Malware Intelligence
mins read

Quickstart Shodan: What is it and how does it work

Quickstart Shodan: What is it and how does it work

July 15, 2020
Green Alert
Last Update posted on
February 3, 2024
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

 

Rated the best search engine for hackers, Shodan was referred to as the scariest search engine on the internet, back in 2013. While Shodan is similar to Google, in that they are both search engines that use crawlers, it crawls the entire internet to map and index internet-connected IoT devices. To put this into perspective, Google’s crawlers only index a part of the internet that is publicly accessible, the World Wide Web. And although Shodan is infamous for being instrumental in blackhat hacking, in the right hands, this search engine is effective in the process of vulnerability assessment and pen-testing IoT devices. 

In this article we delve into Shodan and its working, and discuss the features that make this search engine useful for pen-testers and bug bounty hunters.

 

What is Shodan?

As mentioned earlier, Shodan (Sentient Hyper-Optimized Data Access Network) is a search engine for devices connected to the internet. Designed and developed by Web Developer John Matherly, this search engine crawls the entire internet, parses the service banners of IoT devices, and indexes them for future searches. It maps and reports any device, such as webcams, smart devices, medical devices, traffic lights, C2 systems of devices, etc., that is connected to the internet and is not secure. 

The service banners of IoT devices contain metadata relevant to the devices, such as:

  • Geo-location
  • Make and model
  • IP address
  • Default username and password
  • Software version

Shodan service banners

 

How does Shodan work?

Upon scanning the entire internet, the search engine sends queries to connected IoT devices for publicly available information related to them. The servers of such devices return their service banners to the user. Shodan also supports customized queries using filters like city, country, hostname, OS, etc. to find out the corresponding details.

 

The Basics

Similar to other search engines, Shodan also utilizes a search box, to which users can enter search terms that adhere to its search query syntax. Moreover, search results can be narrowed down to be as accurate as possible, by making use of quotation marks and other such operators. 

For instance, boolean operators + or — can be used to include or exclude terms in the query.

Shodan basic search

 

Shodan Filters

This search engine only searches for the data property on the IoT devices’ banners. Hence, it employs search filters for refined results. Here are some basic search filters you can use:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on operating system
  • port: find particular ports that are open
  • before/after: find results within a timeframe

 

Search examples:

org:”Amazon” ssl:”target”

ssl:”target”

html:”Dashboard Jenkins”

http.component:”jenkins”

http.title:”302 Found”

http.component:”java”

ssl.cert.subject.cn:”target”

hostname:”target”

http.favicon.hash:-335242539

html:”© 2020 target”

product:elastic port:9200

Examples of Shodan filter

 

Continuous Monitoring

This IoT search engine can be used to monitor your networks or products continuously, to help you stay informed of any threats to them. For this, you can make use of the Shodan Command-line Interface (CLI).

  • Use the following command to set up an alert for notifications related to your IP range:

shodan alert create “Bug-Bounty-Target” 198.172.0.0/24

 

  • The following command allows you to create a trigger to send the alert:

shodan alert triggers

 

  • When Shodan detects a malware or a new CVE against your product, get a notification using this:

shodan alert enable {ALERTID} malware

 

Automation

Every new trick boils down to automation these days. Fortunately, with this search engine you can automate various tasks that are within its range of activities. There are the three main ways to automate this search engine:

  • Shodan-API
  • Shodan Python Module
  • Shodan CLI

Check out this handy tool that makes the entire process easier and hassle-free: m4ll0k/Shodanfy.py

 

Conclusion

Although it seems quite perverse, security professionals, researchers, and even government agencies trust Shodan to alert them on unmanaged IoT devices that may present vulnerabilities. Such devices could potentially expose critical data belonging to an enterprise, organization or individual, to attacks. This search engine helps prevent this. By following the methods prescribed above, you can also explore Shodan and monitor and protect your network or product from exploitation. 

