
Passive Data Collecting: Shodan

Data collecting is the first step of pentesting. The more data you have, the easier and faster it is to be successful. Passive data collecting means collecting data about your target without contacting the target directly, which means collecting it from the internet. There are lots of tools and methods for collecting data about a target, though Shodan has always been in the front line.

Basically, Shodan is almost the same as Google, though some of its features make it different. Shodan scans the internet for systems, devices and so on, and classifies them by their ports, operating systems, locations and service data. It then uses this information to scan for possible vulnerabilities. With this information, you can search within any country you want. Not only that: with the ScanHub service, Shodan can also take the outputs of some scanning devices, which helps with analyzing the results visually. (You must pay to get this feature.)

With Shodan, you can access hidden cameras connected to the internet, SSH servers, web applications, network devices, SCADA and PLC systems and much more.

There are specific search commands in Shodan, just like in Google.

Port Scanning

port:23

As you can see, it shows us systems that have port 23 (telnet) open. You don’t have to search for a single port every time; you can search for port intervals too.

port:21-25 and 80

Now we have searched the port interval 21-25 together with port 80. To see more details, click the “Details” button below the IP address.

On the map above, you can see your target’s location. On the right side, you can see the open ports that the system has, and right below them the services currently running on the system. Wait a minute, it also shows the vulnerabilities on the left side! 😀 Like I said earlier, Shodan does port, service and vulnerability scanning. That’s exactly why it’s such an important tool. You can get into the system by exploiting them. By the way, you can also search for exploits on Shodan.

| Filter | Command | Example |
|---|---|---|
| Author | author | author:"kingcope" |
| Bugtraq ID | bid | bid:"48581" |
| Exploit Code | code | code:"</D:propfind>" |
| CVE | cve | cve:"CVE-2011-2064" |
| Exploit Description | description | description:"cisco content" |
| Microsoft Security Bulletin ID | msb | msb:"MS16-010" |
| Open Source Vulnerability DB ID | osvdb | osvdb:"86562" |
| Source | source | source:"CVE" |
| Platform | platform | platform:"linux" |
| Port | port | port:"443" |
| Title | title | title:"Apache Win32" |
| Type | type | type:"remote" |

link: exploits.shodan.io

Exploit Scanning

author:ismail tasdelen

With the author parameter, you can see the exploits of İsmail Taşdelen.

platform:linux type:local

With the platform parameter you can see the exploits that work on that operating system, whether they are local or remote.

You can also access webcams that have default passwords with Shodan.

Server:SQ-WEBCAM


You can see the top-voted searches in the Explore section of the Shodan menu.

OS Scanning

os:windows


Country

You can search in a specific country by typing in its country code. For example: country:is (Iceland)

City

Searching for systems in specific cities is possible as well.

As you can see, Shodan gives us so many options. Let me give you an example along with the other parameters that I need to talk about:

country:is org:"EAMAN Customers" product:MySQL

With this, I searched Iceland for devices of EAMAN Customers that use MySQL, but I wish I hadn’t found this device. I have never seen this many vulnerabilities together on one device before. 😀 And if port 3389 (Remote Desktop Protocol) is open on it, don’t be surprised if you’re faced with the login screen right away. 🙂
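To see how combined filters like the ones above narrow a result set, here is an added example (not code from the original post or from Shodan) that parses `filter:value` queries and applies them to an inventory of your own hosts, showing which of them such a search would surface. The inventory records, their field names and the function names are assumptions, and matching is simplified to exact, case-insensitive equality.

```python
import shlex

# Constructed inventory of hosts you own (documentation IPs). Field names are
# assumptions modelled on the filters used on this page, not Shodan's schema.
INVENTORY = [
    {"ip": "192.0.2.10", "port": 23, "os": "linux", "country": "IS",
     "org": "Example Org", "product": "telnetd"},
    {"ip": "192.0.2.11", "port": 3306, "os": "windows", "country": "IS",
     "org": "Example Org", "product": "MySQL"},
    {"ip": "192.0.2.12", "port": 3389, "os": "windows", "country": "TR",
     "org": "Example Org", "product": "Remote Desktop"},
    {"ip": "192.0.2.13", "port": 443, "os": "linux", "country": "TR",
     "org": "Other Org", "product": "nginx"},
]


def parse_query(query):
    """Split a filter:value query into a dict, keeping quoted values whole."""
    # Web pages often turn straight quotes into typographic ones; undo that.
    query = query.replace("\u201c", '"').replace("\u201d", '"')
    filters = {}
    for term in shlex.split(query):
        name, sep, value = term.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"not a filter:value term: {term!r}")
        filters[name.lower()] = value
    return filters


def matches(record, filters):
    """True when every filter equals the record's field, ignoring case."""
    return all(
        name in record and str(record[name]).lower() == value.lower()
        for name, value in filters.items()
    )


def exposed(query, inventory=INVENTORY):
    """Return the IPs in the inventory that the query would select."""
    filters = parse_query(query)
    return [host["ip"] for host in inventory if matches(host, filters)]


if __name__ == "__main__":
    for q in ("port:23", "os:windows", 'country:is org:"Example Org" product:MySQL'):
        print(q, "->", exposed(q))
```

Every filter in a query has to match, so each added term shrinks the list; a host that still appears for `port:23` or port 3389 is one to close or put behind a VPN.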

Hope you liked it!


Melisa Ayşe Demirel
KernelBlog.org | Author - Translator