Journey into the depths of the web with Shodan – a search engine that opens doors to the unknown

Introduction
Good afternoon, as they say! Today I would like to share a little secret. Few people realize it, but an incorrect device configuration is itself a vulnerability, and a great many attacks succeed precisely because of it. Since this article covers the Shodan search engine, we should start by noting its features.

Shodan is a tool for finding internet-connected devices.
It does not rely on DNS records. Instead, it independently sends requests to network nodes, probing ports across various IP address ranges.
Thanks to this, Shodan allows you to find out which devices and operating systems are most common, as well as assess the level of Internet penetration in different regions of the world.
Shodan is built on an algorithm that collects information about every node that responded to at least one request; the Google and Yandex search engines use similar crawling algorithms.

Let's consider two questions:

  1. Features overview. It’s a bit boring, but you can’t live without it. Every user, no matter what their goals, should have an idea about this search engine.

  2. Using the Shodan web application and the Shodan module in Metasploit to gain access to IoT devices.

Features Overview

I won’t go into a long and tedious talk about the relevance of the topic of this article, so let’s immediately get down to reviewing Shodan and the opportunities that this search engine can provide in the right hands.
The first step is to register; this step will help you get more opportunities in the future.

The basic function that regular users stop at is search.
The easiest way to search is to specify the name or brand of the device you are looking for. For example, if we enter “ipcamera”, the devices found and their service banners will appear on the screen. Some statistics will be displayed on the left to help you narrow down the results. It's important to remember that this is not Google: the search query is treated as a complete, unmodified expression.

I advise you to use filters for a more effective search.
Here are examples of using the most popular Shodan filters:

  • To see data only for a specific country, use the country: filter. For example, country:UA will show information only for Ukraine.

  • To view data only for a specific city, apply the city: filter. For example, city:London will show information only for London.

  • If you need to find a specific operating system, use the os: filter. For example, os:linux will find devices running Linux.

  • The geo: filter is designed for searching by geographic coordinates. Enter the coordinates in latitude, longitude format, for example geo:"45.617496, 63.321806".

  • To show results only for a specific port, use the port: filter. For example, port:22 will show devices listening on port 22.

  • The hostname: filter will help you search only within a specific domain zone. For example, hostname:.ru will show devices in the .ru domain zone.

  • To search within a given network range, use the net: filter. For example, net:190.73.40.50/24 will show devices in that network range.

  • If you want to find devices by the name of the program that produced the banner, use the product: filter. For example, product:openssh will find devices running OpenSSH.
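The filters above are plain text appended to the query, and a mistyped value (a port out of range, a malformed CIDR) simply returns nothing while still spending query credits. As an added example that is not part of the original article, here is a small Python helper that assembles a query from these filters and validates each value locally first; the filter subset and the rule that values containing spaces are double-quoted are my assumptions.

```python
import ipaddress
import re

# Validators for the filters listed above. Assumption on my part: this is only
# the subset of Shodan's filter syntax that the article covers.
def _country(v):
    if not re.fullmatch(r"[A-Za-z]{2}", v):
        raise ValueError(f"country must be a two-letter code, got {v!r}")
    return v.upper()

def _port(v):
    p = int(v)
    if not 1 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return str(p)

def _net(v):
    # strict=False accepts host bits, so the page's 190.73.40.50/24
    # is normalized to 190.73.40.0/24 instead of being rejected
    return str(ipaddress.ip_network(v, strict=False))

def _geo(v):
    lat, lon = (float(x) for x in v.split(","))
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError(f"coordinates out of range: {v}")
    return f'"{lat}, {lon}"'  # one quoted "lat, lon" value, as on the page

def _text(v):
    v = v.strip()
    if not v:
        raise ValueError("empty value")
    # a value containing whitespace must be quoted, e.g. title:"Network Cube Camera"
    return f'"{v}"' if any(c.isspace() for c in v) else v

VALIDATORS = {"country": _country, "city": _text, "os": _text, "geo": _geo,
              "port": _port, "hostname": _text, "net": _net, "product": _text,
              "title": _text}

def build_query(text="", **filters):
    """Assemble a Shodan query string from free text plus keyword filters."""
    parts = [_text(text)] if text.strip() else []
    for name, value in filters.items():
        if name not in VALIDATORS:
            raise ValueError(f"unsupported filter: {name}")
        parts.append(f"{name}:{VALIDATORS[name](str(value))}")
    return " ".join(parts)

if __name__ == "__main__":
    print(build_query("ipcamera", country="ua", port=22))
    print(build_query(net="190.73.40.50/24", product="openssh"))
```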

Shodan Maps will help you visualize query results. Whether you need this tool is debatable. On the one hand, Shodan is used for targeted “work” on devices, which does not call for viewing the overall picture; on the other hand, if you just want to see the scale of a vulnerability, this is what will help you.

Shodan collects all the screenshots available to it, and you can view them in Shodan Images. Most are images from remote access sessions and CCTV cameras. Still, out of curiosity, you can look through these screenshots.

Another of the most useful functions of this search engine is Shodan Exploit. This tool collects vulnerabilities and exploits. Keep in mind that queries in this section are different: first we indicate the platform for which we want to find a vulnerability, then the type of vulnerability itself, for example platform:windows type:smb.

Using Shodan to exploit vulnerabilities

If you need to find network storage with default passwords, pay attention to Lenovo/EMC products. This is a former Iomega joint venture that left its imprint in the firmware code of its devices. When a remote connection is established, such storage devices send a header like “Set-Cookie: iomega=”. To find them, just enter this string into the Shodan search bar.

Many of the devices found use the standard password (ADMIN/ADMIN), just like this ix4-300d.

Web-based management typically uses Java applets that lack a digital certificate. Starting with version 1.7.51, the Java Runtime Environment removed the ability to run unsigned applets. However, the modern Java control panel only lets you add a site to the exception list, while Shodan finds devices by IP address. Therefore, only old versions of Java, which can be downloaded from the archived releases section, are suitable for managing the devices found.
More informative results can be obtained with filters, which become available after free registration. For example, the query title:"Network Cube Camera" returns a list of network cameras that required no password when Shodan discovered them. Most of them remain unprotected and accessible to everyone.
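The banner and title signatures above are just as useful from the other side of the table: a defender can run the same Shodan results against their own address space to find storage and cameras that should never have been exposed. The following Python is an added example and not part of the article; the record layout (ip_str, port, product, data, http.title) and the sample data are my assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the "matches" records that Shodan's
# search API returns (assumption: field names ip_str, port, product, data and
# http.title as I know them; IPs and banners are made up for this example).
SAMPLE = json.loads("""[
 {"ip_str": "203.0.113.10", "port": 80, "product": "lighttpd",
  "data": "HTTP/1.1 200 OK\\r\\nSet-Cookie: iomega=deadbeef; path=/\\r\\n",
  "http": {"title": "LenovoEMC"}},
 {"ip_str": "203.0.113.77", "port": 81, "product": null,
  "data": "HTTP/1.1 200 OK\\r\\nServer: WebServer\\r\\n",
  "http": {"title": "Network Cube Camera"}},
 {"ip_str": "198.51.100.5", "port": 22, "product": "OpenSSH",
  "data": "SSH-2.0-OpenSSH_8.4", "http": null}
]""")

# Signatures taken from the article: a banner string and a page title that
# identify device classes known for weak factory defaults.
SIGNATURES = {
    "lenovo_emc_nas": lambda m: "Set-Cookie: iomega=" in (m.get("data") or ""),
    "network_cube_camera": lambda m: (m.get("http") or {}).get("title") == "Network Cube Camera",
}

def flag_own_exposures(matches, own_nets):
    """Return (ip, port, signature) for records inside our own address ranges."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    hits = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in n for n in nets):
            continue  # someone else's device: not part of our inventory
        for name, test in SIGNATURES.items():
            if test(m):
                hits.append((m["ip_str"], m["port"], name))
    return hits

if __name__ == "__main__":
    for hit in flag_own_exposures(SAMPLE, ["203.0.113.0/24"]):
        print("exposed device in our range:", hit)
```

Every hit is a device to pull behind the firewall or re-credential, and an empty result on your own ranges is the outcome this check is meant to confirm.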

At such moments you should not forget about your own safety. It is not fully known how this search engine works; all we have are API keys and an open-source Python module, which is not enough to call it safe to use. It is quite possible that when you scan or make requests, the search engine scans your device in turn and adds what it learns about your vulnerabilities to its database.

Now let’s look at an option for more advanced users: the shodan module that ships with Metasploit.

I’ll briefly explain what Metasploit is and why we consider using the two together.
Metasploit is one of the most popular penetration testing frameworks. The framework is open source, which means that in addition to the stock exploit, scanner and payload modules we can add our own, keeping this tool always up to date.
What makes this framework interesting for us is that we can use Shodan as a starting point for testing and then, having found a vulnerability in the system or device of interest, carry out an attack using the main Metasploit modules.

Let's get to work
Launch Metasploit and load the Shodan module:

use auxiliary/gather/shodan_search

To display the main parameters, run the command:

info

Open your internet browser and go to the page shodan.io. Then, in the upper right corner, click on the “Show API Key” link and copy your API key.

Return to Metasploit and enter your API key.

To view the parameters that this module uses, run the command:

show options

The parameter descriptions are quite detailed and anyone can figure them out with a translator, so I don’t see the point in dwelling on this.
It will be useful to refer to official documentation to create correct queries.
Let's look at the simplest command to search for webcams:

set QUERY webcamxp

It's important to note that with a free Shodan account you cannot apply search filters such as country or city from Metasploit.

To start the module with the corresponding request, run the command:

run

Here is an example of a camera using standard user credentials that was found using Shodan.

Conclusion
Shodan is a powerful tool for detecting vulnerabilities in systems connected to the Internet. This article gives simple examples of gaining access to cameras, but the search engine offers far more. You can search for servers, routers and many other IoT devices. Do not forget the liability you may face for unauthorized actions against company resources.
You should also bear in mind that you may stumble upon a so-called honeypot, so when using this tool do not forget about your own security, for example by using a VPN or by first checking the security of your own system.
