The Shodan search engine lets users find specific types of computers, SCADA (supervisory control and data acquisition) hardware, and applications with network addresses. It can be considered a modern vulnerability assessment tool for network professionals. Shodan scans the Internet and parses the identification and other information returned by various devices. Using this data, it can determine which databases and versions are the most popular, how many webcams there are in a particular location, and the manufacturers and models of these devices. While it is believed that websites such as Shodan may give hackers easy access to vulnerabilities, network and security personnel need to know as much as attackers do in order to build effective defenses. Learning how to use Shodan to find vulnerabilities therefore benefits them as well.
How to do a simple search in Shodan?

Before learning how to use Shodan for vulnerability assessment, let's first learn how to perform a simple search. First, open the Shodan website and enter a value in the search box. For example, you may be using a Mongo database and want to see what search results there are. After the search is complete, summary data is displayed on the left side of the page:

Total searches: 2,861
The country with the largest number of
Total number of services: 2,205

You can also search for specific versions of software (such as Mongo 3.4), locations, or other special properties. Scrolling down the page displays more search results. Let's take a moment to look at some of the main ones in detail. Note that each item in the main area of the page contains more detailed information about the specific item. This includes: the IP address; the host name; the Internet service provider (ISP); the time the entry was added to the database; the country where the entry is located; and the banner.

Now, let's go back to the example above and notice that the database name is DB_H4CK3D. This database appears to have been compromised by a hacker. The hacker searched for an exploitable MongoDB server, copied and deleted the database, and left a message asking for Bitcoin to redeem the database. This tactic has been repeated hundreds of times since the beginning of 2017. Again, this tactic has been used to compromise and steal 2 million records from more than 820,000 accounts. Although MongoDB supports Internet-connected databases by default, older versions do not enable any authentication. This is scary because MongoDB software has more than 20 million downloads and is one of the fastest growing databases for operational data.

Click on the IP address in the Shodan search results to view more details.
When you select a host, you can see information such as the list of discovered ports, details of each port, the banner, the server location, the ISP, and so on, and a map marking its location is also displayed. The following figure is an example:

How to perform an advanced search on Shodan?

We have introduced the basic usage of the Shodan computer search engine. Now, let's learn how to use Shodan for advanced search. Its advanced search function is really outstanding. Note: Users need to register an account before using advanced search. After logging in, users can use the following search options:

Title: Searches the content within the HTML title tag (<title>).
HTML: Searches all HTML content in the returned pages.
Products: Searches for the name of the software or product mentioned in the banner.
Network segment: Searches for a specific network segment, for example 4.2.2.2/8.
Version: Searches for the version number of the product.
Port: Searches for the specified port or ports.
Country: Searches for results in a specific country.
City: Searches for results in a specific city.

For example, suppose an organization has multiple locations in Houston and we are concerned that some of them may still be running unpatched, vulnerable network services. In this case, I would enter: jboss 5.0 country:"US" city:"houston" in the advanced search. This search found 48 results in Houston running JBoss 5.0. I chose this example because last year 3.2 million servers were found to have older versions of JBoss installed that could have been vulnerable to the SamSam ransomware. This example should give us a good idea of how to use Shodan and the types of information it can search for.

You may want to know what other people are searching for, so let's look at some popular search terms. Notice that the recent search list above includes the words: webcam, camera, SCADA, FTP, and server. The SCADA search should be interesting.
SCADA devices are industrial control products that manage power grids, hydroelectric power plants, oil and gas pipelines, wastewater treatment plants, and oil pumping stations. SCADA devices are also potential targets for cyberattacks, where foreign hackers may attempt to cut off power or damage other critical infrastructure. I recommend that everyone learn how to use Shodan to view the status of their network.
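The advanced-search options and the Houston JBoss query described above, turned into a self-assessment helper. This is an added example, not code from the article or from Shodan. It assumes the filter keywords title, html, product, net, version, port, country and city, and result records that carry the ip_str, port, product and version fields; the sample records and the owned network 192.0.2.0/24 are constructed.

```python
import ipaddress

# Shodan filter keywords for the options listed in the article.
FILTERS = ("title", "html", "product", "net", "version", "port", "country", "city")

def build_query(*terms, **filters):
    """Compose a Shodan query from free-text terms and key:value filters."""
    parts = [str(t) for t in terms]
    for key, value in filters.items():
        if key not in FILTERS:
            raise ValueError(f"unsupported filter: {key}")
        if key == "net":
            # strict=False masks stray host bits: 4.2.2.2/8 becomes 4.0.0.0/8
            parts.append(f"net:{ipaddress.ip_network(value, strict=False)}")
        elif key == "port":
            port = int(value)
            if not 0 < port < 65536:
                raise ValueError(f"invalid port: {value}")
            parts.append(f"port:{port}")
        else:
            if '"' in str(value):
                raise ValueError("double quote not allowed in a filter value")
            parts.append(f'{key}:"{value}"')
    return " ".join(parts)

def owned_matches(matches, owned_nets, product, version_prefix):
    """Keep only results inside our own address space that run the watched version."""
    nets = [ipaddress.ip_network(n, strict=False) for n in owned_nets]
    hits = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        name, ver = m.get("product") or "", m.get("version") or ""
        if not any(ip in n for n in nets):
            continue  # not our host: out of scope for this assessment
        if product.lower() in name.lower() and ver.startswith(version_prefix):
            hits.append((str(ip), m["port"], ver))
    return sorted(hits)

# Constructed sample records (documentation address ranges, not real scan data).
SAMPLE = [
    {"ip_str": "192.0.2.15", "port": 8080, "product": "JBoss", "version": "5.0"},
    {"ip_str": "192.0.2.40", "port": 8080, "product": "JBoss", "version": "7.1"},
    {"ip_str": "192.0.2.77", "port": 8080, "product": "JBoss"},  # no version seen
    {"ip_str": "198.51.100.7", "port": 8080, "product": "JBoss", "version": "5.0"},
]

if __name__ == "__main__":
    print(build_query("jboss", "5.0", country="US", city="houston"))
    print(owned_matches(SAMPLE, ["192.0.2.0/24"], "jboss", "5.0"))
```

Hosts that report no version, such as 192.0.2.77 in the sample, are not flagged by the version match and need a separate manual check.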