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Ransomware
November 4, 2023

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Blog Image
Malware
July 28, 2023

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

Blog Image
Threat Intelligence
July 11, 2023

Breaking into the Bandit Stealer Malware Infrastructure

CloudSEK's threat researchers discovered a new Bandit Stealer malware web panel on 06 July 2023, with at least 14 active instances.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Malware Intelligence

min read

Quickstart Shodan: What is it and how does it work

Quickstart Shodan: What is it and how does it work

Authors
Co-Authors
No items found.

 

Rated the best search engine for hackers, Shodan was referred to as the scariest search engine on the internet, back in 2013. While Shodan is similar to Google, in that they are both search engines that use crawlers, it crawls the entire internet to map and index internet-connected IoT devices. To put this into perspective, Google’s crawlers only index a part of the internet that is publicly accessible, the World Wide Web. And although Shodan is infamous for being instrumental in blackhat hacking, in the right hands, this search engine is effective in the process of vulnerability assessment and pen-testing IoT devices. 

In this article we delve into Shodan and its working, and discuss the features that make this search engine useful for pen-testers and bug bounty hunters.

 

What is Shodan?

As mentioned earlier, Shodan (Sentient Hyper-Optimized Data Access Network) is a search engine for devices connected to the internet. Designed and developed by Web Developer John Matherly, this search engine crawls the entire internet, parses the service banners of IoT devices, and indexes them for future searches. It maps and reports any device, such as webcams, smart devices, medical devices, traffic lights, C2 systems of devices, etc., that is connected to the internet and is not secure. 

The service banners of IoT devices contain metadata relevant to the devices, such as:

  • Geo-location
  • Make and model
  • IP address
  • Default username and password
  • Software version

Shodan service banners

 

How does Shodan work?

Upon scanning the entire internet, the search engine sends queries to connected IoT devices for publicly available information related to them. The servers of such devices return their service banners to the user. Shodan also supports customized queries using filters like city, country, hostname, OS, etc. to find out the corresponding details.

 

The Basics

Similar to other search engines, Shodan also utilizes a search box, to which users can enter search terms that adhere to its search query syntax. Moreover, search results can be narrowed down to be as accurate as possible, by making use of quotation marks and other such operators. 

For instance, boolean operators + or — can be used to include or exclude terms in the query.

Shodan basic search

 

Shodan Filters

This search engine only searches for the data property on the IoT devices’ banners. Hence, it employs search filters for refined results. Here are some basic search filters you can use:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on operating system
  • port: find particular ports that are open
  • before/after: find results within a timeframe

 

Search examples:

org:”Amazon” ssl:”target”

ssl:”target”

html:”Dashboard Jenkins”

http.component:”jenkins”

http.title:”302 Found”

http.component:”java”

ssl.cert.subject.cn:”target”

hostname:”target”

http.favicon.hash:-335242539

html:”© 2020 target”

product:elastic port:9200

Examples of Shodan filter

 

Continuous Monitoring

This IoT search engine can be used to monitor your networks or products continuously, to help you stay informed of any threats to them. For this, you can make use of the Shodan Command-line Interface (CLI).

  • Use the following command to set up an alert for notifications related to your IP range:

shodan alert create “Bug-Bounty-Target” 198.172.0.0/24

 

  • The following command allows you to create a trigger to send the alert:

shodan alert triggers

 

  • When Shodan detects a malware or a new CVE against your product, get a notification using this:

shodan alert enable {ALERTID} malware

 

Automation

Every new trick boils down to automation these days. Fortunately, with this search engine you can automate various tasks that are within its range of activities. There are the three main ways to automate this search engine:

  • Shodan-API
  • Shodan Python Module
  • Shodan CLI

Check out this handy tool that makes the entire process easier and hassle-free: m4ll0k/Shodanfy.py

 

Conclusion

Although it seems quite perverse, security professionals, researchers, and even government agencies trust Shodan to alert them on unmanaged IoT devices that may present vulnerabilities. Such devices could potentially expose critical data belonging to an enterprise, organization or individual, to attacks. This search engine helps prevent this. By following the methods prescribed above, you can also explore Shodan and monitor and protect your network or product from exploitation.