Complete Shodan Tutorial | The Search Engine for Hackers
What is Shodan?
Shodan distinguishes itself from conventional search engines like Google, Yahoo, and Bing by focusing on gathering information about IoT (Internet of Things) devices connected to the internet. While traditional search engines scour the web for standard websites, Shodan is purpose-built to uncover details about various devices that are not typically visible to regular browser users. Some examples of what can be found using Shodan include:
- Cameras (e.g., CCTVs, Webcams)
- Routers and other devices
- Baby monitors
- Maritime satellites
- Prison payphones
- Traffic light systems
- Water treatment facilities
- Nuclear power plants, and much more
However, it's essential not to overreact to these examples and retreat into panic. While Shodan can reveal publicly accessible information about devices such as routers, servers, or even nuclear plants, this doesn't mean that anyone with an active internet connection will automatically gain full access to these systems. Nevertheless, it's crucial to acknowledge the potential risks associated with publicly accessible information. For instance, hackers can exploit devices like webcams or routers if default login credentials are still in use. Therefore, implementing robust security measures such as strong passwords, two-factor authentication, firewalls, and strict security protocols is highly recommended. This understanding will become clearer as we explore practical examples with Shodan.
Understanding How Shodan Works:
To grasp Shodan's functioning, let's begin by examining the operation of conventional search engines like Google and Yahoo. Google utilizes automated crawlers to navigate the web, seeking out new or updated pages. These crawlers capture page URLs and store them in a list for later retrieval when users perform search queries.
Shodan operates in a similar manner to Google. It traverses the internet using a distributed network of computers and servers, establishing connections to every IP address present on the web. Shodan indexes all information received from these IP addresses. While not all IP addresses yield relevant data, many respond with banners containing metadata about the devices connected to those IPs.
Some of the information collected includes:
- Device name: Identifies the device, often set as a Hostname (e.g., Cisco router or Samsung Galaxy A32).
- IP address: A unique code used to identify a device on the internet (e.g., 206.189.189.202).
- Location: Geographic details such as country, city, or other identifiers.
- Organization: The entity that owns the IP space.
- Ports: Information about open ports on the device.
Additionally, Shodan can provide other details such as default login credentials, services and software running on the device, make and model, and web technologies in use.
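The banner fields listed above are what a defender checks first when reviewing their own exposure. The following is an added example, not code from the original tutorial: it takes records shaped like Shodan banners and reports services inside your own address space that are not on an approved port list. The sample records, the 198.51.100.0/24 range and the approved ports are constructed for illustration.

```python
import ipaddress

# Constructed sample records (not real scan data). Key names follow Shodan's
# banner fields: ip_str, port, org, hostnames, location, data.
SAMPLE_BANNERS = [
    {"ip_str": "198.51.100.10", "port": 443, "org": "Example Org",
     "hostnames": ["www.example.com"], "location": {"country_code": "US"},
     "data": "HTTP/1.1 200 OK\r\nServer: nginx"},
    {"ip_str": "198.51.100.23", "port": 7777, "org": "Example Org",
     "hostnames": [], "location": {"country_code": "US"},
     "data": "HTTP/1.1 200 OK\r\nServer: camera-web"},
    {"ip_str": "198.51.100.23", "port": 23, "org": "Example Org",
     "hostnames": ["cam1.example.com"], "location": {"country_code": "US"},
     "data": "login: "},
    {"ip_str": "203.0.113.5", "port": 22, "org": "Other Org",
     "hostnames": [], "location": {"country_code": "DE"},
     "data": "SSH-2.0-OpenSSH_8.9"},
]

def unexpected_exposure(banners, own_cidrs, allowed_ports):
    """Return {ip: sorted ports} for services inside own_cidrs that are
    visible from the internet but not on the approved port list."""
    nets = [ipaddress.ip_network(c) for c in own_cidrs]
    findings = {}
    for b in banners:
        try:
            ip = ipaddress.ip_address(b["ip_str"])
            port = int(b["port"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed or incomplete records
        if not any(ip in n for n in nets):
            continue  # not our address space
        if port not in allowed_ports:
            findings.setdefault(str(ip), set()).add(port)
    return {ip: sorted(ports) for ip, ports in findings.items()}

def report(banners, own_cidrs, allowed_ports):
    """Render findings as one line per host for a ticket or review."""
    found = unexpected_exposure(banners, own_cidrs, allowed_ports)
    return [f"{ip} exposes unapproved port(s): {', '.join(map(str, ports))}"
            for ip, ports in sorted(found.items())]

if __name__ == "__main__":
    for line in report(SAMPLE_BANNERS, ["198.51.100.0/24"], {80, 443}):
        print(line)
```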
Getting Started with Shodan:
There are two primary methods for utilizing the Shodan search engine:
1. Through a Web Browser
2. Via the Command-line Interface (CLI)
This guide will provide detailed instructions for both approaches.
1. Using Shodan on the Browser
This is by far one of the most used options among security professionals. To get started, launch your favorite browser and enter the URL shodan.io.
You should see a window similar to the image below. Like Google, you can type anything you want to look up in the search box at the top.
Let's do a simple search like "webcams" and see what Shodan will give us.
As the image above shows, we got 181 results from different locations, with the United States having the highest number. You will also notice that the search results are not like those from Google or Yahoo, where you get domains and page URLs. With Shodan, you get the IP of that particular device.
On the left-hand side, you will see information like the top geographical locations of these webcams, the top ports open on these IPs, a list of services and software running on the devices, etc. You can access any of these webcams by clicking on any of the IPs listed.
We were lucky enough to get a camera doing a live stream in our case. See the image below.
After clicking on this IP, we saw that it has services running on two ports: 7777 and 9000. When we tried accessing these services in the browser, [the_ip]:7777 gave us a login interface, which I believe is the camera's control panel, while [the_ip]:9000 let us view the live stream taken by the camera.
By this point, you can see how much critical information you can get with Shodan. Shodan is a powerful utility used by security professionals to ensure no essential information is exposed on the public internet. Another exciting search we can perform is "Default password."
From the image above, we can see some devices still use the default username and password like:
Username: "cisco"
Password: "cisco"
Username: "admin"
Password: "1234"
NOTE: You will need to create an account with Shodan to use search filters.
Like Google, Shodan also enables us to use filters to get targeted results. For example, if we only wanted to get Webcams located in the United States, we can use the search filter below.
Other basic search filters you can use include:
- City: Get results in a particular city.
- Country: Get results in a specific country.
- Hostname: Get values matching a particular hostname.
- Geo: Use coordinates to get targeted results.
- Net: Get results based on an IP or CIDR range.
- OS: Get results of devices running a particular OS.
- Port: Get results with particular ports open.
- After/Before: Get the results within a specified timeframe.
Let's look at other search filters we can use:
Find Apache servers in New York
Find Nginx servers in the US
Find Cisco devices on a particular subnet
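Filter queries have the form `term filter:value`, with the filter name written in lowercase and values containing spaces wrapped in quotes. The helper below is an added example, not the original page's queries or part of Shodan: `build_query` is a hypothetical function that assembles such strings from the filters listed above and validates the `net` value so that a typo cannot silently widen the scope of an audit of your own range. The 198.51.100.0/24 subnet is a documentation placeholder.

```python
import ipaddress

# Filters listed on this page; in a query they are written in lowercase.
KNOWN_FILTERS = {"city", "country", "hostname", "geo", "net", "os",
                 "port", "after", "before"}

def build_query(term="", **filters):
    """Build a Shodan search string such as: apache city:"New York"."""
    parts = [term.strip()] if term.strip() else []
    for name, value in filters.items():
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        value = str(value).strip()
        if not value or '"' in value:
            raise ValueError(f"bad value for {name}")
        if name == "net":
            # strict=True rejects CIDRs with host bits set (e.g. .7/24),
            # which are usually typos in the intended range.
            value = str(ipaddress.ip_network(value, strict=True))
        elif name == "port":
            # This helper accepts a single port number only.
            if not (value.isdigit() and 1 <= int(value) <= 65535):
                raise ValueError("port must be 1-65535")
        elif name == "country":
            if not (len(value) == 2 and value.isalpha()):
                raise ValueError("country must be a 2-letter code")
            value = value.upper()
        # Values containing spaces must be quoted, otherwise the second
        # word is treated as a separate search term.
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)

if __name__ == "__main__":
    print(build_query("apache", city="New York"))
    print(build_query("nginx", country="us"))
    print(build_query("cisco", net="198.51.100.0/24"))
```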
Up to this point, I believe you now have a good understanding of using Shodan on the browser. Let's now look at how we can use Shodan on the command line.
2. Using Shodan on the Command Line
To get started, launch the Terminal and run the command below.
Tip: If you get an error message like easy_install: command not found, don't panic. Use the commands below to install Shodan.
HINT:
You can get your API key by clicking on your account after logging in. Alternatively, if you are logged in, you can open another tab and type the URL https://account.shodan.io/.
When done, you need to initialize Shodan by executing the command below.
To get started with Shodan on the command line, run the -help command as shown below.
Unlike using the browser, the CLI method can be pretty technical. However, with regular practice, you will be able to execute commands and search queries without much hassle.
Let's look at some search queries and their syntax.
To view your external IP address:
Get the total number of results with port 22 open in the US:
Get all the information you need about a particular domain: