Shodan (Sentient Hyper-Optimized Data Access Network), developed by John Matherly, is an online search engine for penetration testers. Shodan is different from other search engines, as it tries to grab the banner by obtaining data from the ports, rather than crawl a Website to display content.
Like Google and Yahoo, Shodan also uses Boolean operators. There are other filter options as well to make the search easy and more specific. Shodan shows 50 results for registered users; you have to subscribe for the paid service to get more results.
Shodan for vulnerability assessment (VA)/penetration testing (PT)
Shodan can be very useful while conducting a VA or PT a particular network or host, as banner grabbing is a major step in these operations. For instance, if host xyz.com is running a server and we have to find a vulnerable service like a mail server, FTP or router, it can be identified along with the host name. In this scenario, we can use the following search string.
Usage: service name host name: host.com
Example: proftpd host name: xyz.com
This string will display the proftpd banner if host xyz.com is running the service. It will also search for the exploit in the Shodan exploit section.
Basic filters in Shodan
Shodan has several powerful yet easy to use filters which prove handy during VA/PT exercises. The usage of filters is usually of the form filter:value.Some of the most common basic filters that you can use in Shodan are as follows.
1. Country: The country filter allows users to search for computers running services in a particular country. The country code is specified as a two-letter word.
Usage: cisco country: IN (searches for Cisco devices in the particular country. In this case, it’s India).
2. Host name: This useful option in Shodan lets you find a particular service or the service running in specified hosts or domains.
Usage: "Server:IIS" host name: domain name
Host name: domain name
3. Net: This filter is used to scan a particular IP address or subnet range. The service name can also be added along with the IP address or subnet.
Usage: For scanning an IP address: net: 220.127.116.11(any IP)
For scanning a subnet: net: 18.104.22.168/24
4. Port: This filter allows you to scan a particular service. For instance, FTP (21), HTTP (80).
Usage: Service port number
Example: IIS port: 80
5. Operating system (OS): This Shodan filter helps you to identify a service with a required OS. You can use it to find the service running on the particular OS.
Usage: Service: OS: OS name
Example: IIS “OS: OSName”
6. After/before: This option helps or returns the query, changed or unchanged before.
Example: apache after: 22/03/2010 before: 4/6/2010
Example: apache country: CH after:22/03/2010 before: 4/6/2010
If the target is a router, default passwords can be attempted to get access. For default router passwords, check here
Defeating banner grabbing
Since Shodan can also be misused, it is very important that you ensure security within your environment. Banners are left as default and are normally not changed by administrators—a practice that can be easily exploited using tools like Shodan. Security can be ensured on this front by:
Changing the HTTP server banner string
- Rearranging HTTP headers
- Customizing HTTP error codes
Useful Shodan resources
Get the Shodan API here.
Get the Firefox add-on here.
About the author: Harikrishnan R is a freelance security researcher with an interest in Web app vulnerabilities, as well as the founder of TopSecure (an infosec startup). He has also started "Internet guardians", an initiative to protect Websites.
This was first published in March 2011