of quotation marks and other such operators.
For instance, boolean operators + or — can be used to include or exclude terms in the query.
Shodan Filters
This search engine only searches for the data property on the IoT devices’ banners. Hence, it employs search filters for refined results. Here are some basic search filters you can use:
- city: find devices in a particular city
- country: find devices in a particular country
- geo: you can pass it coordinates
- hostname: find values that match the hostname
- net: search based on an IP or /x CIDR
- os: search based on operating system
- port: find particular ports that are open
- before/after: find results within a timeframe
Search examples:
org:”Amazon” ssl:”target”
ssl:”target”
html:”Dashboard Jenkins”
http.component:”jenkins”
http.title:”302 Found”
http.component:”java”
ssl.cert.subject.cn:”target”
hostname:”target”
http.favicon.hash:-335242539
html:”© 2020 target”
product:elastic port:9200
Continuous Monitoring
This IoT search engine can be used to monitor your networks or products continuously, to help you stay informed of any threats to them. For this, you can make use of the Shodan Command-line Interface (CLI).
- Use the following command to set up an alert for notifications related to your IP range:
shodan alert create “Bug-Bounty-Target” 198.172.0.0/24
- The following command allows you to create a trigger to send the alert:
shodan alert triggers
- When Shodan detects a malware or a new CVE against your product, get a notification using this:
shodan alert enable {ALERTID} malware
Automation
Every new trick boils down to automation these days. Fortunately, with this search engine you can automate various tasks that are within its range of activities. There are the three main ways to automate this search engine:
- Shodan-API
- Shodan Python Module
- Shodan CLI
Check out this handy tool that makes the entire process easier and hassle-free: m4ll0k/Shodanfy.py
Conclusion
Although it seems quite perverse, security professionals, researchers, and even government agencies trust Shodan to alert them on unmanaged IoT devices that may present vulnerabilities. Such devices could potentially expose critical data belonging to an enterprise, organization or individual, to attacks. This search engine helps prevent this. By following the methods prescribed above, you can also explore Shodan and monitor and protect your network or product from exploitation.