Exploiting the internet with shodan | part – 5.1

Analysing public network range

The most common use-case for Shodan is using it to get a better picture of what’s running on your public network range. The shodan command-line tool can help you get a quick idea of what you’re dealing with. For the purpose of this example we will take a look at the range of 78.13.0.0/16. To get started, let’s see how many services are exposed to the Internet.

To get your public IP you have to use this command:

shodan myip

You will get this kind of output in the terminal.

After getting your public IP, you can proceed to scan your public network range.

shodan count net:(your subnet range)

Here, there are 237 services exposed in my public network range.

The count command will provide us the total number of banners that Shodan has gathered for the subnet. At the moment of writing this turns out to be 237 results. The count gives us an idea of how big the public network surface is for the organization but it doesn’t give much insight into whether the exposed services are intended to be that way or not. As such, the next step is to get a breakdown of the open ports on the network:

shodan stats --facets port net:(your subnet range)

shodan stats --facets port:10000 net:(Your subnet)

Here you can see that I specified 10000 as the maximum number of ports to display, but in my public network there are only 19 open ports, so Shodan has shown only 19 ports.

There are a total of 19 unique ports that were discovered open on the network. We asked for a large maximum number of facets (10,000) since it’s much larger than the 300 ports that Shodan crawls. At this point we have a few areas that can be further explored. Firstly, the most common port is 443, which is used by modems to update their settings and has been in the news due to security issues. There are also many web servers running on non-standard ports (8080, 81, 82, 8443, etc.) which could be worth looking into. For example, these are the web servers that power the services on the non-standard ports:

shodan stats --facets product "HTTP net:78.38.0.0/1 -port:80,443"

Note: the search query is wrapped in quotes to prevent Bash from thinking that -port is a flag for the shodan command.

Another common interest is understanding the SSL usage across a network. For this, we can take advantage of Shodan’s SSL testing, which is performed automatically on all SSL-capable services (HTTPS, POP3, IMAP, etc.). To get started, let’s see which SSL/TLS versions are most common for web servers:

shodan stats --facets ssl.version HTTP net:(your subnet range)

The good news is that the majority are running on TLS1.0 and above, however there are still a few devices that support the ancient, deprecated SSLv2.
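The port breakdown, the non-standard web port check and the SSL version check above can also be run offline over a file produced by `shodan download` for your own range and decompressed with gunzip. The following Python script is an added example, not part of the original post; the sample banners are constructed, and the `http` and `ssl.versions` banner fields and the leading-dash convention are assumptions about the banner layout.

```python
import json
from collections import Counter

STANDARD_WEB_PORTS = {80, 443}
DEPRECATED_SSL = {"SSLv2", "SSLv3"}

# Constructed sample banners (RFC 5737 documentation addresses), one JSON
# object per line, the layout of a gunzipped `shodan download` file.
SAMPLE = "\n".join(json.dumps(b) for b in [
    {"ip_str": "192.0.2.10", "port": 443, "product": "nginx", "http": {"status": 200},
     "ssl": {"versions": ["-SSLv2", "-SSLv3", "TLSv1.2"]}},
    {"ip_str": "192.0.2.11", "port": 8080, "product": "Apache httpd", "http": {"status": 200}},
    {"ip_str": "192.0.2.12", "port": 8443, "http": {"status": 401},
     "ssl": {"versions": ["SSLv2", "SSLv3", "TLSv1"]}},
    {"ip_str": "192.0.2.13", "port": 22, "product": "OpenSSH"},
    {"ip_str": "192.0.2.11", "port": 21},
])


def audit(lines):
    """Return (port counts, web servers off 80/443, hosts offering SSLv2/SSLv3)."""
    ports, odd_web, weak_ssl = Counter(), [], []
    for line in lines:
        if not line.strip():
            continue
        banner = json.loads(line)
        ports[banner["port"]] += 1
        host = f'{banner["ip_str"]}:{banner["port"]}'
        # Assumption: HTTP services carry an "http" object in the banner.
        if "http" in banner and banner["port"] not in STANDARD_WEB_PORTS:
            odd_web.append((host, banner.get("product") or "unknown"))
        # Assumption: a leading "-" in ssl.versions means "not supported".
        versions = (banner.get("ssl") or {}).get("versions") or []
        offered = {v for v in versions if not v.startswith("-")}
        deprecated = sorted(offered & DEPRECATED_SSL)
        if deprecated:
            weak_ssl.append((host, deprecated))
    return ports, odd_web, weak_ssl


if __name__ == "__main__":
    ports, odd_web, weak_ssl = audit(SAMPLE.splitlines())
    for port, count in ports.most_common():
        print(f"{port:<6} {count}")
    for host, product in odd_web:
        print(f"non-standard web port: {host} ({product})")
    for host, versions in weak_ssl:
        print(f"deprecated SSL offered: {host} {', '.join(versions)}")
```

To audit your own range, pass the lines of the decompressed download file to `audit()` instead of `SAMPLE`.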

Finding top 10 vulnerabilities in India

shodan stats --facets vuln country:IN

This is the list of the top 10 CVEs for India. You can change the country parameter to get the results for a specific country.

D-Link internet cameras without authentication

D-Link Internet Camera DCS-5300 series, without authentication. For finding it you have to use this command:

shodan search 'd-link internet cameras, 200 OK'

The output will be like this

As you can see above, the output is not in a human-readable format. So, I prefer to download the full data and then use the parse command to make it readable. For that you have to use this command:

shodan download camera-data 'd-link internet camera, 200 OK'

After downloading it you have to decompress it with gunzip.

gunzip camera-data.json.gz

After decompressing it, you can use the parse command to get only the IP address and port.

shodan parse --fields ip_str,port camera-data.json

FTP server with anonymous authentication enabled

shodan search '230 login successful port:21'

To use search filters you have to upgrade your plan. But you can use the search filters in the download option and then parse the result to get only port 21, as shown in the previous example.

Discovering databases with Shodan

You can also find databases with the help of Shodan. Below are some examples for the most common databases used by organizations.

# MySQL

shodan search 'product:MySQL'

# MongoDB

shodan search 'product:MongoDB'

# Elastic

shodan search 'port:9200 json'

# Memcached

shodan search 'product:Memcached'

# CouchDB

shodan search 'product:couchDB'

# PostgreSQL

shodan search 'port:5432 PostgreSQL'

# Riak

shodan search 'port:8087 Riak'

# Redis

shodan search 'product:Redis'

# Cassandra

shodan search 'product:Cassandra'

Discovering game servers with Shodan

# Minecraft

shodan search 'Minecraft Server port:25565'

# Counter-Strike: Global Offensive

shodan search 'product:"Counter-Strike Global Offensive"'

# Starbound

shodan search 'product:Starbound'

# ARK: Survival Evolved

shodan search 'product:"ARK Survival Evolved"'