If it is Connected, it is trackable.
Shodan can find even your fridge!
What Can Shodan Do:
Shodan detects devices that are connected to the internet at any given time, the location of those devices and their current users. Such devices can belong to almost any type of system, including business networks, surveillance cameras, industrial control systems (ICS) and smart homes.
Shodan attempts to grab the system's banner directly, which is the first key step in penetration testing since it helps identify vulnerable systems. It goes further by supporting boolean operators and providing filters that make searching more efficient. The search engine returns 50 results for free and offers paid subscriptions for more results.
How it Works
There are three ways to use Shodan:
1.) the web interface
2.) the CLI
3.) in your own tools or scripts through the API
Installing the Shodan CLI and Creating a Network Monitor
pip install shodan
Then initialize the CLI using your API key:
shodan init APIKEY
Create a network alert to monitor your network ranges (e.g. 198.20.0.0/16):
shodan alert create "My production networks" 198.20.0.0/16 8.20.5.0/24
Get a list of notification triggers that can be enabled:
shodan alert triggers
Get notified when malware or a compromised service is discovered (replace ALERTID with the one returned by the 'shodan alert create' command):
shodan alert enable ALERTID malware
Filter:
Filters are special keywords that Shodan uses to let you narrow search results based on the metadata of a service or device. Filters are entered in the format filtername:value
For example, some common filter names used during recon:
product:"apache tomcat"
country:"filter to a specific country"
city:"specific city"
geo:"through coordinates"
hostname:"looking for hostname"
net:"limit to an IP or range"
os:"based on operating system"
port:"searching for a specific port"
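The two ideas above, the filtername:value syntax and the network monitor for ranges you own, can be combined in a script. The block below is an added example, not code from the original post or from Shodan: it builds query strings from keyword filters and audits a search result against your own CIDR ranges and the ports you expect to be open. The result layout (a list of matches with ip_str, port, product and org fields) is assumed to mirror what the official shodan Python library returns; the sample matches are constructed.

```python
"""Added example: build Shodan filter queries and audit search matches
against the address ranges you own. Not part of the original post."""
import ipaddress


def build_query(**filters):
    """Render keyword filters as Shodan 'name:value' pairs, quoting values
    that contain spaces, e.g. build_query(product="apache tomcat", port=21)."""
    parts = []
    for name, value in filters.items():
        value = str(value)
        parts.append(f'{name}:"{value}"' if " " in value else f"{name}:{value}")
    return " ".join(parts)


# The ranges from the 'shodan alert create' example above (assumed to be ours).
OWN_RANGES = [ipaddress.ip_network("198.20.0.0/16"),
              ipaddress.ip_network("8.20.5.0/24")]
# Ports we intentionally expose; anything else inside our ranges is a finding.
EXPECTED_PORTS = {22, 443}


def audit_matches(matches, own_ranges=OWN_RANGES, expected_ports=EXPECTED_PORTS):
    """Return sorted (ip, port, product) tuples for every match that lies inside
    one of our ranges but listens on a port we did not expect to be open."""
    findings = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        in_scope = any(ip in net for net in own_ranges)
        if in_scope and m["port"] not in expected_ports:
            findings.append((m["ip_str"], m["port"], m.get("product", "unknown")))
    return sorted(findings)


# Constructed sample shaped like the 'matches' list of a Shodan search result.
SAMPLE_MATCHES = [
    {"ip_str": "198.20.4.7", "port": 21, "product": "vsftpd", "org": "Example Corp"},
    {"ip_str": "198.20.4.9", "port": 443, "product": "nginx", "org": "Example Corp"},
    {"ip_str": "8.20.5.33", "port": 9200, "product": "Elastic", "org": "Example Corp"},
    {"ip_str": "203.0.113.5", "port": 21, "product": "vsftpd", "org": "Other Org"},
]

if __name__ == "__main__":
    print(build_query(org="Example Corp", port=21, country="US"))
    for ip, port, product in audit_matches(SAMPLE_MATCHES):
        print(f"unexpected exposure: {ip}:{port} ({product})")
```

In real use the query string would be passed to the library's search call and the returned 'matches' list handed to audit_matches; the 203.0.113.5 entry shows that hits outside your own ranges are ignored.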
GENERAL SEARCHES WHILE RECON
org:"org name"
org:"org name" okta
org:"org name" location:
org:"org name" location:okta
org:"org name" title:400
org:"org name" title:200
org:"org name" title:403
ssl:company
org:"amazon" ssl:"company"
graphql
company.com
ssl:"company development"
hostname:"company.com" org:"company" port:"23"
http.title:"hacked by"
For finding assets running a specific technology:
html:"Dashboard jenkins"
html:jira title:"system dashboard"
kibana content-length:217
elasticsearch port:9200
product:elastic
product:couchDB
product:"apache tomcat"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
Shodan also indexes Android Debug Bridge (ADB) ports that are exposed to the internet. You can find them with this query:
"android debug bridge"
Search for vulnerable FTP servers:
vsftpd 2.3.4 (search without the quotes)
Searching for vulnerable ASUS routers:
port:21 asus -530
port:21 asus -530 country:US // in case you want to narrow the results by country
Search for Tesla Powerpacks or other Tesla internal servers:
http.title:"tesla powerpack system"
Searching on the basis of custom headers you see in your requests and responses:
X-Redirect-By: Wordpress ssl:"company"
X-Amz-Bucket-Region
X-Jenkins 200
X-Generator: Drupal 7
"Set-Cookie: mongo-express=" "200 OK"
all:"mysql server information" all:"metrics"
port:21223 -all:"partially" all:"fs.files"
For more detailed queries, beyond those useful in bug bounties, refer to:
https://github.com/jakejarvis/awesome-shodan-queries
HOPE YOU LEARNED SOMETHING NEW
THANK YOU
Twitter Handle: ShMalav