Last updated on September 18, 2020
Shodan is a search engine to find specific services such as webcams, SCADA systems, linksys…
Its operation is simple but effective: it scans the whole internet and uses the information returned by the device banners to discover the software version, the device model, etc.
Shodan is especially useful for the investigation of IoT devices, since there are millions of devices online with vulnerabilities that can be located by the information they provide in their responses.
Mode of use
First, I’ll do a simple search. I’m going to look at the different Apache servers in the world. To do this, just type “apache” into the search engine.
On the left we can see the number of results. Shodan has 23 million servers indexed that use Apache. Below we can see a ranking of countries where these devices have been found.
Following with the left column, we can see the main ports where this service has been found. Since Apache is a web server, most of them have been found on ports 80 (HTTP) and 443 (HTTPS). But we can see that many others have been found on ports 8080, 8081 and 8085.
We are also shown the devices found according to the company that owns them, and according to the operating system that hosts them. All this data is obtained from the response that the service returns in the form of a banner when Shodan has scanned it.
In the right column we find the detailed information of the search results, showing IP, domain name, ISP, when it was last scanned, its location, and the very banner from where it has obtained the information.
Then, if we click on one of the results, we can see information in detail:
In this view we can see the information about the host, all the ports it has open, and the banners of all the services it has running. In addition, it shows us a list of known vulnerabilities that have been found in the server.
It is very important to understand that Shodan does not scan the whole Internet every time we perform a search (this would be literally impossible), but it performs a periodic scan, little by little, and what it shows us are the devices that fulfilled the characteristics of our search the last time they were scanned.
Therefore, it is possible that Shodan returns a result and when we go to check it, that service is no longer running on that port, or the software version has changed.
It shows the services/devices that are in Madrid.
It shows the devices/services found in Spain.
It shows the devices/services found in Murcia (38,-1.1).
It shows devices/services with “google” domain name. For example, we can find all the Google Web Servers with the search “Server: gws” hostname: “google”
It shows the devices/services on the subnet 123.456.789.0/24.
It shows the devices/services with Windows 2003 operating system.
It shows the devices that have services running on port 22 (usually ssh).
A service can run on any port, but by convention this is the most common service/port list:
993 (IMAP + SSL)
995 (POP3 + SSL)
5632 (PC Anywhere)
28017 (MongoDB Web)
Displays all devices/services scanned in 2018.
In the filters lies the true power of shodan. We can combine all these filters to get very specific results, and get very interesting information if we are doing a pentest or a red team exercise.
We can use Shodan to search for webcams, routers, SCADA systems (that control gas stations, power stations, nuclear plants)… Even traffic lights!
Here you can find a list of the most searched terms in Shodan. By registering you can perform a certain number of searches each day. If you are interested in performing more searches or want to use the Shodan API, you will need a Pro account.
Finally, remember that giving you this information is completely legal, but what you do with it may not be.