Shodan is a great cyber tool that lets us search for and see devices that are directly connected to the internet: not only “our” devices, but any device that is out there connected directly to the internet. It can be used to discover industry-class assets like web servers as easily as smart home systems and the myriad other Internet of Things (IoT) devices.
The search interface in Shodan is very easy to use and can serve up a wealth of good information. For starters, there is a wide range of things we can search for, including IP addresses, domain names, port numbers, services, protocols and product names. The image at the top of this post shows a search for the Remote Desktop Protocol (RDP) in Shodan.
RDP is used in a Microsoft application that allows users to connect from their computer (or mobile device that supports RDP) to another computer on a local network. RDP can also be used, as seen here, over the internet - though this is something we typically want to minimize and apply additional security controls to (multi-factor authentication, for example) when it is in use.
A search for “apache” yields results for the popular open source Apache web server, and in this case I narrowed my search to an individual city:
At the other end of the device type spectrum, a search with the keyword “nest” - a popular brand in the smart home devices space - surfaced some Minecraft servers:
There are also search filters for city, state, country, region, organization, and many more. In fact, there is a full Shodan page devoted to a filter reference.
Here’s more, from Shodan, on what it indexes and some of the best ways that the data it provides can be used:
So what does Shodan index then? The bulk of the data is taken from banners, which are metadata about a software that's running on a device. This can be information about the server software, what options the service supports, a welcome message or anything else that the client would like to know before interacting with the server.
The information gained from these services is applied to many areas:
Network Security: keep an eye on all devices at your company that are facing the Internet
Market Research: find out which products people are using in the real-world
Cyber Risk: include the online exposure of your vendors as a risk metric
Internet of Things: track the growing usage of smart devices
Tracking Ransomware: measure how many devices have been impacted by ransomware
Last week, I posted about OSINT, open source intelligence. In that post I mostly talked about OSINT related to people. Shodan is a stellar, leading tool for OSINT related to technologies and, more importantly from a cyber perspective, to technologies and devices that are out there directly connected to the internet. For organizations, these external-facing devices are often considered to be among the highest risk assets - and Shodan can be an essential tool in identifying our exposure level in this area.
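One way to act on this, as an added example that is not from this post or from Shodan: the script below takes banner records in the JSON-lines form of a Shodan export, keeps only the ones inside address ranges we own, and flags services such as RDP that we normally do not want internet-facing. The sample records, the network range and the risky-port list are constructed assumptions, and the field names ip_str, port and product are assumed to match the export.

```python
import ipaddress
import json

# Constructed sample in Shodan's JSON-lines export shape; documentation IPs only.
SAMPLE_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 3389, "product": "Remote Desktop Protocol"}
{"ip_str": "203.0.113.20", "port": 443, "product": "Apache httpd"}
{"ip_str": "198.51.100.7", "port": 3389, "product": "Remote Desktop Protocol"}
not-json debris line
"""

# Assumptions: the ranges we own, and ports we never want internet-facing.
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
RISKY_PORTS = {3389: "RDP", 23: "Telnet", 445: "SMB"}


def parse_export(text):
    """Return one record per line, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def triage(records, networks=OUR_NETWORKS, risky=RISKY_PORTS):
    """Return (findings, inventory) limited to hosts inside our networks."""
    findings, inventory = [], []
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec["ip_str"])
            port = int(rec["port"])
        except (KeyError, ValueError, TypeError):
            continue  # record lacks the fields we key on
        if not any(ip in net for net in networks):
            continue  # not our address space: out of scope
        entry = (str(ip), port, rec.get("product", "unknown"))
        inventory.append(entry)
        if port in risky:
            findings.append(entry + (risky[port],))
    return findings, inventory


if __name__ == "__main__":
    findings, inventory = triage(parse_export(SAMPLE_EXPORT))
    for ip, port, product, label in findings:
        print(f"REVIEW {ip}:{port} {label} ({product}) is internet-facing")
```

Scoping the report to our own ranges first keeps it an inventory of our exposure; the third sample record is dropped because it sits outside them.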
Thanks for sharing. Will definitely tinker with Shodan.