Yes, everyone knows Shodan (and who does not know, and wants to hack, should know). I’m not sure if Shodan Hacks is a good name, but I like it. It also reminds me of the Google Hacks I wrote about yesterday. Similar principle of operation only on different input data.
Google indexes pages and materials hosted on www servers. Shodan indexes all devices connected to the internet. Not only web servers, but also printers and network devices, webcams, voip phones, washing machines, refrigerators, gas station pumps, whole IoT and other strange things connected to the Internet. It’s like running nmap and doing active reconnaissance for the entire Internet. Thanks to Shodan we can check the information on the stage of intelligence gathering (OSINT), leave no traces of our intelligence, without arousing the suspicion of our target.
city: - Find devices in a particular city. Example: city:“México”
country: - Find devices in a particular country. Example: country:“MX”
geo: - Find devices by giving geographical coordinates. Example: geo:“89.256487,20.111111”
hostname: - Find devices matching the hostname. Example: server: “gws” hostname:“google”
net: - Find devices based on an IP address or /x CIDR. Example: net:22.214.171.124/16
os: - Find devices based on operating system. Example: os:“Windows IIS”
port: - Find devices based on open ports. Example: apache port:8080
before/after: - Find devices before or after between a given time. Example: apache after:01/01/2010 before:01/09/2010
Here are some examples of Shodan Dorks I used in the past (one per line). Copy paste it to the web browser and check how the queries were built.
Here is Shodan dork list with some other examples ready to use.
Citrix - Find Citrix Gateway. Example:
Wifi Passwords - Helps to find the cleartext wifi passwords in Shodan. Example:
Surveillance Cams - With username admin and password. Example:
Fuel Pumps connected to internet - No auth required to access CLI terminal. Example:
"privileged command" GET
Windows RDP Password - But may contain secondary windows auth. Example:
Mongo DB servers - It may give info about mongo db servers and dashboard. Example:
"MongoDB Server Information" port:27017 -authentication
FTP servers allowing anonymous access - Complete Anon access. Example:
"220" "230 Login successful." port:21
Jenkins - Jenkins Unrestricted Dashboard. Example:
Hacked routers - Routers which got compromised. Example:
Open ATM - May allow for ATM Access availability. Example:
Telnet Access - NO password required for telnet access. Example:
port:23 console gateway
Misconfigured Wordpress Sites - The wp-config.php if accessed can give out the database credentials. Example:
http.html:"* The wp-config.php creation script uses this file"
Hiring - Find sites hiring. Example:
Android Root Bridge - Find android root bridges with port 5555. Example:
"Android Debug Bridge" "Device" port:5555
Etherium Miners - Shows the miners running ETH. Example:
"ETH - Total speed"
Tesla Powerpack charging Status - Helps to find the charging status of tesla powerpack. Example:
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
If you have any interesting please let me know in the comments, I will add them to the list.
The Shodan command-line interface (CLI) is packaged with the official Python library for Shodan, which means if you’re running the latest version of the library you already have access to the CLI. The Shodan CLI has a lot of commands, check this website to see all of them. For the full list of commands just run the tool without any arguments:
shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
Of course, there are tons of interesting programs and scripts that use Shodan database. Here are a few that I like and find useful. All these tools use Shodan API which should be configured in each tool before run. Some of the functions are limited in free Shodan version. It is worth to register and buy full account. Every Black Friday there is always big discount for this (I bought mine lifetime account for 5$!)
With Shodan Exploit, you will have all your calls on your terminal. It also allows you to make detailed searches. All you have to do without running Shodansploiti is to add shodan api.
theHarvester is a very simple to use, yet powerful and effective tool designed to be used in the early stages of a
penetration test or red team engagement. Use it for open source intelligence (OSINT) gathering to help determine a
company’s external threat landscape on the internet. The tool gathers emails, names, subdomains, IPs and URLs using
multiple public data sources that include also Shodan.
sage: __main__.py [-h] -d DOMAIN [-l LIMIT] [-S START] [-g] [-p] [-s] [-v] [-e DNS_SERVER] [-t DNS_TLD] [-n] [-c] [-f FILENAME] [-b SOURCE]
-s parameter is for Shodan
Reconnaissance Swiss Army Knife - it is frontend for many tools, to get results in one place. Wizard + CLA interface (Command Line Argument interface). Can extracts targets from STDIN (piped input) and act upon them. All the information is extracted with APIs, no direct contact is made to the target.
Detect honeypot option uses shodan.io to check if target is a honeypot
hoek@bughunter:/opt/ReconDog$ python dog
GoLismero is an open source framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans. This is huge tool and one of the source it gets information is Shodan.
python2 /opt/golismero/golismero.py scan <target_IP> -o <output file name>
and with nice html output:
sudo python2 golismero.py scan https://example.com -o - -o report.html
Yep, that’s all I have about Shodan. Mostly I use it for reconnaissance or when I want to look at someone’s backyard, shop, office or parrot cage at the camera view ;)
Check other device search engines.
Manufacturer List Default Passwords
ACTi: admin/123456 or Admin/123456
Default passwords are always in each manufacturer guide. Use Google to find it.