Complete Guide to Shodan
Collect. Analyze. Visualize. Make Internet Intelligence Work for You.
John Matherly
This book is for sale at http://leanpub.com/shodan
This version was published on 2016-02-25
*****
This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do.
*****
© 2015-2016 Shodan, LLC
Table of Contents
Introduction
  All About the Data
  SSL In Depth
  Data Collection
Web Interfaces
  Search Query Explained
  Introducing Filters
  Shodan Search Engine
  Shodan Maps
  Shodan Exploits
  Shodan Images
  Exercises: Website
External Tools
  Shodan Command-Line Interface
  Maltego Add-On
  Browser Plug-Ins
  Exercises: Command-Line Interface
Developer API
  Usage Limits
  Introducing Facets
  Getting Started
  Initialization
  Search
  Host Lookup
  Scanning
  Real-Time Stream
  Network Alert
  Example: Public MongoDB Data
  Exercises: Shodan API
Industrial Control Systems
  Common Abbreviations
  Protocols
  Securing Internet-Connected ICS
  Use Cases
Appendix A: Banner Specification
  General Properties
  HTTP(S) Properties
  Location Properties
  SSL Properties
  Special Properties
  Example
Appendix B: List of Search Filters
  General Filters
  NTP Filters
  SSL Filters
  Telnet Filters
Appendix C: Search Facets
  General Facets
  NTP Facets
  SSH Facets
  SSL Facets
  Telnet Facets
Appendix D: List of Ports
Appendix E: Sample SSL Banner
Exercise Solutions
  Website
  Command-Line Interface
  Shodan API
Introduction
Shodan is a search engine for Internet-connected devices. Web search engines, such as Google and Bing, are great for finding websites. But what if you're interested in finding computers running a certain piece of software (such as Apache)? Or if you want to know which version of Microsoft IIS is the most popular? Or you want to see how many anonymous FTP servers there are? Maybe a new vulnerability came out and you want to see how many hosts it could infect? Traditional web search engines don't let you answer those questions.
All About the Data
Banner
The basic unit of data that Shodan gathers is the banner. The banner is textual information that describes a service on a device. For web servers this would be the headers that are returned or for Telnet it would be the login screen.
The content of the banner varies greatly depending on the type of service. For example, here is a typical HTTP banner:
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive
The above banner shows that the device is running the nginx web server software with a version of 1.1.19. To show how different the banners can look, here is a banner for the Siemens S7 industrial control system protocol:
Copyright: Original Siemens Equipment
PLC name: S7_Turbine
Module type: CPU 313C
Unknown (129): Boot Loader A
Module: 6ES7 313-5BG04-0AB0 v.0.3
Basic Firmware: v.3.3.8
Module name: CPU 313C
Serial number of module: SQ-D9U083642013
Plant identification:
Basic Hardware: 6ES7 313-5BG04-0AB0 v.0.3
The Siemens S7 protocol returns a completely different banner, this time providing information about the firmware, its serial number and a lot of detailed data to describe the device.
You have to decide what type of service you're interested in when searching in Shodan because the banners vary greatly.
Note: Shodan lets you search for banners - not hosts. This means that if a single IP exposes many services they would be represented as separate results.
Device Metadata
In addition to the banner, Shodan also grabs meta-data about the device such as its geographic location, hostname, operating system and more (see Appendix A). Most of the meta-data is searchable via the main Shodan website, however a few fields are only available to users of the developer API.
IPv6
As of October 2015, Shodan gathers millions of banners per month for devices accessible on IPv6. Those numbers still pale in comparison to the hundreds of millions of banners gathered for IPv4 but it is expected to grow over the coming years.
SSL In Depth
SSL is becoming an ever more important aspect of serving and consuming content on the Internet, so it's only fit that Shodan extends the information that it gathers for every SSL-capable service. The banners for SSL services, such as HTTPS, include not just the SSL certificate but also much more. All the collected SSL information discussed below is stored in the ssl property on the banner (see Appendix A and Appendix E).
Vulnerability Testing
Heartbleed
If the service is vulnerable to Heartbleed then the banner contains 2 additional properties. opts.heartbleed contains the raw response from running the Heartbleed test against the service. Note that for the test the crawlers only grab a small overflow to confirm the service is affected by Heartbleed but it doesn't grab enough data to leak private keys. The crawlers also add CVE-2014-0160 to the opts.vulns list if the device is vulnerable. However, if the device is not vulnerable then it adds "!CVE-2014-0160". If an entry in opts.vulns is prefixed with a ! or - then the service is not vulnerable to the given CVE.
{
  "opts": {
    "heartbleed": "... 174.142.92.126:8443 - VULNERABLE\n",
    "vulns": ["CVE-2014-0160"]
  }
}
Shodan also supports searching by the vulnerability information. For example, to search Shodan for devices in the USA that are affected by Heartbleed use:
country:US vuln:CVE-2014-0160
FREAK
If the service supports EXPORT ciphers then the crawlers add the "CVE-2015-0204" item to the opts.vulns property:
"opts": {
  "vulns": ["CVE-2015-0204"]
}
Logjam
The crawlers try to connect to the SSL service using ephemeral Diffie-Hellman ciphers and if the connection succeeds the following information is stored:
"dhparams": {
  "prime": "bbbc2dcad84674907c43fcf580e9…",
  "public_key": "49858e1f32aefe4af39b28f51c…",
  "bits": 1024,
  "generator": 2,
  "fingerprint": "nginx/Hardcoded 1024-bit prime"
}
Version
Normally, when a browser connects to an SSL service it will negotiate the SSL version and cipher that should be used with the server. They will then agree on a certain SSL version, such as TLSv1.2, and then use that for the communication.
Shodan crawlers start out the SSL testing by doing a normal request as outlined above where they negotiate with the server. However, afterwards they also explicitly try connecting to the server using a specific SSL version. In other words, the crawlers attempt to connect to the server using SSLv2, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 explicitly to determine all the versions that the SSL service supports. The gathered information is made available in the ssl.versions field:
{
  "ssl": {
    "versions": ["TLSv1", "SSLv3", "-SSLv2", "-TLSv1.1", "-TLSv1.2"]
  }
}
If the version has a - (dash) in front of the version, then the device does not support that SSL version. If the version doesn't begin with a -, then the service supports the given SSL version. For example, the above server supports:
TLSv1
SSLv3
And it denies versions:
SSLv2
TLSv1.1
TLSv1.2
The version information can also be searched over the website/API. For example, the following search query would return all SSL services (HTTPS, POP3 with SSL, etc.) that allow connections using SSLv2:
ssl.version:sslv2
Follow the Chain
The certificate chain is the list of SSL certificates from the root to the end-user. The banner for SSL services includes an ssl.chain property that includes all of the SSL certificates of the chain in PEM-serialized certificates.
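The following is an added example, not code from the book or from Shodan, that reads the opts.vulns, ssl.versions and ssl.dhparams conventions described in this section off a banner and turns them into a triage view. SAMPLE_BANNER is a hand-constructed record in that layout (ip_str and port follow Appendix A; the IP is from a documentation range).

```python
"""Interpret the Heartbleed/FREAK flags, explicit SSL version probes and
Logjam dhparams recorded on a Shodan banner."""
from typing import Dict, List, Optional, Tuple

# Constructed sample banner following the SSL In Depth layout (not a real host).
SAMPLE_BANNER: Dict = {
    "ip_str": "203.0.113.10",
    "port": 8443,
    "opts": {
        "heartbleed": "... 203.0.113.10:8443 - VULNERABLE\n",
        # No prefix = vulnerable; "!" or "-" prefix = tested and not vulnerable.
        "vulns": ["CVE-2014-0160", "!CVE-2015-0204"],
    },
    "ssl": {
        # A leading "-" marks a version the crawlers tried explicitly and the server refused.
        "versions": ["TLSv1", "SSLv3", "-SSLv2", "-TLSv1.1", "-TLSv1.2"],
        "dhparams": {"bits": 1024, "generator": 2,
                     "fingerprint": "nginx/Hardcoded 1024-bit prime"},
    },
}


def vuln_status(banner: Dict, cve: str) -> Optional[bool]:
    """True if opts.vulns lists `cve` as vulnerable, False if it is listed with a
    '!' or '-' prefix (tested, not vulnerable), None if the CVE was not tested."""
    for entry in banner.get("opts", {}).get("vulns", []):
        if entry.lstrip("!-") == cve:
            return not entry.startswith(("!", "-"))
    return None


def ssl_versions(banner: Dict) -> Tuple[List[str], List[str]]:
    """Split ssl.versions into (supported, denied) using the leading-dash convention."""
    supported: List[str] = []
    denied: List[str] = []
    for version in banner.get("ssl", {}).get("versions", []):
        if version.startswith("-"):
            denied.append(version[1:])
        else:
            supported.append(version)
    return supported, denied


def dh_bits(banner: Dict) -> Optional[int]:
    """Size of the ephemeral DH prime recorded in ssl.dhparams, if the crawlers got one."""
    return banner.get("ssl", {}).get("dhparams", {}).get("bits")


def summarize(banner: Dict) -> Dict:
    """Triage view of one SSL service built only from what the crawlers confirmed."""
    supported, _denied = ssl_versions(banner)
    return {
        "service": f"{banner['ip_str']}:{banner['port']}",
        "heartbleed": vuln_status(banner, "CVE-2014-0160"),
        "freak": vuln_status(banner, "CVE-2015-0204"),
        "legacy_versions": [v for v in supported if v in ("SSLv2", "SSLv3")],
        "dh_bits": dh_bits(banner),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_BANNER))
```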
Data Collection
Frequency
The Shodan crawlers work 24/7 and update the database in real-time. At any moment you query the Shodan website you're getting the latest picture of the Internet.
Distributed
Crawlers are present in countries around the world, including:
USA (East and West Coast)
China
Iceland
France
Taiwan
Vietnam
Romania
Czech Republic
Data is collected from around the world to prevent geographic bias. For example, many system administrators in the USA block entire Chinese IP ranges. Distributing Shodan crawlers around the world ensures that any sort of country-wide blocking won't affect data gathering.
Randomized
The basic algorithm for the crawlers is:
1. Generate a random IPv4 address
2. Generate a random port to test from the list of ports that Shodan understands
3. Check the random IPv4 address on the random port and grab a banner
4. Goto 1
This means that the crawlers don't scan incremental network ranges. The crawling is performed completely randomly to ensure a uniform coverage of the Internet and prevent bias in the data at any given time.
Web Interfaces
The easiest way to access the data that Shodan gathers is through the web interfaces. Almost all of them let you enter a search query, so let's discuss that first:
Search Query Explained
By default, the search query only looks at the main banner text and doesn't search the meta-data. For example, if you're searching for "Google" then the results will only include results where the text "Google" was shown in the banner; it wouldn't necessarily return results for Google's network range.
Shodan search for "Google"
As seen above, a search for "Google" returns a lot of Google Search Appliances that organizations have purchased and connected to the Internet; it doesn't return Google's servers.
Shodan will try to find results matching all search terms, which means that implicitly there is a + or AND between each search term. For example, the search query "apache+1.3" is equivalent to "apache 1.3".
To search the meta-data you need to use search filters.
Introducing Filters
Filters are special keywords that Shodan uses to let you narrow search results based on the meta-data of a service or device. The format for entering filters is:
filtername:value
Important: There is no space between the colon ":" and the value.
To use a value that contains a space with a filter you have to wrap the value in double quotes. For example, to find all devices on the Internet that are located in San Diego you would search for:
city:"San Diego"
A few filters let you specify several values that are separated by a comma ",". For example, to find devices that are running Telnet on ports 23 and 1023:
port:23,1023
If a filter doesn't allow commas in its value (ex. port, hostname, net) then it lets you provide multiple values. Filters can also be used to exclude results by prepending a minus sign "-" to the filter. For example, the following would return all devices that aren't located in San Diego:
-city:"San Diego"
Shodan supports a lot of filters, a few popular ones are:
Filter Name   Description                                                     Example
category      Available categories: ics, malware
city          Name of the city
country       Full country name
net           Only show results inside the provided IP range in CIDR format   net:190.30.40.0/24
org           Narrow results based on the organization that owns the IP       org:"Verizon Wireless"
See Appendix B for a full list of search filters that are available.
Shodan Search Engine
The main interface for accessing the data gathered by Shodan is via its search engine located at https://www.shodan.io
By default, the search query will look at the data collected within the past 30 days. This is a change from the old website at shodanhq.com, which searched the entire Shodan database by default. This means that the results you get from the website are recent and provide an accurate view of the Internet at the moment.
In addition to searching, the website also provides the following functionality:
Download Data
After completing a search there will be a button at the top called Download Data. Clicking on that button will provide you with the option of downloading the search results in JSON, CSV or XML formats.
The JSON format generates a file where each line contains the full banner and all accompanying meta-data that Shodan gathers. This is the preferred format as it saves all available information. And the format is compatible with the Shodan command-line client, meaning you can download data from the Shodan website then process it further using the terminal.
The CSV format returns a file containing the IP, port, banner, organization and hostnames for the banner. It doesn't contain all the information that Shodan gathers due to limitations in the CSV file format. Use this if you only care about the basic information of the results and want to quickly load it into external tools such as Excel.
The XML format is the old, deprecated way of saving search results. It is harder to work with than JSON and consumes more space, thereby making it suboptimal for most situations.
Downloading data consumes export credits, which are one-time use and purchased on the website. They aren't associated in any way with the Shodan API and they don't automatically renew every month. 1 export credit can be used to download up to 10,000 results.
Data files generated by the website can be retrieved in the Downloads section of the website, which you can visit by clicking on the button in the upper right corner.
Generate Report
The website lets you generate a report based off of a search query. The report contains graphs/charts providing you a big picture view of how the results are distributed across the Internet. This feature is free and available to anyone.
When you generate a report you are asking Shodan to take a snapshot of the search results and provide an aggregate overview. Once the report has been generated, it doesn't change or automatically update as new data is being collected by Shodan. This also means that you can generate a report once a month and keep track of changes over time by comparing it to reports of previous months. By clicking on the button in the top right corner you can get a listing of previously generated reports.
Shared Search Queries
Finding specific devices requires knowledge about the software they run and how they respond to banner grabs over the Internet. Fortunately, it is possible to leverage the shared knowledge of the community using the search directory on Shodan. People are able to readily describe, tag and share their search queries for others to use. If you're interested in getting started with Shodan, the shared searches should be your first stop.
Warning: Shared search queries are publicly viewable. Do not share queries that are sensitive or you don't want others to know about.
Example: Finding Non-Default Services
A common reaction I get when talking about devices exposed on the Internet is something like the following:
Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is also known as the concept of security by obscurity, and it's considered a largely ineffective, deprecated idea. What's worse is that it might give you, the owner of the server/device, a false sense of security. For example, let's take a look at people running OpenSSH on a non-standard port. To do this we will use the following search query:
product:openssh -port:22
The product filter is used to only show OpenSSH servers while -port:22 tells Shodan to exclude all results that were collected from the standard SSH port (22). To get a better overview of the search results let's generate a report:
The report also gives us a breakdown of the most common non-standard ports:
1. 2222: 323,930
2. 5000: 47,439
3. 23: 13,482
4. 26: 7,569
5. 5555: 6,856
6. 9999: 6,286
7. 82: 6,046
8. 2323: 3,622
9. 6666: 2,735
10. 3333: 2,644
These numbers don't look that random to me… Right away you should realize that your random choice of non-standard port might not be so unique. Port 2222 is popular the same way that HTTP on port 8080 is popular, and it's also the default port for the Kippo honeypot, though I doubt that many people are running honeypots. The next most popular port is 5000, which didn't follow the same pattern as the other ports to me (repeating/symmetric numbers). And it was around the same time that I realized that Australia was the 2nd most popular country to run OpenSSH on a non-standard port. I decided to take a closer look at Australia, and it turns out that there are nearly the same amount of servers running OpenSSH on port 5000 as there are on the default port 22. About 68,000 devices are running on the default port, and 54,000 on port 5000. Looking at a few banners we can determine that this is the SSH fingerprint that they all share:
5b:a2:5a:9a:91:28:60:9c:92:2b:9e:bb:7f:7c:2e:06
It appears that the Australian ISP BigPond installs/configures networking gear that not only runs OpenSSH on port 5000 (most likely for remote management) but also has the same SSH keys installed on all of them. The devices also happen to run an old version of OpenSSH that was released on September 4th 2007. There's no guarantee that running OpenSSH on the default port would've made them more security conscious, but their installation of ~54,000 devices is 25% of the total number of OpenSSH servers on the Internet running version 4.7 (side note: the most popular version of OpenSSH is 5.3).
Shodan Maps
Shodan Maps provides a way to explore search results visually instead of the text-based main website. It displays up to 1,000 results at a time and as you zoom in/out Maps adjusts the search query to only show results for the area you're looking at.
All search filters that work for the main Shodan website also work on Maps.
Map Styles
There are a variety of map styles available to present the data to your preference. Click on the gear button next to the search button for a list of options.
Satellite
Satellite without Labels
Streets (Light)
Streets (Dark)
Streets (Green)
Streets (Red)
Pirate
Shodan Exploits
Shodan Exploits collects vulnerabilities and exploits from CVE, ExploitDB and Metasploit to make it searchable via web interface.
The search filters available for Exploits are different than the rest of Shodan, though an attempt was made to keep them similar when possible.
Important: By default, Exploits will search the entire content of the available exploit information including meta-data. This is unlike Shodan, which only searches the banner text if no other filters are specified.
The following search filters are available:
Name          Description
author        Author of the vulnerability/exploit
description   Description
platform      Platform that it targets (ex: php, windows, linux)
type          Exploit type (ex: remote, dos)
Shodan Images
For a quick way to browse all the screenshots that Shodan collects check out Shodan Images. It is a user-friendly interface around the has_screenshot filter.
The search box at the top uses the same syntax as the main Shodan search engine. It is most useful to use the search box to filter by organization or netblock. However, it can also be used to filter the types of images that are shown.
Image data is gathered from 4 different sources:
VNC
RTSP
Webcams
X Windows
Each image source comes from a different port/service and therefore has a different banner. This means that if you only want to see images from webcams you could search for:
HTTP
To search for VNC you can search using authentication disabled and for RTSP you simply search with RTSP.
The images can also be found using the main Shodan website or Shodan Maps by using the has_screenshot:true filter in the search query. For example, to find images of VNC servers that have disabled authentication search for has_screenshot:true authentication disabled.
Exercises: Website
Exercise 1
Find the 4SICS website using Shodan.
Tip: Check out Appendix B for a list of search filters.
Exercise 2
Find the Rastalvskarn power plant.
Tip: It is running anonymous VNC and is located in the Swedish city of Nora
Exercise 3
How many IPs in Sweden are vulnerable to Heartbleed and still support SSLv2?
How many IPs are vulnerable to Heartbleed at your organization?
Exercise 4
Find all the industrial control systems in your town.
Exercise 5
Which RAT is most popular in Sweden?
External Tools
Shodan Command-Line Interface
Getting Started
The shodan command-line interface is packaged with the official Python library for Shodan, which means if you're running the latest version of the library you already have access to the CLI. To install the new tool simply execute:
easy_install shodan
Once the tool is installed it has to be initialized with your API key:
shodan init YOUR_API_KEY
Visit https://account.shodan.io to retrieve the API key for your account.
alert
The alert command provides you the ability to list, clear and remove network alerts that were created using the API.
convert
Convert the compressed JSON file generated by Shodan into a different file format. At the moment it only supports output to kml.
count
Returns the number of results for a search query.
$ shodan count microsoft iis 6.0
5360594
download
Search Shodan and download the results into a file where each line is a JSON banner (see Appendix A).
By default it will only download 1,000 results, if you want to download more look at the --limit flag.
The download command is what you should be using most often when getting results from Shodan since it lets you save the results and process them afterwards using the parse command. Because paging through results uses query credits, it makes sense to always store searches that you're doing so you won't need to use query credits for a search you already did in the past.
host
See information about the host such as where it's located, what ports are open and which organization owns the IP.
$ shodan host 189.201.128.250
info
Obtain general information about your API plan, including how many query and scan credits you have remaining this month.
$ shodan info
Query credits available: 5102
Scan credits available: 249
myip
Returns your Internet-facing IP address.
$ shodan myip
199.30.49.210
parse
Use parse to analyze a file that was generated using the download command. It lets you filter out the fields that you're interested in, convert the JSON to a CSV and is friendly for pipe-ing to other scripts.
The following command outputs the IP address, port and organization in CSV format for the previously downloaded Microsoft-IIS data:
$ shodan parse --fields ip_str,port,org --separator , microsoft-data.json.gz
scan
The scan command provides a few sub-commands but the most important one is submit which lets you perform network scans using Shodan.
$ shodan scan submit 202.69.165.20
search
This command lets you search Shodan and view the results in a terminal-friendly way. By default it will display the IP, port, hostnames and data. You can use the --fields parameter to print whichever banner fields you're interested in.
For example, to search Microsoft IIS 6.0 and print out their IP, port, organization and hostnames use the following command:
$ shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
stats
The stats command lets you print the facets for a search query.
For example, the following command shows the most popular countries where Apache web servers are located in:
$ shodan stats --facets country apache
Top 10 Results for Facet: country
US   8,336,729
DE   4,512,172
CN   1,470,434
JP   1,093,699
GB     832,221
NL     684,432
FR     667,871
CA     501,630
RU     324,698
BR     266,788
stream
The stream command provides access to the real-time stream of data that the Shodan crawlers collect.
The command supports many different flags, however there are 2 that are important to mention:
--datadir
The --datadir flag lets you specify a directory in which the streamed data should be stored. The files generated in the --datadir directory have the following naming convention:
YYYY-MM-DD.json.gz
A sample filename would be "2016-01-15.json.gz". Each day a new file is automatically generated as long as you keep the stream running. For example, the following command downloads all the data from the real-time stream and saves it in a directory called /var/lib/shodan/:
shodan stream --datadir /var/lib/shodan/
--limit
The --limit flag specifies how many results should be downloaded. By default, the stream command runs forever until you exit the tool. However, if you're only interested in collecting a sample of data then the --limit flag ensures you gather a small amount of records. For example:
shodan stream --limit 100
The above command would connect to the Shodan real-time stream, print out the first 100 records that are received and then exit.
--ports
The --ports flag accepts a comma-separated list of ports to let you stream only records gathered from those ports. The following command prints out a stream of banners that were collected from services running on port 80 or 8080:
shodan stream --ports 80,8080
Example: Telnet Research
Let's assume we want to perform research into devices on the Internet running Telnet. As a starting point we can combine all of the aforementioned commands into the following:
mkdir telnet-data
shodan stream --ports 23,1023,2323 --datadir telnet-data/ --limit 10000
First, we create a directory called telnet-data to store the Telnet data. Then we request 10,000 records (--limit 10000) from the stream on common Telnet ports (--ports 23,1023,2323) and store the results in the previously created directory (--datadir telnet-data/).
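Once the telnet-data/ directory has a YYYY-MM-DD.json.gz file in it, the next step is to work with it offline so no further query credits are spent. The following is an added example, not the Shodan CLI's own code, that does locally what the parse and stats commands above do: it reads the gzip-compressed JSON-lines layout, extracts fields like `parse --fields`, and counts a field like `stats --facets`. SAMPLE_RECORDS are constructed banners on the Telnet ports used above; field names follow Appendix A.

```python
"""Offline equivalent of `shodan parse --fields ...` and `shodan stats --facets ...`
for a file written by `shodan download` or `shodan stream --datadir`."""
import csv
import gzip
import io
import json
import os
import tempfile
from collections import Counter
from typing import Any, Dict, Iterable, Iterator, List, Tuple

# Constructed records in the stream's layout: one JSON banner per line (documentation IPs).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"ip_str": "198.51.100.7", "port": 23, "org": "Example Telco",
     "hostnames": ["cpe-7.example.net"], "data": "login: "},
    {"ip_str": "198.51.100.9", "port": 2323, "org": "Example Telco",
     "hostnames": [], "data": "BusyBox v1.19.4 built-in shell\r\nlogin: "},
    {"ip_str": "192.0.2.44", "port": 23, "org": "Example ISP",
     "hostnames": ["rtr44.example.org"], "data": "User Access Verification\r\n"},
    {"ip_str": "192.0.2.45", "port": 1023, "org": "Example ISP",
     "hostnames": [], "data": "login: "},
]


def write_gz_jsonl(path: str, records: Iterable[Dict[str, Any]]) -> None:
    """Write records as gzip-compressed JSON lines, the --datadir file layout."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for record in records:
            fh.write(json.dumps(record) + "\n")


def read_banners(path: str) -> Iterator[Dict[str, Any]]:
    """Yield one banner per line; skip blank lines and a truncated last line,
    which a stream interrupted mid-write can leave behind."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue


def get_field(banner: Dict[str, Any], field: str) -> Any:
    """Resolve a dotted field name such as ssl.versions or location.country_code."""
    value: Any = banner
    for part in field.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def parse_fields(banners: Iterable[Dict[str, Any]], fields: List[str],
                 separator: str = ",") -> str:
    """Like `shodan parse --fields f1,f2 --separator ,`: one delimited row per banner.
    List values (e.g. hostnames) are joined with ';' so they stay in one column."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter=separator, lineterminator="\n")
    for banner in banners:
        row = []
        for field in fields:
            value = get_field(banner, field)
            if value is None:
                row.append("")
            elif isinstance(value, list):
                row.append(";".join(str(v) for v in value))
            else:
                row.append(str(value))
        writer.writerow(row)
    return out.getvalue()


def facet(banners: Iterable[Dict[str, Any]], field: str, top: int = 10) -> List[Tuple[str, int]]:
    """Like `shodan stats --facets field`: the most common values of one field."""
    counts: Counter = Counter()
    for banner in banners:
        value = get_field(banner, field)
        if value is not None:
            counts[str(value)] += 1
    return counts.most_common(top)


def demo() -> Dict[str, Any]:
    """Round-trip SAMPLE_RECORDS through a .json.gz file and run both helpers on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "2016-01-15.json.gz")
        write_gz_jsonl(path, SAMPLE_RECORDS)
        banners = list(read_banners(path))
    return {
        "csv": parse_fields(banners, ["ip_str", "port", "org"]),
        "ports": facet(banners, "port"),
        "orgs": dict(facet(banners, "org")),
    }


if __name__ == "__main__":
    result = demo()
    print(result["csv"])
    for value, count in result["ports"]:
        print(f"{value:>6} {count}")
```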
Maltego Add-On
Maltego is an open source intelligence and forensics application; it lets you visually explore and correlate data from a variety of sources.
The Shodan add-on for Maltego provides 2 new entities (Service and Exploit) and 5 transforms:
searchShodan
searchShodanByDomain
searchShodanByNetblock
toShodanHost
searchExploits
Browser Plug-Ins
There are plugins available for both Chrome and Firefox that let you see what services a website exposes.
Exercises: Command-Line Interface
Exercise 1
Download the IPs vulnerable to Heartbleed in Sweden and Norway using the Shodan CLI.
Filter out the results for Sweden and store them in a separate file.
Note: Uncompress the file and look at the raw data to see the raw response from the Heartbleed test.
Exercise 2
Download 1,000 recent banners using the real-time stream and then map them using Google Maps.
Tip: shodan convert
Exercise 3
Write a script to download a list of known malware IPs and block any outgoing traffic to them.
Tip: iptables -A OUTPUT -d x.x.x.x -j DROP
Developer API

Shodan provides a developer API (https://developer.shodan.io/api) for programmatic access to the information that is collected. All of the websites and tools, including the main Shodan website, are powered by the API. Everything that can be done via the website can be accomplished from within your own code.

The API is divided into 2 parts: REST API and Streaming API. The REST API provides methods to search Shodan, look up hosts, get summary information on queries and a variety of utility methods to make developing easier. The Streaming API provides a raw, real-time feed of the data that Shodan is currently collecting. There are several feeds that can be subscribed to, but the data can't be searched or otherwise interacted with; it's a live feed of data meant for large-scale consumption of Shodan's information.

Note: Only users with an API subscription are able to access the Streaming API.

Usage Limits

There are 3 methods of the API that get limited depending on your API plan:

1. Searching
To limit the number of searches that can be performed per month Shodan uses query credits. 1 query credit is used when you perform a search containing filters or go past the 1st page. For example, if you search for "apache" that doesn't use any query credits. If you search for "apache country:US" that would use 1 query credit. Likewise, if you searched for the 2nd page of results for "apache" that would use 1 query credit. Finally, a search query for the 2nd page of "apache country:US" would also use up 1 query credit.

2. Scanning
The on-demand scanning API uses scan credits to limit the number of hosts that you can request Shodan to scan every month. For every host that you request a scan of, Shodan deducts 1 scan credit.

3. Network Alerts
The number of IPs that can be monitored using alerts is limited based on your API subscription. Only paid customers have access to this feature. And you can't create more than 100 alerts on your account.

Important: Query and scan credits get reset at the start of every month.
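The three limits above are easy to run into from a script that pages through results or submits a large scan. The following helper, an added example that is not from the book or the shodan library, lets a script estimate the cost of a request before making it. What counts as a "filter" in a query is an assumption (any name:value term such as country:US); the 100 results per page come from the Search section of the book, and the 1-credit-per-host and 100-alert rules from the text above.

```python
# Added example (not from the book): budgeting helpers for the three usage
# limits (query credits, scan credits, alert count). The definition of a
# "filter" term (anything containing ':') is an assumption.
import ipaddress
import math

PAGE_SIZE = 100     # results per page of a search, as stated in the Search section
MAX_ALERTS = 100    # cap on alerts per account, as stated above


def uses_filter(query):
    """True when the query contains a name:value filter term (assumption)."""
    return any(':' in token for token in query.split())


def query_credits(query, page=1):
    """Credits charged for one search request; page 1 of a plain query is free."""
    if page < 1:
        raise ValueError('pages are numbered from 1')
    return 1 if (uses_filter(query) or page > 1) else 0


def credits_for_results(query, wanted):
    """Credits needed to page through the first `wanted` results of `query`."""
    pages = max(1, math.ceil(wanted / PAGE_SIZE))
    return sum(query_credits(query, p) for p in range(1, pages + 1))


def scan_credits(networks):
    """One scan credit per host; accepts one string or a list of IPs / CIDR ranges."""
    if isinstance(networks, str):
        networks = [networks]
    return sum(ipaddress.ip_network(n, strict=False).num_addresses for n in networks)


def can_scan(networks, credits_left):
    """Refuse a scan request that would exceed the credits still available."""
    return scan_credits(networks) <= credits_left


def can_create_alert(active_alerts):
    """Another alert fits only while fewer than MAX_ALERTS are active."""
    return active_alerts < MAX_ALERTS


if __name__ == '__main__':
    print('apache, 1000 results:', credits_for_results('apache', 1000), 'credits')
    print('198.20.69.0/24 scan:', scan_credits('198.20.69.0/24'), 'credits')
```

Calling `credits_for_results('apache', 1000)` returns 9 (page 1 is free, pages 2 to 10 cost one credit each), while the same walk of `'apache country:US'` costs 10; a /24 consumes 256 scan credits, which is also the `size` the alert API reports for that range later in this chapter.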
Introducing Facets

Facets provide aggregate information about a specific field of the banner you're interested in. Filters let you narrow down search results while facets let you get a big picture view of the results. For example, the main Shodan website uses facets to provide the statistics information on the left side of the search results:

[Figure: facet statistics shown on the left side of the Shodan search results]

A long list of facets is available (see Appendix C) and using the API you are in control of which facets you care about. For example, searching for port:22 and faceting on the ssh.fingerprint facet will give you a breakdown of which SSH fingerprints are most commonly seen on the Internet. Facets are often the starting point for research into Internet-wide issues such as duplicate SSH keys, negligent hosting providers or country-wide security holes.

At the moment, facets are only available from the API and the Shodan command-line interface.

Getting Started

All the examples will be provided in Python and assume you have access to the command-line, though there are Shodan libraries/clients available in other languages as well.

To install the Shodan library for Python run the following command:

    easy_install shodan

If you already have it installed and want to upgrade to the latest version:

    easy_install -U shodan

Initialization

The first thing that always has to be done is initializing the Shodan API object:

    import shodan

    api = shodan.Shodan('YOUR API KEY')

Where YOUR API KEY is the API key for your account which you can obtain from:

https://account.shodan.io
Search

Now that we have our API object all good to go, we're ready to perform a search:

    # Wrap the request in a try/except block to catch errors
    try:
        # Search Shodan
        results = api.search('apache')

        # Show the results
        print('Results found: %s' % results['total'])
        for result in results['matches']:
            print('IP: %s' % result['ip_str'])
            print(result['data'])
            print('')
    except shodan.APIError as e:
        print('Error: %s' % e)

Stepping through the code, we first call the Shodan.search() method on the api object which returns a dictionary of result information. We then print how many results were found in total, and finally loop through the returned matches and print their IP and banner. Each page of search results contains up to 100 results.

There's a lot more information that gets returned by the function. See below for a shortened example dictionary that Shodan.search returns:

    {
        'total': 8669969,
        'matches': [
            {
                'data': 'HTTP/1.0 200 OK\r\nDate: Mon, 08 Nov 2010 05:09:59 GMT\r\nSer…',
                'hostnames': ['pl4t1n.de'],
                'ip': 3579573318,
                'ip_str': '89.110.147.239',
                'os': 'FreeBSD 4.4',
                'port': 80,
                'timestamp': '2014-01-15T05:49:56.283713'
            },
            ...
        ]
    }

See Appendix A for a complete list of properties that the banner may contain.

Important: By default, a few of the large fields in the banner such as "html" get truncated to reduce bandwidth usage. If you want to retrieve all the information simply disable minification using minify=False. For example, the following search query for anonymous VNC services would ensure all information is returned:

    results = api.search('has_screenshot:true', minify=False)

It's also good practice to wrap all API requests in a try/except clause, since any error will raise an exception. But for simplicity's sake, I will leave that part out from now on.

The above script only outputs the results from the 1st page of results. To get the 2nd page of results or more simply use the page parameter when doing the search request:

    results = api.search('apache', page=2)

Or if you want to simply loop over all possible results there's a method to make your life easier called search_cursor():

    for banner in api.search_cursor('apache'):
        print(banner['ip_str'])  # Print out the IP address for each banner

Important: The search_cursor() method only returns the banners and doesn't let you use facets. Only use it to loop over results.
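To make the relationship between the page parameter and search_cursor() concrete without needing an API key, here is an added example (not code from the book or the shodan library) that walks pages of results against a constructed in-memory stand-in for the API. FakeShodan, APIError and make_banners are assumptions that imitate the page= argument and the {'total', 'matches'} result shape shown above; with the real client you would pass a shodan.Shodan instance to iterate_results() instead.

```python
# Added example (not from the book): page-by-page iteration over search
# results, run offline against a constructed stand-in for the API.
PAGE_SIZE = 100          # each page of search results holds up to 100 matches


class APIError(Exception):
    """Stand-in for shodan.APIError (assumption)."""


class FakeShodan:
    """Constructed stand-in: a fixed banner list served one page at a time."""

    def __init__(self, banners):
        self._banners = list(banners)

    def search(self, query, page=1, minify=True):
        if page < 1:
            raise APIError('page must be 1 or greater')
        start = (page - 1) * PAGE_SIZE
        return {'total': len(self._banners),
                'matches': self._banners[start:start + PAGE_SIZE]}


def iterate_results(api, query, limit=None):
    """Yield banners page after page until the API returns an empty page,
    or until `limit` banners have been produced. Mirrors what
    search_cursor() does for the real client."""
    page, produced = 1, 0
    while True:
        results = api.search(query, page=page)
        if not results['matches']:
            return
        for banner in results['matches']:
            if limit is not None and produced >= limit:
                return
            yield banner
            produced += 1
        page += 1


def pages_needed(api, query):
    """Number of page requests a full walk of `query` takes, derived from 'total'."""
    total = api.search(query, page=1)['total']
    return -(-total // PAGE_SIZE) if total else 0


def make_banners(n):
    """Constructed sample data: n HTTP banners in the 203.0.113.0/24 test range."""
    return [{'ip_str': '203.0.113.%d' % (i % 256), 'port': 80,
             'data': 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'} for i in range(n)]


if __name__ == '__main__':
    api = FakeShodan(make_banners(250))
    print('pages needed:', pages_needed(api, 'apache'))
    for banner in iterate_results(api, 'apache', limit=5):
        print(banner['ip_str'])
```

With 250 constructed banners the walk takes three page requests (100, 100 and 50 matches) and a fourth request returns an empty page, which is what ends the loop; the limit argument is what the CLI's --limit option does for the stream.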
Host Lookup

To see what Shodan has available on a specific IP we can use the Shodan.host() function:

    # Lookup the host
    host = api.host('217.140.75.46')

    # Print general info
    print("""
    IP: %s
    Organization: %s
    Operating System: %s
    """ % (host['ip_str'], host.get('org', 'n/a'), host.get('os', 'n/a')))

    # Print all banners
    for item in host['data']:
        print("""
    Port: %s
    Banner: %s
    """ % (item['port'], item['data']))

By default, Shodan only returns information on the host that was recently collected. If you would like to get a full history of an IP address, include the history parameter. For example:

    host = api.host('217.140.75.46', history=True)

The above would return all banners, including for services that may no longer be active on the host.
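Because a history=True lookup mixes current and long-gone services, a script has to decide per port which banner is the newest and how old is too old. The example below is added here and is not from the book; it runs on a constructed host record shaped like the host() output (a 'data' list of banners with 'port', 'timestamp' and 'data'), and the 90-day staleness threshold is an assumption.

```python
# Added example (not from the book): reduce a host record with history to
# the newest banner per port and flag ports only seen in old collections.
from datetime import datetime, timedelta

# Constructed sample: one host collected three times on two ports
SAMPLE_HOST = {
    'ip_str': '198.51.100.7',
    'data': [
        {'port': 23, 'timestamp': '2015-03-01T10:00:00.000000',
         'data': 'login: '},
        {'port': 80, 'timestamp': '2015-06-10T12:30:00.000000',
         'data': 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'},
        {'port': 80, 'timestamp': '2015-09-20T08:15:00.000000',
         'data': 'HTTP/1.1 200 OK\r\nServer: nginx/1.8\r\n\r\n'},
    ],
}


def parse_ts(value):
    """Shodan timestamps look like '2014-01-15T05:49:56.283713'."""
    return datetime.strptime(value, '%Y-%m-%dT%H:%M:%S.%f')


def latest_per_port(host):
    """Return {port: newest banner} from a host record, with or without history."""
    newest = {}
    for banner in host['data']:
        port = banner['port']
        if port not in newest or parse_ts(banner['timestamp']) > parse_ts(newest[port]['timestamp']):
            newest[port] = banner
    return newest


def stale_ports(host, now, max_age_days=90):
    """Ports whose most recent observation is older than max_age_days.

    These are the services that 'may no longer be active'; treat them as
    unconfirmed rather than as currently exposed. The threshold is an assumption.
    """
    cutoff = now - timedelta(days=max_age_days)
    return sorted(port for port, banner in latest_per_port(host).items()
                  if parse_ts(banner['timestamp']) < cutoff)


def service_versions(host):
    """First line of the newest banner on each port, useful for change tracking."""
    return {port: banner['data'].splitlines()[0]
            for port, banner in latest_per_port(host).items()}


if __name__ == '__main__':
    now = parse_ts('2015-10-01T00:00:00.000000')
    print('current services:', service_versions(SAMPLE_HOST))
    print('stale ports:', stale_ports(SAMPLE_HOST, now))
```

On the sample record the Telnet banner on port 23 was last seen in March and is reported as stale, while port 80 resolves to the September nginx/1.8 banner rather than the older one, which is the distinction a history lookup otherwise leaves to the reader.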
Scanning

Shodan crawls the Internet at least once a month, but if you want to request Shodan to scan a network immediately you can do so using the on-demand scanning capabilities of the API.

Unlike scanning via a tool such as Nmap, the scanning with Shodan is done asynchronously. This means that after you submit a request to Shodan you don't get back the results immediately. It is up to the developer to decide how the results of the scan should be gathered: by looking up the IP information, searching Shodan or subscribing to the real-time stream. The Shodan command-line interface creates a temporary network alert after a scan was initiated and then waits for results to come through the real-time stream.

    scan = api.scan('198.20.69.0/24')

It's also possible to submit a list of networks at once by providing a list of addresses in CIDR notation:

    scan = api.scan(['198.20.49.30', '198.20.74.0/24'])

After submitting a scan request the API will return the following information:

    {
        'id': 'R2XRT5HH6X67PFAB',
        'count': 1,
        'credits_left': 5119
    }

The object provides a unique id that you can use for tracking purposes, the total count of IPs that were submitted for scanning and finally how many scan credits are left (credits_left).
Real-Time Stream

The Streaming API is an HTTP-based service that returns a real-time stream of data collected by Shodan. It doesn't provide any search or lookup capabilities, it is simply a feed of everything that is gathered by the crawlers.

For example, here is a script that outputs a stream of banners from devices that are vulnerable to FREAK (CVE-2015-0204):

    def has_vuln(banner, vuln):
        # 'opts' and 'vulns' are optional properties, so look them up defensively
        opts = banner.get('opts', {})
        if 'vulns' in opts and vuln in opts['vulns']:
            return True
        return False

    for banner in api.stream.banners():
        if has_vuln(banner, 'CVE-2015-0204'):
            print(banner)

To save space and bandwidth many properties in the banner are optional. To make working with optional properties easier it is best to wrap access to properties in a function. In the above example, the has_vuln() method checks whether the service is vulnerable for the provided CVE.

Note: Regular API subscriptions only have access to 1% of the feed. 100% access is available to data license customers only.
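The advice to wrap access to optional properties generalizes to a single dotted-path accessor, which the following added example (not from the book) shows together with a tally that a stream consumer could keep. It runs on a constructed batch of records in place of api.stream.banners(); the records, the org names and the get_path helper are assumptions.

```python
# Added example (not from the book): safe access to optional banner
# properties plus an exposure tally over a constructed stream batch.
from collections import Counter

# Constructed sample of stream records: 'opts' and 'opts.vulns' are optional
SAMPLE_STREAM = [
    {'ip_str': '192.0.2.10', 'port': 443, 'org': 'Example ISP',
     'opts': {'vulns': ['CVE-2015-0204']}},
    {'ip_str': '192.0.2.11', 'port': 443, 'org': 'Example ISP',
     'opts': {'vulns': ['CVE-2015-0204', 'CVE-2014-0160']}},
    {'ip_str': '192.0.2.12', 'port': 80, 'org': 'Other Net'},      # no 'opts' at all
    {'ip_str': '192.0.2.13', 'port': 443, 'opts': {}},              # 'opts' without 'vulns'
]


def get_path(banner, path, default=None):
    """Look up a dotted path such as 'opts.vulns' in nested dicts; return
    `default` as soon as any level is missing instead of raising KeyError."""
    node = banner
    for key in path.split('.'):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def has_vuln(banner, cve):
    """True when the banner's optional vulns list names the CVE."""
    return cve in get_path(banner, 'opts.vulns', default=[])


def filter_stream(banners, cves):
    """Yield only the banners flagged with at least one of the given CVEs."""
    for banner in banners:
        if any(has_vuln(banner, cve) for cve in cves):
            yield banner


def tally_vulns(banners):
    """Count (org, CVE) pairs so a defender can see which network carries what."""
    counts = Counter()
    for banner in banners:
        org = get_path(banner, 'org', default='unknown')
        for cve in get_path(banner, 'opts.vulns', default=[]):
            counts[(org, cve)] += 1
    return counts


if __name__ == '__main__':
    for banner in filter_stream(SAMPLE_STREAM, ['CVE-2015-0204']):
        print(banner['ip_str'])
    print(tally_vulns(SAMPLE_STREAM))
```

The two records without a vulns list are the point of the exercise: a direct banner['opts']['vulns'] lookup would raise on them, while get_path() returns the default and the tally simply skips them.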
Network Alert

A network alert is a real-time feed of data that is being collected by Shodan for a network range. To get started with network alerts requires 2 steps:

Creating a Network Alert

To create a network alert you need to provide a name and a network range. The name should be descriptive to let you know what the alert is monitoring or why it was created.

    alert = api.create_alert('Production network', '198.20.69.0/24')

As with the scan() method you can also provide a list of network ranges to monitor:

    alert = api.create_alert('Production and Staging network', [
        '198.20.69.0/24',
        '198.20.70.0/24',
    ])

Note: Only a limited number of IPs can be monitored using network alerts and an account can't have more than 100 alerts active.

A useful trick when combining network alerts with the scanning API is to set an expiration for the alert:

    alert = api.create_alert('Temporary alert', '198.20.69.0/24', expires=60)

The above alert would be active for 60 seconds and then expire, at which point the alert can't be used anymore.

Upon successfully creating an alert, the API will return the following object:

    {
        "name": "Production network",
        "created": "2015-10-17T08:13:58.924581",
        "expires": 0,
        "expiration": null,
        "filters": {
            "ip": ["198.20.69.0/24"]
        },
        "id": "EPGWQG5GEELV4799",
        "size": 256
    }

Subscribing

Once an alert has been created it is ready to be used as a real-time stream of data for that network.

    for banner in api.stream.alert(alert['id']):
        print(banner)

As with the regular, real-time stream the alert() method provides an iterator where each item is a banner as it's being collected by the Shodan crawlers. The only argument that the alert() method requires is the alert ID that was returned when creating the network alert.
Example: Public MongoDB Data

MongoDB is a popular NoSQL database and for a long time it didn't come with any authentication. This has resulted in many instances of MongoDB being publicly accessible on the Internet. Shodan grabs a banner for these databases that contains a lot of information about the data stored. Following is an excerpt from the banner:

    MongoDB Server Information
    …
    {
        "ok": 1.0,
        "tokumxAuditVersion": "unknown",
        "bits": 64,
        "tokukvVersion": "unknown",
        "tokumxVersion": "2.0.2",
        "javascriptEngine": "V8",
        "version": "2.4.10",
        "versionArray": [
            2,
            4,
            10,
            0
        ],
        "debug": false,
        "compilerFlags": "-fPIC -fno-strict-aliasing -ggdb -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -pipe -Wnon-virtual-dtor -Woverloaded-virtual -Wno-unused-local-typedefs -fno-builtin-memcmp -O3",
        "maxBsonObjectSize": 16777216,
        "sysInfo": "Linux vps-vivid-x64-04 2.6.32-042stab106.6 #1 SMP Mon Apr 20 14:48:47 MSK 2015 x86_64 x86_64 x86_64 GNU/Linux BOOST_LIB_VERSION=1_55",
        "loaderFlags": "",
        "gitVersion": "unknown"
    },
    ...

Basically, the banner is made up of a header that says "MongoDB Server Information" followed by 3 JSON objects that are separated by commas. Each JSON object contains different information about the database and I recommend you check out a full banner on Shodan (it's very long) by searching for:

    product:MongoDB

Let's use the banner information to determine which database names are most popular and how much data is publicly exposed on the Internet! The basic workflow will be to:

1. Download all MongoDB banners
2. Process the downloaded file and output a list of top 10 database names as well as the total data size

Downloading the data is simple using the Shodan command-line interface:

    shodan download --limit -1 mongodb.json.gz product:mongodb

The above command says to download all results (--limit -1) into a file called mongodb.json.gz for the search query product:mongodb. Now we just need a simple Python script to process the Shodan data file. To easily iterate over the file we're going to use the shodan.helpers.iterate_files() method:

    import shodan.helpers as helpers
    import sys

    # The data file is the 1st argument to the command
    datafile = sys.argv[1]

    for banner in helpers.iterate_files(datafile):
        # Now we have the banner
        ...
Since each banner is just JSON with some added header, let's process the banner into a native Python dictionary using the simplejson library:

    # Strip out the MongoDB header added by Shodan
    data = banner['data'].replace('MongoDB Server Information\n', '').split('\n},\n')[2]

    # Load the database information
    data = simplejson.loads(data + '}')

The only thing that's left is keeping track of the total amount of data that's exposed and the most popular database names:

    total_data = 0
    databases = collections.defaultdict(int)

    ...

    # Then in the loop

    # Keep track of how much data is publicly accessible
    total_data += data['totalSize']

    # Keep track of which database names are most common
    for db in data['databases']:
        databases[db['name']] += 1

Python has a useful collections.defaultdict class that automatically creates a default value for a dictionary key if the key doesn't yet exist. And we just access the totalSize and databases property of the MongoDB banner to gather the information we care about. Finally, we just need to output the actual results:

    print('Total: {}'.format(humanize_bytes(total_data)))
    counter = 1
    for name, count in sorted(databases.items(), key=operator.itemgetter(1), reverse=True)[:10]:
        print('#{}\t{}: {}'.format(counter, name, count))
        counter += 1

First, we print the total amount of data that's exposed and we're using a simple humanize_bytes() method to convert bytes into a human-readable format of GB/MB/etc. Second, we sort the databases collection in reverse order by the number of times that a certain database name was seen (key=operator.itemgetter(1)) and get the top 10 results ([:10]).
Below is the full script that reads a Shodan data file and analyzes the banner:

    import collections
    import operator
    import shodan.helpers as helpers
    import sys
    import simplejson


    def humanize_bytes(num_bytes, precision=1):
        """Return a humanized string representation of a number of bytes.

        >>> humanize_bytes(1)
        '1 byte'
        >>> humanize_bytes(1024)
        '1.0 kB'
        >>> humanize_bytes(1024*123)
        '123.0 kB'
        >>> humanize_bytes(1024*12342)
        '12.1 MB'
        >>> humanize_bytes(1024*12342, 2)
        '12.05 MB'
        >>> humanize_bytes(1024*1234, 2)
        '1.21 MB'
        >>> humanize_bytes(1024*1234*1111, 2)
        '1.31 GB'
        >>> humanize_bytes(1024*1234*1111, 1)
        '1.3 GB'
        """
        abbrevs = (
            (1 << 50, 'PB'),
            (1 << 40, 'TB'),
            (1 << 30, 'GB'),
            (1 << 20, 'MB'),
            (1 << 10, 'kB'),
            (1, 'bytes')
        )
        if num_bytes == 1:
            return '1 byte'
        # Pick the largest unit that does not exceed the value
        for factor, suffix in abbrevs:
            if num_bytes >= factor:
                break
        return '%.*f %s' % (precision, num_bytes / factor, suffix)


    total_data = 0
    databases = collections.defaultdict(int)

    for banner in helpers.iterate_files(sys.argv[1]):
        try:
            # Strip out the MongoDB header added by Shodan
            data = banner['data'].replace('MongoDB Server Information\n', '').split('\n},\n')[2]

            # Load the database information
            data = simplejson.loads(data + '}')

            # Keep track of how much data is publicly accessible
            total_data += data['totalSize']

            # Keep track of which database names are most common
            for db in data['databases']:
                databases[db['name']] += 1
        except Exception:
            # Skip banners that are truncated or not in the expected format
            pass

    print('Total: {}'.format(humanize_bytes(total_data)))
    counter = 1
    for name, count in sorted(databases.items(), key=operator.itemgetter(1), reverse=True)[:10]:
        print('#{}\t{}: {}'.format(counter, name, count))
        counter += 1

Here's a sample output of the script:

    Total: 1.8 PB
    #1   local: 85845
    #2   admin: 67648
    #3   test: 24983
    #4   s: 5121
    #5   config: 4329
    #6   proxy: 2045
    #7   research: 2007
    #8   seolib_new: 2001
    #9   traditional: 1998
    #10  simplified: 1998
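The split('\n},\n')[2] trick above depends on Shodan pretty-printing the three objects exactly that way, and the bare except hides how many banners were dropped. The following added example (not from the book) parses the same banner layout, a "MongoDB Server Information" header followed by comma-separated JSON objects, by walking the objects one at a time with json.JSONDecoder.raw_decode from the standard library, so it also copes with compact or differently indented JSON and picks the listDatabases object by its keys rather than by position. The sample banner is constructed and much shorter than a real one.

```python
# Added example (not from the book): a position-independent parser for the
# MongoDB banner format plus an aggregation that reports skipped records.
import json
from collections import Counter

HEADER = 'MongoDB Server Information'

# Constructed sample banner: three objects, the last carrying the
# listDatabases output with 'databases' and 'totalSize'
SAMPLE_BANNER = (
    HEADER + '\n'
    '{"ok": 1.0, "version": "2.4.10"},\n'
    '{"ok": 1.0, "bits": 64, "gitVersion": "unknown"},\n'
    '{\n  "databases": [\n    {"name": "local", "sizeOnDisk": 83886080},\n'
    '    {"name": "admin", "sizeOnDisk": 1048576}\n  ],\n'
    '  "totalSize": 84934656,\n  "ok": 1.0\n}\n'
)


def parse_mongodb_banner(data):
    """Return the list of JSON objects contained in a MongoDB banner."""
    if not data.startswith(HEADER):
        raise ValueError('not a MongoDB banner')
    body = data[len(HEADER):]
    decoder = json.JSONDecoder()
    objects = []
    pos = 0
    while True:
        # Skip whitespace and the commas that separate consecutive objects
        while pos < len(body) and body[pos] in ' \t\r\n,':
            pos += 1
        if pos >= len(body):
            break
        obj, pos = decoder.raw_decode(body, pos)
        objects.append(obj)
    return objects


def database_listing(data):
    """Pick the object that carries the listDatabases output, wherever it sits."""
    for obj in parse_mongodb_banner(data):
        if isinstance(obj, dict) and 'databases' in obj and 'totalSize' in obj:
            return obj
    raise ValueError('banner has no database listing')


def summarize(banners):
    """Total exposed bytes and per-name counts across many banner records.

    Records that fail to parse are counted rather than silently dropped, so
    the analyst knows how much of the data set the totals actually cover.
    """
    total = 0
    names = Counter()
    skipped = 0
    for banner in banners:
        try:
            listing = database_listing(banner['data'])
        except (ValueError, KeyError, json.JSONDecodeError):
            skipped += 1
            continue
        total += listing['totalSize']
        names.update(db['name'] for db in listing['databases'])
    return total, names, skipped


if __name__ == '__main__':
    total, names, skipped = summarize([{'data': SAMPLE_BANNER}])
    print(total, names.most_common(10), 'skipped:', skipped)
```

Feeding the records from helpers.iterate_files() into summarize() gives the same totals as the book's script, with the difference that a banner whose objects are ordered or indented differently is still parsed, and the number of unparsable records is reported alongside the result.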
Exercises: Shodan API

Exercise 1

Write a script to monitor a network using Shodan and send out notifications.

Exercise 2

Write a script to output the latest images into a directory.
Tip: Images are encoded using base64. Python can easily decode it into binary using the base64 module: base64.b64decode(image_string)
Industrial Control Systems

In a nutshell, industrial control systems (ICS) are computers that control the world around you. They're responsible for managing the air conditioning in your office, the turbines at a power plant, the lighting at the theatre or the robots at a factory.

Research conducted from 2012 through 2014 by Project SHINE (SHodan INtelligence Extraction) indicates there are at least 2 million publicly accessible devices related to ICS on the Internet. The first dataset containing 500,000 ICS devices was sent in 2012 to the ICS-CERT. The ICS-CERT determined that roughly 7,200 out of the 500,000 were critical infrastructure in the United States. And with the demand for increased connectivity in everything that number is expected to rise. There have been efforts to secure these devices by taking them offline or patching flaws, but it's a challenging problem and there isn't an easy solution.

Common Abbreviations

Before getting into the protocols and how to find ICS devices, here are a few common abbreviations that are useful to know:

BMS    Building Management System
DCS    Distributed Control System
HMI    Human Machine Interface
ICS    Industrial Control System
PLC    Programmable Logic Controller
RTU    Remote Terminal Unit
SCADA  Supervisory Control and Data Acquisition (a subset of ICS)
VNC    Virtual Network Computing

Protocols

There are 2 different ways of identifying control systems on the Internet:

Non-ICS protocols used in an ICS environment

The majority of the ICS findings on Shodan are discovered by searching for web servers or other popular protocols that aren't directly linked to ICS but may be seen on an ICS network. For example: a web server running on an HMI or a Windows computer running unauthenticated remote desktop while connected to an ICS. These protocols provide you with a visual view of the ICS but they usually have some form of authentication enabled.
[Figure: HMI screenshot from Shodan Images]

The above is an HMI for an engine exposed via an unauthenticated VNC connection found on Shodan Images.

ICS protocols

These are the raw protocols that are used by the control systems. Every ICS protocol has its own unique banner but there's one thing they all have in common: they don't require any authentication. This means that if you have remote access to an industrial device you automatically have the ability to arbitrarily read and write to it. However, the raw ICS protocols tend to be proprietary and hard to develop with. This means that it's easy to check whether a device supports an ICS protocol using Shodan but hard to actually interact with the control system.

The following banner describes a Siemens S7 PLC, note that it contains a lot of detailed information about the device including its serial number and location:

[Figure: Siemens S7 PLC banner]

Securing Internet-Connected ICS

The majority of ICS banners don't contain information on where the device is located or who owns the control system. This makes it exceedingly difficult to secure the device and is one of the main reasons that they continue to stay online after years of research into their online exposure.

If you discover a control system that looks critical, belongs to a government or otherwise shouldn't be online please notify the ICS-CERT.
Use Cases

Assessing ICS for the USA

You've been tasked with generating a quick presentation on the exposure of industrial control systems for the USA. To get started, let's first get a general idea of what's out there using the main Shodan website:

https://www.shodan.io/search?query=category%3Aics

This returns a list of all devices running ICS protocols on the Internet. However, there are a lot of web servers and other protocols (SSH, FTP etc.) running on the same ports as industrial control systems which we need to filter out:

https://www.shodan.io/search?query=category%3Aics+-http+-html+-ssh+-ident

Now we have a filtered list of devices running insecure ICS protocols. Since the focus of the presentation will be on the USA, it's time to narrow the results to only IPs in the USA:

https://www.shodan.io/search?query=category%3Aics+-http+-html+-ssh+-ident+country%3Aus

To get a big picture view of the data and have some charts to work with we can generate a free report. This provides us with a better understanding of which ICS protocols are seen on the Internet in the US:

[Figure: report chart of ICS protocols seen in the US]

Tridium's Fox protocol, used by their Niagara framework, is the most popular ICS protocol in the US followed by BACnet and Modbus. The data shows that the majority of exposed devices are BMS used in offices, factories, stadiums, auditoriums and various facilities.

The above chart was saved as an image using Nimbus Screen Capture on Firefox, but you can also use the Awesome Screenshot Minus plug-in for Chrome.

The report also highlights a common issue with ICS on the Internet: the majority of them are on mobile networks. This makes it especially difficult to track down and secure these devices.

At this point, the data shows us the following:

1. There are at least 65,000 ICS on the Internet exposing their raw, unauthenticated interfaces
2. Nearly half of them (~31,000) are in the US alone
3. Buildings are the most commonly seen type of ICS
4. Mobile networks host the largest amount

Further Reading

1. Distinguishing Internet-Facing Devices using PLC Programming Information
2. NIST Special Publication - Guide to Industrial Control Systems Security
3. Quantitatively Assessing and Visualizing Industrial System Attack Surfaces
Identifying Honeypots

Honeypots have become an increasingly popular and useful tool in understanding attackers. I've seen many misconfigured honeypots while scanning the Internet, here are a few tips to identify them or mistakes to avoid when setting them up.

What is a honeypot?

A honeypot is a device that pretends to be something it actually isn't for the purpose of logging and monitoring network activity. In the case of control systems, an ICS honeypot is a regular computer that pretends to be a control system such as a factory or power plant. They are used to collect information on attackers, including which networks the attackers are targeting, what tools they're using and many other useful insights that help defenders harden their network.

In recent years, honeypots have been used to measure the number of attacks that have been attempted against industrial control systems connected to the Internet. However, it is critically important to understand proper honeypot deployment before trying to gather the data. Many people misconfigure their honeypots and I will outline how those mistakes make it trivial to determine whether a device is a real control system or a honeypot.

The most popular and de-facto honeypot used to simulate industrial control systems is Conpot. The software is well-written and extremely powerful when properly configured. Most of the examples and discussion will be using Conpot but the principles apply to all honeypot software.

Why Detect Them?

The data that honeypots generate is only as good as their deployment. If we want to make informed decisions about who is attacking control systems we have to ensure the data is being gathered from realistic honeypots. Sophisticated attackers won't be fooled by honeypots that are poorly configured. It's important to raise awareness for common pitfalls when deploying honeypots to improve the quality of data being collected.

Default Configurations

The most common mistake that people make when deploying honeypots is using the default configuration. All default configurations return the same banner, including identical serial numbers, PLC names and many other fields that you would expect to vary from IP to IP.

I first realized how common this problem is soon after doing the first Internet scan for Siemens S7:

[Figure: breakdown of S7 serial numbers from the first Internet scan]

30% of the serial numbers in the results were present in more than one banner. It doesn't mean that all of the duplicate serial numbers are honeypots but it's a good starting point for investigation.

In the case of S7, the most popular serial number seen on the Internet is 88111222 which is the default serial number for Conpot.

Searching by the serial number makes it trivial to locate instances of Conpot on the Internet. And make sure to also change the other properties of the banner, not just the serial number:

[Figure: S7 banner with a changed serial number but default PLC name and plant identification]

The above user changed the serial number to a unique value but failed to change the PLC name (Technodrome) and the plant identification (Mouser Factory). Every honeypot instance must have unique values in order to evade honeypot detection techniques.

History Matters

The honeypot has to be deployed properly from day 1 otherwise the banner history for the device will reveal it as a honeypot. For example:

[Figure: S7 banner whose PLC name field contains an unrendered random.randint(0,1) expression]

The above is a banner pretending to be a Siemens S7 PLC. However, there was an error in the template generating the banner and instead of showing a valid PLC name it shows the template's random.randint(0,1) method. Shodan has indexed this banner and even if the bug is fixed in the future a user could look up the history for this IP and see that it used to have an invalid S7 banner.
A sample Shodan API request for the history of an IP:

    host = api.host('xxx.xxx.xxx.xxx', history=True)

Emulate Devices, Not Services

Keep it simple, don't try to emulate too many services at once. A honeypot should emulate a device and most real devices don't run MongoDB, DNP3, MySQL, Siemens S7, Kamstrup, ModBus, Automated Tank Gauge, Telnet and SSH on the same IP.

Think about how the device is configured in the real-world and then emulate it, don't run every possible service simply because it's possible.

In code, you could use the number of ports as a metric:

    # Get information about the host
    host = api.host('xxx.xxx.xxx.xxx')

    # Check the number of open ports
    if len(host['ports']) > 10:
        print('{} looks suspicious'.format(host['ip_str']))
    else:
        print('{} has few ports open'.format(host['ip_str']))

Location, Location, Location

It isn't just the software that needs to be properly configured, a honeypot also has to be hosted on a network that could reasonably have a control system. Putting a honeypot that simulates a Siemens PLC in the Amazon cloud doesn't make any sense. Here are a few of the popular cloud hosting providers that should be avoided when deploying an ICS honeypot:

1. Amazon EC2
2. Rackspace
3. DigitalOcean
4. Vultr
5. Microsoft Azure
6. Google Cloud

For realistic deployment, look at the most popular ISPs in Shodan for publicly accessible ICS. In general, it is better to put the honeypot in the IP space of a residential ISP. The following organizations are the common locations in the USA:
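The deployment mistakes listed in this chapter (default Conpot serial number, PLC name and plant identification, serial numbers shared between hosts, an unrendered template expression, too many services on one IP, cloud hosting) can be turned into a checklist that a honeypot operator runs against their own deployment before going live. The example below is added here; it is neither from the book nor the Honeyscore tool. It runs over constructed host records shaped like api.host() output; the 'name: value' layout of the S7 banner text, the field labels, the port threshold and the sample hosts are assumptions.

```python
# Added example (not from the book): self-check of honeypot deployments
# against the pitfalls described in this chapter, on constructed records.
import re
from collections import Counter

CONPOT_DEFAULT_SERIAL = '88111222'        # default S7 serial number named above
CONPOT_DEFAULT_PLC_NAME = 'Technodrome'   # default PLC name named above
CONPOT_DEFAULT_PLANT = 'Mouser Factory'   # default plant identification named above
CLOUD_PROVIDERS = ('Amazon', 'Rackspace', 'DigitalOcean', 'Vultr',
                   'Microsoft Azure', 'Google')
MAX_PLAUSIBLE_PORTS = 10                  # port-count heuristic from the text above

# Constructed sample records; S7 banners rendered as 'label: value' lines (assumption)
SAMPLE_HOSTS = [
    {'ip_str': '203.0.113.5', 'org': 'Amazon.com', 'ports': [102],
     'data': [{'port': 102, 'data': 'Serial number of module: 88111222\n'
                                    'PLC name: Technodrome\n'
                                    'Plant identification: Mouser Factory'}]},
    {'ip_str': '203.0.113.6', 'org': 'Example Residential ISP', 'ports': [102],
     'data': [{'port': 102, 'data': 'Serial number of module: S C-C2UR28922012\n'
                                    'PLC name: Line 3 press\n'
                                    'Plant identification: Plant A'}]},
    {'ip_str': '203.0.113.7', 'org': 'Vultr Holdings',
     'ports': [21, 22, 23, 80, 102, 502, 1883, 3306, 5020, 20000, 27017],
     'data': [{'port': 102, 'data': 'Serial number of module: S C-C2UR28922012\n'
                                    'PLC name: random.randint(0,1)\n'
                                    'Plant identification: Plant B'}]},
]


def s7_field(banner_text, label):
    """Pull 'label: value' out of an S7 banner; None when the line is absent."""
    m = re.search(r'^%s:\s*(.+)$' % re.escape(label), banner_text, re.M)
    return m.group(1).strip() if m else None


def serial_counts(hosts):
    """How often each S7 serial number appears across the whole data set."""
    counts = Counter()
    for host in hosts:
        for banner in host['data']:
            serial = s7_field(banner['data'], 'Serial number of module')
            if serial:
                counts[serial] += 1
    return counts


def honeypot_indicators(host, serials):
    """List the deployment mistakes visible in one host record."""
    found = []
    if len(host.get('ports', [])) > MAX_PLAUSIBLE_PORTS:
        found.append('too many services on one IP')
    org = host.get('org', '').lower()
    if any(provider.lower() in org for provider in CLOUD_PROVIDERS):
        found.append('hosted at a cloud provider')
    for banner in host['data']:
        text = banner['data']
        serial = s7_field(text, 'Serial number of module')
        if serial == CONPOT_DEFAULT_SERIAL:
            found.append('default Conpot serial number')
        elif serial and serials[serial] > 1:
            found.append('serial number shared with other hosts')
        if s7_field(text, 'PLC name') == CONPOT_DEFAULT_PLC_NAME:
            found.append('default PLC name')
        if s7_field(text, 'Plant identification') == CONPOT_DEFAULT_PLANT:
            found.append('default plant identification')
        if 'random.randint' in text:
            found.append('unrendered template expression in banner')
    return found


def review(hosts):
    """Map each IP to its list of indicators; an empty list means nothing stood out."""
    serials = serial_counts(hosts)
    return {host['ip_str']: honeypot_indicators(host, serials) for host in hosts}


if __name__ == '__main__':
    for ip, indicators in review(SAMPLE_HOSTS).items():
        print(ip, indicators or 'no indicators')
```

The second sample host is otherwise clean but is still flagged because its serial number also appears on the third host, which is the point the chapter makes: a shared serial is a starting point for investigation, not proof of a honeypot, whereas the default Conpot values and an unrendered template expression are conclusive on their own.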
Honeyscore

I developed a tool called Honeyscore that uses all of the aforementioned methods as well as machine learning to calculate a honeyscore and determine whether an IP is a honeypot or not.

Simply enter the IP address of a device and the tool will perform a variety of checks to see whether it is a honeypot.

Further Reading

1. Wikipedia article on honeypots
2. Breaking Honeypots for Fun and Profit (Video)
![Page 54: Complete Guide to Shodanorkish5.tplinkdns.com/wp-content/uploads/2018/07/... · categoryAvailable categories: ics, malware city Name of the city country Full country name net Only](https://reader033.vdocuments.site/reader033/viewer/2022060904/60a0245b133cd75c486eb25b/html5/thumbnails/54.jpg)
AppendixA:BannerSpecification
Forthelatestlistoffieldsthatthebannercontainspleasevisittheonlinedocumentation.
Abannermaycontainthefollowingproperties/fields:
GeneralPropertiesName Description Exampleasn Autonomoussystemnumber AS4837data Mainbannerfortheservice HTTP/1.1200…ip IPaddressasaninteger 493427495ip_str IPaddressasastring 199.30.15.20ipv6 IPv6addressasastring 2001:4860:4860::8888port Portnumberfortheservice 80
timestamp Dateandtimetheinformationwascollected
2014-01-15T05:49:56.283713
hostnames ListofhostnamesfortheIP [“shodan.io”,“www.shodan.io”]
domains ListofdomainsfortheIP [“shodan.io”]link Networklinktype Ethernetormodemlocation Geographiclocationofthedevice seebelow
opts Supplementaldatanotcontainedinmainbanner
org OrganizationthatisassignedtheIP GoogleInc.
isp ISPthatisresponsiblefortheIPspace VerizonWireless
os Operatingsystem Linuxuptime UptimeoftheIPinminutes 50
transportTypeoftransportprotocolusedtocollectbanner;either“udp”or“tcp”
tcp
HTTP(S)PropertiesName Descriptionhtml HTMLcontentofthewebsitetitle Titleofthewebsite
LocationProperties
![Page 55: Complete Guide to Shodanorkish5.tplinkdns.com/wp-content/uploads/2018/07/... · categoryAvailable categories: ics, malware city Name of the city country Full country name net Only](https://reader033.vdocuments.site/reader033/viewer/2022060904/60a0245b133cd75c486eb25b/html5/thumbnails/55.jpg)
Thefollowingpropertiesaresub-propertiesofthelocationpropertythatisatthetop-levelofthebannerrecord.
Name Descriptionarea_code Areacodeofthedevice’slocationcity Nameofthecitycountry_code 2-lettercountrycodecountry_code3 3-lettercountrycodecountry_name Fullnameofthecountrydma_code Designatedmarketareacode(US-only)latitude Latitudelongitude Longitudepostal_code Postalcoderegion_code Regioncode
SSL Properties

If the service is wrapped in SSL then Shodan performs additional testing and makes the results available in the following properties:

Name | Description
ssl.cert | Parsed SSL certificate
ssl.cipher | Preferred cipher for the SSL connection
ssl.chain | List of SSL certificates from the user certificate up to the root certificate
ssl.dhparams | Diffie-Hellman parameters
ssl.versions | Supported SSL versions; if the value starts with a "-" then the service does not support that version (ex. "-SSLv2" means the service doesn't support SSLv2)
Special Properties

_shodan

The _shodan property contains information about how the data was gathered by Shodan. It is different from all the other properties because it doesn't provide information about the device. Instead, it tells you which banner grabber Shodan was using to talk to the IP. This can be important to understand for ports on which multiple services might be operating. For example, port 80 is most well-known for web servers but it's also used by various malware to circumvent firewall rules. The _shodan property would let you know whether the http module was used to collect the data or whether a malware module was used.
Example

{
    "timestamp": "2014-01-16T08:37:40.081917",
    "hostnames": [
        "99-46-189-78.lightspeed.tukrga.sbcglobal.net"
    ],
    "org": "AT&T U-verse",
    "guid": "1664007502:75a821e2-7e89-11e3-8080-808080808080",
    "data": "NTP\nxxx.xxx.xxx.xxx:7546\n68.94.157.2:123\n68.94.156.17:123",
    "port": 123,
    "isp": "AT&T U-verse",
    "asn": "AS7018",
    "location": {
        "country_code3": "USA",
        "city": "Atlanta",
        "postal_code": "30328",
        "longitude": -84.3972,
        "country_code": "US",
        "latitude": 33.93350000000001,
        "country_name": "United States",
        "area_code": 404,
        "dma_code": 524,
        "region_code": null
    },
    "ip": 1664007502,
    "domains": [
        "sbcglobal.net"
    ],
    "ip_str": "99.46.189.78",
    "os": null,
    "opts": {
        "raw": "\\x97\\x00\\x03*\\x00\\x03\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01G\\x06\\xa7\\x8ec.\\xbdN\\x00\\
\x00\\x00\\x01\\x1dz\\x07\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00q\\x00\\x00\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00XD^\\x9d\\x02c.\\xbdN\\\
x00\\x00\\x00\\x01\\x00{\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
\x00\\x00q\\x00\\x00\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00YD^\\x9c\\x11c.\\xb\
dN\\x00\\x00\\x00\\x01\\x00{\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
        "ntp": {
            "more": false
        }
    }
}
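As an added example (not code from the book), the script below walks a banner record using the Appendix A field names: it checks that ip and ip_str agree, splits ssl.versions by the leading "-" convention, and reports legacy protocols, an expired certificate, any opts.vulns entries, and a web port answered by a non-web _shodan.module. The banner it runs on is constructed here with the documentation address 203.0.113.1; the finding strings and the WEB_PORTS set are this example's own.

```python
"""Triage a Shodan banner record by the Appendix A field names (added example).

SAMPLE_BANNER is constructed for this example; its address is the documentation
range TEST-NET-3 (203.0.113.1), not a real host.
"""
import ipaddress
from typing import Any, Dict, List, Tuple

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# Ports that Appendix D lists as HTTP/HTTPS (80-82 are also noted there as malware ports).
WEB_PORTS = {80, 81, 82, 83, 84, 443, 8443}

SAMPLE_BANNER: Dict[str, Any] = {  # constructed; mirrors the Appendix A layout
    "ip": 3405803777,               # 203.0.113.1 as an integer
    "ip_str": "203.0.113.1",
    "port": 8443,
    "transport": "tcp",
    "_shodan": {"module": "https"},
    "ssl": {
        "versions": ["TLSv1", "-SSLv2", "SSLv3", "TLSv1.1", "TLSv1.2"],
        "cert": {"expired": True},
    },
    "opts": {"vulns": ["CVE-2014-0160"]},
}


def int_to_ip(ip_int: int) -> str:
    """Appendix A stores the IPv4 address both as an integer (ip) and a string (ip_str)."""
    return str(ipaddress.IPv4Address(ip_int))


def split_ssl_versions(versions: List[str]) -> Tuple[List[str], List[str]]:
    """Per Appendix A, a leading '-' in ssl.versions marks a version the service rejects."""
    supported = [v for v in versions if not v.startswith("-")]
    unsupported = [v[1:] for v in versions if v.startswith("-")]
    return supported, unsupported


def triage(banner: Dict[str, Any]) -> List[str]:
    """Return the findings a defender would want to see for one banner record."""
    findings: List[str] = []

    # Consistency check between the two address encodings.
    if "ip" in banner and int_to_ip(banner["ip"]) != banner.get("ip_str"):
        findings.append("ip/ip_str mismatch")

    # _shodan.module names the banner grabber that produced the record (Special
    # Properties): a web port answered by a non-web module deserves a look.
    module = banner.get("_shodan", {}).get("module")
    if banner.get("port") in WEB_PORTS and module not in ("http", "https"):
        findings.append(f"port {banner['port']} answered to non-web module {module!r}")

    ssl = banner.get("ssl")
    if ssl:
        supported, _rejected = split_ssl_versions(ssl.get("versions", []))
        for proto in sorted(LEGACY_PROTOCOLS & set(supported)):
            findings.append(f"legacy protocol {proto} enabled")
        if ssl.get("cert", {}).get("expired"):
            findings.append("certificate expired")

    # opts.vulns is where the Appendix E sample carries its CVE entry.
    for cve in banner.get("opts", {}).get("vulns", []):
        findings.append(f"flagged vulnerable: {cve}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_BANNER):
        print(line)
```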
Appendix B: List of Search Filters

General Filters

Name | Description | Type
after | Only show results after the given date (dd/mm/yyyy) | string
asn | Autonomous system number | string
before | Only show results before the given date (dd/mm/yyyy) | string
category | Available categories: ics, malware | string
city | Name of the city | string
country | 2-letter country code | string
geo | Accepts between 2 and 4 parameters. If 2 parameters: latitude, longitude. If 3 parameters: latitude, longitude, range. If 4 parameters: top left latitude, top left longitude, bottom right latitude, bottom right longitude. | string
has_ipv6 | True/False | boolean
has_screenshot | True/False | boolean
hostname | Full host name for the device | string
html | HTML of web banners | string
ip | Alias for net filter | string
isp | ISP managing the netblock | string
net | Network range in CIDR notation (ex. 199.4.1.0/24) | string
org | Organization assigned the netblock | string
os | Operating system | string
port | Port number for the service | integer
postal | Postal code (US-only) | string
product | Name of the software/product providing the banner | string
region | Name of the region/state | string
state | Alias for region | string
title | Title for the web banner's website | string
version | Version for the product | string
vuln | CVE ID for a vulnerability | string

NTP Filters
Name | Description | Type
ntp.ip | IP addresses returned by monlist | string
ntp.ip_count | Number of IPs returned by initial monlist | integer
ntp.more | True/False; whether there are more IP addresses to be gathered from monlist | boolean
ntp.port | Port used by IP addresses in monlist | integer

SSL Filters

Name | Description | Type
has_ssl | True/False | boolean
ssl | Search all SSL data | string
ssl.alpn | Application layer protocols such as HTTP/2 ("h2") | string
ssl.chain_count | Number of certificates in the chain | integer
ssl.version | Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 | string
ssl.cert.alg | Certificate algorithm | string
ssl.cert.expired | True/False | boolean
ssl.cert.extension | Names of extensions in the certificate | string
ssl.cert.serial | Serial number as an integer or hexadecimal string | integer/string
ssl.cert.pubkey.bits | Number of bits in the public key | integer
ssl.cert.pubkey.type | Public key type | string
ssl.cipher.version | SSL version of the preferred cipher | string
ssl.cipher.bits | Number of bits in the preferred cipher | integer
ssl.cipher.name | Name of the preferred cipher | string

Telnet Filters

Name | Description | Type
telnet.option | Search all the options | string
telnet.do | The server requests the client do support these options | string
telnet.dont | The server requests the client to not support these options | string
telnet.will | The server supports these options | string
telnet.wont | The server doesn't support these options | string
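As an added example (not from the book), the helper below builds a search query from typed filters and validates each value against the rules the Appendix B tables state: integer and boolean types, the 2-to-4-parameter geo filter, the dd/mm/yyyy format of after/before, comma-joined alternatives (as in country:se,no in the exercise solutions) and quoting of values that contain spaces (as in org:"your organization"). FILTER_TYPES is a subset of Appendix B; the function names are this example's own.

```python
"""Build a Shodan search query from typed filters (added example, not from the book).

FILTER_TYPES is a subset of the Appendix B table; the value rules implemented
here are the ones that table states.
"""
import re
from typing import Any, Dict

FILTER_TYPES: Dict[str, str] = {
    "after": "date", "before": "date",                 # dd/mm/yyyy
    "asn": "string", "category": "string", "city": "string", "country": "string",
    "hostname": "string", "net": "string", "org": "string", "os": "string",
    "product": "string", "title": "string", "version": "string", "vuln": "string",
    "ssl.version": "string", "ssl.cipher.name": "string",
    "port": "integer", "ssl.chain_count": "integer", "ssl.cert.pubkey.bits": "integer",
    "has_ipv6": "boolean", "has_screenshot": "boolean", "has_ssl": "boolean",
    "ssl.cert.expired": "boolean",
    "geo": "geo",                                       # 2 to 4 comma-separated numbers
}
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")


def _quote(text: str) -> str:
    # Values containing whitespace are double-quoted, as in org:"your organization".
    return f'"{text}"' if re.search(r"\s", text) else text


def format_filter(name: str, value: Any) -> str:
    """Render one filter:value pair, validating the value against Appendix B's type."""
    kind = FILTER_TYPES.get(name)
    if kind is None:
        raise ValueError(f"unknown filter {name!r}")
    if kind == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{name} expects an integer")
        return f"{name}:{value}"
    if kind == "boolean":
        if not isinstance(value, bool):
            raise TypeError(f"{name} expects True/False")
        return f"{name}:{'true' if value else 'false'}"
    if kind == "geo":
        if isinstance(value, (str, bytes)) or not 2 <= len(value) <= 4:
            raise ValueError("geo accepts between 2 and 4 parameters")
        if not all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in value):
            raise TypeError("geo parameters must be numbers")
        return "geo:" + ",".join(str(v) for v in value)
    if kind == "date":
        if not isinstance(value, str) or not DATE_RE.match(value):
            raise ValueError(f"{name} expects dd/mm/yyyy")
        return f"{name}:{value}"
    # String filters: a sequence becomes comma-separated alternatives (country:se,no).
    values = [value] if isinstance(value, str) else list(value)
    return f"{name}:" + ",".join(_quote(str(v)) for v in values)


def build_query(free_text: str, filters: Dict[str, Any]) -> str:
    """Combine free-text search terms with filter:value pairs into one query string."""
    parts = [free_text.strip()] if free_text.strip() else []
    parts.extend(format_filter(name, value) for name, value in filters.items())
    return " ".join(parts)


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for your own netblock.
    print(build_query("", {"net": "203.0.113.0/24", "ssl.cert.expired": True}))
```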
Appendix C: Search Facets

General Facets

Name | Description
asn | Autonomous system number
city | Full name of the city
country | Full name of the country
domain | Domain(s) for the device
has_screenshot | Has screenshot available
isp | ISP managing the netblock
link | Type of network connection
org | Organization owning the netblock
os | Operating system
port | Port number for the service
postal | Postal code
product | Name of the software/product for the banner
region | Name of the region/state
state | Alias for region
uptime | Time in seconds that the host has been up
version | Version of the product
vuln | CVE ID for vulnerability

NTP Facets

Name | Description
ntp.ip | IP addresses returned by monlist
ntp.ip_count | Number of IPs returned by initial monlist
ntp.more | True/False; whether there are more IP addresses to be gathered from monlist
ntp.port | Port used by IP addresses in monlist

SSH Facets

Name | Description
ssh.cipher | Name of the cipher
ssh.fingerprint | Fingerprint for the device
ssh.mac | Name of MAC algorithm used (ex: hmac-sha1)
ssh.type | Type of authentication key (ex: ssh-rsa)

SSL Facets
Name | Description
ssl.version | SSL version supported
ssl.alpn | Application layer protocols
ssl.chain_count | Number of certificates in the chain
ssl.cert.alg | Certificate algorithm
ssl.cert.expired | True/False; certificate expired or not
ssl.cert.serial | Certificate serial number as integer
ssl.cert.extension | Name of certificate extensions
ssl.cert.pubkey.bits | Number of bits in the public key
ssl.cert.pubkey | Name of the public key type
ssl.cipher.bits | Number of bits in the preferred cipher
ssl.cipher.name | Name of the preferred cipher
ssl.cipher.version | SSL version of the preferred cipher

Telnet Facets

Name | Description
telnet.option | Show all options
telnet.do | The server requests the client do support these options
telnet.dont | The server requests the client to not support these options
telnet.will | The server supports these options
telnet.wont | The server doesn't support these options
Appendix D: List of Ports

Port | Service(s)
7 | Echo
11 | Systat
13 | Daytime
15 | Netstat
17 | Quote of the day
19 | Character generator
21 | FTP
22 | SSH
23 | Telnet
25 | SMTP
26 | SSH
37 | rdate
49 | TACACS+
53 | DNS
67 | DHCP
69 | TFTP, BitTorrent
79 | Finger
80 | HTTP, malware
81 | HTTP, malware
82 | HTTP, malware
83 | HTTP
84 | HTTP
88 | Kerberos
102 | Siemens S7
110 | POP3
111 | Portmapper
119 | NNTP
123 | NTP
129 | Password generator protocol
137 | NetBIOS
143 | IMAP
161 | SNMP
175 | IBM Network Job Entry
179 | BGP
195 | TA14-353a
311 | OSX Server Manager
389 | LDAP
443 | HTTPS
444 | TA14-353a, Dell SonicWALL
445 | SMB
465 | SMTPS
500 | IKE (VPN)
502 | Modbus
503 | Modbus
515 | Line Printer Daemon
520 | RIP
523 | IBM DB2
554 | RTSP
587 | SMTP mail submission
623 | IPMI
626 | OSX serialnumbered
666 | Telnet
771 | Realport
789 | Redlion Crimson3
873 | rsync
902 | VMWare authentication
992 | Telnet (secure)
993 | IMAP with SSL
995 | POP3 with SSL
1010 | malware
1023 | Telnet
1025 | Kamstrup
1099 | Java RMI
1177 | malware
1200 | Codesys
1234 | udpxy
1434 | MS-SQL monitor
1604 | Citrix, malware
1723 | PPTP
1833 | MQTT
1900 | UPnP
1911 | Niagara Fox
1962 | PCworx
1991 | malware
2000 | iKettle, MikroTik bandwidth test
2082 | cPanel
2083 | cPanel
2086 | WHM
2087 | WHM
2123 | GTPv1
2152 | GTPv1
2181 | Apache Zookeeper
2222 | SSH, PLC5, EtherNet/IP
2323 | Telnet
2332 | Sierra wireless (Telnet)
2375 | Docker
2376 | Docker
2404 | IEC-104
2455 | CoDeSys
2480 | OrientDB
2628 | Dictionary
3000 | ntop
3306 | MySQL
3386 | GTPv1
3388 | RDP
3389 | RDP
3460 | malware
3541 | PBX GUI
3542 | PBX GUI
3689 | DACP
3780 | Metasploit
3787 | Ventrilo
4000 | malware
4022 | udpxy
4040 | Deprecated Chef web interface
4063 | ZeroC Glacier2
4064 | ZeroC Glacier2 with SSL
4369 | EPMD
4443 | Symantec Data Center Security
4444 | malware
4500 | IKE NAT-T (VPN)
4567 | Modem web interface
4911 | Niagara Fox with SSL
4949 | Munin
5006 | MELSEC-Q
5007 | MELSEC-Q
5008 | NetMobility
5009 | Apple Airport Administration
5060 | SIP
5094 | HART-IP
5222 | XMPP
5269 | XMPP Server-to-Server
5353 | mDNS
5357 | Microsoft-HTTPAPI/2.0
5432 | PostgreSQL
5577 | Flux LED
5632 | PCAnywhere
5672 | RabbitMQ
5900 | VNC
5901 | VNC
5984 | CouchDB
6000 | X11
6379 | Redis
6666 | Voldemort database, malware
6667 | IRC
6881 | BitTorrent DHT
6969 | TFTP, BitTorrent
7218 | Sierra wireless (Telnet)
7474 | Neo4j database
7548 | CWMP (HTTPS)
7777 | Oracle
7779 | Dell Service Tag API
8010 | Intelbras DVR
8060 | Roku web interface
8069 | OpenERP
8087 | Riak
8090 | Insteon HUB
8099 | Yahoo Smart TV
8112 | Deluge (HTTP)
8139 | Puppet agent
8140 | Puppet master
8181 | GlassFish Server (HTTPS)
8333 | Bitcoin
8334 | Bitcoin node dashboard (HTTP)
8443 | HTTPS
8554 | RTSP
8880 | Websphere SOAP
8888 | HTTP, Andromouse
8889 | SmartThings Remote Access
9001 | Tor OR
9002 | Tor OR
9051 | Tor Control
9100 | Printer Job Language
9151 | Tor Control
9160 | Apache Cassandra
9191 | Sierra wireless (HTTP)
9443 | Sierra wireless (HTTPS)
9595 | LANDesk Management Agent
9600 | OMRON
10001 | Automated Tank Gauge
10243 | Microsoft-HTTPAPI/2.0
11211 | Memcache
17185 | VxWorks WDBRPC
12345 | Sierra wireless (Telnet)
13579 | Media player classic web interface
14147 | Filezilla FTP
16010 | Apache Hbase
18245 | General Electric SRTP
20000 | DNP3
20547 | ProconOS
21025 | Starbound
21379 | Matrikon OPC
23023 | Telnet
23424 | Serviio
25105 | Insteon Hub
25565 | Minecraft
27015 | Steam A2S server query, Steam RCon
27017 | MongoDB
28017 | MongoDB (HTTP)
30718 | Lantronix Setup
32400 | Plex
37777 | Dahua DVR
44818 | EtherNet/IP
47808 | Bacnet
49152 | Supermicro (HTTP)
49153 | WeMo Link
50070 | HDFS Namenode
51106 | Deluge (HTTP)
54138 | Toshiba PoS
55553 | Metasploit
55554 | Metasploit
62078 | Apple iDevice
64738 | Mumble
Appendix E: Sample SSL Banner

{
    "hostnames": [],
    "title": "",
    "ip": 2928565374,
    "isp": "iWeb Technologies",
    "transport": "tcp",
    "data": "HTTP/1.1 200 OK\r\nExpires: Sat, 26 Mar 2016 11:56:36 GMT\r\nExpire\
s: Fri, 28 May 1999 00:00:00 GMT\r\nCache-Control: max-age=2592000\r\nCache-Cont\
rol: no-store, no-cache, must-revalidate\r\nCache-Control: post-check=0, pre-che\
ck=0\r\nLast-Modified: Thu, 25 Feb 2016 11:56:36 GMT\r\nPragma: no-cache\r\nP3P: \
CP=\"NON COR CURa ADMa OUR NOR UNI COM NAV STA\"\r\nContent-type: text/html\r\n\
Transfer-Encoding: chunked\r\nDate: Thu, 25 Feb 2016 11:56:36 GMT\r\nServer: sw-\
cp-server\r\n\r\n",
    "asn": "AS32613",
    "port": 8443,
    "ssl": {
        "chain": ["-----BEGIN CERTIFICATE-----\nMIIDszCCApsCBFBTb4swDQYJKoZIhvcN\
AQEFBQAwgZ0xCzAJBgNVBAYTAlVTMREw\nDwYDVQQIEwhWaXJnaW5pYTEQMA4GA1UEBxMHSGVybmRvbj\
ESMBAGA1UEChMJUGFy\nYWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMgUGFuZWwxGDAWBgNVBAMTD1Bh\
cmFs\nbGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbGxlbHMuY29tMB4X\nDTEyMDkx\
NDE3NTUyM1oXDTEzMDkxNDE3NTUyM1owgZ0xCzAJBgNVBAYTAlVTMREw\nDwYDVQQIEwhWaXJnaW5pYT\
EQMA4GA1UEBxMHSGVybmRvbjESMBAGA1UEChMJUGFy\nYWxsZWxzMRgwFgYDVQQLEw9QYXJhbGxlbHMg\
UGFuZWwxGDAWBgNVBAMTD1BhcmFs\nbGVscyBQYW5lbDEhMB8GCSqGSIb3DQEJARYSaW5mb0BwYXJhbG\
xlbHMuY29tMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxc9Vy/qajKtFFnHxGOFPHTxm\
\nSOnsffWBTBfyXnK3h8u041VxvZDh3XkpA+ptg2fWOuIT0TTYuqw+tqiDmg8YTsHy\njcpMFBtXV2cV\
dhKXaS3YYlM7dP3gMmkGmH+ZvCgCYc7L9MIJxYJy6Zeuh67YxEMV\ngiU8mZpvc70Cg5WeW1uBCXtUAi\
jDLsVWnhsV3YuxlweEvkRpAk3EHehKbvgMnEZS\nQ30QySe0GAqC7bWzKrwsJAOUk/+Js18+3QKb/LmD\
a9cRjtFCTo6hYfPbfHj8RxQh\n4Xmnn/CtZ48wRQTqKXSO6+Zk3OuU7/jX1Gt/jxN6n77673e6uCsggT\
wut/EtNwID\nAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBb/yTy76Ykwr7DBOPAXc766n73OsZizjAt\n1k\
mx7LxgN3X/wFxD53ir+sdOqbPgJl3edrE/ZG9dNl6LhUBbUK+9s6z9QicEfSxo\n4uQpFSywbGGmXInE\
ZmyT4SsOLi/hNgy68f49LO1h6rn/p7QgIKd31g7189ZfFkFb\nRdD49s1l/Cc5Nm4XapUVvmnS91MlPk\
/OOIg1Lu1rYkuc8sIoZdPbep52H3Ga7TjG\nkmO7nUIii0goB7TQ63mU67+NWHAmQQ8CtCDCN49kJyen\
1WFjD6Je2U4q0IFQrxHw\nMy+tquo/n/sa+NV8QOj1gMVcFsLhYm7Z5ZONg0QFXSAL+Eyj/AwZ\n----\
-END CERTIFICATE-----\n"],
        "cipher": {
            "version": "TLSv1/SSLv3",
            "bits": 256,
            "name": "DHE-RSA-AES256-GCM-SHA384"
        },
        "alpn": [],
        "dhparams": {
            "prime": "b10b8f96a080e01dde92de5eae5d54ec52c99fbcfb06a3c69a6a9dca52\
d23b616073e28675a23d189838ef1e2ee652c013ecb4aea906112324975c3cd49b83bfaccbdd7d90\
c4bd7098488e9c219a73724effd6fae5644738faa31a4ff55bccc0a151af5f0dc8b4bd45bf37df36\
5c1a65e68cfda76d4da708df1fb2bc2e4a4371",
            "public_key": "2e30a6e455730b2f24bdaf5986b9f0876068d4aa7a4e15c9a1b9c\
a05a420e8fd3b496f7781a9423d3475f0bedee83f0391aaa95a738c8f0e250a8869a86d41bdb0194\
66dba5c641e4b2b4b82db4cc2d4ea8d9804ec00514f30a4b6ce170b81c3e1ce4b3d17647c8e5b8f6\
65bb7f588100bcc9a447d34d728c3709fd8a5b7753b",
            "bits": 1024,
            "generator": "a4d1cbd5c3fd34126765a442efb99905f8104dd258ac507fd6406c\
ff14266d31266fea1e5c41564b777e690f5504f213160217b4b01b886a5e91547f9e2749f4d7fbd7\
d3b9a92ee1909d0d2263f80a76a6a24c087a091f531dbf0a0169b6a28ad662a4d18e73afa32d779d\
5918d08bc8858f4dcef97c2a24855e6eeb22b3b2e5",
            "fingerprint": "RFC5114/1024-bit MODP Group with 160-bit Prime Order Subgroup"
        },
        "versions": ["TLSv1", "-SSLv2", "SSLv3", "TLSv1.1", "TLSv1.2"]
    },
    "html": "\n\t\t<html><head>\n\t\t<meta charset=\"utf-8\">\n\t\t<meta http-eq\
uiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\">\n\t\t<title></title>\n\t\t\
<script language=\"javascript\" type=\"text/javascript\" src=\"/javascript/commo\
n.js?plesk_version=psa-11.0.9-110120608.16\"/></script>\n\t\t<script language=\"\
javascript\" type=\"text/javascript\" src=\"/javascript/prototype.js?plesk_versi\
on=psa-11.0.9-110120608.16\"></script>\n\t\t<script>\n\t\t\tvar opt_no_frames = \
false;\n\t\t\tvar opt_integrated_mode = false;\n\t\t</script>\n\t\t\n\t\t</head>\
<body onLoad=\";top.location='/login.php3?window_id=&requested_url=https%3A%\
2F%2F174.142.92.126%3A8443%2F';\"></body><noscript>You will be redirected to the \
new address in 15 seconds… If you are not automatically taken to the new loca\
tion, please enable javascript or click the hyperlink <a href=\"/login.php3?wind\
ow_id=&requested_url=https%3A%2F%2F174.142.92.126%3A8443%2F\" target=\"top\"\
>/login.php3?window_id=&requested_url=https%3A%2F%2F174.142.92.126%3A8443%2F\
</a>.</noscript></html><!--_____________________________________________________\
________________________________________________________________________________\
________________________________________________________________________________\
_________________________IE error page size limitation__________________________\
________________________________________________________________________________\
________________________________________________________________________________\
____________________________________________________-->",
    "location": {
        "city": null,
        "region_code": "QC",
        "area_code": null,
        "longitude": -73.5833,
        "country_code3": "CAN",
        "latitude": 45.5,
        "postal_code": "H3G",
        "dma_code": null,
        "country_code": "CA",
        "country_name": "Canada"
    },
    "timestamp": "2016-02-25T11:56:52.548187",
    "domains": [],
    "org": "iWeb Technologies",
    "os": null,
    "_shodan": {
        "options": {},
        "module": "https",
        "crawler": "122dd688b363c3b45b0e7582622da1e725444808"
    },
    "opts": {
        "heartbleed": "2016/02/25 03:56:45 ([]uint8) {\n00000000020074636\
56e7375732e73686f64616e|..tcensus.shodan|\n000000102e696f53\
454355524954592053555256|.ioSECURITYSURV|\n000000204559fe7a\
a20dfaed9342ed18b0157d6e|EY.z…..B….}n|\n000000302908f6f\
8ce00b194b54b47acdd18aab9|)........KG…..|\n00000040db1c01\
459510e0a243fe8eac882fe875|...E….C…./.u|\n000000508b195f\
8ce08a8061563c680fe11f739e|.._….aV<h…s.|\n00000060614fd\
adb90ce84e3795f9d6ca090fffa|aO…...y_.l….|\n00000070d816\
e87607b2e55e8e3ea445612f6a2d|...v…^.>.Ea/j-|\n000000805d11\
7494033c5d|].t..<]|\n}\n\n2016/02/25 03:56:45 \
174.142.92.126:8443 - VULNERABLE\n",
        "vulns": ["CVE-2014-0160"]
    },
    "ip_str": "174.142.92.126"
}
Exercise Solutions

Website

Exercise 1

title:4sics

Exercise 2

has_screenshot:1 country:se city:nora

https://www.shodan.io/host/81.233.255.165

Exercise 3

vuln:CVE-2014-0160 country:se ssl.version:sslv2

vuln:CVE-2014-0160 org:"your organization"

Exercise 4

category:ics city:"your city name"

Exercise 5

category:malware country:se
Command-Line Interface

Exercise 1

shodan download --limit -1 heartbleed-results country:se,no vuln:CVE-2014-0160
shodan parse --filters location.country_code:SE -O heartbleed-sweden heartbleed-results.json.gz

Note: The --filters argument does case-sensitive searching on properties that are strings, hence the Swedish country code has to be upper-case.
Exercise 2

mkdir data
shodan stream --limit 1000 --datadir data/
shodan convert data/* kml
# Upload the KML file to https://www.google.com/maps/d/
Exercise 3

#!/bin/bash
# Download every banner Shodan tagged as malware, then block outbound traffic to each IP.
shodan download --limit -1 malware.json.gz category:malware
for ip in $(shodan parse --fields ip_str malware.json.gz)
do
    iptables -A OUTPUT -d "$ip" -j DROP
done
Shodan API

Replace YOUR_API_KEY with the API key for your account as seen on your Shodan Account website.

Exercise 1

#!/usr/bin/env python
# Initialize Shodan
import shodan
api = shodan.Shodan("YOUR_API_KEY")

# Create a new alert
alert = api.create_alert('My first alert', '198.20.69.0/24')

try:
    # Subscribe to data for the created alert
    for banner in api.stream.alert(alert['id']):
        print(banner)
finally:
    # Clean up the alert if any error occurs or the stream is interrupted (Ctrl-C)
    api.delete_alert(alert['id'])

Tip: Use the Shodan command-line interface's alert command to list and remove alerts. For example:

shodan alert list
shodan alert clear
Exercise 2

mkdir images

Run the above command to generate a directory to store the images in. Then save the following code in a file such as image-stream.py:

#!/usr/bin/env python
import base64
import shodan

output_folder = 'images/'
api = shodan.Shodan("YOUR_API_KEY")

for banner in api.stream.banners():
    if 'opts' in banner and 'screenshot' in banner['opts']:
        # All the images are JPGs for now
        # TODO: Use the mime type to determine file extension
        # TODO: Support IPv6 results
        # Create the filename using its IP address
        filename = '{}/{}.jpg'.format(output_folder, banner['ip_str'])
        # The images are encoded using base64; write the decoded bytes to the file
        with open(filename, 'wb') as output:
            output.write(base64.b64decode(banner['opts']['screenshot']))