The POWER of Shodan: Shodan unrevealed

Falken Smaze
Mar 28, 2023


What is Shodan?

Shodan is a search engine like no other. Dubbed the “Google for hackers”, Shodan scans the internet for devices and systems that are connected to the internet, allowing users to see information that would otherwise be hidden. While many people may not have heard of Shodan, it is a powerful tool that has been used by security professionals, researchers, and even malicious actors.

In today’s blog post, we will be going over how Shodan works and why it should be part of your OSINT toolkit.

How does it work?

Unlike traditional search engines like Google, which crawl web pages and index them, Shodan scans for internet-connected devices and systems based on their IP address.

Shodan uses a process called “port scanning”. A port is a communication endpoint on a device or system, and different types of communication use different ports. For example, web traffic typically uses port 80 or 443. Shodan then collects information from the devices it reaches, such as the OS in use, their geolocation, or even potential vulnerabilities (CVEs) that could be used to exploit the device. This information is then indexed, much as Google indexes web pages, and made searchable through the search engine.

How to find vulnerable/interesting devices using Shodan

When looking for vulnerable devices on the internet, the most important question to ask yourself is who you are targeting and what kind of device you are trying to break into.

Disclaimer: I am not responsible for any actions that may cause damage to companies/people. This is purely for educational purposes, and I do not encourage hacking without permission. This should only be done in an organized penetration test, or when you have permission from the person/company that is targeted.

Take, for instance, company XYZ. Company XYZ specializes in digital marketing. After you have performed your recon and OSINT investigations, you have a pretty good idea of how the company operates, what kind of devices are used, and for what purposes. Now that you have a nicely structured map of the company, you know what to look for.

Use Shodan to find footholds

Here is a little filter cheat sheet for Shodan:

During our reconnaissance phase, we discovered that there are multiple FTP and SMB servers running inside our company, holding important files related to marketing. Let’s see if we can break into those first, as it would lead to a lot of damage and client loss for our target.

"230" "230 Login successful" port:21 org:companyName

Let’s break down this filter. We put “Login successful” in quotes, meaning that Shodan was able to log into the FTP server without providing credentials. Then we specified port 21, which is the default port for FTP. Lastly, we specified our target company's name, to only get FTP servers owned by that specific company. Let’s check the results without the org filter.

This is quite scary. 61 thousand devices have a server without credentials/default credentials. That means that we could potentially hack into the majority of these companies. Let’s see if this is really the case.

Logging in via anonymous/anonymous credentials.

Let’s check other interesting search queries that could lead to potential footholds.

"Authentication: disabled" port:445

Over 250k results. That is very scary. We can log into over 250 thousand SMB servers.

There are a lot of servers that are vulnerable to EternalBlue, a remote code execution vulnerability that has led to a lot of destruction (e.g., WannaCry).

There are a lot more queries out there. The idea is to be creative when you are investigating your target, so that you can obtain the best results and potentially be able to establish a foothold in the organization.
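From the defender's side, the same two banner strings can be used to audit your own address space. The following is an added example, not code from the original post: it runs over constructed records shaped like Shodan banner JSON (fields `ip_str`, `port`, `data`), and the function name, networks and remediation wording are assumptions.

```python
import ipaddress

# Banner strings taken from the two queries in this post.
INDICATORS = [
    {"port": 21, "needle": "230 Login successful",
     "issue": "FTP accepts login without real credentials",
     "fix": "disable anonymous FTP or move the share behind VPN/SFTP"},
    {"port": 445, "needle": "Authentication: disabled",
     "issue": "SMB reachable from the internet with authentication disabled",
     "fix": "block 445 at the perimeter and require authenticated SMB"},
]

def audit_exposure(banners, owned_cidrs):
    """Return findings for banners that sit inside our own address space."""
    nets = [ipaddress.ip_network(c) for c in owned_cidrs]
    findings = []
    for b in banners:
        try:
            ip = ipaddress.ip_address(b["ip_str"])
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than crash the audit
        if not any(ip in n for n in nets):
            continue  # not one of our addresses: out of scope
        data = (b.get("data") or "").lower()
        for ind in INDICATORS:
            if b.get("port") == ind["port"] and ind["needle"].lower() in data:
                findings.append({"ip": str(ip), "port": ind["port"],
                                 "issue": ind["issue"], "fix": ind["fix"]})
    return sorted(findings, key=lambda f: (f["ip"], f["port"]))

# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 21,
     "data": "220 (vsFTPd 3.0.3)\r\n230 Login successful.\r\n"},
    {"ip_str": "203.0.113.11", "port": 21,
     "data": "220 ProFTPD Server\r\n530 Login incorrect.\r\n"},
    {"ip_str": "203.0.113.20", "port": 445,
     "data": "SMB Status:\n  Authentication: disabled\n  SMB Version: 1\n"},
    {"ip_str": "198.51.100.5", "port": 21,
     "data": "230 Login successful.\r\n"},  # outside our ranges
    {"ip_str": "not-an-ip", "port": 445, "data": "Authentication: disabled"},
]

if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_BANNERS, ["203.0.113.0/24"]):
        print(f"{f['ip']}:{f['port']}  {f['issue']} -> {f['fix']}")
```

Scoping the check to CIDR ranges you own keeps the audit tied to your asset inventory rather than to an organization-name match.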

In conclusion, Shodan is a powerful tool that allows users to search for internet-connected devices and systems using a variety of filters. While it is primarily used by security professionals, it has also been used by researchers to study the security of internet-connected devices and systems. However, it can also be used by malicious actors to identify vulnerable systems that can be exploited. As more and more devices become connected to the internet, the importance of tools like Shodan will only continue to grow.
