Table Of Contents :
Exploiting Internet With Shodan
Analysing public network range
The most common use-case for Shodan is using it to get a better picture of what’s running on your public network range. The shodan command-line tool can help you get a quick idea of what you’re dealing with. For the purpose of this example we will take a look at the range of 78.13.0.0/16. To get started lets see how many services are exposed to the Internet:
To get your public IP you have to use this command:
shodan myipYou will get this kind oof output in the terminal.
After getting your public IP you can now procced for scanning your public network range.
shodan count net:(your subnet range)
Here, in my public range there are 237 services are exposed in my public network range.
The count command will provide us the total number of banners that Shodan has gathered for the subnet. At the moment of writing this turns out to be 237 results. The count gives us an idea of how big the public network surface is for the organization but it doesn’t give much insight into whether the exposed services are intended to be that way or not. As such, the next step is to get a breakdown of the open ports on the network:
shodan stats --facets port:(Your subnet)
The count command will provide us the total number of banners that Shodan has gathered for the subnet. At the moment of writing this turns out to be 4,363 results. The count gives us an idea of how big the public network surface is for the organization but it doesn’t give much insight into whether the exposed services are intended to be that way or not. As such, the next step is to get a breakdown of the open ports on the network:
shodan stats --facets port:10000 net:(Your subnet)
Here you can see that I have specified 10000 ports to display but in my public network there are only 19 open ports. So, shodan has shown only 19 ports.
There are a total of 19 unique ports that were discovered open on the network. We asked for a large maximum number of facets (10,000) since it’s much larger than the ∼300 ports that Shodan crawls. At this point we have a few areas that can be further explored. Firstly, the most common port is 443 which is used by modems to update their settings and has been in the news5 due to security issues. There are also many web servers running on non-standard ports 8080, 81, 82, 8443 etc which could be worth looking into. For example, these are the web servers that power the services on the non-standard ports:
Here you can see that I have specified 10000 ports to display but in my public network there are only 19 open ports. So, shodan has shown only 19 ports.
There are a total of 19 unique ports that were discovered open on the network. We asked for a large maximum number of facets (10,000) since it’s much larger than the ∼300 ports that Shodan crawls. At this point we have a few areas that can be further explored. Firstly, the most common port is 443 which is used by modems to update their settings and has been in the news5 due to security issues. There are also many web servers running on non-standard ports 8080, 81, 82, 8443 etc which could be worth looking into. For example, these are the web servers that power the services on the non-standard ports:
shodan stats --facets product "HTTP net:78.38.0.0/1 -port:80,443"
Note: the search query is wrapped in quotes to prevent Bash from thinking that -port is a flag for the shodan command.
Another common interest is understanding the SSL usage across a network. For this, we can take advantage of Shodan’s SSL testing that is performed automatically on all SSL-capable services (HTTPS, POP3, IMAP etc.). To get started lets see which SSL/ TLS versions are most common for web servers:
shodan stats --facets ssl.version HTTP net:(your subnet range)
The good news is that the majority are running on TLS1.0 and above, however there are still a few devices that support the ancient, deprecated SSLv2.
Finding top 10 vulnerabilities in India
shodan stats --facets vuln country:IN
This is is the list of top 10 CVE for India. You can change the country parameter to get the results for a specific country.
D-Link internet camers without authentication
D-Link Internet Camera DCS-5300 series, without authentication. For finding it you have to use this command:
shodan search 'd-link internet cameras, 200 OK'The output will be like this
So, on the above image you can see that this is not a human readable format. So, I prefer to download the full data and then use parse command to make it in a readable format. For that you have to use this command:
shodan downlaod camera-data 'd-link internet camera, 200 OK' 
After downloading it you have to decompress it with gunzip.
gunzip camera-data.json.gzafter decompressing it you can use the parse command to only get the ip address and port.
shodan parse --fields ip_str,port camera-data.json
FTP server with anonymous authentication enabled
shodan search '230 login successful port:21'For using search fillers you have to upgrade your plan. But you can use the search fillters in download option and then parse it to get only port 21 as shown in the previous example.
discovering databases with shodan
You can also find databases with the help of shodan. Below there will be some examples of most common databases used by organizations.
# MySql
shodan search 'product:MySQL'# MongoDB
shodan search 'product:MongoDB'# elastic
shodan search 'port:9200 json'# Memcahced
shodan search 'product:Memcached'# CouchDb
shodan search 'product:couchDB'# PostgreSQL
shodan search 'port:5432 PostgreSQL'# Riak
shodan search 'port:8087 Riak'# Redis
shodan search 'product:Redis'# Cassandra
shodan search 'product:Cassandra'Discovering games servers with shodan
# Minecraft
shodan search 'Minecraft Server port:25565'# Counter-Strike: Global Offensive
shodan search 'product:"Counter-Strike Global Offensive"'# Starbound
shodan search 'product:Starbound'# ARK: Survival Evolved
shodan search 'product:"ARK Survival Evolved"'
