Complete Shodan Tutorial | The Search Engine for Hackers



What is Shodan?

Shodan is a search engine but very different from regular search engines like Google, Yahoo, Bing, etc., which search the web for standard websites. Shodan was explicitly designed and developed to pull information about IoT devices connected to the internet. It ranks critical information about various devices that the regular browser user would never see. Some of the things that you can find on the internet with Shodan include:

  • Cameras (e.g., CCTVs, webcams)
  • Routers and Devices
  • Baby monitors
  • Maritime satellites
  • Prison payphones
  • Traffic light systems
  • Water treatment facilities
  • Nuclear power plants, and much more

Don't freak out over the above examples and run to hide in a bunker. Yes, Shodan can provide you with publicly accessible information about a router, a server, or a nuclear plant, but that doesn't mean anybody with an active internet connection will now have full access to the device or system. However, there is a catch: this publicly accessible information can also be very sensitive. For example, hackers will indeed have access to these devices if you have a webcam or router connected to the internet and still use the default login username and password. That is why security measures like strong passwords, two-factor authentication, firewalls, and strict security protocols are highly recommended. You will understand this better when we start looking at some practical examples with Shodan.

 

How does Shodan Work?

To understand how Shodan works, let's first look at how regular search engines like Google and Yahoo operate. Google uses automated programs called crawlers that crawl the world wide web looking for any new or updated pages. It captures the page URLs (page addresses) and stores them in a list that it consults later when a user makes a search request.

Shodan works similarly to Google. It crawls the internet using a global network of computers and servers requesting connections to every IP address that appears on the internet. It indexes all the pieces of information received from these IPs. Of course, not all IP addresses will return relevant information. Still, most of them respond with banners that contain metadata information about the devices using these IPs to connect to the internet.

Some of the information includes:

  • Device name: refers to the device's name (it's set as Hostname)—for example, Cisco router or Samsung Galaxy A32.
  • IP address: This is a unique code used to identify a device on the internet. For example, 206.189.189.202
  • Location: The country, city, or any other geographical identifier where this device is located.
  • Organization: This refers to who owns the "IP Space."
  • Ports:

Other additional information that you can find include:

  • Default login and password
  • Services and Software running on the device
  • Make and model
  • Web technologies

 

Getting Started with Shodan

There are two main ways you can use the Shodan search engine:

  • The Browser
  • The Command-line

This post will give you a detailed guide on using both methods.

 

1. Using Shodan on the Browser

This is by far one of the options most used by security professionals. To get started, launch your favorite browser and enter the URL shodan.io.

https://www.shodan.io/

You should see a window similar to the image below. Like Google, you can type anything you want to look up in the search box at the top.

Shodan

 

Let's do a simple search like "webcams" and see what Shodan will give us.

Webcams

 

From the image above, we got 181 results from different locations, with the United States having the highest number. You will also notice that the search results are not like those from Google or Yahoo, where you get domains and page URLs. With Shodan, you get the IP of that particular device.

On the left-hand side, you will see information like the top geographical locations of these webcams, the top ports open on these IPs, a list of services and software running on the devices, etc. You can access any of these webcams by clicking on any of the IPs listed.

We were lucky enough to get a camera doing a live stream in our case. See the image below.

Live Stream Camera

 

After clicking on this IP, we saw that it has services running on two ports: 7777 and 9000. When we tried accessing these services in the browser, [the_ip]:7777 gave us a login interface, which I believe is the camera's control panel, while [the_ip]:9000 let us view the live stream taken by the camera.

Up to this point, you can see how much critical information you can get with Shodan. Shodan is a powerful utility used by security professionals to ensure no essential information is exposed on the public internet. Another exciting search we can perform is "Default password."

Default password

 

From the image above, we can see some devices still use the default username and password like:

  • Username: "cisco"
  • Password: "cisco"
  • Username: "admin"
  • Password: "1234"

 

Using Filters

NOTE:
You will need to create an account with Shodan to use search filters.

Like Google, Shodan also enables us to use filters to get targeted results. For example, if we only wanted to get Webcams located in the United States, we can use the search filter below.

webcams country:"US"

Search Filters

 

Other basic Search filters you can use include:

  • City: Get results in a particular city.
  • Country: Get results in a specific country.
  • Hostname: Get values matching a particular hostname.
  • Geo: Get results targeted by coordinates.
  • Net: Get results based on IP or CIDR.
  • OS: Get results of devices running a particular OS.
  • Port: Get results with particular ports open.
  • After/Before: Get the results within a specified timeframe.

Let's look at other search filters we can use:

Find Apache servers in New York

apache city:"New York"

Find Nginx servers in the US

nginx country:"US"

Find Cisco devices on a particular subnet

cisco net:"216.219.143.0/24"
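
A filter only applies when it is typed as name:value with no space after the colon and with straight double quotes around values that contain spaces. The following is an added example, not part of the original tutorial: a small Python helper that builds queries in that form and flags pasted queries that break it. The function names are hypothetical, and treating typographic quotes as an error is an assumption that Shodan only recognizes straight quotes.

```python
import re

# The basic filters listed in the tutorial (Shodan supports more; extend as needed).
KNOWN_FILTERS = {"city", "country", "hostname", "geo", "net", "os",
                 "port", "after", "before"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"   # typographic quotes from copy-paste


def build_query(keyword="", **filters):
    """Return 'keyword name:value ...' with no space after the colon and
    straight double quotes around values that contain whitespace."""
    parts = [keyword] if keyword else []
    for name, value in filters.items():
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        value = str(value)
        if '"' in value or any(c in value for c in CURLY_QUOTES):
            raise ValueError(f"quote character inside value for {name}")
        quoted = f'"{value}"' if re.search(r"\s", value) else value
        parts.append(f"{name}:{quoted}")
    return " ".join(parts)


def lint_query(query):
    """Return a list of problems that stop a filter from applying."""
    problems = []
    if any(c in query for c in CURLY_QUOTES):
        problems.append("curly quotes: use straight double quotes")
    # A space after the colon turns the value into a separate keyword.
    for m in re.finditer(r"\b([A-Za-z_]+):\s+\S", query):
        problems.append(f"space after '{m.group(1)}:' detaches the value")
    # Misspelled filter names silently become plain search text.
    for m in re.finditer(r"\b([A-Za-z_]+):", query):
        if m.group(1).lower() not in KNOWN_FILTERS:
            problems.append(f"unknown filter name '{m.group(1)}'")
    return problems


if __name__ == "__main__":
    print(build_query("apache", city="New York"))
    for q in ('apache city: "New York"', "nginx country:\u201cDE\u201d"):
        print(repr(q), "->", lint_query(q))
```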

Up to this point, I believe you now have a good understanding of using Shodan on the browser. Let's now look at how we can use Shodan on the command line.

 

2. Using Shodan Command line

To get started, launch the Terminal and run the command below.

easy_install shodan

Tip: If you get an error message like easy_install: command not found, don't panic. Use the commands below to install Shodan.

sudo apt install python3-pip
sudo pip3 install shodan

Install Shodan

 

When done, you need to initialize Shodan by executing the command below.

shodan init YOUR_API_KEY

Initialize Shodan

To get started with Shodan on the command line, run the --help command as shown below.

shodan --help
or
shodan -h

Shodan Help

Unlike using the browser, the CLI method can be pretty technical. However, with regular practice, you will be able to execute commands and search queries without much hassle.

Let's look at some search queries and their syntax.

To view your external IP address:

shodan myip

Get the total number of hosts with port 22 open in the US.

shodan count port:22 country:US

Get all the information you need about a particular domain.

shodan domain [yourdomain]
e.g.
shodan domain example.com

You can read more about using Shodan on the command line on their official blog.
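
The same data can be turned into a check on your own address space. The following is an added example, not part of the original tutorial: it reads per-service records with the `ip_str`, `port`, `product` and `data` fields found in Shodan results and reports every indexed service on your range that your policy does not allow. The sample records, the owned network, the allowlist and the risky-port table are all constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample records, one JSON object per indexed service.
# Addresses come from the documentation ranges, not from real hosts.
SAMPLE_JSONL = """\
{"ip_str": "203.0.113.10", "port": 443, "org": "Example Corp", "product": "nginx", "data": "HTTP/1.1 200 OK"}
{"ip_str": "203.0.113.10", "port": 23, "org": "Example Corp", "data": "login:"}
{"ip_str": "203.0.113.77", "port": 9000, "org": "Example Corp", "product": "webcam", "data": "HTTP/1.1 401 Unauthorized"}
{"ip_str": "198.51.100.5", "port": 22, "org": "Other Org", "product": "OpenSSH", "data": "SSH-2.0-OpenSSH"}
"""

OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: your range
ALLOWED_PORTS = {443}                                   # assumption: your policy
RISKY_PORTS = {21: "FTP", 23: "Telnet", 3389: "RDP", 5900: "VNC"}


def audit(jsonl, owned=OWNED_NETS, allowed=ALLOWED_PORTS):
    """Group indexed services by host and report those outside the allowlist."""
    findings = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        banner = json.loads(line)
        ip = ipaddress.ip_address(banner["ip_str"])
        if not any(ip in net for net in owned):
            continue                    # only report on address space you own
        port = banner["port"]
        if port in allowed:
            continue                    # expected, published service
        reason = RISKY_PORTS.get(port, "not in allowlist")
        findings[str(ip)].append((port, banner.get("product", "unknown"), reason))
    return {ip: sorted(items) for ip, items in findings.items()}


if __name__ == "__main__":
    for ip, items in audit(SAMPLE_JSONL).items():
        for port, product, reason in items:
            print(f"{ip}:{port} {product} -> {reason}")
```

Each finding is a service to close, move behind a VPN or firewall, or add to the allowlist once it is confirmed as intended.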

 

Final Thoughts!

Up to this point, we believe you can now comfortably run Shodan on your system and check for vulnerabilities on your IoT devices. If you are just getting started, we recommend using the browser option until you are well acquainted enough to migrate to the command line. Additionally, note that some advanced features on Shodan require a subscription fee. You can learn more about this by visiting their Pricing page.

Do you have any queries or comments regarding this post? If so, please don't hesitate to leave a comment below.

 

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.
