Matthew At Code Repair
Source: http://www.exploit-db.com/wp-content/themes/exploit/docs/33859.pdf
0x00 Overview
This article is intended as a guide for penetration testers and security staff on using the Shodan search engine, explaining how it works and how it can support security audits. It describes the steps and methods for finding large numbers of exposed Internet services and devices, introduces Shodan's basic filter syntax, and shows how to use Shodan together with other tools. It applies mainly to the information-gathering phase of a penetration test.
0x01 Introduction
Shodan is a search engine designed to help discover exposed and vulnerable Internet-facing systems, including routers, switches, industrial control systems and more. It is as well known in security circles as Google. It works by collecting the banners (metadata) that servers send to connecting clients, and it currently offers searches across more than 50 ports.
Equipment Shodan is able to find:
1. Servers
2. Routers
3. Switches
4. Printers on public IP addresses
5. Webcams
6. Pumps at gas stations
7. VoIP phones and all kinds of data acquisition and monitoring systems
What Shodan can do:
1. The user searches for a specified item
2. Shodan finds open ports and grabs the data (banners) they return
3. Shodan indexes the grabbed data
4. Shodan displays results based on that index
Differences between Shodan and Google:
Google's crawler/spider crawls web pages and indexes their content, then displays results ranked by PageRank. Shodan instead finds open ports, grabs the banner data they return, indexes it and displays the results. Shodan does not index web content the way Google does, so it is a banner-based search engine.
0x02 Basic Usage
City: Used to find devices located in the specified city. Example:
    iis city:"New York"
Country: Used to find devices in the specified country. Example:
    iis country:"United States"
Port: Used to find devices with the specified port open. Example:
    https port:443
Os: Used to find devices running a specific operating system. Example:
    microsoft-iis os:"windows 2003"
Geo: Returns results within a radius of the given latitude and longitude. It takes two or three arguments; the optional third argument is the radius, which defaults to 5 km. Example:
    apache geo:42.9693,74.1224
Net: Used to find devices within the specified IP range, given as an address and prefix length (CIDR notation). Example:
    iis net:216.0.0.0/16
Hostname: Searches for hosts whose hostname contains the specified domain. Example:
    Akamai hostname:.com
After and Before: Find devices whose banner was collected within the specified date range. Format: DD/MM/YYYY or DD-MM-YY. Examples:
    apache before:1/01/2014
    nginx after:1/01/2014
Note: most filters only work after logging in.
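The filters above are easy to get subtly wrong (unquoted values with spaces, a malformed CIDR, an impossible date), and a malformed query silently returns nothing or the wrong thing. The following query builder is an added example written for this page, not code from the original article or from Shodan; it validates each filter value and quotes where needed. The `audit_queries` helper shows the defensive use of these filters: listing what Shodan already holds about your own netblocks and domain. The netblock 203.0.113.0/24 and the domain example.com in the usage are constructed placeholders.

```python
"""Build syntactically valid Shodan search queries from the filters above."""
import ipaddress
import re
from datetime import datetime

TEXT_FILTERS = ("city", "country", "os", "hostname")
DATE_FILTERS = ("after", "before")
_DATE_RE = re.compile(r"^\d{1,2}[/-]\d{1,2}[/-]\d{2,4}$")
_DATE_FORMATS = ("%d/%m/%Y", "%d-%m-%y", "%d/%m/%y", "%d-%m-%Y")


def _quote(value: str) -> str:
    """Wrap a filter value in double quotes when it contains whitespace."""
    return f'"{value}"' if re.search(r"\s", value) else value


def _check_date(value: str) -> str:
    """Accept DD/MM/YYYY or DD-MM-YY (the formats used by after:/before:)."""
    if not _DATE_RE.match(value):
        raise ValueError(f"bad date {value!r}; use DD/MM/YYYY or DD-MM-YY")
    for fmt in _DATE_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return value
        except ValueError:
            continue
    raise ValueError(f"date {value!r} is not a real calendar date")


def build_query(term: str = "", **filters) -> str:
    """Return 'term filter:value ...' after validating every filter value.

    Supported filters are the ones the article lists: city, country, os,
    hostname, port, net, geo, after, before.  Raises ValueError on bad input.
    """
    parts = [term.strip()] if term.strip() else []
    for name, value in filters.items():
        if name in TEXT_FILTERS:
            parts.append(f"{name}:{_quote(str(value))}")
        elif name == "port":
            port = int(value)
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
            parts.append(f"port:{port}")
        elif name == "net":
            # ip_network raises ValueError on a malformed range
            parts.append(f"net:{ipaddress.ip_network(value, strict=False)}")
        elif name == "geo":
            # latitude, longitude and an optional radius
            if not 2 <= len(value) <= 3:
                raise ValueError("geo takes (lat, lon) or (lat, lon, radius)")
            for v in value:
                float(v)  # raises ValueError if not numeric
            parts.append("geo:" + ",".join(str(v) for v in value))
        elif name in DATE_FILTERS:
            parts.append(f"{name}:{_check_date(str(value))}")
        else:
            raise ValueError(f"unknown filter {name!r}")
    return " ".join(parts)


def query_error(term: str = "", **filters):
    """Return the validation error message for a query, or None if it is valid."""
    try:
        build_query(term, **filters)
    except ValueError as exc:
        return str(exc)
    return None


def audit_queries(netblocks, domain, after=None):
    """Queries a defender runs to see what Shodan holds on their own assets.

    One query per owned netblock plus one for the organization's domain,
    optionally limited to banners collected after a given date.
    """
    extra = {"after": after} if after else {}
    queries = [build_query(net=block, **extra) for block in netblocks]
    queries.append(build_query(hostname=domain, **extra))
    return queries


if __name__ == "__main__":
    # constructed placeholder netblock and domain
    for q in audit_queries(["203.0.113.0/24"], "example.com", after="1/01/2014"):
        print(q)
```

Each query string returned can be pasted into the Shodan web UI or passed to the API; keeping validation in one place means an error is raised before a query is sent rather than discovered as an empty result set.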
0x03 Combination of Shodan and other tools
1. Maltego
Download Maltego from http://www.paterva.com/web6/products/download.php. Then download Shodan's Maltego package from static.shodan.io/downloads/S…
Usage:
1. After installing Maltego, open the 'Manage' tab, select 'Manage Entities' and then 'Import'.
2. Select 'Transforms' and then 'Advanced'.
3. Now add the Shodan seed URL https://cetas.paterva.com/TDS/runner/showseed/Shodan.
4. Finally, a window confirms the successful installation.
Note: You need a Shodan API key to use these transforms in Maltego. The API key is available once you log in to your Shodan account.
2. Metasploit
Usage:
1. Open the Metasploit Framework on a Kali/BackTrack box.
2. Enter show auxiliary at the CLI.
3. Load the module with use auxiliary/gather/shodan_search.
4. Use the show options command to view the parameters the module requires.
5. Set the query to IIS to search for IIS servers, and set the API key obtained after logging in to your Shodan account. Then execute the module with the run command.
By default, the auxiliary/gather/shodan_search module queries the Shodan database through the API and returns the top 50 IP addresses. This 50-address limit can be raised to 10,000 by purchasing an unlimited API key.
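Whether the results come from the Metasploit module or directly from the API, a defender's next step is to triage them: which hits are actually inside the organization's own address space, which of those expose a service that should not be public, and whether the result set was cut off (for instance at the 50-IP limit just described). The script below is an added example written for this page, not code from the article, from Metasploit or from Shodan. `SAMPLE_RESULTS` is constructed test data using documentation addresses (RFC 5737) and example.com placeholder hostnames; its field names (`total`, `matches`, `ip_str`, `port`, `data`, `hostnames`) follow the Shodan REST API's search response, and the expected-port table passed to `triage` is an assumed inventory the organization maintains itself.

```python
"""Triage Shodan search results against an organization's own asset list."""
import ipaddress
import re

# Constructed sample in the shape of a Shodan API search response.
# 'total' is larger than the number of 'matches' to model a truncated page.
SAMPLE_RESULTS = {
    "total": 57,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 80, "transport": "tcp",
         "hostnames": ["www.example.com"],
         "data": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n\r\n"},
        {"ip_str": "203.0.113.25", "port": 1433, "transport": "tcp",
         "hostnames": [],
         "data": "constructed placeholder banner without a Server header"},
        {"ip_str": "198.51.100.7", "port": 443, "transport": "tcp",
         "hostnames": ["cdn.example.net"],
         "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    ],
}

_SERVER_RE = re.compile(r"^Server:\s*(.+?)\r?$", re.MULTILINE | re.IGNORECASE)


def server_header(banner: str):
    """Extract the HTTP Server header from a banner, or None if absent."""
    match = _SERVER_RE.search(banner)
    return match.group(1).strip() if match else None


def triage(results: dict, owned_cidrs, expected_ports: dict) -> dict:
    """Classify each hit relative to the organization's own inventory.

    owned_cidrs:    iterable of CIDR strings the organization owns.
    expected_ports: {ip_str: set_of_ports} that are allowed to be exposed.
    Returns a report with in_scope, unexpected and out_of_scope hit lists,
    plus a 'truncated' flag when Shodan reports more matches than returned.
    """
    owned = [ipaddress.ip_network(cidr) for cidr in owned_cidrs]
    matches = results.get("matches", [])
    report = {
        "in_scope": [],
        "unexpected": [],
        "out_of_scope": [],
        "truncated": results.get("total", 0) > len(matches),
    }
    for hit in matches:
        ip = ipaddress.ip_address(hit["ip_str"])
        record = {
            "ip": str(ip),
            "port": hit["port"],
            "server": server_header(hit.get("data", "")),
            "hostnames": hit.get("hostnames", []),
        }
        if not any(ip in net for net in owned):
            # Not our asset; keep it for context but do not raise it
            report["out_of_scope"].append(record)
            continue
        report["in_scope"].append(record)
        if hit["port"] not in expected_ports.get(str(ip), set()):
            # Our asset exposing a port that the inventory does not allow
            report["unexpected"].append(record)
    return report


if __name__ == "__main__":
    # Assumed inventory: only 203.0.113.10 is meant to serve 80/443 publicly.
    rep = triage(SAMPLE_RESULTS, ["203.0.113.0/24"], {"203.0.113.10": {80, 443}})
    for entry in rep["unexpected"]:
        print(f"unexpected exposure: {entry['ip']}:{entry['port']} ({entry['server']})")
    if rep["truncated"]:
        print("result set truncated; re-query with narrower filters or paging")
```

The `truncated` flag matters because a search that stops at the top 50 addresses may omit exactly the hosts you care about; narrowing the query with `net:` or `after:` filters, or paging through the API, closes that gap.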
0x04 Shodan Components
1. Exploits: Search for vulnerable systems, servers, platforms and applications whose exploits are in ExploitDB or Metasploit.
2. Maps: A paid feature that shows Shodan's results visually on a map. It provides three views: Satellite, Street View (shallow) and Street View (deep). More than 1000 results can be displayed on screen at once.
3. Scanhub: Shodan Scanhub can be used to create searches over networks that Shodan has not itself indexed. It supports tools such as Nmap and Masscan: run the tool, have it write an XML report, and upload that XML file to a Scanhub library to obtain the results. Unfortunately, this is also a paid feature.
0x05 Some test examples
1. The Netgear device
2. Webcam
3. Bitcoin servers
4. Ruby on Rails vulnerable server (CVE-2013-0156 and CVE-2013-0155)
5. Windfarms:
DNS service:
0x06 Some additional Cheat sheet links
http://www.Shodanhq.com/?q=bitcoin-mining-proxy (Bitcoin mining proxies)
http://www.Shodanhq.com/search?q=port%3A11 (Systat)
http://www.Shodanhq.com/search?q=port%3A8089+splunkd (Splunk servers on tcp/8089)
http://www.Shodanhq.com/search?q=port%3A17 (Quote of the Day)
http://www.Shodanhq.com/search?q=port%3A123 (NTP monlist)
http://www.Shodanhq.com/search?q=port%3A5632 (VNC)
http://www.Shodanhq.com/search?q=port%3A1434 (MS-SQL (1434))
http://www.Shodanhq.com/search?q=OpenSSL%2F1.0.1 (servers running OpenSSL/1.0.1)
http://www.Shodanhq.com/search?q=port%3A79 (Finger protocol)
http://www.Shodanhq.com/search?q=port%3A15 (Netstat)
http://www.Shodanhq.com/?q=telemetry+gateway (Telemetry gateways)
http://www.Shodanhq.com/?q=port:161+country:US+simatic (Simatic automation systems on port 161 in the US)