Shodan | The search engine for Hackers
In this article we discuss one of the most needed tools for many people working in the cybersecurity domain, such as penetration testers, bug hunters and security researchers. It can be used to discover internet-facing servers, cameras, control systems and databases.
How Exactly Does Shodan Work?
Unlike Google, which searches the Web for ordinary websites, Shodan is a search engine specifically designed for IoT devices. It ranks the unseen pieces of the Internet that most users would never see. In a search, any connected device may show up, including servers, traffic lights, home automation systems, cashier machines, security cameras, control systems, printers, webcams and others.
Shodan is free of charge until you need to set a custom search option or increase the number of searches for targets; then you need to pay 49 USD for a lifetime subscription.
Shodan for bad and good guys
Indeed, any new digital technology can be used to make life easier, connect people and analyse large amounts of data. However, for all these pros there is a dark side too.
Penetration testers, security professionals, scientific researchers and law enforcement agencies are the main users of Shodan. A security researcher mentioned that Shodan can be used as a starting point by the bad guys, and he added that cybercriminals usually have access to botnets - large collections of infected computers that can do the same, but secretly.
Shodan is called the scariest search engine on the internet. Imagine someone opening a laptop, typing a specific keyword into the browser and getting a list of home cameras, industrial control systems or maybe a nuclear control panel, just like in Hollywood movies. But the fact is that to defend your assets or your enterprise applications, you need to see exactly what is visible to hackers and what kind of data is exposed to the public.
Finding the target
If you do a simple search for "default password", you can find an infinite number of printers, servers and management systems with the login "admin" and the password "123456". What is more, other connected systems have no access credentials at all - you can connect to them using any browser.
One security researcher gave a demo at Defcon, one of the largest cybersecurity conferences, on how to find control systems for evaporative chillers, pressurized water heaters and garage doors.
He found a car wash that you can turn on and off and an ice arena in Denmark that you can defrost at the touch of a button. In one city, an entire road transport network management system was connected to the Internet, and with just one command it could be put into “test mode”. And in France, he found a hydroelectric power plant control system with two turbines, each generating 3 megawatts.
Targeting a known CVE
One of the well-known vulnerabilities of 2019 is BlueKeep, discovered in the Microsoft RDP service, which allows a remote attacker to execute malicious code on remote systems.
Attackers and security researchers could query the Shodan database for possibly vulnerable Windows machines that are online by using a keyword like "port:3389", or filter by region with "port:3389 country:US"; they could then run any public scanner or Metasploit module against the targets.
In the screenshot below we can find more than 4 million available targets, categorized by region, operating system and organization.
Because of the large amount of data Shodan provides, it is possible to use its API to integrate the results with many applications, such as vulnerability assessment tools, or you can even write your own tool or script.
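One way to use the API defensively, as an added example that is not code from the original article: compare what Shodan reports for your own netblocks against the ports you intend to expose. The policy table, the TEST-NET addresses and the sample matches are constructed; the live lookup assumes the official `shodan` Python package and an API key in the hypothetical environment variable SHODAN_API_KEY.

```python
"""Audit your own netblocks against Shodan search results (added example)."""
import ipaddress
import os

# Assumption: ports the organisation intends to expose, per netblock (constructed policy).
APPROVED = {"203.0.113.0/24": {80, 443}}

# Constructed sample in the shape of the "matches" list returned by a Shodan search.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "product": "nginx"},
    {"ip_str": "203.0.113.25", "port": 3389, "product": "Remote Desktop Protocol"},
    {"ip_str": "203.0.113.40", "port": 8080, "product": "Apache Tomcat/Coyote JSP engine"},
    {"ip_str": "198.51.100.7", "port": 3389},  # outside every netblock we own: ignored
]


def unexpected_exposure(matches, approved=APPROVED):
    """Return sorted (ip, port, product) tuples for our hosts exposing unapproved ports."""
    nets = {ipaddress.ip_network(cidr): ports for cidr, ports in approved.items()}
    findings = set()
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        for net, ports in nets.items():
            if ip in net and m["port"] not in ports:
                findings.add((m["ip_str"], m["port"], m.get("product", "unknown")))
    return sorted(findings)


def fetch_matches(api_key, cidr):
    """Query Shodan for one of our own netblocks; returns the first page of matches."""
    import shodan  # imported lazily so the offline sample runs without the package
    return shodan.Shodan(api_key).search(f"net:{cidr}")["matches"]


if __name__ == "__main__":
    key = os.environ.get("SHODAN_API_KEY")
    matches = SAMPLE_MATCHES
    if key:  # live lookup only when a key is configured
        matches = [m for cidr in APPROVED for m in fetch_matches(key, cidr)]
    for ip, port, product in unexpected_exposure(matches):
        print(f"UNAPPROVED  {ip}:{port}  {product}")
```

Run on a schedule, the output gives a list of services to close or firewall before someone else finds them through the same search.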
As we discussed, Shodan is a search engine, so we can use a combination of keywords to find a specific target, a network or even a smart microwave :D.
Below I have added some examples for discovering devices:
cisco net:"220.127.116.11/24" - find Cisco devices like routers and switches in a particular subnet
nginx country:EG - find nginx web servers located in Egypt
apache city:Dubai - find Apache servers located in a specific city
More advanced filter
Apache city:"San Francisco" port:"8080" product:"Apache Tomcat/Coyote JSP engine" - this looks for Apache servers running on port 8080 with a specific Apache product, Tomcat
Shodan is widely used not only by researchers, but also by cybercriminals. By knowing their methods, you can protect yourself and at least not be an easy target.