Analyzing Public Infrastructure with Shodan
Safety Search
Lead Image © Maksym Yemelyanov, 123RF.com
Every pen test begins with information gathering. Give yourself a head start with the Shodan search engine and its powerful toolkit.
Before exploiting a target, a pen tester needs to know something about how to get inside. Without this information, the exploiter has a slim chance of compromising the target, even if the target is vulnerable.
Information gathering isn't just important to pen testers; it is also essential for other industries. For instance, police often need to gather information on a network and its vulnerabilities before confirming that someone actually committed a crime.
In recent times, many tools have emerged to enable system administrators to determine whether their infrastructure is well-configured and not exposed to potential attack. One good example is Shodan.
Shodan [1] is a search engine that enables users to search for various types of exposed servers using filters (Figure 1). It has been called a search engine for hackers, because threat actors often use Shodan to search for exposed database servers, webcams, and other similar targets. However, the primary purpose of Shodan is to provide information to system administrators on potential vulnerabilities. According to the website [1], Shodan provides "…a comprehensive view of all exposed services to help you stay secure."
A Closer Look
Shodan was founded by John Matherly in 2009 to display devices connected to the Internet. The name Shodan refers to a character in the System Shock video game series.
First and foremost, Shodan is a search engine – just like Google. Instead of searching the web for general information matching a search phrase, Shodan allows you to search for "exposed" database servers, webcams, web servers, or other devices.
Under the hood, Shodan uses various filters to search for a specific type of device by device type, location, or other criteria. The Shodan search tool is quite similar to Google Dorks, where the user can employ specific syntax to search for documents on the web.
Shodan mostly collects data on web servers (HTTP/HTTPS – ports 80, 8080, 443, 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), IMAP (port 143, or port 993 for encrypted), SMTP (port 25), SIP (port 5060), and Real Time Streaming Protocol (RTSP, port 554). (RTSP is often used to access webcams and their video streams, which are frequently left unprotected.)
The Shodan website provides access to a number of different tools [2]. The search engine and some of the other basic utilities are provided free for non-commercial uses. Subscription options are available for commercial uses, depending on your organization and your level of use (Figure 2).
Shodan Search
Shodan search is the main search engine that makes this information available to users. The search engine keeps track of all your devices that are accessible from the Internet. Therefore, you can rely on the Shodan search engine to check if your private services are accessible from the Internet due to misconfiguration.
You have the option to create an account when using the Shodan search engine and other products; it is also possible to use some of the more basic tools without an account.
The sidebar entitled "Filters" shows the search filters offered by Shodan. You could use the following command to search for NGINX servers (Figure 3):
product:"nginx"
The following command will search within a specific country (Figure 4); the country filter takes a two-letter country code, whereas the isp filter expects a provider's name:
country:"DE"
To search for Windows workstations with Remote Desktop Protocol accessible on port 3389 (Figure 5), use the following command:
os:Windows port:3389
Other Shodan Tools
Shodan also provides other tools for maintaining the security of your website. Shodan Images takes screenshots of devices connected to the Internet. The Shodan developer API provides access to all services offered by Shodan. The InternetDB API displays open ports for the specified IP address. The CVEDB API offers insights into vulnerabilities.
For a detailed list of products, see the Shodan Products page [2].
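The misconfiguration check described under Shodan Search can be automated against the InternetDB API for addresses you administer. The following is an added example, not code from the article or from Shodan: the audit() helper, the allowlist, and the sample record are assumptions constructed for illustration, and the port names come from the list earlier in this article.

```python
import json
import urllib.error
import urllib.request

# Port-to-service names as listed in the article, plus RDP from the search example.
SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP",
            143: "IMAP", 161: "SNMP", 443: "HTTPS", 554: "RTSP", 993: "IMAPS",
            3389: "RDP", 5060: "SIP", 8080: "HTTP", 8443: "HTTPS"}

def fetch_internetdb(ip, timeout=10):
    """Fetch the InternetDB record for one of your own addresses (no API key)."""
    url = f"https://internetdb.shodan.io/{ip}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:          # InternetDB holds no data for this address
            return {"ip": ip, "ports": [], "vulns": []}
        raise

def audit(record, allowed_ports):
    """Compare what Shodan has indexed with the ports you intend to expose."""
    seen = set(record.get("ports", []))
    allowed = set(allowed_ports)
    return {
        "ip": record.get("ip"),
        # Indexed by Shodan but not on the allowlist: likely misconfiguration.
        "unexpected": [(p, SERVICES.get(p, "unknown")) for p in sorted(seen - allowed)],
        # Allowed but not indexed: firewalled, down, or not yet crawled.
        "not_seen": sorted(allowed - seen),
        "vulns": sorted(record.get("vulns", [])),
    }

# Constructed sample record in the shape InternetDB returns (documentation address).
SAMPLE = json.loads("""
{"cpes": [], "hostnames": ["www.example.org"], "ip": "192.0.2.10",
 "ports": [22, 443, 554, 3389], "tags": [], "vulns": []}
""")

if __name__ == "__main__":
    # Offline run on the sample; replace SAMPLE with fetch_internetdb("<your IP>").
    report = audit(SAMPLE, allowed_ports={443})
    for port, name in report["unexpected"]:
        print(f"{report['ip']}: port {port} ({name}) is exposed but not allowed")
```

Run it on a schedule for each public address you own and alert when "unexpected" is non-empty; InternetDB data lags behind live scans, so an empty result does not replace a direct port scan of your own hosts.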
