Passive Data Collecting: Shodan
Data collecting is the first step of pentesting. The more data you have, the easier and faster it is to be successful. Passive data collecting means gathering data about your target without directly contacting it, in other words, from what is already available on the internet. There are lots of tools and methods for collecting data about a target, but Shodan has always been near the top of the list.
Basically, Shodan is almost the same as Google, but some of its features set it apart. Shodan scans the internet for systems, devices and so on, and classifies them by their ports, operating systems, locations and service data. It then uses this information to flag possible vulnerabilities. With this information you can search based on any country you want. Not only that: with the ScanHub service, Shodan can also take the output of some scanning tools, which helps with analyzing the results visually. (You must pay to get this feature.)
With Shodan you can find cameras connected to the internet, SSH servers, web applications, network devices, SCADA and PLC systems and much more.
Shodan has specific search filters, just like Google's search operators.
As you can see, it shows us systems with port 23 (telnet) open. You don't have to search for a single port every time; you can search for port ranges too.
port:21-25 and 80
This searches ports 21 through 25 together with port 80. To see more details, click the "Details" button below the IP address.
On the map above, you can see your target's location. On the right side, you can see the open ports on the system, and right below that the services currently running on it. Wait a minute, it also shows the vulnerabilities on the left side! 😀 Like I said earlier, Shodan does port, service and vulnerability scanning. That's exactly why it's such an important tool: those vulnerabilities are what an attacker would exploit to get into the system. By the way, you can also search for exploits on Shodan.
| Filter | Parameter | Example |
|---|---|---|
| Exploit Description | description | description:"cisco content" |
| Microsoft Security Bulletin ID | msb | msb:"MS16-010" |
| Open Source Vulnerability DB ID | osvdb | osvdb:"86562" |
With the author parameter you can list the exploits written by İsmail Taşdelen.
With the platform parameter you can see the exploits that work on a given operating system, whether local or remote.
With Shodan you can also find webcams that still have default passwords.
You can see the top-voted searches in the Explore section of the Shodan menu.
You can restrict a search to a country by typing in its two-letter country code, for example country:is (Iceland).
Searching for systems in a specific city is possible as well.
As you can see, Shodan gives us a lot of options. Here is an example that combines the other parameters I need to talk about:
country:is org:"EAMAN Customers" product:MySQL
With this, I searched for devices belonging to "EAMAN Customers" in Iceland that run MySQL, but I wish I hadn't found this device. I have never seen this many vulnerabilities on one device before. 😀 And if port 3389 (Remote Desktop Protocol) is open on it, don't be surprised if you're faced with the login screen right away. 🙂
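The same filters are just as useful for checking your own organization's exposure. The following is an added example, not code from the post: it builds a query string from filter/value pairs (quoting values with spaces as in the org filter above), summarises Shodan-style match records into a report that ranks hosts by the CVEs Shodan attached and flags exposed RDP, and only talks to the real API through the official shodan Python client when SHODAN_API_KEY is set. The sample records and their CVE ids are constructed placeholders.

```python
import os

# Constructed sample in the shape of Shodan "matches" records; not real hosts.
# CVE ids are placeholders, not real vulnerability identifiers.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 3306, "product": "MySQL",
     "vulns": {"CVE-0000-0001": {}, "CVE-0000-0002": {}}},
    {"ip_str": "203.0.113.10", "port": 3389, "product": "Remote Desktop Protocol",
     "vulns": {}},
    {"ip_str": "203.0.113.11", "port": 23, "product": "telnetd", "vulns": {}},
]


def build_query(**filters: str) -> str:
    """Compose a Shodan search string from filter=value pairs, quoting values
    that contain spaces the way org:"EAMAN Customers" does in the post."""
    parts = []
    for name, value in filters.items():
        parts.append(f'{name}:"{value}"' if " " in value else f"{name}:{value}")
    return " ".join(parts)


def exposure_report(matches: list) -> list:
    """One row per host/port: product, number of CVEs Shodan attached to the
    banner, and whether the exposed service is RDP (port 3389). Sorted so the
    hosts with the most vulnerabilities, i.e. the ones to fix first, come first."""
    rows = []
    for m in matches:
        vulns = list(m.get("vulns") or [])  # dict keyed by CVE id (or a list)
        rows.append({"ip": m["ip_str"], "port": m["port"],
                     "product": m.get("product", "unknown"),
                     "cve_count": len(vulns), "rdp_exposed": m["port"] == 3389})
    return sorted(rows, key=lambda r: (-r["cve_count"], r["ip"], r["port"]))


def live_matches(query: str) -> list:
    """Run the query through the official 'shodan' client when SHODAN_API_KEY
    is set (needs network access); otherwise return [] so the script works offline."""
    key = os.environ.get("SHODAN_API_KEY")
    if not key:
        return []
    import shodan  # pip install shodan
    return shodan.Shodan(key).search(query)["matches"]


if __name__ == "__main__":
    query = build_query(country="is", org="EAMAN Customers", product="MySQL")
    print("query:", query)
    for row in exposure_report(live_matches(query) or SAMPLE_MATCHES):
        print(row)
```

Swap the org filter for your own organization's name and the report becomes a quick inventory of what Shodan already knows about your perimeter.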
Hope you liked it!