Almost all of us have used a search engine like Google or Bing to find material online. These engines crawl the web, index the content of the pages they find and rank the results for us.
This lets us find what we are looking for by typing a few keywords (Google also supports a set of search operators that make the technique known as Google hacking possible).
Now imagine a search engine that, instead of indexing the content of web pages, indexes the devices behind each IP address: it records the same service banners you would see by connecting to an open port by hand with Telnet or netcat.
This information is very useful for finding vulnerable (or, for defenders, exposed) devices. Since almost every device is now connected to the Internet, such a search engine lets us find all devices of a certain type (e.g. Cisco routers) or in a certain area (traffic lights in Thessaloniki), and even SCADA systems. With so many new Internet of Things (IoT) devices entering the market every day without proper security, this information is a treasure trove for attackers.
Such a search engine exists. It was created by John Matherly in 2009 and is called Shodan. You can find it at www.shodan.io, as shown below.
Shodan's crawlers scan IP addresses across the Internet, connect to open ports and record the banner each service returns. That banner usually reveals the manufacturer or product name and some basic parameters, such as the server software and its version.
The first step to using Shodan is a simple registration. You can use Shodan without registering, but the features are limited. A basic account is free, so let's sign up and try some searches.
Before running our own searches, let's try some that other users have created and saved on the site. Among the most popular are web camera searches. Click "Explore" on the top menu bar and a page like the one in the screenshot below will open.
Now, let's try some of the web camera searches. At the top and centre of this screen you can see the "Top Voted" searches; the first is the "Web Cams" search. It is important to note that each type of web cam generally needs its own search terms. Remember, Shodan matches on the banner information, and what identifies a device as a web cam is usually the product name the manufacturer puts in that banner. The point is that finding "all web cams" (or all of any other device class) on Shodan will usually take several searches, one per product, unless, improbably, every device is made by one company under one product name.
With that caveat, let's get back to searching for webcams. Click on "Web Cams".
When you click on it, you'll see that Shodan generates a search phrase. This phrase consists of the keywords that appear in the device's banner and identify it.
In this case that phrase is "Server SQ-WEBCAM". This search returns over 7,000 IPs matching the phrase, and the corresponding devices are shown below.
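To make concrete what "the search phrase is what appears in the banner" means, here is an added Python example (not from the original article and not Shodan's own code). It parses the `Server` header out of an HTTP response, matches banners against keyword sets the way a Shodan keyword search does (an approximation of Shodan's full-text matching), and includes a small banner grabber for doing by hand what the crawler does. The sample responses and the `WEBCAM_SIGNATURES` table are constructed for illustration; the two signatures mirror the "Server SQ-WEBCAM" and "webcamxp" searches discussed on this page.

```python
import socket
from typing import Optional

# Constructed sample HTTP responses (not captured from real devices) in the
# shape Shodan stores in a result's "data" field for an HTTP service.
SAMPLE_RESPONSES = {
    "sq-webcam": b"HTTP/1.0 200 OK\r\nServer: SQ-WEBCAM\r\nContent-Type: text/html\r\n\r\n<html>",
    "webcamxp": b"HTTP/1.1 200 OK\r\nServer: webcamXP 5\r\nContent-Type: text/html\r\n\r\n<html>",
    "nginx": b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n",
    "no-server": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Hypothetical signature table: one keyword set per product, because every vendor
# names its product differently in the banner (why one search never finds all webcams).
WEBCAM_SIGNATURES = {
    "SQ-WEBCAM": ("Server", "SQ-WEBCAM"),  # the "Web Cams" saved search
    "webcamXP": ("webcamxp",),             # the webcamxp search
}


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the value of the HTTP Server header from a raw response, or None if absent."""
    head, _, _ = raw.partition(b"\r\n\r\n")   # headers end at the first blank line
    for line in head.split(b"\r\n")[1:]:      # [1:] skips the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", errors="replace")
    return None


def matches_query(banner: bytes, *keywords: str) -> bool:
    """Approximate Shodan keyword matching: every keyword must occur somewhere in
    the banner, case-insensitively. Shodan's real index is tokenised and richer,
    but this is the intuition behind a banner-keyword search."""
    text = banner.decode("latin-1", errors="replace").lower()
    return all(keyword.lower() in text for keyword in keywords)


def identify_webcam(banner: bytes) -> Optional[str]:
    """Return the product whose signature matches the banner, or None."""
    for product, keywords in WEBCAM_SIGNATURES.items():
        if matches_query(banner, *keywords):
            return product
    return None


def grab_http_banner(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Fetch only the response headers from a live HTTP service: the by-hand
    equivalent (like netcat) of what Shodan's crawler records. Point this only
    at hosts you are authorised to probe."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in received:   # stop once the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:10} server={parse_server_header(raw)!r:22} product={identify_webcam(raw)}")
```

Note that the nginx banner contains the word "Server" but not "SQ-WEBCAM", so the two-keyword signature rejects it, while a response without a `Server` header matches nothing at all; a device whose vendor strips or rewrites that header is invisible to this kind of search.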
We can click on any of these entries and we will be taken to the device itself on the Internet. Scrolling down a bit, near the bottom of the first page, we reach a device in Lithuania, as you can see below.
When we click on it, we are taken to the web cam server's login screen. The default username and password for this device are "admin" and "admin" (default credentials are published all over the Internet; just google the device name together with "default password" and you will find plenty of entries).
If the administrator left the factory credentials in place, we may be able to log in to the web video server.
We try these credentials and, as you can see, they work: we are inside the device!
As you can see above, we reached the web cam server's admin panel with all of its controls. The administrator must have been too busy to change the default credentials, and now the web cam server can be taken over trivially.
Another interesting search in the web-cam field is "webcamxp". These particular cameras are almost always unprotected, so when you find one you can simply click on the IP and start viewing the images the camera captures. Typing "webcamxp" into the search bar, Shodan finds over 1,000 such cameras.
Below, I have found a live image from a camera inside a small office in Latvia. Notice the PTZ controls to the right of the camera image that allow us to zoom in or out and pan the area.
Obviously, there are hundreds of different web-cam manufacturers and you should know something about their banners to look for them. Usually, their banners include the name of the product or the manufacturer. Try some.
Beyond Web Cams
Searching for Internet-connected devices with Shodan is almost limitless. As you can see below, I was able to find the control panel of a hydroelectric plant in Genoa, Italy. Imagine what a malicious actor could do to the people of Genoa with access to this panel!
Shodan Search Syntax
In addition to plain keyword searches, Shodan lets us be quite specific. We can, for example, find devices by city, country, IP address or CIDR range, and be as specific as GPS coordinates, hostname, operating system and port.
The basic filters Shodan accepts are listed below. The syntax is simply filter:value, written with no space after the colon; a value that contains spaces must be quoted, e.g. city:"New York".
city: find devices in a specific city
country: find devices in a specific country (two-letter country code)
geo: find devices near the given coordinates (latitude,longitude)
hostname: find devices whose hostname contains the value
net: search a single IP or a /x CIDR range
os: search by operating system
port: find devices with a specific port open
before/after: find results first seen before or after a date
So, for example, to find webcamxp devices in Sweden, I would type in the search box:
webcamxp country:SE
To find webcamxp devices in Sweden listening only on port 8080:
webcamxp country:SE port:8080
To find webcamxp devices in Sweden whose hostname contains telia (as in telia.com):
webcamxp country:SE hostname:telia
And to find webcamxp devices in Sweden within the subnet 18.104.22.168/16:
webcamxp country:SE net:18.104.22.168/16
As you can see, Shodan's search filters let us be very specific about which Internet-connected devices we find.
In addition, Shodan has an API that lets other applications, such as recon-ng, query Shodan programmatically and use its data. Every registered account gets an API key, but a free account comes with limited query credits; heavier use requires a paid plan, which at the time of writing ranged from $19 per month to $99 per year.
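Here is an added Python example (not from the original article) that ties the filter syntax above to the API. `build_query` assembles a query from keyword and filter arguments, validating the country code, port range and CIDR before anything is sent, and quoting values that contain spaces; `summarize_matches` reduces the API's `matches` list to the fields an analyst triages first; `live_search` runs the query through the official `shodan` client (`pip install shodan`) using a `SHODAN_API_KEY` environment variable. The `SAMPLE_RESULTS` record is constructed in the shape of a real search response, with addresses from the RFC 5737 documentation range, so the parsing can be exercised offline.

```python
import ipaddress
import os
import re
from typing import Any, Dict, List, Optional, Tuple

_COUNTRY_CODE = re.compile(r"^[A-Za-z]{2}$")


def _quote(value: str) -> str:
    """Shodan filter values containing whitespace must be quoted, e.g. city:"New York"."""
    return f'"{value}"' if re.search(r"\s", value) else value


def build_query(
    keywords: str = "",
    *,
    city: Optional[str] = None,
    country: Optional[str] = None,
    geo: Optional[Tuple[float, float]] = None,
    hostname: Optional[str] = None,
    net: Optional[str] = None,
    os_name: Optional[str] = None,
    port: Optional[int] = None,
) -> str:
    """Assemble a Shodan query: free-text keywords followed by filter:value pairs
    with no space after the colon. Values are validated so a malformed filter
    fails here instead of silently matching nothing."""
    parts: List[str] = [keywords.strip()] if keywords.strip() else []
    if city:
        parts.append("city:" + _quote(city))
    if country:
        if not _COUNTRY_CODE.match(country):
            raise ValueError(f"country must be a two-letter code, got {country!r}")
        parts.append("country:" + country.upper())
    if geo:
        lat, lon = geo
        parts.append(f"geo:{lat},{lon}")
    if hostname:
        parts.append("hostname:" + _quote(hostname))
    if net:
        # Accepts a single IP or a CIDR; strict=False normalises 18.104.22.168/16 to 18.104.0.0/16.
        parts.append(f"net:{ipaddress.ip_network(net, strict=False)}")
    if os_name:
        parts.append("os:" + _quote(os_name))
    if port is not None:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        parts.append(f"port:{int(port)}")
    return " ".join(parts)


# Constructed sample in the shape of a Shodan host-search response (not real results).
SAMPLE_RESULTS: Dict[str, Any] = {
    "total": 2,
    "matches": [
        {
            "ip_str": "192.0.2.10", "port": 8080, "hostnames": ["cam.example.net"],
            "location": {"country_code": "SE", "city": "Stockholm"},
            "data": "HTTP/1.1 200 OK\r\nServer: webcamXP 5\r\nContent-Type: text/html\r\n\r\n",
        },
        {
            "ip_str": "192.0.2.20", "port": 80, "hostnames": [],
            "location": {"country_code": "SE", "city": None},
            "data": "HTTP/1.0 200 OK\r\nServer: SQ-WEBCAM\r\n\r\n",
        },
    ],
}


def summarize_matches(results: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Reduce raw API matches to IP, port, country, hostnames and the Server line."""
    rows = []
    for match in results.get("matches", []):
        location = match.get("location") or {}
        lines = (match.get("data") or "").splitlines()
        server = next((line for line in lines if line.lower().startswith("server:")), "")
        rows.append({
            "ip": match.get("ip_str"),
            "port": match.get("port"),
            "country": location.get("country_code"),
            "hostnames": match.get("hostnames") or [],
            "server": server,
        })
    return rows


def live_search(query: str, api_key: Optional[str] = None) -> List[Dict[str, Any]]:
    """Run the query through the official 'shodan' package. Imported lazily so the
    rest of this file works without the package installed."""
    import shodan  # pip install shodan
    key = api_key or os.environ.get("SHODAN_API_KEY")
    if not key:
        raise RuntimeError("set SHODAN_API_KEY or pass api_key")
    api = shodan.Shodan(key)
    return summarize_matches(api.search(query))


if __name__ == "__main__":
    query = build_query("webcamxp", country="SE", port=8080)
    print("query:", query)
    for row in live_search(query):
        print(row)
```

Each `api.search` call spends query credits, so building the query carefully and keeping it narrow with `country`, `port` or `net` is not only a matter of precision but also of cost.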
3 Comments
Nice article, but the tagline about translations being like women is a bit sexist, don't you think?
Come on, you're not fucking either. Everything bothers you. Morons!
I wouldn't give such an answer either, haha.