Banner specification of shodan

Banner Specification of shodan search engine | part – 4

Search Query Fundamentals

The Banner

Devices run services and those services are what Shodan collects information about. For example, websites are hosted on devices that run a web service and Shodan would gather information by speaking with that web service. The information for each service is stored in an object called the banner. It is the fundamental unit of data that Shodan gathers and what you'll be searching for. A simplified banner looks like the following:

{
    "data": "Moxa Nport Device
            Status: Authentication disabled
            Name: NP5232I_4728
            MAC: 00:90:e8:47:10:2d",
    "ip_str": "46.252.132.235",
    "port": 4800,
    "org": "SingTel Mobile",
    "location": {
        "country_code": "SG"
    }
}

The above banner has 5 properties. Note that a real banner will contain many more properties and detailed information about the service. Each property stores a different type of information about the service:

  • data: the main response from the service itself
  • ip_str: IP address of the device
  • port: port number of the service
  • org: the organization that owns this IP space
  • location.country_code: the country where the device is located

By default, only the data property is searched by Shodan. The content of the data property can vary greatly depending on the type of service. For example, here is a typical HTTP banner:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive

The above banner shows that the device is running the nginx web server software with a version of 1.1.19. To show how different the banners can look like, here is a banner for the Siemens S7 industrial control system protocol:

Copyright: Original Siemens Equipment
PLC name: S7_Turbine
Module type: CPU 313C
Unknown (129): Boot Loader           A
Module: 6ES7 313-5BG04-0AB0  v.0.3
Basic Firmware: v.3.3.8
Module name: CPU 313C
Serial number of module: S Q-D9U083642013
Plant identification: 
Basic Hardware: 6ES7 313-5BG04-0AB0  v.0.3

The Siemens S7 protocol returns a completely different banner, this time providing information about the firmware, its serial number and a lot of detailed data to describe the device.

You have to decide what type of service you’re interested in when searching in Shodan because the banners vary greatly.

Search Syntax

Lets look again at the simplified banner for Moxa devices:

{
    "data": "Moxa Nport Device
            Status: Authentication disabled
            Name: NP5232I_4728
            MAC: 00:90:e8:47:10:2d",
    "ip_str": "46.252.132.235",
    "port": 4800,
    "org": "SingTel Mobile",
    "location": {
        "country_code": "SG"
    }
}

If you wanted to find more of these Moxa Nport devices then a simple search query would be:

Moxa Nport

For the latest list of fields that the banner contains please visit the online documentation. A banner may contain the following properties/ fields:

General Properties

Name Description Examples
asn
Autonomous system number
AS4837
data
Main banner for the service
HTTP/1.1 200...
ip
IP address as an integer
493427495
ip_str
IP address as a string
199.30.15.20
ipv6
IPv6 address as a string
2001:4860:4860::8888
port
Port number for the service
80
timestamp
Date and time the information was collected
2014-01-15T05:49:56.283713
hash
Numeric hash of the data property
-
hostname
List of hostnames for the IP
[“shodan.io”, “www.shodan.io”]
domains
List of domains for the IP
[“shodan.io”]
link
Network link type
Ethernet or modem
location
Geographic location of the device
see below
opts
Supplemental/ experimental data not contained in main banner
-
org
Organization that is assigned the IP
Google Inc.
ISP
ISP that is responsible for the IP space
Verizon Wireless
os
Operating system
Linux
uptime
uptime Uptime of the IP in minutes
50
tag
List of tags that describe the purpose of the device (Enterprise-only)
[“ics”, “vpn”]

Elastic Properties

The following properties are collected for Elastic (formerly ElasticSearch):

Name Description
elastic.cluster
General information about the cluster
elastic.indices
List of nodes/ peers for the cluster and their information
elastic.nodes
List of nodes/ peers for the cluster and their information

HTTP(S) Properties

Shodan follows redirects of HTTP responses and stores all intermediate data in the banner. The only time the crawlers don’t follow a redirect is if a HTTP request gets redirected to a HTTPS location and vice versa.

Name Description
http.components
Web technologies that were used to create the website
http.host
Hostname sent to grab the website HTML
http.html
HTML content of the website
http.html_hash
Numeric hash of the http.html property
http.location
Location of the final HTML response
http.redirects
List of redirects that were followed. Each redirect item has 3 properties: host, data and location.
http.robots
http.server
hash
Server header from the HTTP response
http.server
Server header from the HTTP response
http.sitemap
Sitemap XML for the website

Location Properties

The following properties are sub-properties of the location property that is at the top-level of the banner record.

