Tip

Shodan search engine for penetration tests: How-to

Shodan (Sentient Hyper-Optimized Data Access Network), developed by John Matherly, is an online search engine for penetration testers. Shodan is different from other search engines, as it tries to grab the banner by obtaining data from the ports, rather than crawl a Website to display content.

Like Google and Yahoo, Shodan also uses Boolean operators. There are other filter options as well to make the search easy and more specific. Shodan shows 50 results for registered users; you have to subscribe for the paid service to get more results.

Shodan for vulnerability assessment (VA)/penetration testing (PT)

Shodan can be very useful while conducting a VA or PT a particular network or host, as banner grabbing is a major step in these operations. For instance, if host xyz.com is running a server and we have to find a vulnerable service like a mail server, FTP or router, it can be identified along with the host name. In this scenario, we can use the following search string.

Requires Free Membership to View

        Usage: service name host name: host.com

        Example: proftpd host name: xyz.com

This string will display the proftpd banner if host xyz.com is running the service. It will also search for the exploit in the Shodan exploit section.

Basic filters in Shodan

Shodan has several powerful yet easy to use filters which prove handy during VA/PT exercises. The usage of filters is usually of the form filter:value.Some of the most common basic filters that you can use in Shodan are as follows. 

1.     Country: The country filter allows users to search for computers running services in a particular country. The country code is specified as a two-letter word.

            Usage: cisco country: IN (searches for Cisco devices in the particular country. In this case, it’s India).

2.     Host name: This useful option in Shodan lets you find a particular service or the service running in specified hosts or domains.

            Usage: "Server:IIS" host name: domain name

                         Host name: domain name

3.     Net: This filter is used to scan a particular IP address or subnet range. The service name can also be added along with the IP address or subnet.

            Usage: For scanning an IP address: net: 198.162.1.1(any IP)

                         For scanning a subnet: net: 198.162.1.1/24

4.     Port: This filter allows you to scan a particular service. For instance, FTP (21), HTTP (80).

            Usage: Service port number

                         Example: IIS port: 80

5.     Operating system (OS): This Shodan filter helps you to identify a service with a required OS. You can use it to find the service running on the particular OS.

            Usage: Service: OS: OS name

                        Example: IIS “OS: OSName”

6.     After/before: This option helps or returns the query, changed or unchanged before.

                       Example: apache after: 22/03/2010 before: 4/6/2010

                       Example: apache country: CH after:22/03/2010 before: 4/6/2010

If the target is a router, default passwords can be attempted to get access. For default router passwords, check here

Defeating banner grabbing

Since Shodan can also be misused, it is very important that you ensure security within your environment. Banners are left as default and are normally not changed by administrators—a practice that can be easily exploited using tools like Shodan. Security can be ensured on this front by:

Changing the HTTP server banner string

  • Rearranging HTTP headers
  • Customizing HTTP error codes

Useful Shodan resources

Get the Shodan API here

Get the Firefox add-on here.

About the author: Harikrishnan R is a freelance security researcher with an interest in Web app vulnerabilities, as well as the founder of TopSecure (an infosec startup). He has also started "Internet guardians", an initiative to protect Websites.

This was first published in March 2011

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.