Thursday, 25 May 2017

ShoDan Searches for Pentesting

Shodan provides a public API that allows other tools to access all of Shodan's data. Integrations are available for Nmap, Metasploit, Maltego, FOCA, Chrome, Firefox and many more.


Shodan is a search engine but Instead of searching through content intentionally served up and delivered to web browsers, Shodan allows us to search for Internet-connected devices. Shodan uses distributed scanners throughout the world to randomly select target IP addresses and identify listening TCP and UDP ports. Listening ports are further enumerated to gather protocol banners, web pages, and other service data. All of this data is then added to an enormous, searchable database that describes the "what" of Internet devices.

Shodan is a search engine which does not index web sites or web contents, but vulnerable devices on the internet. To set up this index an to keep it up to date, Shodan uses at least 16 scanners with different AS numbers and different physical locations.

Shodan's search feature is powerful, allowing us to specify generic terms such as "camera" or even a specific part number such as "WVC80N" and quickly identify the devices that match.

example: camera / dlink / apache / mysql / vnc etc

From there you can pivot to a few key areas in the results. Starting on the left sidebar, we see a good amount of summary data:

Results map
Top services (Ports)
Top organizations (ISPs)
Top operating systems
Top products (Software name)

Then in the main section we get the full results list, including:

IP address
When the entry was added to the database
The country it’s located in
The banner itself

Then, for even more information you can click details, which takes you into that host itself:

[ NOTE: When in details mode for a given host, the URL changes from the search structure to the following: ]

Here you see the data about the host on the left, the list of ports that were found at the top right, and then the individual port details and banners from each port as you go down the page.

Here we can see how to use the web interface for effective device searches, as well as tips to use Shodan in your next penetration test.

 Default Search Behavior
------ ------- ----------- -----
By default, Shodan's website search feature will use a search term as an exact expression in a string match. Shodan does not do incomplete word matching (e.g. "WVC80" will not return matches against "WVC80N"), and will treat multiple words as a logical AND expression. Common words (a, and, by, the, is, on, it) are ignored.

The basic search will perform string matching against server banner information without searching through additional protocol metadata that is also gathered about the discovered devices.

The Shodan documentation doesn't disclose exactly what protocol data is used in the default search, but empirical analysis indicates that it includes at least the following:

HTTP header information
HTTPS header and certificate information
Several gaming server banners (Steam's A2S, Minecraft, and more)
FTP banners
NetBIOS server banner
SSH header and server key data
Telnet banner
SMTP banner
NTP banner
SIP/VoIP banner
DNS server configuration settings
And more!

Metadata about a service is not searched by default. This list includes:

HTML title tag content
HTML header and body content
Physical location (via IP geolocation)
Autonomous System Number (ASN)
Internet Service Provider (by name, such as "Verizon Wireless")

 Shodan Search Operators / Filters
----- -------- ----------- --------- -----
To perform more advanced searches using Shodan, we can apply search operators. Search operators are only available to registered users. It's free to create an account, which will also give you an API key for use with Shodan's command-line tool.

Once you are logged-in, you can apply additional search modifiers to focus your search. Search operators / Filters include:

title: Search the content scraped from the HTML tag
html: Search the full HTML content of the returned page
product: Search the name of the software or product identified in the banner.  filters by technology (es. MySQL, Apache, IIS, Nginx);
net: Search a given netblock (example:
version: Search the version of the product
port: Search for a specific port or ports
os: Search for a specific operating system name
country: find devices in a particular country (2-letter code)
city: find devices in a particular city
geo: you can pass it coordinates . filters by geographic coordinates;
hostname: find values that match the hostname
net: search based on an IP or /x CIDR
before/after: find results within a timeframe
org: with specific organization name

Some filters allow multiple values, such as "postal:97201,97202".