Name Description
area_code
Area code of the device’s location
city
Name of the city
country_code
2-letter country code
country_code3
3-letter country code
country_name
Full name of the country
dma_code
Designated market area code (US-only)
latitude
Latitude
longitude
Longitude
postal_code
Postal code
region_code
Region code

SMB Properties

Name Description
smb.anonymous
Whether or not the service allows anonymous connections (true/ false)
smb.capabilities
List of features that the service supports
smb.shares
List of network shares that are available
smb.smb_version
Protocol version used to gather the information
smb.software
Name of the software powering the service
smb.raw
List of hex-encoded packets that were sent by the server; useful if you want to do your own SMB parsing

SSH Properties

Name Description
ssh.cipher
Cipher used during negotiation
ssh.fingerprint
Fingerprint for the device
smb.shares
List of network shares that are available
ssh.kex
List of key exchange algorithms that are supported by the server
ssh.key
SSH key of the server
ssh.mac
Message authentication code algorithm

SSL Properties

If the service is wrapped in SSL then Shodan performs additional testing and makes the results available in the following properties:

Name Description
ssl.acceptable_cas
List of certificate authorities that the server accepts
ssl.cert
Parsed SSL certificate
ssl.cipher
Preferred cipher for the SSL connection
ssl.chain
List of SSL certificates from the user certificate up to the root certificate
ssl.dhparams
Diffie-Hellman parameters
ssl.tlsext
List of TLS extensions that the server supports
ssl.versions
Supported SSL versions; if the value starts with a “-“ then the service does not support that version (ex. “-SSLv2” means the service doesn’t support SSLv2)

ISAKMP Properties

The following properties are collected for VPNs using the ISAKMP protocol (such as IKE):

Name Description
isakmp.initiator_spi
Hex-encoded security parameter index for the initiator
isakmp.responder_spi
Hex-encoded security parameter index for the responder
isakmp.next_payload
The next paylod sent after the initiation
isakmp.version
Protocol version; ex “1.0”
isakmp.exchange_type
Exchange type
isakmp.flags.encryption
Encryption bit set: true or false
isakmp.flags.commit
Commit bit set: true or false
isakmp.flags.authentication
Authentication bit set: true or false
isakmp.msg_id
Hex-encoded ID for the message
isakmp.length
Size of the ISAKMP packet

Special Properties

The _shodan property contains information about how the data was gathered by Shodan. It is different than all the other properties because it doesn’t provide information about the device.
Instead, it will tell you which banner grabber Shodan was using to talk to the IP. This can be important to understand for ports where multiple services might be operating on. For example, port 80 is most well-known for web servers but it’s also used by various malware to circumvent firewall rules. The _shodan property would let you know whether the http module was used to collect the data or whether a malware module was used.

Name Description
_shodan.crawler
Unique ID that identifies the Shodan crawler
_shodan.id
Unique ID for this banner
_shodan.module
Name of the Shodan module used by the crawler to collect the banner
_shodan.options
Configuration options used during the data collection
_shodan.hostname
Hostname to use when sending web requests
_shodan.options.referrer
Unique ID of the banner that triggered the scan for this port/ service

Example of shodan banner

{
        "timestamp": "2014-01-16T08:37:40.081917",
    "hostnames": [
    "99-46-189-78.lightspeed.tukrga.sbcglobal.net"
    ],
    "org": "AT&T U-verse",
        "guid": "1664007502:75a821e2-7e89-11e3-8080-808080808080",
        "data": "NTP\nxxx.xxx.xxx.xxx:7546\n68.94.157.2:123\n68.94.156.17:123",
        "port": 123,
        "isp": "AT&T U-verse",
        "asn": "AS7018",
        "location": {
        "country_code3": "USA",
        "city": "Atlanta",
        "postal_code": "30328",
        "longitude": -84.3972,
            "country_code": "US",
            "latitude": 33.93350000000001,
            "country_name": "United States",
            "area_code": 404,
            "dma_code": 524,
            "region_code": null
    },
    "ip": 1664007502,
    "domains": [
    "sbcglobal.net"
    ],
    "ip_str": "99.46.189.78",
    "os": null,
    "opts": {
Appendix A: Banner Specification 74
"raw": "\\x97\\x00\\x03*\\x00\\x03\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01G\\x06\\xa7\\x8ec.\\xbdN\\x00\\
\x00\\x00\\x01\\x1dz\\x07\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00q\\x00\\x00\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00XD^\\x9d\\x02c.\\xbdN\\\
x00\\x00\\x00\\x01\\x00{\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00q\\x00\\x00\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00YD^\\x9c\\x11c.\\xb\
dN\\x00\\x00\\x00\\x01\\x00{\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
        "ntp": {
            "more": false
            }
        }
    }
Spread the love

Leave a Comment

Your email address will not be published.