Yes, everyone knows Shodan (and whoever does not know it yet, and wants to hack, should get to know it). I’m not sure if Shodan Hacks is a good name, but I like it. It also reminds me of the Google Hacks I wrote about yesterday. Same principle of operation, only on different input data.
Google indexes pages and materials hosted on web servers. Shodan indexes devices connected to the Internet: not only web servers, but also printers and network devices, webcams, VoIP phones, washing machines, refrigerators, gas station pumps, the whole IoT and other strange things connected to the Internet. It’s like having nmap run active reconnaissance against the entire Internet, with the results already collected for you. Thanks to Shodan we can gather this information in the intelligence gathering (OSINT) stage without touching the target ourselves, so our reconnaissance leaves no traces and does not arouse the target’s suspicion.
Basic Shodan Queries
city: - Find devices in a particular city. Example: city:"México"
country: - Find devices in a particular country. Example: country:"MX"
geo: - Find devices by giving geographical coordinates. Example: geo:"89.256487,20.111111"
Hacked routers - Routers which got compromised. Example: hacked-router-help-sos
Open ATM - May reveal exposed NCR ATM devices (SNMP on port 161). Example: NCR port:"161"
Telnet Access - No password required for telnet access. Example: port:23 console gateway
Misconfigured WordPress Sites - The wp-config.php, if accessible, can give out the database credentials. Example: http.html:"* The wp-config.php creation script uses this file"
Android Debug Bridge - Find exposed Android Debug Bridge services on port 5555. Example: "Android Debug Bridge" "Device" port:5555
Ethereum Miners - Shows the miners running ETH. Example: "ETH - Total speed"
Tesla Powerpack charging status - Helps to find the charging status of a Tesla Powerpack. Example: http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
If you have any interesting ones, please let me know in the comments and I will add them to the list.
Shodan Command-Line Interface
The Shodan command-line interface (CLI) is packaged with the official Python library for Shodan, which means that if you’re running the latest version of the library you already have access to the CLI. The Shodan CLI has a lot of commands; check the Shodan website to see all of them. For the full list of commands, just run the tool without any arguments:
shodan
Example (search for IIS 6.0 hosts and print only the selected fields):
shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
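The same data is just as useful from the other side of the fence: pointed at your own organization, a Shodan search is a cheap, continuous check of what the Internet can see of you. The script below is an added example for this post (not code from the post or from the Shodan project). It composes a search from the filters listed above, then turns Shodan banner records into an exposure report that flags the telnet, SNMP and ADB services the query list singles out, plus anything else not on your expected-ports list. It assumes the record shape returned by the official library’s Shodan.search() (the 'matches' list, the same library the CLI ships with) and written by `shodan download` as newline-delimited JSON: ip_str, port, transport, org, hostnames and product. The net: filter, the risky-port table and the sample banners are assumptions constructed for the example.

```python
"""Audit your own Internet-facing footprint from Shodan banner records.

Added example; not code from the post or from the Shodan project. Assumes the
banner JSON that shodan.Shodan.search() returns in 'matches' and that
`shodan download` writes one record per line (ip_str, port, transport, org,
hostnames, product). RISKY_PORTS and SAMPLE_BANNERS are constructed here.
"""
import gzip
import json
from collections import Counter, defaultdict

# Services the post's query list singles out as dangerous when reachable from
# the Internet (constructed mapping for the example, not a Shodan artefact).
RISKY_PORTS = {
    23: "telnet console, often without a password",
    161: "SNMP, often with default community strings",
    5555: "Android Debug Bridge",
}


def build_query(org=None, net=None, ports=()):
    """Compose a Shodan search string. org: and port: appear in the post;
    net: (a CIDR filter) is a standard Shodan filter assumed here."""
    parts = []
    if org:
        parts.append(f'org:"{org}"')
    if net:
        parts.append(f"net:{net}")
    parts.extend(f"port:{p}" for p in ports)
    return " ".join(parts)


def fetch_banners(api_key, query):
    """Pull live banners with the official library (needs network and a key)."""
    import shodan  # pip install shodan; the CLI is installed with this library
    api = shodan.Shodan(api_key)
    return api.search(query)["matches"]


def load_banners(path):
    """Read newline-delimited banner JSON, gzip-compressed or plain."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def exposure_report(banners, expected_ports=frozenset({80, 443})):
    """Return (ip, port, severity, reason) for every service that is either in
    RISKY_PORTS or not on the list of ports you expect to have exposed."""
    by_host = defaultdict(list)
    for b in banners:
        by_host[b["ip_str"]].append(b)
    findings = []
    for ip in sorted(by_host):
        for b in by_host[ip]:
            port = b["port"]
            if port in RISKY_PORTS:
                findings.append((ip, port, "high", RISKY_PORTS[port]))
            elif port not in expected_ports:
                what = b.get("product") or b.get("transport", "unknown")
                findings.append((ip, port, "medium", f"unexpected service: {what}"))
    return findings


def port_summary(banners):
    """Count exposed services per port: the quickest view of what Shodan sees."""
    return Counter(b["port"] for b in banners)


# Constructed sample banners in the real record shape (documentation addresses).
SAMPLE_BANNERS = [
    {"ip_str": "198.51.100.10", "port": 443, "transport": "tcp", "product": "nginx",
     "org": "Example Org", "hostnames": ["www.example.com"]},
    {"ip_str": "198.51.100.10", "port": 23, "transport": "tcp", "product": None,
     "org": "Example Org", "hostnames": []},
    {"ip_str": "198.51.100.22", "port": 5555, "transport": "tcp", "product": None,
     "org": "Example Org", "hostnames": []},
    {"ip_str": "198.51.100.22", "port": 8080, "transport": "tcp", "product": "Apache Tomcat",
     "org": "Example Org", "hostnames": ["dev.example.com"]},
    {"ip_str": "198.51.100.30", "port": 161, "transport": "udp", "product": None,
     "org": "Example Org", "hostnames": []},
]

if __name__ == "__main__":
    print("query:", build_query(org="Example Org", net="198.51.100.0/24"))
    for ip, port, severity, reason in exposure_report(SAMPLE_BANNERS):
        print(f"{severity:6} {ip}:{port:<5} {reason}")
```

Run it on a `shodan download` file with `exposure_report(load_banners("banners.json.gz"))`, or feed it `fetch_banners(key, build_query(org="Your Org"))` once you have an API key. Keep in mind that Shodan data is a snapshot from its last crawl, so a clean report means the scanner saw nothing at that time, not that nothing is exposed now.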
Automation
Of course, there are tons of interesting programs and scripts that use the Shodan database. Here are a few that I like and find useful. All these tools use the Shodan API, which has to be configured in each tool before running it. Some functions are limited in the free Shodan plan; it is worth registering and buying a full account. Every Black Friday there is a big discount on it (I bought my lifetime account for $5!).
shodansploit
With shodansploit, you make all your Shodan API calls from your terminal, and it also allows you to make detailed searches. Before running shodansploit, all you have to do is add your Shodan API key.
[1] GET > /shodan/host/{ip}
[2] GET > /shodan/host/count
[3] GET > /shodan/host/search
[4] GET > /shodan/host/search/tokens
[5] GET > /shodan/ports
[6] GET > /shodan/exploit/author
[7] GET > /shodan/exploit/cve
[8] GET > /shodan/exploit/msb
[9] GET > /shodan/exploit/bugtraq-id
[10] GET > /shodan/exploit/osvdb
[11] GET > /shodan/exploit/title
[12] GET > /shodan/exploit/description
[13] GET > /shodan/exploit/date
[14] GET > /shodan/exploit/code
[15] GET > /shodan/exploit/platform
[16] GET > /shodan/exploit/port
[17] GET > /dns/resolve
[18] GET > /dns/reverse
[19] GET > /labs/honeyscore/{ip}
[20] GET > /account/profile
[21] GET > /tools/myip
[22] GET > /tools/httpheaders
[23] GET > /api-info
[24] Exit
theHarvester
theHarvester is a very simple-to-use, yet powerful and effective tool designed to be used in the early stages of a penetration test or red team engagement. Use it for open source intelligence (OSINT) gathering to help determine a company’s external threat landscape on the Internet. The tool gathers emails, names, subdomains, IPs and URLs using multiple public data sources, Shodan among them.
theHarvester is used to gather open source intelligence (OSINT) on a company or domain.
optional arguments:
-h, --help                               show this help message and exit
-d DOMAIN, --domain DOMAIN               company name or domain to search
-l LIMIT, --limit LIMIT                  limit the number of search results, default=500
-S START, --start START                  start with result number X, default=0
-g, --google-dork                        use Google Dorks for Google search
-p, --port-scan                          scan the detected hosts and check for Takeovers (21,22,80,443,8080)
-s, --shodan                             use Shodan to query discovered hosts
-v, --virtual-host                       verify host name via DNS resolution and search for virtual hosts
-e DNS_SERVER, --dns-server DNS_SERVER   DNS server to use for lookup
-t DNS_TLD, --dns-tld DNS_TLD            perform a DNS TLD expansion discovery, default False
-n, --dns-lookup                         enable DNS server lookup, default False
-c, --dns-brute                          perform a DNS brute force on the domain
-f FILENAME, --filename FILENAME         save the results to an HTML and/or XML file
-b SOURCE, --source SOURCE               baidu, bing, bingapi, certspotter, crtsh, dnsdumpster, dogpile, duckduckgo, github-code, google, hunter, intelx, linkedin, linkedin_links, netcraft, otx, securityTrails, spyse(disabled for now), threatcrowd, trello, twitter, vhost, virustotal, yahoo, all
Reconnaissance Swiss Army Knife - it is a frontend for many tools, collecting their results in one place. It offers a wizard and a CLA interface (Command Line Argument interface). It can extract targets from STDIN (piped input) and act upon them. All the information is extracted through APIs; no direct contact is made with the target.
The detect-honeypot option uses shodan.io to check whether the target is a honeypot.
GoLismero is an open source framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans. It is a huge tool, and Shodan is one of the sources it pulls information from.
Yep, that’s all I have about Shodan. Mostly I use it for reconnaissance, or when I want to look at someone’s backyard, shop, office or parrot cage through a camera view ;)