Shodan Web Interfaces
In the previous blog post we learnt the basics of Shodan; now we are going to look at Shodan's interfaces. The easiest way to access the data that Shodan gathers is through its web interfaces. Almost all of them let you enter a search query, so let's discuss that first:
Search Query Explained
By default, the search query only looks at the main banner text and doesn’t search the meta-data. For example, if you’re searching for “Google” then the results will only include results where the text “Google” was shown in the banner; it wouldn’t necessarily return results for Google’s network range.
As seen above, a search for “Google” returns a lot of Google Search Appliances that organizations have purchased and connected to the Internet; it doesn’t return Google’s servers.
Shodan will try to find results matching all search terms, which means that there is implicitly a + or AND between each search term. For example, the search query “apache + 1.3” is equivalent to “apache 1.3”.
To search the meta-data you need to use search filters.
Filters are special keywords that Shodan uses to let you narrow search results based on the meta-data of a service or device. The format for entering filters is:
filter:value
Important: There is no space between the colon “:” and the value.
To use a value that contains a space with a filter you have to wrap the value in double quotes. For example, to find all devices on the Internet that are located in San Diego you would search for:
city:"San Diego"
A few filters let you specify several values that are separated by a comma “,”. For example, to find devices that are running Telnet on ports 23 and 1023:
port:23,1023
Only filters whose values can never themselves contain a comma (ex. port, hostname, net) accept a comma-separated list of values this way.
Filters can also be used to exclude results by prepending a minus sign “-” to the filter. For example, the following would return all devices that aren’t located in San Diego:
-city:"San Diego"
There are many situations where excluding is easier than including. For example, the following search query uses -hash:0 to return results for services on port 8080 where the main text banner isn’t empty:
port:8080 -hash:0
Every banner on Shodan has a numeric hash property calculated; for empty banners that value is zero. If you’re trying to find devices that have a short, static banner then the hash filter may provide a good way to accurately identify them.
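As an added illustration, not part of the original post and not Shodan's own tooling, the Python snippet below encodes the query rules above: it splits a query into free-text banner terms and meta-data filters, keeps a double-quoted value such as "San Diego" together, treats a leading minus as an exclusion, accepts comma lists only for the filters the text names as allowing them, and flags the common mistake of a space after the colon. The set of comma-capable filters is limited to the three the text mentions (port, hostname, net); that restriction is an assumption of the example, since Shodan's real list is longer.

```python
import re
import shlex
from typing import List, NamedTuple, Tuple

# Filters that take a comma-separated list of values. The page names port, hostname
# and net as examples; limiting the set to those three is an assumption of this
# example (Shodan's actual list is longer).
MULTI_VALUE_FILTERS = {"port", "hostname", "net"}

# Filter names are lowercase words, optionally dotted (e.g. ssl.cert.serial).
FILTER_NAME = re.compile(r"^[a-z][a-z0-9_.]*$")


class Filter(NamedTuple):
    name: str
    values: Tuple[str, ...]
    negated: bool


class Query(NamedTuple):
    terms: Tuple[str, ...]       # free text, matched against the banner only
    filters: Tuple[Filter, ...]  # meta-data filters


def parse_query(query: str) -> Query:
    """Split a Shodan search string into banner terms and meta-data filters.

    Rules encoded: terms are implicitly ANDed (a bare "+" means the same);
    a filter is name:value with no space after the colon; a value containing
    a space must be double-quoted; a leading "-" excludes; only some filters
    take comma lists. Raises ValueError on a malformed query.
    """
    terms: List[str] = []
    filters: List[Filter] = []
    # shlex keeps "San Diego" together and strips the quotes:
    # city:"San Diego" becomes the single token city:San Diego
    for tok in shlex.split(query):
        if tok == "+":
            continue
        negated = tok.startswith("-")
        body = tok[1:] if negated else tok
        name, colon, value = body.partition(":")
        if not colon or not FILTER_NAME.match(name):
            terms.append(tok)  # no filter syntax: a plain banner term
            continue
        if value == "":
            raise ValueError(f"filter {name!r} has no value: is there a space after the colon?")
        if "," in value:
            if name not in MULTI_VALUE_FILTERS:
                raise ValueError(f"filter {name!r} does not accept a comma-separated list")
            values = tuple(v.strip() for v in value.split(","))
        else:
            values = (value,)
        filters.append(Filter(name, values, negated))
    return Query(tuple(terms), tuple(filters))


def format_query(query: Query) -> str:
    """Render a Query back into Shodan syntax, quoting values that contain spaces."""
    parts = list(query.terms)
    for f in query.filters:
        value = ",".join(f.values)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{'-' if f.negated else ''}{f.name}:{value}")
    return " ".join(parts)


def lint_query(query: str) -> List[str]:
    """Problems parse_query rejects the query for; an empty list means it is well formed."""
    try:
        parse_query(query)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    q = parse_query('apache + 1.3 port:23,1023 -city:"San Diego" -hash:0')
    print(q)
    print(format_query(q))
    print(lint_query("city: San Diego"))
```

lint_query also catches an unbalanced double quote, because shlex refuses to split such a string; that is the other easy way to turn an intended filter value into stray banner terms.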
Shodan supports a lot of filters; a few popular ones are listed below (filter name, then what it matches):
category  Available categories: ics, malware
city  Name of the city
country  Full country name
net  Only show results inside the provided IP range in CIDR format
org  Narrow results based on the organization that owns the IP
Shodan Search Engine
The main interface for accessing the data gathered by Shodan is via its search engine located at https://www.shodan.io
By default, the search query will look at the data collected within the past 30 days. This is a change from the old website at shodanhq.com, which searched the entire Shodan database by default. This means that the results you get from the website are recent and provide an accurate view of the Internet at the moment.
In addition to searching, the website also provides the following functionality:
After completing a search there will be a button at the top called Download Data. Clicking on that button will provide you with the option of downloading the search results in JSON, CSV or XML formats.
The JSON format generates a file where each line contains the full banner and all accompanying meta-data that Shodan gathers. This is the preferred format as it saves all available information. The format is also compatible with the Shodan command-line client, so you can download data from the Shodan website and then process it further in the terminal.
The CSV format returns a file containing the IP, port, banner, organization and hostnames for the banner. It doesn’t contain all the information that Shodan gathers due to limitations in the CSV file format. Use this if you only care about the basic information of the results and want to quickly load it into external tools such as Excel.
The XML format is the old, deprecated way of saving search results. It is harder to work with than JSON and consumes more space, thereby making it suboptimal for most situations.
Downloading data consumes export credits, which are one-time use and purchased on the website. They aren’t associated in any way with the Shodan API and they don’t automatically renew every month. 1 export credit can be used to download up to 10,000 results.
Data files generated by the website can be retrieved in the Downloads section of the website, which you can visit by clicking on the button in the upper right corner.
The website lets you generate a report based on a search query. The report contains graphs/ charts providing you a big picture view of how the results are distributed across the Internet. This feature is free and available to anyone.
When you generate a report you are asking Shodan to take a snapshot of the search results and provide an aggregate overview. Once the report has been generated, it doesn’t change or automatically update as new data is being collected by Shodan. This also means that you can generate a report once a month and keep track of changes over time by comparing it to reports of previous months. By clicking on the button in the top right corner you can get a listing of previously generated reports.
Finding specific devices requires knowledge about the software they run and how they respond to banner grabs over the Internet. Fortunately, it is possible to leverage the shared knowledge of the community using the search directory on Shodan. People are able to readily describe, tag and share their search queries for others to use. If you’re interested in getting started with Shodan, the shared searches should be your first stop.
Example: Finding Non-Default Services
Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is also known as security by obscurity, and it’s considered a largely ineffective, deprecated idea. What’s worse is that it might give the owner of the server/ device a false sense of security. For example, let’s take a look at people running OpenSSH on a non-standard port. To do this we will use the following search query:
product:OpenSSH -port:22
The product filter is used to only show OpenSSH servers while -port:22 tells Shodan to exclude all results that were collected from the standard SSH port (22). To get a better overview of the search results lets generate a report:
The report also gives us a breakdown of the most common non-standard ports:
1. 2222: 323,930
2. 5000: 47,439
3. 23: 13,482
4. 26: 7,569
5. 5555: 6,856
6. 9999: 6,286
7. 82: 6,046
8. 2323: 3,622
9. 6666: 2,735
10. 3333: 2,644
These numbers don’t look that random to me… Right away you should realize that your random choice of non-standard port might not be so unique. Port 2222 is popular the same way that HTTP on port 8080 is popular, and it’s also the default port for the Kippo honeypot, though I doubt that many people are running honeypots. The next most popular port is 5000, which didn’t follow the same pattern as the other ports to me (repeating/ symmetric numbers). And it was around the same time that I realized that Australia was the 2nd most popular country to run OpenSSH on a non-standard port. I decided to take a closer look at Australia, and it turns out that there are nearly the same number of servers running OpenSSH on port 5000 as there are on the default port 22. About 68,000 devices are running on the default port, and 54,000 on port 5000. Looking at a few banners we can determine that this is the SSH fingerprint that they all share:
It appears that the Australian ISP BigPond installs/ configures networking gear that not only runs OpenSSH on port 5000 (most likely for remote management) but also has the same SSH keys installed on all of them. The devices also happen to run an old version of OpenSSH that was released on September 4th 2007. There’s no guarantee that running OpenSSH on the default port would’ve made them more security conscious, but their installation of ~54,000 devices is 25% of the total number of OpenSSH servers on the Internet running version 4.7 (sidenote: the most popular version of OpenSSH is 5.3).
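The three observations in this example (the report's port breakdown, dropping empty banners as -hash:0 does, and one ISP's devices all sharing an SSH host key) can be reproduced offline from the JSON export described in the download section, because each line of that file is one banner object. The script below is an added example written for this post rather than Shodan's own code. It runs on a constructed sample of banners that uses Shodan's field names (ip_str, port, product, version, hash, org, data, ssh.fingerprint) but invented addresses, organisation names and fingerprints; the hash values are CRC32 stand-ins, since only "zero or not" matters here.

```python
import json
import zlib
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple


def _banner(ip: str, port: int, product: Optional[str], version: Optional[str],
            org: str, fingerprint: Optional[str], data: str) -> dict:
    """Build one constructed banner record in the shape of Shodan's JSON export."""
    rec = {"ip_str": ip, "port": port, "org": org, "data": data,
           # Shodan stores a numeric hash of the banner text, 0 for an empty banner.
           # A CRC32 stands in for it here; only "zero or not" is used below.
           "hash": 0 if data == "" else (zlib.crc32(data.encode("utf-8")) or 1)}
    if product:
        rec["product"] = product
    if version:
        rec["version"] = version
    if fingerprint:
        rec["ssh"] = {"fingerprint": fingerprint}
    return rec


# Constructed sample (documentation-range IPs, made-up org names and fingerprints).
SAMPLE_RECORDS = [
    _banner("192.0.2.10", 5000, "OpenSSH", "4.7", "Example ISP", "fp-A", "SSH-2.0-OpenSSH_4.7\n"),
    _banner("192.0.2.11", 5000, "OpenSSH", "4.7", "Example ISP", "fp-A", "SSH-2.0-OpenSSH_4.7\n"),
    _banner("192.0.2.12", 5000, "OpenSSH", "4.7", "Example ISP", "fp-A", "SSH-2.0-OpenSSH_4.7\n"),
    _banner("192.0.2.13", 22, "OpenSSH", "4.7", "Other Co", "fp-A", "SSH-2.0-OpenSSH_4.7\n"),
    _banner("198.51.100.5", 2222, "OpenSSH", "7.4", "Hosting Ltd", "fp-B", "SSH-2.0-OpenSSH_7.4\n"),
    _banner("198.51.100.6", 2222, "OpenSSH", "8.0", "Hosting Ltd", "fp-C", "SSH-2.0-OpenSSH_8.0\n"),
    _banner("203.0.113.9", 8080, None, None, "Hosting Ltd", None, ""),  # empty banner, hash 0
    _banner("203.0.113.10", 8080, "Apache httpd", "2.4", "Hosting Ltd", None, "HTTP/1.1 200 OK\n"),
]
# One JSON object per line, exactly as the website's JSON download is laid out.
SAMPLE_EXPORT = "".join(json.dumps(r) + "\n" for r in SAMPLE_RECORDS)


def load_export(text: str) -> List[dict]:
    """Parse a JSON export: one banner per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def non_empty_banners(records: List[dict]) -> List[dict]:
    """Same effect as adding -hash:0 to the query: drop banners with no text."""
    return [r for r in records if r.get("hash", 0) != 0]


def port_breakdown(records: List[dict], product: str,
                   exclude_port: Optional[int] = None) -> List[Tuple[int, int]]:
    """Per-port counts for one product, like the report chart for product:X -port:N."""
    counts = Counter(r["port"] for r in records
                     if r.get("product") == product and r["port"] != exclude_port)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def shared_ssh_keys(records: List[dict]) -> Dict[str, List[str]]:
    """Map each SSH host-key fingerprint seen on more than one IP to those IPs."""
    hosts = defaultdict(set)
    for r in records:
        fp = r.get("ssh", {}).get("fingerprint")
        if fp:
            hosts[fp].add(r["ip_str"])
    return {fp: sorted(ips) for fp, ips in hosts.items() if len(ips) > 1}


def org_share_of_version(records: List[dict], product: str, version: str, org: str) -> float:
    """Fraction of the product/version banners that belong to one organisation."""
    matching = [r for r in records
                if r.get("product") == product and r.get("version") == version]
    if not matching:
        return 0.0
    return sum(1 for r in matching if r.get("org") == org) / len(matching)


if __name__ == "__main__":
    recs = load_export(SAMPLE_EXPORT)
    print(len(recs), "banners,", len(non_empty_banners(recs)), "with text")
    print("OpenSSH off port 22:", port_breakdown(recs, "OpenSSH", exclude_port=22))
    print("shared host keys:", shared_ssh_keys(recs))
    print("Example ISP share of OpenSSH 4.7:", org_share_of_version(recs, "OpenSSH", "4.7", "Example ISP"))
```

On a real download, call load_export on the file's contents. The fingerprint grouping is the check worth running first: a host key shared by thousands of devices means the matching private key is the same everywhere, which is exactly the kind of vendor default that hiding the port does nothing to fix.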
Shodan Maps provides a way to explore search results visually instead of through the text-based main website. It displays up to 1,000 results at a time, and as you zoom in/ out Maps adjusts the search query to only show results for the area you’re looking at. All search filters that work for the main Shodan website also work on Maps.
Satellite map without labels
Shodan Exploits collects vulnerabilities and exploits from CVE, Exploit DB and Metasploit and makes them searchable via a web interface.
The search filters available for Exploits are different than the rest of Shodan, though an attempt was made to keep them similar when possible.
Important: By default, Exploits will search the entire content of the available exploit information including meta-data. This is unlike Shodan, which only searches the banner text if no other filters are specified.
The following search filters are available:
author Author of the vulnerability/ exploit
platform Platform that it targets (ex: php, windows, linux)
type Exploit type (ex: remote, dos)
The search box at the top uses the same syntax as the main Shodan search engine. It is most useful to use the search box to filter by organization or netblock. However, it can also be used to filter the types of images that are shown.
Image data is gathered from 5 different sources:
• Webcams
• Remote Desktop (RDP)
• VNC
• RTSP
• X Windows
Each image source comes from a different port/ service and therefore has a different banner. This means that if you only want to see images from webcams you could search for:
To search for VNC you can search using RFB, and for RTSP you simply search with RTSP. The images can also be found using the main Shodan website or Shodan Maps by using the search
The service called Honeypot or not? assigns a Honeyscore to an IP address: the probability that it is a honeypot.
Shodan Developer dashboard
Your developer dashboard shows you your credits consumption and API plan.
Keep track of the devices that you have exposed to the Internet. Set up notifications, launch scans and gain complete visibility into what you have connected.
The Monitor dashboard lets you track your devices, alerts you if something suspicious is detected, launches scans and displays what was found on a summary dashboard.
To begin with, add an IP, a range or a domain to monitor and choose how you want to be notified.
Then you can manage your assets; from here you can launch scans or modify trigger rules.
You can select which kind of event will trigger an alert.
Then the dashboard shows the exposed services.
Shodan ICS radar
ICS Radar is a 3D map of Industrial Control Systems (ICS) devices found by Shodan crawlers.