Shodan is a search engine that lets any user find specific types of computers, SCADA -- or supervisory control...
and data acquisition systems -- hardware and applications with a network address.
One way to think of the Shodan search engine is as a modern-day vulnerability assessment tool for network professionals. Shodan scans the internet and parses the banners and other information that is returned by various devices.
Using this data, the Shodan computer search engine can determine what database and version is most popular, how many webcams exist in a particular location, and the make and model of these devices. While some might argue that sites like Shodan allow attackers to find and exploit vulnerabilities, the truth is network and security professionals need to be able to see as much as the attacker in order to build effective defenses. As a result, they, too, would benefit from learning how to use Shodan as a tool for finding vulnerabilities.
How to do a basic search in Shodan
Before learning how to use Shodan for vulnerability assessments, let's learn how to do a basic search first. Start at the Shodan website, and enter a value in the search field. For example, maybe you're running a Mongo database and want to see how many show up in a search.
Once the search is completed, on the left sidebar, you'll see summary data:
- Total results: 2,861
- Top countries: United States
- Top services: 2,205
You can search for a specific version of software, such as Mongo 3.4, a location or for other unique attributes. Scrolling down the page will display more results. Take a moment to examine the one I've highlighted here:
Notice that each of the entries in the main section offers more information about the discovered item. You're provided with a full list of results, including:
- IP address;
- Host name;
- Internet service provider (ISP);
- When the entry was added to the database;
- The country it is located in; and
- The banner itself.
Now, back to the example above, notice the database name, DB_H4CK3D. This one appears to have been hacked. Hackers search for vulnerable MongoDB servers, copy the database, delete the database and leave a note demanding a bitcoin ransom for the database to be returned. This technique has been repeated hundreds of times since early 2017. This same technique was used to hack and steal 2 million records from more than 820,000 accounts.
While the MongoDB provides an internet-connected database, by default, older versions don't enforce any kind of authentication. This is a scary thought, given that MongoDB software, with more than 20 million downloads, is one of the fastest-growing databases now in operation.
Additional details are provided by clicking on the IP address shown in the Shodan entry. When a single host is selected, information such as the list of ports that were found, the individual port details, banners, the location of the server, ISP and map of the location is displayed. An example is shown here:
How to do an advanced search in Shodan
I've just skimmed the surface as to what the Shodan computer search engine can do. Now that we know how to do a basic search, lets learn how to use Shodan to run an advanced search. It really excels with its ability to do advanced searches. Please note: You'll need to create an account to do an advanced search. Once logged in, here are some search options you can use:
- Title: Search the content scraped from the HTML tag.
- HTML: Search the full HTML content of the returned page.
- Product: Search the name of the software or product identified in the banner.
- Net: Search a given netblock -- example: 184.108.40.206/8.
- Version: Search the version of the product.
- Port: Search for a specific port or ports.
- OS: Search for a specific operating-system name.
- Country: Search for results in a given country.
- City: Search for results in a given city.
As an example, let's say your organization has multiple locations in Houston, and you're concerned that some sites may be running a vulnerable version of a networked service that has not been patched. For this advanced search, I entered: jboss 5.0 country:"US" city:"houston".
The search returned 48 sites in Houston running JBoss 5.0. I chose this example because, last year, it was discovered that 3.2 million servers were vulnerable to a flaw in older versions of JBoss that was used in SamSam ransomware attacks. Running a vulnerable version of a service could have a devastating impact on an organization.
This should give you a good idea of how to use Shodan and of the type of information that can be found with the search engine. If you are curious as to what others are looking for, take a moment to review some popular searches.
Notice the list of recent searches includes terms such as webcams, cam, SCADA, FTP and server. SCADA searches should get your attention. SCADA devices are industrial controls used to manage such things as the electrical grid, water plants, oil and gas pipelines, waste treatment plants and oil pumping stations. SCADA devices are potentially big targets for cyberterrorists and foreign hackers seeking to disrupt the electrical grid or disable other critical infrastructure. I encourage each of you to learn how to use Shodan to see how much of your network is visible.
Vulnerabilities in Siemens' SCADA devices
Top nine OSINT tools
Tips and tricks to reduce hacks