Information Gathering with Shodan

Shodan

Shodan, which describes itself as a Computer Search Engine (a search engine for networked computer resources), was built by the American John Matherly over nearly 10 years. It can find almost all US industrial control systems and other devices connected to the network.

Unlike traditional search engines such as Google, which use web crawlers to traverse entire websites, Shodan goes directly to the channels behind the Internet, auditing the ports of all kinds of devices, and never stops looking for Internet-connected servers, cameras, printers, routers and so on. Every month Shodan gathers information around the clock from about 500 million servers.

Shodan only searches for network-connected equipment, and many of the devices it finds should never have been connected to the Internet at all. Through the negligence or laziness of a local network administrator, their network cable ends up plugged into the same network as ordinary personal computers: car washing machines, temperature controllers, traffic surveillance cameras, heating systems, routers, printers, cameras, servers and so on. Users can search for these devices that should not be online through Shodan, and because most of them are unprotected, critical information can be obtained from them and control gained. Hackers can use Shodan to search for numerous servers with weak firewalls, set up backdoors and turn them into botnets for cyber attacks.

Shodan works well with basic, single-term searches. Here are the basic search filters you can use:

  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on an operating system
  • port: find particular ports that are open
  • before/after: find results within a timeframe

Below is the list of Shodan filters by Javier Olmedo:

General Filters

| Name | Description | Type |
| --- | --- | --- |
| after | Only show results after the given date (dd/mm/yyyy) | string |
| asn | Autonomous system number | string |
| before | Only show results before the given date (dd/mm/yyyy) | string |
| category | Available categories: ics, malware | string |
| city | Name of the city | string |
| country | The 2-letter country code | string |
| geo | Accepts between 2 and 4 parameters. If 2 parameters: latitude, longitude. If 3 parameters: latitude, longitude, range. If 4 parameters: top left latitude, top left longitude, bottom right latitude, bottom right longitude. | string |
| hash | Hash of the data property | integer |
| has_ipv6 | True / False | boolean |
| has_screenshot | True / False | boolean |
| hostname | A full hostname for the device | string |
| ip | Alias for the net filter | string |
| isp | ISP managing the netblock | string |
| net | Network range in CIDR notation (ex. 199.4.1.0/24) | string |
| org | The organization assigned the netblock | string |
| os | Operating system | string |
| port | Port number for the service | integer |
| postal | Postal code (US-only) | string |
| product | Name of the software/product providing the banner | string |
| region | Name of the region/state | string |
| state | Alias for region | string |
| version | Version for the product | string |
| vuln | CVE ID for a vulnerability | string |

HTTP Filters

| Name | Description | Type |
| --- | --- | --- |
| http.component | Name of web technology used on the website | string |
| http.component_category | Category of web components used on the website | string |
| http.html | HTML of web banners | string |
| http.html_hash | Hash of the website HTML | integer |
| http.status | Response status code | integer |
| http.title | Title of the web banner's website | string |

NTP Filters

| Name | Description | Type |
| --- | --- | --- |
| ntp.ip | IP addresses returned by monlist | string |
| ntp.ip_count | Number of IPs returned by initial monlist | integer |
| ntp.more | True / False; whether there are more IP addresses to be gathered from monlist | boolean |
| ntp.port | Port used by IP addresses in monlist | integer |

SSL Filters

| Name | Description | Type |
| --- | --- | --- |
| has_ssl | True / False | boolean |
| ssl | Search all SSL data | string |
| ssl.alpn | Application layer protocols such as HTTP/2 ("h2") | string |
| ssl.chain_count | Number of certificates in the chain | integer |
| ssl.version | Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 | string |
| ssl.cert.alg | Certificate algorithm | string |
| ssl.cert.expired | True / False | boolean |
| ssl.cert.extension | Names of extensions in the certificate | string |
| ssl.cert.serial | Serial number as an integer or hexadecimal string | integer / string |
| ssl.cert.pubkey.bits | Number of bits in the public key | integer |
| ssl.cert.pubkey.type | Public key type | string |
| ssl.cipher.version | SSL version of the preferred cipher | string |
| ssl.cipher.bits | Number of bits in the preferred cipher | integer |
| ssl.cipher.name | Name of the preferred cipher | string |

Telnet Filters

| Name | Description | Type |
| --- | --- | --- |
| telnet.option | Search all the options | string |
| telnet.do | The server requests that the client support these options | string |
| telnet.dont | The server requests that the client not support these options | string |
| telnet.will | The server supports these options | string |
| telnet.wont | The server does not support these options | string |
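The basic filters and the typed filter tables above translate directly into a query string of `filter:value` pairs. The following is an added example, not code from the original page or from Shodan: it composes a query from those filters, checks each value against the type the tables declare (integer, boolean, CIDR for net, dd/mm/yyyy for before/after), quotes values that contain spaces, and shows a defender's use, inventorying a placeholder netblock for expired certificates.

```python
# Compose and sanity-check Shodan search queries from the filter tables above.
# Added example, not code from the page or from Shodan. Filter names and their
# types are transcribed from the tables; any netblock used here is a placeholder.
import ipaddress
import re

# Filter -> declared value type, as listed in the tables (a subset of them).
FILTER_TYPES = {
    "net": "string", "hostname": "string", "org": "string", "country": "string",
    "city": "string", "os": "string", "product": "string", "version": "string",
    "vuln": "string", "before": "string", "after": "string", "port": "integer",
    "http.title": "string", "http.status": "integer", "has_ssl": "boolean",
    "ssl.version": "string", "ssl.cert.expired": "boolean", "ntp.more": "boolean",
}
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}")  # before/after take dd/mm/yyyy

def render_value(name, value):
    """Check value against the filter's declared type and return it as query text."""
    kind = FILTER_TYPES[name]
    if kind == "boolean":
        if not isinstance(value, bool):
            raise TypeError(f"{name} expects True/False")
        return "true" if value else "false"
    if kind == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{name} expects an integer")
        return str(value)
    if not isinstance(value, str):
        raise TypeError(f"{name} expects a string")
    if name == "net":
        ipaddress.ip_network(value, strict=False)  # raises ValueError on a bad CIDR
    if name in ("before", "after") and not DATE_RE.fullmatch(value):
        raise ValueError(f"{name} expects dd/mm/yyyy")
    # A value containing whitespace must be quoted, or Shodan splits it into terms.
    return f'"{value}"' if re.search(r"\s", value) else value

def build_query(terms=(), filters=None):
    """Join free-text terms and filter:value pairs into one Shodan query string."""
    filters = dict(filters or {})
    unknown = sorted(set(filters) - set(FILTER_TYPES))
    if unknown:
        raise KeyError(f"unknown filter(s): {unknown}")
    parts = [str(t) for t in terms]
    parts += [f"{name}:{render_value(name, value)}" for name, value in filters.items()]
    return " ".join(parts)

def own_expired_certs_query(cidr):
    """Defender's inventory query: TLS services on our own netblock whose cert expired."""
    return build_query(filters={"net": cidr, "has_ssl": True, "ssl.cert.expired": True})
```

The resulting string is what you would paste into the Shodan search box; the type checks catch the common mistakes (a quoted port number, an unquoted title, a date in the wrong format) before the query is run.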