SHODAN (Sentient Hyper-Optimized Data Access Network)
What is Shodan?
Shodan is a search engine that lets you
search for various types of devices connected to the Internet using a variety
of filters. These devices can be webcams, routers, servers, etc. Shodan
collects data mostly on web servers, as well as FTP, SSH, Telnet, SNMP, IMAP,
SMTP, SIP, and RTSP.
Shodan is often referred to as the “Google
for hackers”.
The website began as John Matherly’s pet
project, based on the fact that a large number of devices and computer systems
are connected to the Internet. The name Shodan comes from the video game
character SHODAN. It was launched in 2009.
What does Shodan do?
Shodan is designed to map and gather
information about Internet-connected devices and systems. Sometimes also
referred to as a search engine for the Internet of Things, this database lets
users look up millions of Internet-connected devices, along with details about
what each device is, where it is located, and whether it is still using the
default password.
Is Shodan legal?
Yes, Shodan is legal and can be used by anyone,
though hackers use it to locate and target insecure devices. Shodan is legal
because it is just a “massive port scanner” and simply exposes
vulnerable devices (it does not actually use the information it discovers).
[+ve use: to find vulnerable systems.
-ve: attackers may use it to decode data,
and can target insecure devices connected to the internet.]
In the context of the CFAA
The Computer Fraud and Abuse Act (CFAA) can be
applicable if Shodan is used in a manner that violates its provisions. Users
should be aware of the legal framework and ensure their activities with Shodan
comply with the law.
How to use Shodan?
First of all, go to the Shodan Search Engine. You
will be able to see the webpage as shown below.
Now, you can search on the search bar, as easy as that.
But… What is the correct way to search?
To search in Shodan, you will need to use
certain “queries”. Queries filter the search data down to the specific results
you want. These queries are as follows:
ip: Filters by specific IP address.
asn: Filters by specific ASN ID.
hostname: Filters by specific hostname.
port: Filters by specific port number of service.
net: Filters by specific CIDR block.
isp: Filters by devices assigned a particular address from a specified ISP.
city: Filters by specific city.
country: Filters by specific two-digit country code.
os: Filters by particular OS.
product: Filters by particular software.
version: Filters by the specified version of the software.
The above are common general search filters. For more such queries, check the
Shodan Cheat Sheet by sir_slammington on Cheatography.com.
You will learn how to use these queries further in the blog.
What to do with the information gathered from Shodan?
Shodan makes it possible to detect devices that are connected to the Internet at any
given time, the locations of those devices, and their current users. Such devices
could be in almost any type of system,
including business networks, surveillance cameras, industrial control systems
(ICS), and smart homes. By gathering such information, one can check for any
vulnerabilities in the system of that device. Hackers also use such information
to hack, be it for good or bad reasons.
Paid and free access
Shodan offers both paid and free
membership. Paid accounts provide additional information and access to more
advanced search filters and tools.
How to find vulnerabilities using Shodan?
So now we know that we can find
vulnerabilities and even use them to hack the system, but what are these
vulnerabilities and how do we find them? The following may answer your
question.
Given below is an example of a simple search, “Webcam”. It will show us all the
available IP addresses. On the left side, in the section “TOP COUNTRIES”, you
can see each country and the number of webcams available there. Below it is the
section “TOP PORTS”, which gives the port number on the left side and the
number of results on that port on the right side. For example, if port number 80
is shown with a quantity of 159, it means 159 users are using port 80 (which is
the HTTP port).
Now look at the results on the left side. You can click on any link and you
will be redirected to the given site.
By clicking on the first link, we are
redirected to the page below. Let us understand what this page is telling
us.
On the left side of the page, we are given
general information about the IP address. Right above the general
information and below the IP address, we have 3 tags. One of them is honeypot.
Honeypot means that this IP address is deliberately made to look vulnerable so
that it gets attacked. This is done to keep the original server safe from
attacks.
On the right side, we can see a number of
open ports. One can look up what each port means in the IANA port number
registry: Service Name and Transport Protocol Port Number Registry (iana.org)
Moving further down the page, on the left side, we can see a Vulnerabilities
section. This shows the vulnerabilities present on the address. CVE-2023-3817
means this is the 3817th vulnerability found in the year 2023.
Sometimes you may find numbers written in boxes along with the vulnerabilities.
The higher the number, the greater the risk. Number 10 means it is extremely
vulnerable to attacks.
Now moving on to the right side, if you click on the blue box, you will be
directed to the TCP section below.
So this is how you read the information shown in Shodan. This is just the tip
of the iceberg; more information will be provided in upcoming blogs, so stay
tuned.
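The same reading of a host page, done in code when reviewing an address you are responsible for. This is an added example, not code from the original post or from Shodan: the record below is constructed, its field names are an assumption modelled on Shodan's host JSON, the IP is a documentation address, and `CVE-0000-0001` and all scores are placeholders.

```python
import re

# Constructed sample shaped like a Shodan host record (field names are an
# assumption; 192.0.2.10 is a documentation address, not a real host).
SAMPLE_HOST = {
    "ip_str": "192.0.2.10",
    "tags": ["cloud", "honeypot", "self-signed"],
    "ports": [443, 22, 80],
    "data": [
        {"port": 443, "transport": "tcp", "product": "nginx",
         "vulns": {"CVE-2023-3817": {"cvss": 5.3},      # score is sample data
                   "CVE-0000-0001": {"cvss": 10.0}}},   # placeholder CVE ID
        {"port": 22, "transport": "tcp", "product": "OpenSSH"},
        {"port": 80, "transport": "tcp", "product": "nginx",
         "vulns": {"CVE-2023-3817": {"cvss": 5.3}}},
    ],
}

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve(cve_id):
    """Split a CVE ID into (year, sequence number), as the text describes."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))

def summarize_host(host):
    """Reduce a host record to what the page shows: tags, ports, scored CVEs."""
    vulns = {}
    for banner in host.get("data", []):
        for cve, info in banner.get("vulns", {}).items():
            entry = vulns.setdefault(cve, {"cvss": info.get("cvss"), "ports": set()})
            entry["ports"].add(banner["port"])
    # Highest score first, so the boxes marked 10 come out on top.
    ranked = sorted(vulns.items(), key=lambda kv: (-(kv[1]["cvss"] or 0), kv[0]))
    return {
        "ip": host["ip_str"],
        "honeypot": "honeypot" in host.get("tags", []),
        "open_ports": sorted(host.get("ports", [])),
        "vulns": [(cve, v["cvss"], sorted(v["ports"])) for cve, v in ranked],
    }

if __name__ == "__main__":
    report = summarize_host(SAMPLE_HOST)
    print(report["ip"], "honeypot" if report["honeypot"] else "", report["open_ports"])
    for cve, score, ports in report["vulns"]:
        print(f"  {cve} score={score} ports={ports} (year, seq)={parse_cve(cve)}")
```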
[Shodan screenshot:
By typing “has_screenshot: true port 554”
while logged into the search engine, users can
now see screenshots from vulnerable
webcams around the world.
Capabilities: IoT Device Monitoring, Geolocation, Search Functionality, Device
Discovery, Exploit Integration, Vulnerability Detection]
Applications:
1) Security Assessment
2) IoT Device Discovery
3) Research and Analysis
Keywords:
· Port: A port is a number assigned to uniquely identify a connection endpoint and to direct data to a specific service.
· Server: A server is a computer or system that provides resources, data, services, or programs to other computers, known as clients, over a network.
· IP Address: An Internet Protocol address is a unique numerical identifier for every device or network that connects to the Internet.
· Vulnerability: A weakness in the system's security that could be exploited to compromise the system.
Filters:
1) city: search within a particular city
Here the results are webcams in Shanghai city.
Shanghai city does not exist in the USA.
2) country: search within a particular country
ex: country:"[country code]"
List of country codes: https://www.iban.com/country-codes
3) geo: filters by the given coordinates
ex: geo:"19.0761,72.8774" (decimal latitude,longitude for 19° 4' 33.9240'' N and 72° 52' 38.7336'' E)
4) hostname: look for devices associated with a specific hostname
ex: hostname:google.com,hostname:
5) port: find a particular port
ex: port:22,80
6) net: search based on a particular IP
ex: net:144.21.54.10
7) os: search based on operating system
ex: os:"linux"
8) title: search based on that title
ex: title:"united states"
9) org: search for a particular organization
10) hash: search based on the banner hash
- Every banner contains a hash property, which is the numeric hash of the data property.
- The hash command affects the way the current shell remembers a command's path name, either by adding a path name to a list or purging the contents of the list.
11) before/after: search within a timeframe
12) has_screenshot:true: search based on a screenshot being present
ex: has_screenshot:true rfb disabled port:80,443
[https://www.shodan.io/search?query=has_screenshot%3Atrue+rfb+disabled+port%3A80%2C443]
13) service: this allows you to search for a specific service
ex: service:"http", service:"ftp", service:"ssh"
14) vuln: identify devices affected by a vulnerability
ex: vuln:"[vulnerability name]"
Adding specific terms
apache country:"DE" + os:"windows"
country:"JP" city:"kyoto"
service:webcam country:US apache
https://www.shodan.io/host/192.185.168.123
ftp country:"jp"
os:Windows port:3389
https://www.shodan.io/host/43.138.16.57
product:nginx country:CA
city:bangkok port:80
org:"SingTel mobile" city:"singapore"
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
Excluding specific terms from search
service:http -apache
website that requires http connections:
⇒
VSAT SATELLITE:
a.
b.
c. ("Sailor" "VSAT")
apache title:"index of"
org:"spacex"
title:"cisco"
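Queries like the ones above fail quietly when a filter is mistyped, so here is a small checker, added as an example and not part of the original post or of Shodan's own tooling. It splits a query into filters, free-text terms and `-` exclusions, and flags slips that are easy to make when copying queries from a web page (typographic quotes, a space before the colon, a capitalised filter name); the tokenizer is a simplification, not Shodan's real grammar, and the filter list is the one given on this page.

```python
import ipaddress
import re

# Filter names taken from the lists on this page; others are reported as unknown.
KNOWN_FILTERS = {
    "ip", "asn", "hostname", "port", "net", "isp", "city", "country", "os",
    "product", "version", "geo", "title", "org", "hash", "before", "after",
    "has_screenshot", "service", "vuln", "http.title", "http.component",
}
# One token: filter:"quoted value", filter:value, "quoted phrase", or a bare word.
TOKEN_RE = re.compile(r'-?[\w.]+:"[^"]*"|-?[\w.]+:\S+|"[^"]*"|\S+')

def lint_query(query):
    """Return (filters, terms, excluded, warnings) for a Shodan-style query."""
    warnings = []
    if re.search(r"[\u201c\u201d]", query):
        warnings.append("curly quotes replaced with straight quotes")
        query = re.sub(r"[\u201c\u201d]", '"', query)
    if re.search(r"\w\s+:\S", query):
        warnings.append("space before ':' removed")
        query = re.sub(r"(\w)\s+:(?=\S)", r"\1:", query)
    filters, terms, excluded = [], [], []
    for tok in TOKEN_RE.findall(query):
        negate = tok.startswith("-") and len(tok) > 1
        body = tok[1:] if negate else tok
        name, sep, value = body.partition(":")
        if not sep or body.startswith('"'):          # free-text term or phrase
            (excluded if negate else terms).append(body.strip('"'))
            continue
        value = value.strip('"')
        if name != name.lower():
            warnings.append(f"filter name {name!r} lower-cased")
            name = name.lower()
        if name not in KNOWN_FILTERS:
            warnings.append(f"unknown filter {name!r}")
        if name == "net":
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                warnings.append(f"net: {value!r} is not an IP or CIDR block")
        if name == "port" and not re.fullmatch(r"[0-9]{1,5}(,[0-9]{1,5})*", value):
            warnings.append(f"port: {value!r} is not a comma-separated port list")
        (excluded if negate else filters).append((name, value))
    return filters, terms, excluded, warnings

if __name__ == "__main__":
    # Constructed input showing the three slips the checker repairs.
    print(lint_query("apache Country:\u201dDE\u201d os :\u201dwindows\u201d -nginx"))
```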
As technology continues to evolve, so does Shodan. New features, improved search capabilities and expanded data sources are constantly being integrated, ensuring Shodan remains at the forefront of interest.
Contributors:
1. Komal Desodhia, 2nd year, CSE, IIIT PUNE.
2. Shaily Patel, 2nd year, CSE, IIIT PUNE.
3. Dr. Nitesh K Bhardwaj, Assistant Professor, Dept. of CSE, IIIT Pune.
4. Dr. Bhupendra Singh, Assistant Professor, Dept. of CSE, IIIT Pune.