[ NOTE: You can drop the quotes sometimes, on some queries, but you often need them. I recommend you just use them all the time, because that always works. ]



product:"MySQL" country:"US"

country:"US" product:"MySQL" os:"Windows XP" version:"5.1.71-community"

city:"Bangalore" org:"google"

Find Apache servers in San Francisco: apache city:"San Francisco"

Find Nginx servers in Germany: nginx country:"DE"

Find GWS (Google Web Server) servers: "Server: gws" hostname:"google"

Find Cisco devices on a particular subnet: cisco net:""

Apache city:"San Francisco" port:"8080" product:"Apache Tomcat/Coyote JSP engine"

Juniper city:"Bangalore" org:"google"

Pulse Secure city:"Bangalore" org:"google"

city:"Bangalore" port:"8080" org:"google"

Default passwords country:IN

port:9600 response code


apache os:linux

openssh port:22

apache before:1/01/2014
nginx after:1/01/2014

By default, multiple search terms are treated as Boolean AND expressions. You can also negate a particular prefix with the "!" character at the beginning of the search operator.

For example, to search for machines running Outlook Web Access on ports other than 80 and 443, you can combine the title and port operators as follows:

title:"outlook Web Access" !port:443,80

 Applying Shodan in your Pen Test
-------- ---------- ---------------
It's easy to disregard Shodan as offering functionality to find vulnerable devices: an opportunistic attack tool. However, to do so is to overlook the benefits that Shodan can offer you and your customers in a penetration test.

Answering Questions About Similar Vulnerabilities, When putting together a report for a customer, I try to answer the inevitable question "How many others are similarly vulnerable?" Sometimes this question is in an attempt to justify a vulnerable configuration as commonplace or industry standard, or as a defensive mechanism for explaining why they continue to run Outlook Web Access on an IIS 5.0 server.

 Adding this level of detail to a penetration test report can help your customer to better understand the nature of the risk in the context of other similar configurations.

Search query: Microsoft-IIS/4.0 title:"outlook web"

 Scoping Targets by Network
--------- ---------- -------
Shodan can quickly disclose information about target devices scoped to a specific range of IP addresses. This can be useful for helping to get a quick understanding of your customer's assets and the services on those assets as known to Shodan.

For example, this author's office Internet access uses IP addresses in block through Verizon FIOS. I can ask Shodan how many people with IP addresses in my network also have their routers available for remote authentication and access. Apparently, it's far too many.

Search query: net: unauthorized
net: unauthorized city:"Bangalore" org:"google"

 Scoping Targets Without IP Ranges
---------- ---------- -------------
Sometimes the point of contact you are working with to scope your penetration test might not be aware of the company's entire web presence. By searching for identifying features of the website (such as the copyright notice), you may be able to find lesser-known sites for a given organization.
As a penetration tester, identifying targets that are owned by an organization that they don't know allows you to clearly demonstrate your value and usefulness as a security analyst.

For example, a search for html:"eBay Inc. All Rights Reserved" shows a small number of sites (eBay has excluded a lot of their web properties from Shodan) that may not be as well known:

Search query: html:"eBay Inc. All Right Reserved"

If your target is large enough to have Regional Internet Registry allocations (where the WHOIS information reflects the organization name), you can combine negative searches to exclude the known ranges with the html filter (searching for copyright or other unique strings) or the "org" filter.

Search query: title:"eBay Deals" -org:"EBAY"

Using the power of Shodan and some creative thinking, you can provide additional value to your penetration tests. Use some of these ideas in your next pen test and see if you can find some targets that were supposed be in scope.

You can use the “Explore” button on the main Shodan site to look at common searches and results, which are illuminating. You’ll find things like:

Traffic lights
Default passwords Etc.

  ------- --------- ---------
To combine filters, simply keep adding them on. You can also do this by clicking filters in the left sidebar for a given result set. So if you want to search for Nginx servers in San Francisco, that are running on port 8080, that are also running Tomcat, you could do the following:

Apache city:"San Francisco" port:"8080" product:"Apache Tomcat/Coyote JSP engine"

Here are a few other cool things you can do with the service.

Data Export: You can export your results in various formats using the top menu after you’ve performed a search. Browser Search: You can configure your browser to search Shodan when you search from the URL bar. Shodan Free Account: You should create and log in to your free account when you search, as the interface is pretty nerfed if you don’t, e.g. not being able to see host information, etc.

Premium Accounts: A premium account is a one-time payment of $45 and it gives you increased access to the API. Full details and docs are available at

No comments:

Post a Comment