
What is Shodan

What is shodan.io. Shodan is not a hacking tool. It can be used by pentesters, CSIRTs, SOCs or within a vulnerability management process.



  1. WHAT IS SHODAN.IO? The search engine for refrigerators. 27-Jul-17, Koen Van Impe – koen.vanimpe@cudeso.be
  2. What is Shodan.IO?
     • A search engine
     • Of devices and applications
     • That crawls the internet (just like Google)
     • Parses the banners returned by devices and applications
     • No "vulnerability scanning": it parses what is publicly available
     • And lets you search its database (just like Google)
     • Filter the data for country, strings, networks
     • You can use it for good or bad (just like Google)
     • Manual queries
     • Use the API: automation, and include it in your own tools
  3. What is Shodan.IO? (screenshot)
  4. Free, or for a limited fee
     • Basic usage is free
     • Limited results
     • Limited filters
     • Membership for $49
     • Improved API plan
     • Access to, for example, Shodan Images
     • Download search results
  5. Don't put it on the Internet!
     • Shodan does not hack your systems!
     • What could possibly go wrong if we connect it to the net?
     • Internet connected, unprotected -> Shodan can find it
     • Many of these devices shouldn't even be online at all!
     • Firewalled -> Shodan cannot find it
     • Search query
     • Simple banner string
     • Refine the results with 2-3 steps
     • Goldmine!
  6. Showcase: the scary stuff
     • Let's search for "a thing"
     • Honeywell
     • Building / housing
     • "Connected Services"
     • Network connector to "physical" device
  7. Search results
     • Search for "Honeywell Building Network Adapter (BNA)"
  8. Refine results / 1
     • Refine for country:be
  9. Refine results / 2
     • Refine for only telnet
     • Available filters
       • city:
       • country:
       • geo:
       • hostname:
       • net:
       • os:
       • port:
       • before:/after:
  10. Inspect results
     • Zoom in on one host
     • Open network ports and services
     • With banner details
     • Geomap
  11. Zoom further
     • Even Google insists!
  12. Read the manual
     • PDF available on the Honeywell website
     • Seriously???
  13. Verify, but don't abuse
     • 2 search queries
       • Shodan
       • Google
     • One PDF with vendor information
     • One connection attempt: torify telnet <ip>
     • 5' work
  14. It's not hacking!
     • Every tool can be either used or abused
     • It's not about vulnerabilities. It's about misconfiguration.
     • Or negligence
     • Google is not a hacking tool either!
     • Google Dorks
     • Neither is curl
  15. Prepared queries (screenshot)
  16. Shodan Images (screenshot)
  17. Shodan ICS Radar (screenshot)
  18. API
     • Python library
  19. Why would you use the API?
     • Useful for pentesters
       • Passive reconnaissance
     • CSIRTs or SOCs
       • Monitor their constituency
     • Vulnerability management
       • Get alerted when your device is listed
  20. Make Shodan work for you!
     • Use the API
     • Scan your networks for newly detected services
     • Query the Shodan API for new services in your network
     • Have they been detected by your vulnerability scanner?
     • What is the rating of your vulnerability on the disclosed services?
     • High rating + Shodan: create trouble ticket
     • Verify if firewall rules are correct
     • Don't do security by obscurity by changing banner strings
     • Fix the ACL
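The defender's workflow on slides 19 and 20 (query Shodan for your own net: range, check whether your vulnerability scanner already knows each exposed service, compare against what the firewall should allow, and open a ticket when the rating is high), written out as an added Python example. This is not code from the slides or from the shodan library. The filter names are the ones listed on slide 9; the result records follow the shape the shodan library's search() returns (ip_str, port, transport, product), but the matches, the known-service inventory, the scanner ratings and the ACL below are all constructed so the script runs offline, and the live API call is only shown as a comment.

```python
"""Turn a Shodan search result into an inventory check for your own network.

Constructed example: the records below imitate the shape of the 'matches' list
returned by shodan.Shodan(API_KEY).search(query); no network call is made.
"""
from ipaddress import ip_address, ip_network

# Filters listed on slide 9; anything else is rejected so a typo cannot silently
# widen the query (Shodan would just treat an unknown token as free text).
SHODAN_FILTERS = {"city", "country", "geo", "hostname", "net", "os", "port", "before", "after"}


def build_query(base: str = "", **filters: str) -> str:
    """Compose a Shodan query string, e.g. build_query("telnet", net="203.0.113.0/24", port="23")."""
    parts = [base.strip()] if base.strip() else []
    for name, value in filters.items():
        if name not in SHODAN_FILTERS:
            raise ValueError(f"unsupported Shodan filter: {name}")
        value = str(value)
        if " " in value:           # multi-word values must be quoted to stay one term
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    return " ".join(parts)


# Constructed sample of api.search(query)["matches"] (subset of keys only).
# Live use would be:  shodan.Shodan(API_KEY).search(build_query(net=str(OUR_NETWORK)))["matches"]
SHODAN_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "203.0.113.10", "port": 23, "transport": "tcp", "product": "telnetd"},
    {"ip_str": "203.0.113.25", "port": 22, "transport": "tcp", "product": "OpenSSH"},
    {"ip_str": "203.0.113.30", "port": 8080, "transport": "tcp", "product": "http"},
    {"ip_str": "198.51.100.5", "port": 80, "transport": "tcp", "product": "http"},  # not ours
]

OUR_NETWORK = ip_network("203.0.113.0/24")          # constructed: the range we are responsible for

# Constructed: what our own vulnerability scanner already lists, with its rating per service.
SCANNER_RATING = {
    ("203.0.113.10", 443): 4.3,
    ("203.0.113.25", 22): 2.0,
    ("203.0.113.30", 8080): 9.8,
}

# Constructed: services the firewall ACL is supposed to expose to the Internet.
ALLOWED_BY_ACL = {("203.0.113.10", 443), ("203.0.113.30", 8080)}

HIGH_RATING = 7.0   # threshold above which slide 20 says to create a trouble ticket


def services_in_scope(matches, network):
    """(ip, port) pairs inside our network. The net: filter already does this server-side,
    but re-checking catches a mistyped or stale query before we act on foreign hosts."""
    return {(m["ip_str"], int(m["port"])) for m in matches if ip_address(m["ip_str"]) in network}


def triage(matches, ratings, allowed, network, high=HIGH_RATING):
    """Apply the slide 20 checks to one Shodan result set.

    new_services : Shodan sees them, the scanner does not -> schedule a scan
    acl_gaps     : reachable from the Internet although the ACL should block them -> fix the ACL
    tickets      : known services whose rating is high -> open a trouble ticket
    """
    exposed = services_in_scope(matches, network)
    known = set(ratings)
    return {
        "new_services": exposed - known,
        "acl_gaps": exposed - allowed,
        "tickets": {svc for svc in exposed & known if ratings[svc] >= high},
    }


if __name__ == "__main__":
    print("query:", build_query("telnet", net=str(OUR_NETWORK), port="23"))
    for action, services in triage(SHODAN_MATCHES, SCANNER_RATING, ALLOWED_BY_ACL, OUR_NETWORK).items():
        print(f"{action:13s}", sorted(services))
```

The telnet service on 203.0.113.10 is the interesting case from the talk: it is invisible to the scanner, so it lands in new_services and in acl_gaps at once, and the right response is the one on slide 20, fix the ACL rather than change the banner string.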
