
Shodan

August 10, 2023 · 7 minute read

Overview

Shodan is a search engine, similar to Google, for internet-connected devices and services. Unlike traditional search engines, which index web pages, Shodan crawls the internet and indexes information about the devices connected to it, such as servers, routers, webcams, smart home devices, and more. It allows users to explore exposed or misconfigured devices which could potentially be targets for cybersecurity attacks.
Shodan works by continuously crawling the internet, scanning IP addresses and collecting information. It uses a technique called Banner Grabbing to extract information from open ports. These banners contain information about the device, its software, version numbers, and more. The indexed information is then stored in the Shodan database.
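To show what a banner gives away, the added example below (not code from this post and not Shodan's own parser) extracts product and version strings from constructed SSH and HTTP banners and reports which ports disclose an exact version. The function names and sample banners are assumptions made for illustration; feed it banners captured from your own services to see what a crawler would index about them.

```python
import re

# Constructed sample banners (not real hosts), shaped like what a crawler
# records from an open port: an SSH identification string and HTTP headers.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
        "X-Powered-By: PHP/7.4.3\r\n\r\n",
    8080: "HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\n"
          "WWW-Authenticate: Basic realm=\"cam\"\r\n\r\n",
}

# "SSH-<protoversion>-<softwareversion> <optional comment>"
SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# A product token followed by "/" or "_" and a version, e.g. nginx/1.18.0
PRODUCT_RE = re.compile(r"(?P<name>[A-Za-z][\w.+-]*?)[/_](?P<version>\d[\w.]*)")
# HTTP response headers that commonly name the software stack
DISCLOSING_HEADERS = ("server", "x-powered-by")


def split_product(text):
    """Split 'nginx/1.18.0 (Ubuntu)' into ('nginx', '1.18.0'); version may be None."""
    m = PRODUCT_RE.search(text)
    return (m["name"], m["version"]) if m else (text.strip(), None)


def parse_banner(raw):
    """Return a list of (source, product, version) tuples found in one banner."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    ssh = SSH_RE.match(lines[0])
    if ssh:
        return [("ssh-id", *split_product(ssh["software"]))]
    findings = []
    if lines[0].startswith("HTTP/"):
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() in DISCLOSING_HEADERS:
                findings.append((name.strip().lower(), *split_product(value)))
    return findings


def audit(banners):
    """Map port -> findings that disclose an exact version string."""
    report = {}
    for port, raw in banners.items():
        leaks = [f for f in parse_banner(raw) if f[2] is not None]
        if leaks:
            report[port] = leaks
    return report


if __name__ == "__main__":
    for port, leaks in audit(SAMPLE_BANNERS).items():
        print(port, leaks)
```

Port 8080 drops out of the report because its `Server: nginx` header names the product without a version, which is the effect of trimming version strings from a service's banner.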
DISCLAIMER: The information provided in this article is intended for EDUCATIONAL purposes only. It is NOT intended to promote, encourage, or condone any illegal or unethical activities. Any actions taken based on information provided in this article are at the sole discretion and risk of the user. By reading this article, you acknowledge and agree to these terms.

Getting Started

To find out what services a web server is running, we first need the IP address of our target. There are many ways to get it; the easiest is nslookup. This tool queries the Domain Name System (DNS) to retrieve information about domain names, IP addresses, and other records. To illustrate, an example of grabbing the IP address of poptropica.com is shown below.
PS C:\Users\sdao7> nslookup
Default Server: umbrella1.sc.edu
Address: 10.49.220.212
> poptropica.com
Server: umbrella1.sc.edu
Address: 10.49.220.212
Non-authoritative answer:
Name: poptropica.com
Addresses: 3.161.150.29
           3.161.150.59
           3.161.150.93
           3.161.150.26
When plugging the IP address into Shodan, we get the following information:
[Image: Shodan search results]

Autonomous System Numbers

An Autonomous System Number (ASN) is a unique ID given to a range of IP addresses or a group of computers that are connected together on the internet. ASNs are used in a routing protocol called BGP (Border Gateway Protocol), which helps guide traffic between different networks. ASNs help identify a network and control how data flows in and out of it. ASNs tell internet routers which group of devices data should go to.
With Shodan, we can filter by ASN using the syntax asn:[ASN QUERY]. Doing so reveals that a total of 176,230,305 websites belong to this ASN. Being able to filter by ASN in Shodan is especially useful since we can combine this with other filters to identify vulnerable or misconfigured devices within a company. Below are the search results when searching for: AS16509
[Image: Shodan ASN search results]

Filters

Shodan has a MASSIVE array of filters that we can utilize to our advantage. These filters allow us to sift through the vast sea of data available, refine our searches, and retrieve highly specific results.
Some of the key Shodan filters are listed below.
Among the most common and vulnerable types of IoT devices present on the internet are those using WebcamXP software. This software is typically used for surveillance, live streaming, and other real-time video capture needs. However, the majority of the time these devices are misconfigured and extremely insecure. Using Shodan, we can search for these devices, and easily connect to them.
For example, if we search for webcamxp devices...
[Image: Shodan search results for webcamxp]
We see that Shodan has found 172 internet-connected IP cameras running the webcamXP server. A quick run-through of this list finds that many of these IP cameras are unsecured and can be accessed by navigating to the IP address.