What Shodan Is and How to Use It Most Effectively

Jim Wilson
Posted: June 17, 2019

No security expert can afford to ignore the challenges of an ever-expanding Internet of Things (IoT) landscape. There are already over 10 billion connected devices active today, and that figure is expected to reach 64 billion by 2025.

While those devices benefit businesses and consumers immensely, leading to a $3 trillion IoT market, protecting all those endpoints won’t be easy. One of the primary challenges of IoT security is awareness: how do you keep track of vulnerabilities across millions of endpoints?

That’s where an online tool known as Shodan comes into play. But what is Shodan, and how does it work?

What Is Shodan Exactly?

You certainly know what Google is: it’s a search engine that finds websites. However, it only scratches the surface of what we can find on the Internet. Just because something isn’t on Google doesn’t mean it’s unfindable.

Shodan is also a search engine, but one designed specifically for IoT devices. It scours the invisible parts of the Internet most people won’t ever see. Any connected device can show up in a search, including:

  • Servers
  • Printers
  • Webcams
  • Traffic lights
  • Security cameras
  • Control systems

Shodan runs its scans 24/7, ensuring all its data is up to date. While most regular Internet users won’t need Shodan, cybersecurity experts, academic researchers, and government agencies are among the most active users of the engine.

How Shodan Works

The Algorithm

Shodan (Sentient Hyper-Optimized Data Access Network) is often referred to as the world’s first search engine for Internet-connected devices. In a nutshell, the algorithm Shodan uses runs like this:

  1. Generate a random IPv4 address.
  2. Collect a real-time list of connected devices online.
  3. Query a supported port.
  4. Check the IPv4 address on the port.
  5. Grab a service banner.
  6. Repeat.

Shodan has picked up support for IPv6 addresses, but you won’t see those as often as IPv4 for a while.

The Service Banner

The service banners referred to in step 5 above contain all the metadata related to a specific device. For example, through the service banner, Shodan can report an IoT device’s:

  • Geographic location
  • Default usernames and passwords
  • IP address
  • Software version
  • Make and model
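
As an added illustration (not code from the original article or from Shodan), the Python example below parses a few constructed banners and lists the product and version strings each one discloses. A defender can run the same check against banners from their own services after hardening. The addresses and product names such as ExampleCam are made up for the example.

```python
import re

# Constructed banners for illustration (documentation IP range, made-up products).
SAMPLE_BANNERS = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_7.4\r\n"),
    ("192.0.2.11", 80, 'HTTP/1.1 401 Unauthorized\r\nServer: ExampleCam-httpd/1.2.3\r\n'
                       'WWW-Authenticate: Basic realm="ExampleCam X100"\r\n\r\n'),
    ("192.0.2.12", 21, "220 ExampleFTPd 2.0.1 ready\r\n"),
    ("192.0.2.13", 80, "HTTP/1.1 200 OK\r\nServer: webserver\r\n\r\n"),
]

SSH_RE = re.compile(r"^SSH-[\d.]+-([^\s_]+)(?:_(\S+))?")
SERVER_RE = re.compile(r"^Server:\s*([^/\s]+)(?:/(\S+))?", re.I | re.M)
REALM_RE = re.compile(r'^WWW-Authenticate:.*realm="([^"]*)"', re.I | re.M)
FTP_RE = re.compile(r"^220[ -](\S+)(?:\s+v?(\d+(?:\.\d+)+))?")


def parse_banner(banner):
    """Return the product, version and realm a banner discloses (None if absent)."""
    info = {"product": None, "version": None, "realm": None}
    if banner.startswith("SSH-"):          # SSH identification string
        m = SSH_RE.match(banner)
    elif banner.startswith("HTTP/"):       # HTTP response headers
        m = SERVER_RE.search(banner)
        realm = REALM_RE.search(banner)
        info["realm"] = realm.group(1) if realm else None
    else:                                  # treat anything else as an FTP-style greeting
        m = FTP_RE.match(banner)
    if m:
        info["product"], info["version"] = m.group(1), m.group(2)
    return info


def version_disclosures(banners):
    """List (ip, port, product, version) for every banner that leaks a version."""
    found = []
    for ip, port, banner in banners:
        info = parse_banner(banner)
        if info["version"]:
            found.append((ip, port, info["product"], info["version"]))
    return found


if __name__ == "__main__":
    for row in version_disclosures(SAMPLE_BANNERS):
        print("%s:%d discloses %s %s" % row)
```

The fourth sample shows the hardened case: a generic Server header with no version yields no finding.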

The Ports

These are the ports that Shodan scans for:

  • Port 554 – Real Time Streaming Protocol
  • Port 5060 – SIP
  • Port 25 – SMTP
  • Port 161 – SNMP
  • Port 23 – Telnet
  • Port 993 – IMAP
  • Port 22 – SSH
  • Port 21 – FTP
  • Ports 8443, 443, 8080, and 80 – HTTPS/HTTP

These port scans allow Shodan to give you insights into more than just web content. With just a quick search, you can explore the wider IoT and spot key vulnerabilities in connected devices.

How Is Shodan Legal?

If all of this sounds rather scary to you, you’re not alone.

Upon launch, many news reports, including one by CNN Business, referred to Shodan as “the scariest search engine on the Internet.” From a consumer perspective, a search engine that provides such deep user and device-level insights should be a privacy concern, if not a legal or ethical dilemma.

However, Shodan is completely legal and does not breach the US government’s Computer Fraud and Abuse Act. On its own, the service only collects data that was already available to the public. The metadata for various IoT devices is already broadcast online, and Shodan simply reports what it finds.

Should I Be Worried?

While it may be legal, is it safe? Rest assured, you won’t have to worry about a cybercriminal hacking your devices using Shodan, assuming:

  • You change the default login credentials for all your Internet-connected devices. Shodan does report the default login information.
  • You disable port forwarding and remote management on your routers.
  • You keep the software on all your devices up to date.
  • You are aware of the risks when you connect a new device to the Internet.

Can Shodan Help Me Stay Safe?

Indeed, it can and should. Security professionals know better than to see Shodan as simply a tool for black hat hackers. When used properly and ethically, Shodan can be an invaluable tool to improve vulnerability assessment and penetration testing as the IoT continues to expand. As the CNN article linked above mentions, Shodan is “almost exclusively used for good.”

If anything, the vast number of unsecured devices found on the search engine is a wake-up call to individuals and businesses that we have massive digital security risks in our daily lives that need to be addressed. Security should no longer be considered an afterthought in today’s connected society.

Using Shodan to Improve Enterprise Security

Vulnerability Detection

Shodan is a primary resource for vulnerability assessment and penetration testing due to its banner grabbing capabilities. To dig deeper into potential vulnerabilities across your network of endpoints, you can take advantage of the various filters that Shodan offers. When searching in Shodan, you can filter by:

  • Geography (country, city, coordinates)
  • Hostname
  • Network (IP or /x CIDR)
  • Port
  • Operating system
  • Time frame

With these, you can easily search your network for open ports, default credentials, and unnecessary online connections that are making your network vulnerable to attacks.

Cybersecurity Awareness

But Shodan isn’t all about scanning for digital weak points in your network. When security researchers uncover new, sophisticated exploits, Shodan enables you to search for those known vulnerabilities across your connected devices to ensure that any steps you’ve taken for remediation were 100% effective.

Shodan API

If you want to make the most of Shodan, you need to go beyond the web interface. The Shodan API enables you to request and receive data from the search engine directly, automating some of your security operations. As the IoT continues to scale exponentially, you’ll need to automate as many VA/PT operations as possible to keep pace with growing security demands.
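
The filters listed under Vulnerability Detection and the API combine naturally into an exposure audit of a network you own. The following Python example is added here and is not from the original article: it builds a query from the net, port and country filters and compares results against an approved list. The sample records are constructed; the `ip_str` and `port` fields follow Shodan search results, while the approved list and the address ranges are assumptions.

```python
import ipaddress

# Ports from the article's list that should rarely face the Internet.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 161: "SNMP", 554: "RTSP"}


def build_query(cidr, port=None, country=None):
    """Compose a Shodan search query from the net, port and country filters."""
    ipaddress.ip_network(cidr)  # raises ValueError on a malformed range
    parts = ["net:%s" % cidr]
    if port is not None:
        parts.append("port:%d" % port)
    if country:
        parts.append("country:%s" % country)
    return " ".join(parts)


def fetch_matches(api_key, query):
    """Live lookup through the official `shodan` package (needs network and a key)."""
    import shodan  # imported lazily so the audit below runs offline
    return shodan.Shodan(api_key).search(query)["matches"]


def audit(matches, owned_cidr, approved):
    """Compare Shodan matches for an owned range against approved (ip, port) pairs."""
    net = ipaddress.ip_network(owned_cidr)
    findings = []
    for m in matches:
        ip, port = m["ip_str"], m["port"]
        if ipaddress.ip_address(ip) not in net:
            continue  # ignore hosts outside the range you own
        if port in RISKY_PORTS:
            findings.append((ip, port, "risky service: " + RISKY_PORTS[port]))
        elif (ip, port) not in approved:
            findings.append((ip, port, "unapproved exposure"))
    return sorted(findings)


# Constructed records in the shape of Shodan search results (documentation ranges).
SAMPLE_MATCHES = [
    {"ip_str": "198.51.100.5", "port": 443, "product": "nginx"},
    {"ip_str": "198.51.100.9", "port": 23, "product": None},
    {"ip_str": "198.51.100.20", "port": 8080, "product": "ExampleCam-httpd"},
    {"ip_str": "203.0.113.7", "port": 22, "product": "OpenSSH"},
]
APPROVED = {("198.51.100.5", 443)}

if __name__ == "__main__":
    print(build_query("198.51.100.0/24"), audit(SAMPLE_MATCHES, "198.51.100.0/24", APPROVED))
```

With a real key, pass `fetch_matches(key, build_query(cidr))` to `audit` in place of the sample records.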

What Other Features Does Shodan Offer?

Result Mapping

In some cases, a visual is easier to read and gives more information than plain text. See hundreds of results in one screen and differentiate each by location at a glance with Shodan’s Maps feature.

Exploit Tracking

Shodan collects various digital exploits and vulnerabilities from sources like Exploit DB, CVE, and Metasploit and provides them through a web search interface.

Status Reports

For any search query, you can take a snapshot of how the search results are distributed online at that time. The free reports Shodan generates provide a general overview of the results shown through detailed graphs and charts.

Community-Generated Searches

Not exactly sure what you’re looking for or where to start? Your first stop when picking up Shodan for the first time should probably be the shared searches directory. Here, users can mark and share certain search queries they find interesting or useful. Keep in mind that any searches you share become publicly available.

Integrations

You can use Shodan alongside other external tools as well, including:

  • Web browser plugins compatible with Chrome and Firefox.
  • Maltego, an open-source application for exploring large amounts of data.
  • Command-line interface, packaged with Shodan’s own set of commands.

What Is the Shodan Enterprise Data License?

For many enterprise security professionals, the ability to automate tasks with the Shodan API simply won’t be enough to maximize efficiency in vulnerability assessment or penetration testing for the IoT. For larger-scale cases, the Shodan Enterprise Data License gives you the features you need to secure your network:

  • Bulk Data Feed: Build your own database of internet-connected devices by downloading all data from Shodan.
  • On-Demand Screening: Scan networks as granular as individual IPs up to the entire global network of connected devices to gather as much data as possible.
  • Unlimited Access: Give your entire organization access to the deep insights that Shodan can provide about connected devices in both your network and beyond.

Shodan: Free vs. Paid?

Best of all, you can access Shodan’s benefits regardless of whether you are a simple freelancer, a small business, or a large enterprise. Shodan offers flexible payment options with features to scale.

  • Freelancer: Get basic but valuable coverage with a million searches and up to 5,120 IPs a month with network monitoring.
  • Small Business: For an extra cost, expand your operations to 20 million searches a month covering 65,536 IPs. You also gain access to Shodan’s vulnerability search filter.
  • Corporate: For the ultimate coverage for high-end businesses, get unlimited results with 300,000 IPs a month. Exclusive features include bulk IP lookups and other upgrades. It’s not cheap, but it’s incredibly powerful.

What’s the Takeaway?

IoT connectivity has grown at a rate that has outpaced security capabilities in an effort to support omnichannel customer experiences and digital business initiatives. Trying to force perimeter defenses to cover the wide array of IoT vulnerabilities just isn’t feasible.

With Shodan, you can gain the insights necessary to streamline security planning. If you or your business hasn’t taken advantage of this IoT search engine, now is the perfect time to start.