SHODAN

Shodan is a search engine just like Google.

Dec 12, 2019


Now the question is:

We already have Google (a search engine known even to a 5-year-old), so why do we need Shodan?

According to its founder, John Matherly, Shodan is a place to find stuff not available on Google.

Shodan is not just a search engine, it’s a secret gateway to control the world of connected devices.

Shodan is for Internet-connected devices what Google is for websites (a point also highlighted on its own website). Internet-connected devices are devices that use the internet in one way or another, for example webcams, traffic lights, servers, routers and switches.

While Shodan is a search engine, it is quite different from content search engines like Google or Bing. It does not search for content; it searches for devices. Yes, it is true: it searches for devices, the services running on them, the versions of the software they run, and much more.

Why would anyone want to know about the devices?

As a cyber security professional, a student or a bad guy (hacker), you should know that when malware is injected, the devices are the first things to be infected. It is necessary to gather as much information about a device as possible so that the vulnerabilities associated with it are known beforehand. Shodan is a primary resource for vulnerability assessment, penetration testing and finding the vulnerabilities of devices, thanks to its superpowers (which we will discuss in a bit).

Shodan enables you to request and receive device data from the search engine directly.

John Matherly says that the original purpose of Shodan was for companies to find out who is using their products, where their customers are located and obtain information about their competitors.

Shodan Search Engine

The search bar is like the Google search bar, with filter techniques just like Google's. Filters are special keywords that Shodan uses to let you narrow search results based on the meta-data of a service or device. The format for entering filters is:

filtername:value
P.S.: You have to log in to Shodan to use these filters.

Example —

If you log in successfully and use filters such as the ones seen below:

The search query will look at the data collected within the past 30 days.

Facets provide aggregate information about a specific field of the banner you’re interested in. Filters let you narrow down search results while facets let you get a big picture view of the results. For example, the main Shodan website uses facets to provide the statistics information on the left side of the search results:
Information on port : 77
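
To make the difference between filters and facets concrete, here is an added example (not from the original article, and not Shodan's own code) that models both locally. The records are constructed samples; `port`, `country` and `product` are used as filter names, and the functions `parse_query`, `search` and `facet` are hypothetical helpers.

```python
import shlex
from collections import Counter

# Constructed records (documentation IP ranges), not real Shodan output.
RECORDS = [
    {"ip": "192.0.2.10", "port": 8000, "country": "US", "product": "squid",
     "banner": "HTTP/1.1 400 Bad Request\r\nServer: squid/3.5.27"},
    {"ip": "192.0.2.11", "port": 80, "country": "US", "product": "nginx",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx"},
    {"ip": "198.51.100.5", "port": 8000, "country": "DE", "product": "squid",
     "banner": "HTTP/1.1 403 Forbidden\r\nServer: squid/4.10"},
    {"ip": "203.0.113.7", "port": 22, "country": "DE", "product": "OpenSSH",
     "banner": "SSH-2.0-OpenSSH_7.4"},
    {"ip": "203.0.113.8", "port": 80, "country": "FR", "product": "Apache httpd",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41"},
]

def parse_query(query):
    """Split a query into free-text terms and filtername:value pairs."""
    terms, filters = [], {}
    for token in shlex.split(query):      # keeps product:"Apache httpd" whole
        name, sep, value = token.partition(":")
        if sep and name and value:
            filters[name.lower()] = value
        else:
            terms.append(token)
    return terms, filters

def search(records, query):
    """Filters narrow the result set; free text must appear in the banner."""
    terms, filters = parse_query(query)
    hits = []
    for rec in records:
        if any(str(rec.get(k, "")).lower() != v.lower() for k, v in filters.items()):
            continue
        if all(t.lower() in rec["banner"].lower() for t in terms):
            hits.append(rec)
    return hits

def facet(records, field, top=5):
    """Facets aggregate: count the values of one field across the results."""
    return Counter(r[field] for r in records if field in r).most_common(top)

if __name__ == "__main__":
    print([h["ip"] for h in search(RECORDS, "squid port:8000")])
    print(facet(RECORDS, "country"))
```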

Superpowers of SHODAN

Now let's dive into how Shodan does what it is made to do.

Just as normal search engines use crawlers to find, prioritize and index web pages (what, you thought search engines magically know which websites exist on the Internet?), Shodan also uses crawlers, which crawl and index devices.

Shodan crawlers collect banners, not web pages.

A banner is textual information that describes a service on a device. It is publicly available information, so it is legal to collect it as well.

In addition to the banner, Shodan also grabs meta-data about the device such as its geographic location, hostname, operating system and much more which helps in pen-testing and finding vulnerabilities.

The Shodan crawlers work 24/7 (very hardworking) and update the database in real-time. At any moment you query the Shodan website you’re getting the latest picture of the Internet.

Shodan Crawlers are present in countries around the world, including USA (East and West Coast), China, Iceland, France, Taiwan, Vietnam, Romania, Czech Republic. These are the countries which are also highlighted in the facets (explained above) of shodan website. Data is collected from around the world to prevent geographic bias.

For example, many system administrators in the USA block entire Chinese IP ranges. Distributing Shodan crawlers around the world ensures that any sort of country-wide blocking won’t affect data gathering.

Shodan Crawlers use a simple algorithm —

Example —

Step 1: Generate a random IPv4 address like 143.27.25.29

Step 2: Take any port which can be understood by SHODAN. It understands most of the known ports. E.g. — 143.27.25.29:8000

Banner for HTTP mentioning server as squid

Step 3: When you connect to an IP address listening on a given port, the device with the IP address (usually) responds with a banner.

Step 4: Finally, the Shodan crawler starts the whole routine again, until it has indexed all the devices available on the internet.
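
The banner returned in Step 3 is what ends up in the index, so it is worth checking what your own services say about themselves. The following added example (not from the original article) parses a constructed HTTP banner modelled on the Squid case above and lists the software versions and internal hostnames it discloses; the header list, the regular expressions and the hostname `proxy01.example.internal` are assumptions made for illustration.

```python
import re

# Constructed sample banner; values are illustrative, not captured traffic.
SAMPLE_BANNER = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: squid/3.5.27\r\n"
    "Mime-Version: 1.0\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Via: 1.1 proxy01.example.internal (squid/3.5.27)\r\n"
    "X-Cache: MISS from proxy01.example.internal\r\n"
    "Connection: close\r\n\r\n"
)

# Headers that commonly identify software or internal naming (assumed list).
IDENTIFYING = ("server", "via", "x-powered-by", "x-cache")
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
HOST_RE = re.compile(
    r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|lan|corp))\b", re.I)

def parse_banner(banner):
    """Return (status_line, {lowercased header name: [values]})."""
    lines = banner.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def audit_banner(banner):
    """List what an indexer can learn from the banner, as sorted tuples."""
    _, headers = parse_banner(banner)
    findings = set()
    for name in IDENTIFYING:
        for value in headers.get(name, []):
            for product, version in VERSION_RE.findall(value):
                findings.add(("version", name, f"{product} {version}"))
            for host in HOST_RE.findall(value):
                findings.add(("internal-hostname", name, host))
    return sorted(findings)

if __name__ == "__main__":
    for kind, header, detail in audit_banner(SAMPLE_BANNER):
        print(f"{kind:18} {header:8} {detail}")
```

For Squid specifically, `httpd_suppress_version_string on` and `via off` in squid.conf remove the version string and the Via header from responses.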

The connectivity of Internet-connected devices has grown at a rate that has outpaced security capabilities. With Shodan, you can gain the insights necessary to streamline security planning.

Shodan’s motto is:

Just because something isn’t on Google, doesn’t mean it’s unfindable. Shodan scours the invisible parts of the Internet most people won’t ever see.
