Information Gathering with Shodan
Shodan
Shodan, which describes itself as a "computer search engine" (a search engine for networked computer resources), was built by the American John Matherly over nearly 10 years. It can find almost every industrial control system and network-connected system in the US.
Unlike traditional search engines such as Google, which use web crawlers to traverse whole websites, Shodan goes straight to the channels behind the Internet, auditing all kinds of devices by port, and it never stops looking for the servers, cameras, printers, routers and other equipment connected to the Internet. Each month Shodan gathers information around the clock from roughly 500 million servers.
Shodan indexes only network-connected devices. Many of these devices should never be reachable from the Internet, but through the negligence or laziness of local network administrators they are simply cabled into the same network as ordinary personal computers: car wash machines, temperature controllers, traffic surveillance cameras, heating systems, routers, printers, cameras, servers and so on. Users can find these devices through Shodan, and because most of them are unprotected, critical information can be obtained from them and control gained. Hackers can use Shodan to find numerous servers behind weak firewalls, set up backdoors and turn them into botnets for cyber attacks.
Shodan works well with basic, single-term searches. Here are the basic search filters you can use:
- city: find devices in a particular city
- country: find devices in a particular country
- geo: you can pass it coordinates
- hostname: find values that match the hostname
- net: search based on an IP address or a /x CIDR range
- os: search based on an operating system
- port: find particular ports that are open
- before/after: find results within a timeframe
Below is the list of Shodan filters compiled by Javier Olmedo.
General Filters
Name | Description | Type |
---|---|---|
after | Only show results after the given date (dd/mm/yyyy) | string |
asn | Autonomous system number | string |
before | Only show results before the given date (dd/mm/yyyy) | string |
category | Available categories: ics, malware | string |
city | Name of the city | string |
country | The 2-letter country code | string |
geo | Accepts between 2 and 4 parameters. If 2 parameters: latitude, longitude. If 3 parameters: latitude, longitude, range. If 4 parameters: top left latitude, top left longitude, bottom right latitude, bottom right longitude. | string |
hash | Hash of the data property | integer |
has_ipv6 | True / False | boolean |
has_screenshot | True / False | boolean |
hostname | A full hostname for the device | string |
ip | Alias for the net filter | string |
isp | ISP managing the netblock | string |
net | Network range in CIDR notation (ex. 199.4.1.0/24) | string |
org | The organization assigned the netblock | string |
os | Operating system | string |
port | Port number for the service | integer |
postal | Postal code (US-only) | string |
product | Name of the software/product providing the banner | string |
region | Name of the region/state | string |
state | Alias for region | string |
version | Version of the product | string |
vuln | CVE ID for a vulnerability | string |
HTTP Filters
Name | Description | Type |
---|---|---|
http.component | Name of web technology used on the website | string |
http.component_category | Category of web components used on the website | string |
http.html | HTML of web banners | string |
http.html_hash | Hash of the website HTML | integer |
http.status | Response status code | integer |
http.title | Title of the website in the web banner | string |
NTP Filters
Name | Description | Type |
---|---|---|
ntp.ip | IP addresses returned by monlist | string |
ntp.ip_count | Number of IPs returned by initial monlist | integer |
ntp.more | True/ False; whether there are more IP addresses to be gathered from monlist | boolean |
ntp.port | Port used by IP addresses in monlist | integer |
SSL Filters
Name | Description | Type |
---|---|---|
has_ssl | True / False | boolean |
ssl | Search all SSL data | string |
ssl.alpn | Application layer protocols such as HTTP/2 (“h2”) | string |
ssl.chain_count | Number of certificates in the chain | integer |
ssl.version | Possible values: SSLv2, SSLv3, TLSv1,TLSv1.1, TLSv1.2 | string |
ssl.cert.alg | Certificate algorithm | string |
ssl.cert.expired | True / False | boolean |
ssl.cert.extension | Names of extensions in the certificate | string |
ssl.cert.serial | Serial number as an integer or hexadecimal string | integer / string |
ssl.cert.pubkey.bits | Number of bits in the public key | integer |
ssl.cert.pubkey.type | Public key type | string |
ssl.cipher.version | SSL version of the preferred cipher | string |
ssl.cipher.bits | Number of bits in the preferred cipher | integer |
ssl.cipher.name | Name of the preferred cipher | string |
Telnet Filters
Name | Description | Type |
---|---|---|
telnet.option | Search all the options | string |
telnet.do | The server requests that the client support these options | string |
telnet.dont | The server requests that the client not support these options | string |
telnet.will | The server supports these options | string |
telnet.wont | The server doesn’t support these options | string |
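Putting the filters above to work for an exposure audit of your own address space: the following added example (not code from the page's author or from Shodan) composes a query string from the documented filter names and value formats, then triages a result set. No API call is made; `SAMPLE_MATCHES` is a constructed stand-in for the `matches` list a Shodan search returns, and the port list in `triage` is an assumed set of remote-management services.

```python
# Added example (not from the page's author): compose a Shodan query from the
# filters listed above and triage a result set. The API call is not made here;
# SAMPLE_MATCHES is a constructed stand-in for the "matches" list Shodan returns.
import ipaddress
from datetime import datetime

# Filter -> expected value kind, taken from the filter tables on this page.
FILTER_KINDS = {"net": "cidr", "port": int, "org": str, "country": str,
                "product": str, "vuln": str, "after": "date", "before": "date",
                "ssl.cert.expired": bool, "http.title": str}

def build_query(*terms, **filters):
    """Return a Shodan query string, validating each filter against its kind."""
    parts = list(terms)
    for name, value in filters.items():
        kind = FILTER_KINDS.get(name)
        if kind is None:
            raise ValueError(f"unknown filter: {name}")
        if kind == "cidr":
            ipaddress.ip_network(value, strict=False)  # raises on a bad range
        elif kind == "date":
            datetime.strptime(value, "%d/%m/%Y")       # dd/mm/yyyy as documented
        elif kind is bool:
            value = str(bool(value)).lower()           # true / false
        elif kind is int:
            value = int(value)
        value = str(value)
        parts.append(f'{name}:"{value}"' if " " in value else f"{name}:{value}")
    return " ".join(parts)

def triage(matches, watch_ports=(23, 3389, 5900)):
    """List (ip, port, reasons) for results an owner should review first."""
    findings = []
    for m in matches:
        reasons = []
        if m.get("port") in watch_ports:               # assumed watch list
            reasons.append("remote-management service exposed")
        if m.get("ssl", {}).get("cert", {}).get("expired"):
            reasons.append("expired TLS certificate")
        if reasons:
            findings.append((m["ip_str"], m["port"], reasons))
    return findings

# Constructed sample in the shape of Shodan "matches" entries (RFC 5737 addresses).
SAMPLE_MATCHES = [
    {"ip_str": "198.51.100.10", "port": 443, "ssl": {"cert": {"expired": True}}},
    {"ip_str": "198.51.100.12", "port": 23, "product": "Telnet"},
    {"ip_str": "198.51.100.20", "port": 80, "product": "Apache httpd"},
]
```

Run `build_query(net="198.51.100.0/24", after="01/01/2023", port=23)` to get a query for a single netblock, and pass the `matches` from the real API response to `triage` to get the review list.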