
Published on September 1st, 2018 📆 | 3779 Views ⚑


7 Steps to Start Searching with Shodan


In the toolkit carried by hackers under any shade of hat, a search engine has become an essential component. Shodan, a search engine built to crawl and search Internet-connected devices, has become a go-to for researchers who want to quickly find the Internet-facing devices on an organization's network.

With skilled use, Shodan can present a researcher with the devices in an address range, the number of devices in a network, or any of a number of different results based on the criteria of the search.

There are many ways to approach Shodan, but the following seven steps will get you started in the right direction.

1. Understand Banners

The first step to using Shodan is understanding what the search engine finds. Shodan's crawlers look for (and, therefore, return information from) banners – the block of information a service returns when it is queried. Depending on which service is responding, the banner can contain software name and version, date of installation, and more. The banner can also be spoofed by more sophisticated owners, so be aware that what Shodan sees is what the service returns, not necessarily what it actually contains.

It's important to realize that banners come from services, not servers or hosts. That means a single device with a number of services, such as an HTTP service, FTP service, or SNMP service, could return a variety of different banners in response to different queries.

Those different services could also return banners containing vastly different types and amounts of information. This is important when building complex queries because it means the return set will have entries with wide variations in size and contents. Understanding the format of the returned headers means you'll be able to better interpret the data Shodan provides.

2. Get the Book

John Matherly, who developed Shodan (which he released in 2009), also wrote an e-book about it. "The Complete Guide to Shodan" is a useful reference for understanding and getting the most out of the search engine. For instance, Matherly's book explains precisely what Shodan's crawlers do and how they do it. This is important for understanding what the search engine can and cannot do.

The book also explains how to build multipart queries and, in an appendix, lists all of the filters available for searching. In Shodan, the filter is quite powerful, enabling a search to become very specific along a variety of different axes. Most of what's in the book is available from other sources as well, but the low-cost e-publication provides a handy way of having all the information in a single place within your electronic reference shelf.


3. Get the Right Account

Shodan has many different tiers of service, ranging in price from free to hundreds of dollars a month. Understanding what each tier gives you and how it can be used is key.

For starters, there are at least six separate plans to choose from. Anyone can go to the search engine and enter a query, but the number of results returned will be limited. Registering with the site raises the number of results you can get. When you begin paying for the service, the number of results available and the filters you can use start to quickly rise.

The most basic paid plan is a $49 one-time payment that allows you to use most filters and returns large datasets. A rising set of developer tiers provide more queries and returns per month. And here's one that's important: The "vuln" filter allows a search to be conducted by CVE — it will return a set of devices vulnerable to a particular CVE. It's not available to just anyone, though: You must have at least a small-business developer membership ($299 per month) or an academic membership to be able to use this filter.

4. Use the API

It's possible to go to the shodan.io website, enter a search term, get results, and be good to go. For many security purposes, though, tying Shodan into the security infrastructure through API calls will dramatically increase the search engine's power and usefulness.
Through the API, Shodan results can be fed directly into security information and event management systems and other security analytics engines to bolster the data set used for network defense. Search results can be fed into the systems in a variety of different formats, from .XLS up to the "firehose" of constantly streamed live data.

Shodan provides API client libraries in a number of different languages and frameworks. In addition, many API usage examples are available on GitHub and in online forums that can serve as the basis for applications and glue code that tie Shodan to other products. One place to get started is the series of tools by Bishop Fox, which includes ShodanDiggity as part of the SearchDiggity kit.
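The two points above, that banners come from services rather than hosts and vary widely in size and contents (step 1), and that API results are most useful once flattened into a consistent shape for a SIEM or analytics engine (step 4), can be shown with a small normalizer. This is an added example, not code from the article or from Shodan; the sample records are constructed here, and it assumes only that the key names (`ip_str`, `port`, `transport`, `product`, `version`, `data`, `hostnames`, `location`, `timestamp`) mirror the banner objects the Shodan API returns under `matches`, with no network access involved.

```python
import json
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Tuple

# Constructed sample records shaped like Shodan API banner objects.
# Every value below is made up; note how much the three banners differ:
# the HTTP one carries product, version and hostnames, the FTP one has
# no version, and the SNMP one (UDP) has no product at all.
SAMPLE_MATCHES: List[Dict[str, Any]] = [
    {
        "ip_str": "203.0.113.10", "port": 80, "transport": "tcp",
        "product": "nginx", "version": "1.18.0",
        "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
        "hostnames": ["www.example.test"],
        "location": {"country_code": "US", "city": "Austin"},
        "timestamp": "2018-08-30T12:00:00.000000",
    },
    {
        "ip_str": "203.0.113.10", "port": 21, "transport": "tcp",
        "product": "vsftpd",
        "data": "220 (vsFTPd 3.0.3)\r\n",
        "timestamp": "2018-08-30T12:05:00.000000",
    },
    {
        "ip_str": "203.0.113.11", "port": 161, "transport": "udp",
        "data": "SNMPv2 sysDescr: Example Router 9000\r\n",
        "location": {"country_code": "US"},
        "timestamp": "2018-08-30T12:10:00.000000",
    },
]

# Fixed output schema: a SIEM parser can rely on every key being present.
FIELDS = ("ip", "port", "transport", "product", "version", "country",
          "hostnames", "banner_first_line", "observed")


def normalize_banner(match: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one banner object into the fixed schema.

    Fields a service did not report become None (or an empty list/string)
    instead of being silently absent, so downstream queries stay uniform.
    """
    data = match.get("data") or ""
    return {
        "ip": match["ip_str"],
        "port": int(match["port"]),
        "transport": match.get("transport", "tcp"),
        "product": match.get("product"),
        "version": match.get("version"),
        "country": (match.get("location") or {}).get("country_code"),
        "hostnames": list(match.get("hostnames") or []),
        # Keep only the first banner line: the full body can be kilobytes.
        "banner_first_line": data.splitlines()[0] if data.strip() else "",
        "observed": match.get("timestamp"),
    }


def to_jsonl(matches: Iterable[Dict[str, Any]]) -> str:
    """One JSON object per line, the shape most SIEM HTTP/file inputs accept."""
    return "\n".join(json.dumps(normalize_banner(m), sort_keys=True) for m in matches)


def services_per_host(matches: Iterable[Dict[str, Any]]) -> Dict[str, List[Tuple[int, str]]]:
    """Group banners by IP to show that one host yields one banner per service."""
    hosts: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for m in matches:
        rec = normalize_banner(m)
        hosts[rec["ip"]].append((rec["port"], rec["transport"]))
    return {ip: sorted(svcs) for ip, svcs in hosts.items()}


if __name__ == "__main__":
    print(to_jsonl(SAMPLE_MATCHES))
    print(services_per_host(SAMPLE_MATCHES))
```

Because the schema is fixed, a detection rule such as "alert on any service observed on an IP that is not in the asset inventory" can be written once against the `ip` and `port` keys, regardless of how little or how much the underlying banner contained.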

5. The More Specific, The Better

Broad queries can be entertaining ("Show me the webcams!"), but useful intelligence tends to come with highly targeted searches. Learning how to make queries as specific as possible can be the key to using Shodan data for defense.

In Shodan, precisely how specific you can get, and how easily, will depend a bit on which membership you have. But if you have gone at least as far as the $49 lifetime membership, then you can use many of the existing filters. There are a lot of resources on how to best do that, including a basic project on GitHub and many others.

As with most search engines, the key to getting specific is by stacking terms. In doing so, you might be able to look for webcams in a specific IP address range, find a specific type of router in a particular city, or look for a specific industrial controller with particular configuration details located in a given nation. It can be valuable if you're trying to figure out the difference in what you think you've deployed versus what users have actually put on your network.
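Stacking filters is easy to get wrong by hand (a malformed CIDR or an unquoted two-word city silently changes what the query matches), and the comparison at the end of the step, what you think you deployed versus what is actually exposed, is a set difference. The following is an added example, not code from the article or from Shodan. The filter names it accepts (`net`, `port`, `product`, `version`, `city`, `country`, `org`, `hostname`, `os`) are documented Shodan search filters; the addresses, ports and inventory entries are constructed, and `compare_with_inventory` is a hypothetical helper name.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Documented Shodan search filters this builder accepts (subset; constructed choice).
KNOWN_FILTERS = {"net", "port", "product", "version", "city", "country",
                 "org", "hostname", "os"}


def build_query(free_text: str = "", **filters: object) -> str:
    """Stack Shodan filters into one query string, validating fixed-shape values.

    Filters are emitted in name order so the same inputs always give the
    same string (useful when queries are logged or cached).
    """
    parts: List[str] = []
    if free_text.strip():
        parts.append(free_text.strip())
    for name, value in sorted(filters.items()):
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        if name == "net":
            # Rejects malformed ranges and normalizes host bits (strict=False).
            value = str(ipaddress.ip_network(str(value), strict=False))
        elif name == "port":
            port = int(value)
            if not 0 < port < 65536:
                raise ValueError(f"port out of range: {port}")
            value = str(port)
        elif name == "country":
            value = str(value).upper()
            if len(value) != 2 or not value.isalpha():
                raise ValueError("country must be a two-letter code")
        text = str(value)
        if " " in text:
            text = f'"{text}"'  # multi-word values must be quoted or they split into terms
        parts.append(f"{name}:{text}")
    return " ".join(parts)


Service = Tuple[str, int]  # (ip, port) pair


def compare_with_inventory(observed: Iterable[Service],
                           approved: Iterable[Service]) -> Dict[str, List[Service]]:
    """Split Shodan-observed services into expected, unexpected and not-observed.

    'unexpected' is the defender's worklist: services reachable from the
    Internet that nobody recorded as deployed.
    """
    obs, app = set(observed), set(approved)
    return {
        "expected": sorted(obs & app),
        "unexpected": sorted(obs - app),
        "not_observed": sorted(app - obs),
    }


if __name__ == "__main__":
    # Constructed inputs: a query for web services in one documentation range,
    # and a made-up inventory to diff against what a search would have returned.
    print(build_query("webcam", net="203.0.113.0/24", port=80, country="us"))
    observed = [("203.0.113.10", 80), ("203.0.113.10", 21)]
    approved = [("203.0.113.10", 80), ("203.0.113.12", 443)]
    print(compare_with_inventory(observed, approved))
```

The `net:` check is the one most worth keeping: `ipaddress.ip_network` raises on a bad prefix length rather than letting a typo such as `/33` reach the search engine, and with `strict=False` it turns `203.0.113.5/24` into the intended `203.0.113.0/24`.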

6. Bring in Another Browser

While Shodan is powerful, it's not the same as a standard search engine, such as Bing or Google. For example, if you're looking for a quote from a 19th century author, Shodan's not your tool. That's why the combination of Shodan and another browser can be especially powerful.

How would you use two browsers together? Well, if you're beginning your journey as a pen tester, it might go something like this: You've turned to Shodan to search for a particular device. Let's say you've become specific and searched for a particular manufacturer and model. And you've narrowed down the physical location and IP range to your target system. Now you use Google to search for the default username and password for that device. Once found, you see whether the target has passed "Basic Security 101."

The real point is that there are many different types of information to be found about IoT devices, and Shodan can't find all of them. It's a powerful tool but not the only tool you should have in your kit.


7. A Picture Is Worth …

When we think about search results, especially concerning the Internet of Things, we tend to think of text, but sometimes long lists of text can be overwhelming or even meaningless in their complexity. That's why Shodan offers images to provide larger context around the results found by the engine.

The two image-based results pages from Shodan are Shodan Maps and Shodan Images. The Maps results are useful when you're trying to put some sort of global context around outbreaks, vulnerabilities, or device distribution. The Images page is useful for other purposes. For instance, a browse through the images brought in from Shodan searches shows just how often login screens are available to anyone who looks for them. Researchers can also see examples of the log-in and admin screens for devices they have not previously encountered. And then, it proves yet again just how much computer UI designers love the color blue.
