In this video we are going to identify how to use shodan.io for information gathering and explore how a white or black hat hacker may use this tool to identify vulnerabilities that exist on a network. We will explore how to use different search filters and look to identify vulnerable organisations that are listed on shodan.io
What is shodan?
Shodan is a search engine similar to Google but instead of generic searches, Shodan searches for devices that are connected to the internet. Users can perform a search using the Shodan search engine based on an IP address, device name, city, ISP, port number as well as other technical categories. Users can sign up for free accounts, but, if the tool is to be used extensively, a paid account is a must.
The creator of shodan.io, John Matherly create a tool which crawled the web for randomly generated IP addresses and eventually developed a search engine to search through his growing database of internet-connected devices.
Matherly’s intention was never to create an easy way for hackers to discover devices and infiltrate them, but as soon as Shodan was up and running, it began discovering industrial supervisory control and data acquisition (SCADA) systems, security cameras, traffic lights, and other sensitive devices that shouldn’t have been publicly accessible.
Shodan.io is used by all types of hackers, whether ethical or black hat.
How does Shodan work?
Shodan works by requesting connections to every imaginable internet protocol (IP) address on the internet and indexing the information that it gets back from those connection requests. Shodan crawls the web for devices using a global network of computers and servers that are running 24/7.
An IP address is your device’s digital signature — it’s what allows Google to tailor searches to your location, and it’s what allows all internet-connected devices to communicate with each other.
Internet-connected devices have specific “ports” that are designed to transmit certain kinds of data. Once you’ve established a device’s IP address, you can establish connections to each of its ports. There are ports for email, ports for browser activity, ports for printers and routers — 65,535 ports in all.
When a port is set to “open”, it’s available for access — this is what allows your printer to establish a connection with your computer, for example. The computer “knocks” at the open port, and the printer sends a packet of information called a “banner” that contains the information your computer needs to interact with the printer.
Shodan works by “knocking” at every imaginable port of every possible IP address, all day, every day. Some of these ports return nothing, but many of them respond with banners that contain important metadata about the devices Shodan is requesting a connection with.
Banners can provide all sorts of identifying information, but here are some of the more common fields you will see in a banner:
- Device name: What your device calls itself online. For example, Samsung Galaxy S21.
- IP address: A unique code assigned to each device, which allows the device to be identified by servers.
- Port #: Which protocol your device uses to connect to the web.
- Organization: Which business owns your “IP space”. For example, your internet service provider, or the business you work for.
- Location: Your country, city, county, or a variety of other geographic identifiers.
Some devices even include their default login and password, make and model, and software version, which can all be exploited by hackers.
What Can You Find on Shodan?
Any device connected to the internet can potentially show up in a Shodan search. Since Shodan went public in 2009, a pretty large community of hackers and researchers have been cataloging the devices they’ve been able to find and connect with on Shodan — things like:
- Internet routers.
- Security cameras.
- Maritime satellites.
- Water treatment facilities.
- Traffic light systems.
- Prison pay phones.
- Nuclear power plants.
Before you freak out and go hide in a bunker, remember that Shodan merely indexes publicly available information. Yes, it can show users a nuclear power plant’s server banner, but that doesn’t mean that anyone with an internet connection can cause a nuclear meltdown.
However, Shodan does reveal just how much of our information is publicly available. If your webcam is internet-facing, and you haven’t changed its default logins, hackers can access it without your knowledge, gaining an easy window into your home.
What Is Shodan Used For?
Shodan is most commonly used to help users identify potential security issues with their devices. Businesses and consumers both use more and more internet-connected devices every day — this is especially true due to the rise in remote working in recent years. As we become more plugged in, our chances of falling victim to a malicious attack get higher.
By identifying all of the devices connected to the internet, displaying what information those devices are sharing with the public, and making it clear how easy that information is to access, Shodan can help users to reinforce their security in a variety of ways:
- Home Security. Discover how many devices in your home are publicly accessible (chances are your printer and your baby monitor don’t need to connect with the entire internet!).
- Enterprise Security. Shodan can serve as an incredibly helpful tool for a company’s IT team by identifying every endpoint in the enterprise’s system and ensuring all of the banners are as secure as possible.
- Infrastructure Management. By using Shodan, government and private sector professionals can ensure that all of their systems, from traffic systems to power grids, are secure and that all backdoors have been closed. Shodan can also be useful for finding legacy computer systems that are redundant or unnecessary.
- Market Research. Businesses can track the distribution of their devices or software using Shodan, whether that’s Google tracking how many internet connected devices are running Android or a thermostat company trying to figure out how many of its smart thermostats are still running.
- Academic Research. Academics and cybersecurity professionals can use Shodan to analyze what kind of devices are connecting to the internet, what kind of software they’re using, and identify trends in security, device usage, and the overall makeup of the internet.
IT professionals frequently use Shodan to monitor networks for vulnerabilities — Shodan can be set up to alert users whenever a new device pops up in their network, giving security staff the opportunity to analyze and close vulnerabilities before hackers can access them.
Can Shodan Expose Your Private Data?
Yes, but it’s not likely. Shodan has made identifying IoT devices accessible to anyone with an internet connection and a web browser. And because a shocking number of devices connecting to the internet are unprotected, the potential for your webcam and other devices to be hacked without your knowledge is high.
Shodan has been repeatedly used by researchers to demonstrate vulnerabilities at the professional and home level. A quick search reveals Shodan users gaining access to webcams, automated greenhouse watering systems, traffic light systems and like in the video above, school management information systems.
It’s important to note that the banner grabbing technology that Shodan uses is publicly available, and Shodan performs the most minimal data grabbing possible. Hackers use botnets to crawl networks for vulnerabilities in the exact same way that Shodan does. But hackers search exclusively for software vulnerabilities that will allow them to invade your networks, while Shodan’s vulnerability scan is hidden behind an expensive paywall.
Shodan is simply a publicly available tool that shows us what hackers have been able to find out about our devices for years.
Where to get started?
Use the video for help, this demonstrates how you can get started using some of the basic functionalities on Shodan.io