How to Search Effectively on Shodan.io

Shodan.io is often referred to as the “search engine for the Internet of Things (IoT).” Unlike Google, which indexes websites, Shodan indexes internet-connected devices such as servers, webcams, routers, traffic lights, industrial control systems, and more. It provides a powerful platform for security researchers, IT administrators, and enthusiasts to explore the vast and often vulnerable ecosystem of connected devices.

Why Use Shodan?

Shodan provides valuable insights into:

  • Exposed IoT devices
  • Vulnerable web servers
  • Misconfigured security systems
  • Industrial Control Systems (ICS)
  • Devices running outdated firmware
  • Open databases (e.g., MongoDB, Elasticsearch, etc.)

Whether you’re a security researcher or just curious about the state of the internet, Shodan offers a wealth of information about devices that are exposed to the public.

Getting Started

To use Shodan, you’ll first need an account. Signing up is straightforward, and while some search features are available for free, advanced features may require a paid subscription.

Head over to Shodan.io to create your account.

Once signed up, you’re ready to start exploring the vast world of connected devices.

Basic Search Syntax

Shodan searches are structured similarly to how you’d use Google or any other search engine. You can input basic queries such as:

nginx

This query will search for all devices running the Nginx web server.

Some other simple search examples include:

apache

ftp

mongodb

These will return results for devices running Apache web servers, FTP servers, and MongoDB instances, respectively.

Filtering Search Results

Shodan supports several filters that help you narrow down results. Here are some of the most commonly used filters:

1. country

This filter limits results to devices located in a specific country. For example:

nginx country:GR

This query will find Nginx servers specifically in Greece.

2. city

You can search for devices in a specific city by using the city filter:

apache city:Thessaloniki

This will return Apache servers located in Thessaloniki.

3. port

If you’re interested in devices that have a specific port open, use the port filter. For instance, if you want to find all web servers running on the default HTTP port (80), you can search:

http port:80

Or for a database server such as MongoDB:

mongodb port:27017

4. hostname

This filter lets you search for devices that have a specific string in their hostname:

ftp hostname:example.com

This query will return FTP servers whose hostname contains the string “example.com.”

5. org

The org filter is useful for finding devices owned by a specific organization. For example, to search for devices belonging to Google:

nginx org:Google

This will return Nginx servers that are owned or operated by Google.

6. os

Shodan allows you to search for devices running a specific operating system:

os:"Windows 7"

This will list all devices running Windows 7. You can also use broader searches, like:

os:Linux

Combining Filters

You can combine multiple filters in a single query for more refined results. For example:

nginx country:GR port:80

This query will return Nginx web servers in Greece that are listening on port 80.

Or:

ftp org:Microsoft port:21

This will return FTP servers running on port 21 and owned by Microsoft.
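When queries are assembled in a script, a filter value that contains a space has to be wrapped in double quotes, otherwise the words after the space are treated as separate search terms. The sketch below is an added example, not part of the original article or of the shodan library: build_query and KNOWN_FILTERS are hypothetical names, and the filter list is limited to the filters used on this page.

```python
# Added example: compose a Shodan query from free text plus filters.
# build_query and KNOWN_FILTERS are hypothetical; the names in the set
# are the filters this page uses.
KNOWN_FILTERS = {"country", "city", "port", "hostname", "org", "os",
                 "vuln", "ssl.cert.expired"}


def build_query(text="", **filters):
    """Return a query string such as 'nginx country:GR port:80'."""
    parts = [text.strip()] if text.strip() else []
    for name, value in filters.items():
        # Keyword arguments cannot contain dots, so accept a double
        # underscore: ssl__cert__expired -> ssl.cert.expired
        name = name.replace("__", ".")
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        # Booleans are written in lower case (true/false) in a query.
        value = str(value).lower() if isinstance(value, bool) else str(value)
        if '"' in value:
            raise ValueError("double quotes are not allowed in filter values")
        # Quote any value with whitespace so it stays a single filter value.
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_query("nginx", country="GR", port=80))
    print(build_query(os="Windows 7"))
    print(build_query(ssl__cert__expired=True))
```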

Advanced Search Techniques

Shodan offers a few advanced search features that help you zero in on specific vulnerabilities or security issues.

1. Searching for Vulnerabilities

Shodan’s search engine can identify vulnerabilities on devices, and it supports querying for Common Vulnerabilities and Exposures (CVEs). For example:

vuln:CVE-2020-3452

This search will show devices affected by the CVE-2020-3452 vulnerability. You can find the CVE identifier from public vulnerability databases or Shodan’s own vulnerability listings.

2. Searching for SSL Certificates

Shodan allows you to search for SSL certificates as well. For example, if you want to find devices with expired SSL certificates, you could use:

ssl.cert.expired:true

This query returns devices with expired certificates.

3. Banner Information

Each device indexed by Shodan provides “banner” information that contains details about the service running on a device. Shodan has no banner filter; a search term without a filter is matched against the banner text itself, so to look for specific text in a device’s banner, search for the quoted phrase:

"Unauthorized access"

This would return results where the banner text contains “Unauthorized access,” which might indicate misconfigured or vulnerable services.

Saving and Exporting Search Results

Shodan allows you to save your search results for future use. To do this:

  1. Perform your search.
  2. In the search results page, click the Save button to store your search.
  3. You can also export your results as a CSV file (available for paid accounts) for further analysis.

Shodan API

If you’re interested in automating your searches or integrating Shodan’s data into your own applications, Shodan provides an API. Here’s an example of a simple Python script using the Shodan API:

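import os
import shodan

# Read the key from the environment instead of hard-coding it in the script
API_KEY = os.environ.get('SHODAN_API_KEY', 'YOUR_API_KEY')
api = shodan.Shodan(API_KEY)

try:
    # Perform a search
    results = api.search('nginx')

    # Show results: the IP address and the raw banner of each match
    for result in results['matches']:
        print(f"IP: {result['ip_str']} - {result['data']}")
except shodan.APIError as e:
    # Raised by the library when the API rejects the request
    print(f"Error: {e}")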

With the API, you can programmatically search, analyze, and retrieve data from Shodan, making it a powerful tool for researchers and developers.
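A defensive use of the API is to review what Shodan has indexed for your own organization and flag anything that should not be public. The following is an added example, not code from the original article: review_exposure, EXPECTED_PORTS and SAMPLE_MATCHES are hypothetical names, the records are constructed in the shape of results['matches'] so the script runs offline, and the ssl and vulns field layout is assumed from Shodan's banner format.

```python
# Added example: triage Shodan matches for address space you own.
# All names here are hypothetical and the records are constructed.
EXPECTED_PORTS = {80, 443}  # assumption: the only services meant to be public

SAMPLE_MATCHES = [  # constructed records using documentation-range addresses
    {"ip_str": "192.0.2.10", "port": 443, "product": "nginx",
     "ssl": {"cert": {"expired": True}}},
    {"ip_str": "192.0.2.11", "port": 27017, "product": "MongoDB"},
    {"ip_str": "192.0.2.12", "port": 80, "product": "nginx",
     "vulns": {"CVE-XXXX-YYYY": {"verified": False}}},  # placeholder id
    {"ip_str": "192.0.2.13", "port": 443, "product": "nginx",
     "ssl": {"cert": {"expired": False}}},
]


def review_exposure(matches, expected_ports=EXPECTED_PORTS):
    """Return (ip, port, reasons) for every record that needs follow-up."""
    findings = []
    for m in matches:
        reasons = []
        # A service on a port nobody planned to publish, e.g. a database.
        if m.get("port") not in expected_ports:
            reasons.append("unexpected port")
        # Same condition the ssl.cert.expired:true filter selects.
        if m.get("ssl", {}).get("cert", {}).get("expired"):
            reasons.append("expired certificate")
        # Keep the verified flag: unverified entries need confirming
        # against the real host before they are treated as findings.
        for cve, info in sorted(m.get("vulns", {}).items()):
            status = "verified" if info.get("verified") else "unverified"
            reasons.append(f"{cve} ({status})")
        if reasons:
            findings.append((m.get("ip_str"), m.get("port"), reasons))
    return findings


if __name__ == "__main__":
    for ip, port, reasons in review_exposure(SAMPLE_MATCHES):
        print(f"{ip}:{port} -> {', '.join(reasons)}")
```

With a live key, pass the matches list returned by api.search for a query scoped to your own organization, such as one using the org filter, in place of SAMPLE_MATCHES.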