Search Query Fundamentals
The Banner
Devices run services and those services are what Shodan collects information about. For example, websites are hosted on devices that run a web service and Shodan would gather information by speaking with that web service. The information for each service is stored in an object called the banner. It is the fundamental unit of data that Shodan gathers and what you'll be searching for. A simplified banner looks like the following:
The above banner has 5 properties. Note that a real banner will contain many more properties and detailed information about the service. Each property stores a different type of information about the service:
- data: the main response from the service itself
- ip_str: IP address of the device
- port: port number of the service
- org: the organization that owns this IP space
- location.country_code: the country where the device is located
By default, only the data property is searched by Shodan. The content of the data property can vary greatly depending on the type of service. For example, here is a typical HTTP banner:
The above banner shows that the device is running the nginx web server software with a version of 1.1.19. To show how different the banners can look like, here is a banner for the Siemens S7 industrial control system protocol:
The Siemens S7 protocol returns a completely different banner, this time providing information about the firmware, its serial number and a lot of detailed data to describe the device.
You have to decide what type of service you’re interested in when searching in Shodan because the banners vary greatly.
Search Syntax
Lets look again at the simplified banner for Moxa devices:
If you wanted to find more of these Moxa Nport devices then a simple search query would be:
Banner Specification
For the latest list of fields that the banner contains please visit the online documentation. A banner may contain the following properties/ fields:
General Properties
| Name | Description | Examples |
|---|---|---|
|
asn |
Autonomous system number |
AS4837 |
|
data |
Main banner for the service |
HTTP/1.1 200... |
|
ip |
IP
address
as an integer |
493427495 |
|
ip_str |
IP address as a string |
199.30.15.20 |
|
ipv6 |
IPv6 address as a string |
2001:4860:4860::8888 |
|
port |
Port number for the service |
80 |
|
timestamp |
Date and time the information was collected |
2014-01-15T05:49:56.283713 |
|
hash |
Numeric hash of the data property |
- |
|
hostname |
List of hostnames for the IP |
[“shodan.io”, “www.shodan.io”] |
|
domains |
List of domains for the IP |
[“shodan.io”] |
|
link |
Network link type |
Ethernet or modem |
|
location |
Geographic location of the device |
see below |
|
opts |
Supplemental/ experimental data not contained in main banner |
- |
|
org |
Organization that is assigned the IP |
Google Inc. |
|
ISP |
ISP that is responsible for the IP space |
Verizon Wireless |
|
os |
Operating system |
Linux |
|
uptime |
uptime Uptime of the IP in minutes |
50 |
|
tag |
List of tags that describe the purpose of the device (Enterprise-only) |
[“ics”, “vpn”] |
Elastic Properties
The following properties are collected for Elastic (formerly ElasticSearch):
| Name | Description |
|---|---|
|
elastic.cluster |
General information about the cluster |
|
elastic.indices |
List of nodes/ peers for the cluster and their information |
|
elastic.nodes |
List of nodes/ peers for the cluster and their information |
HTTP(S) Properties
Shodan follows redirects of HTTP responses and stores all intermediate data in the banner. The only time the crawlers don’t follow a redirect is if a HTTP request gets redirected to a HTTPS location and vice versa.
| Name | Description |
|---|---|
|
http.components |
Web technologies that were used to create the website |
|
http.host |
Hostname sent to grab the website HTML |
|
http.html |
HTML content of the website |
|
http.html_hash |
Numeric hash of the http.html property |
|
http.location |
Location of the final HTML response |
|
http.redirects |
List of redirects that were followed. Each redirect item has 3 properties: host, data and location. |
|
http.robots |
http.server |
|
hash |
Server header from the HTTP response |
|
http.server |
Server header from the HTTP response |
|
http.sitemap |
Sitemap XML for the website |
Location Properties
The following properties are sub-properties of the location property that is at the top-level of the banner record.
| Name | Description |
|---|---|
|
area_code |
Area code of the device’s location |
|
city |
Name of the city |
|
country_code |
2-letter country code |
|
country_code3 |
3-letter country code |
|
country_name |
Full name of the country |
|
dma_code |
Designated market area code (US-only) |
|
latitude |
Latitude |
|
longitude |
Longitude |
|
postal_code |
Postal code |
|
region_code |
Region code |
SMB Properties
| Name | Description |
|---|---|
|
smb.anonymous |
Whether or not the service allows anonymous connections (true/ false) |
|
smb.capabilities |
List of features that the service supports |
|
smb.shares |
List of network shares that are available |
|
smb.smb_version |
Protocol version used to gather the information |
|
smb.software |
Name of the software powering the service |
|
smb.raw |
List of hex-encoded packets that were sent by the server; useful if you want to do your own SMB parsing |
SSH Properties
| Name | Description |
|---|---|
|
ssh.cipher |
Cipher used during negotiation |
|
ssh.fingerprint |
Fingerprint for the device |
|
smb.shares |
List of network shares that are available |
|
ssh.kex |
List of key exchange algorithms that are supported by the server |
|
ssh.key |
SSH key of the server |
|
ssh.mac |
Message authentication code algorithm |
SSL Properties
If the service is wrapped in SSL then Shodan performs additional testing and makes the results available in the following properties:
| Name | Description |
|---|---|
|
ssl.acceptable_cas |
List of certificate authorities that the server accepts |
|
ssl.cert |
Parsed SSL certificate |
|
ssl.cipher |
Preferred cipher for the SSL connection |
|
ssl.chain |
List of SSL certificates from the user certificate up to the root certificate |
|
ssl.dhparams |
Diffie-Hellman parameters |
|
ssl.tlsext |
List of TLS extensions that the server supports |
|
ssl.versions |
Supported SSL versions; if the value starts with a “-“ then the service does not support that version (ex. “-SSLv2” means the service doesn’t support SSLv2) |
ISAKMP Properties
The following properties are collected for VPNs using the ISAKMP protocol (such as IKE):
| Name | Description |
|---|---|
|
isakmp.initiator_spi |
Hex-encoded security parameter index for the initiator |
|
isakmp.responder_spi |
Hex-encoded security parameter index for the responder |
|
isakmp.next_payload |
The next paylod sent after the initiation |
|
isakmp.version |
Protocol version; ex “1.0” |
|
isakmp.exchange_type |
Exchange type |
|
isakmp.flags.encryption |
Encryption bit set: true or false |
|
isakmp.flags.commit |
Commit bit set: true or false |
|
isakmp.flags.authentication |
Authentication bit set: true or false |
|
isakmp.msg_id |
Hex-encoded ID for the message |
|
isakmp.length |
Size of the ISAKMP packet |
Special Properties
The _shodan property contains information about how the data was gathered by Shodan. It is different than all the other properties because it doesn’t provide information about the device.
Instead, it will tell you which banner grabber Shodan was using to talk to the IP. This can be important to understand for ports where multiple services might be operating on. For example, port 80 is most well-known for web servers but it’s also used by various malware to circumvent firewall rules. The _shodan property would let you know whether the http module was used to collect the data or whether a malware module was used.
| Name | Description |
|---|---|
|
_shodan.crawler |
Unique ID that identifies the Shodan crawler |
|
_shodan.id |
Unique ID for this banner |
|
_shodan.module |
Name of the Shodan module used by the crawler to collect the banner |
|
_shodan.options |
Configuration options used during the data collection |
|
_shodan.hostname |
Hostname to use when sending web requests |
|
_shodan.options.referrer |
Unique ID of the banner that triggered the scan for this port/ service |
