In this blog, we will talk about how we can use one of the most commonly used search engines during the penetration testing process – Shodan.
I. What is SHODAN?
Shodan is a computer search engine designed by web developer John Matherly. It works differently from popular search engines such as Google or Bing: where a typical search engine crawls web pages and indexes their content, Shodan connects to ports, grabs the banner returned by the service listening there, and indexes those banners rather than web content.
Because of that design, it helps the user find specific hosts by the content that appears in their service banners.
II. Basic Operations
1. Search
- Search terms are input into a text box
- Quotation marks can narrow a search
- Boolean operators "+" and "-" can be used to include or exclude query terms
2. Login
- To get more results, you need to log in, either by creating an account or by using a third-party service such as Google, Twitter, Yahoo, AOL or Facebook
- Login is not required for basic searches, but the country and net filters, as well as the export function, are only available once you are logged in.
3. Filters
- country: filters results by two-letter country code.
- Ex: apache country:US -> find Apache servers in the US
- hostname: filters results by specified text in the hostname or domain
- Ex: nginx hostname:.nist.gov -> find nginx servers in the .nist.gov domain
- net: filters results by a specific IP range or subnet
- os: searches for a specific operating system (Windows, Linux, ...)
- port: narrows down the search to a specific service port
4. Export
- It lets you export up to 1,000 results per credit in XML format
- Credits can be purchased online
III. Practical Query Examples
- MongoDB: "MongoDB Server Information" port:27017 -authentication
- Jenkins CI: "X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
- Docker APIs: "Docker Containers:" port:2375
- Docker Private Registries: "Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
- Android Debug Bridge (ADB): "Android Debug Bridge" "Device" port:5555
- Citrix Virtual Apps: "Citrix Applications:" port:1604
- Exchange 2013/2016: "X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
- Lync/Skype for Business: "X-MS-Server-Fqdn"
- SMB (Samba) File Shares: "Authentication: disabled" port:445
- Printers: "Serial Number:" "Built:" "Server: HP HTTP"
Many more queries, which you may find interesting, are collected in this post: "https://github.com/jakejarvis/awesome-shodan-queries#remote-desktop"
Note: To automate the process of searching, there is a CLI version of Shodan which can be installed as follows:
- Install -> pip install -U --user shodan (or pip3 install -U --user shodan)
- Initialize -> shodan init (requires your API key)
- Full instructions can be found here: “https://help.shodan.io/command-line-interface/2-search-download”
Lastly, I hope you find this blog helpful. Thank you for reading, and see you all soon.