
Shodan Search Examples

This article is intended for those who have either never heard of Shodan at all, or have heard of it but did not understand how to use it. I did not find similar material in Russian; I gathered some of the information here and added the rest from personal experience. I will give examples of using the "scariest search engine on the Internet", Shodan. The service was developed by web developer John Matherly and is focused primarily on searching for devices connected to the Internet.

Shodan polls device ports and draws conclusions about the devices and services behind them from the response banners it receives. The search engine is paid, and an annual subscription costs $20; however, you can try it out for free: after free registration, 50 search results are available. You can look up the history of the project and the author's biography yourself if you are interested, but for now let's get to the point:

Filters


Search results can be filtered with constructs of the form name:value; the examples below use port:, country: and city:.


Example 1: Cisco Devices


To understand the first example, you need to remember the basic HTTP response status codes:
HTTP status codes:
In this example, we will try to find a Cisco device with a web interface that can be accessed without authorization.
First, let's look at what a typical "401 Unauthorized" banner of a Cisco device looks like if we simply type "cisco" in the search bar:

HTTP/1.0 401 Unauthorized
Date: Thu, 20 Oct 1994 05:18:36 GMT
Server: cisco-ios
Connection: close
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15_access"

Note that the line WWW-Authenticate: Basic realm="level_15_access" indicates that a login and password must be entered.
In turn, a device on which authorization is not required returns a banner with status 200 (to find these, we type "200 cisco" in the search bar); another sure sign that this is "our client" is the Last-Modified line:

HTTP/1.0 200 OK
Date: Mon, 08 Sep 2014 22:28:16 GMT
Server: cisco-ios
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Mon, 08 Sep 2014 22:28:16 GMT
Last-Modified: Mon, 08 Sep 2014 22:28:16 GMT
Cache-Control: no-store, no-cache, must-revalidate
Accept-Ranges: none

It is enough to follow the link ip-address:80 and we land in the device's web management console. For convenience I downloaded Cisco SDM.
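The banner check described above, done programmatically for auditing your own address space: an added example that is not part of the original article. It parses raw HTTP banners (the two samples are constructed from the ones shown above) and flags a management interface that answers 200 from a cisco-ios server without a WWW-Authenticate challenge, so exposed consoles can be found in an exported banner set before anyone else finds them.

```python
# Added example (not from the original article): parse HTTP banners and apply
# the article's heuristic (status 200 + Server: cisco-ios + no auth challenge)
# to a set of banners, e.g. one exported for your own IP ranges.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Banner:
    status: int
    server: str
    auth_required: bool  # True when the server sent a WWW-Authenticate challenge


def parse_banner(raw: str) -> Banner:
    """Parse the status line and headers of a raw HTTP response banner."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    version, code, *_ = lines[0].split()
    if not version.upper().startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return Banner(
        status=int(code),
        server=headers.get("server", ""),
        auth_required="www-authenticate" in headers,
    )


def is_unauthenticated_console(raw: str, server_prefix: str = "cisco-ios") -> bool:
    """The article's rule: a 200 from the expected server with no credential challenge."""
    b = parse_banner(raw)
    return b.status == 200 and not b.auth_required and b.server.lower().startswith(server_prefix)


def audit_banners(banners: Dict[str, str]) -> List[str]:
    """Return the hosts (dict keys) whose banner looks like an open management console."""
    return sorted(host for host, raw in banners.items() if is_unauthenticated_console(raw))


# Constructed sample banners keyed by placeholder host names (not real addresses).
BANNER_401 = "HTTP/1.0 401 Unauthorized\nServer: cisco-ios\nConnection: close\n" \
             "WWW-Authenticate: Basic realm=\"level_15_access\"\n"
BANNER_200 = "HTTP/1.0 200 OK\nServer: cisco-ios\nConnection: close\n" \
             "Content-Type: text/html\nLast-Modified: Mon, 08 Sep 2014 22:28:16 GMT\n"
BANNER_OTHER = "HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html\n"
SAMPLE = {"router-a.example": BANNER_401, "router-b.example": BANNER_200, "web.example": BANNER_OTHER}

if __name__ == "__main__":
    print("open consoles:", audit_banners(SAMPLE))  # only router-b.example is flagged
```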



Example 2: Default Passwords


A lot of devices with default logins and passwords are connected to the Internet, so let's try to find some. To do this, we type "default + password" in the search bar. We also add port:80 to select devices with web authentication.



As a result, we will see a lot of banners containing the search phrase, and, as practice shows, a large share of these devices will have a login/password such as admin/password, admin/pass, etc.



Example 3: Security Cameras


If, in the case of network devices, users in most cases set more or less secure passwords, then with the rest of the equipment things are much worse. In this example, we will look at security cameras. At work I often deal with DVRs, some of which are reachable from the network. We type in the search bar: DVR port:80 country:RU city:"Saint Petersburg" and get a list of DVRs in St. Petersburg; about 200 devices were found.



The standard accounts on such devices are admin and user, with passwords admin, user, 1111, 1234, 123456, 8888 (they can be found in the manual). Already on the first page there is a device with a standard account:



Example 4: Popular Searches




In the Popular Searches section you can borrow query ideas, for example a search for AVTECH IP cameras in the US: linux upnp avtech country:US, to which we add the usual port:80 filter:



And again, on the first page of results there is a device that lets you log in with admin/admin:



Summary


Summing up, I want to remind all users once again: please set strong passwords on ALL devices connected to the network. Even if you have no "secret" data on your DVR or smart TV, that does not mean attackers will not get into these devices, if only just for fun.

Links


http://www.scribd.com/doc/34507835/SHODAN-for-Penetration-Testers-The-Next-HOPE - presentation with examples (English).
http://vimeo.com/13465839 - video on using Shodan (English).
- John Matherly's Twitter
- official user guide (English)

Source: https://habr.com/ru/post/237787/

