In case you wonder what shodan is and what subscription offers

Started by Freddy, April 30, 2020, 09:48:10 PM


Freddy

Hi there,

I've read a message asking how to use the non-free services of shodan, and I thought it'd be good if I gave some explanations here. I'll try to explain in very simple terms so that everybody, even with only little computer knowledge, can understand. I will simplify a few things, which means that some pieces of information will be only approximate.

If you find this post useful, don't upvote it or whatever - just answer with the dirtiest joke you know  8)

If you have any questions, please ask, and I'll do my best to answer.

Who is your "lecturer"?
I'm Freddy. I'm a happy researcher in computer science, with a bit less than 400 citations, so not one of the big important guys. A few years ago, I hacked a website and got hold of more than 100k combinations of e-mail/password. I wrote scripts to test them all, and roughly 9k of them worked. And one guy was registered here - I found this address in his mails. Yes, if you're an old member, then this might be you, and no, I won't tell you ;D
Since then, I've been frequently around. I wrote some helpful programs that I made available to some of the main contributors of this forum. And I love the challenge of looking for private things in an efficient way. It's cool. So, that's Freddy.

What is Shodan ?
It's a search engine. Typical search engines, such as Google, Bing, or Lycos, allow you to look for websites. And a bit more, but not that much. Shodan allows you to look for devices connected to the Internet.

For example, on Google you can look for "midget porn" (if that's your kink), while on Shodan you can look for devices of a specific brand connected to the Internet.

What is an IP, a port?
To understand how Shodan works, you need to know a bit about technical stuff. Nothing complicated, don't worry.

When you are at home, you connect your phone or your computer to your router. Your router is connected to the Internet. When you open a web page on your computer, or send an e-mail, the data goes through the router. From the outside of your home, by default, only the router is visible. It is visible at a specific address, called its IP address.

So, this raises the following question : if from outside, only the router is visible, how are devices inside of the home able to receive data? That is a good question, and I will over-simplify the answer. But you will get the main idea.

When you connect to a device on the Internet, you have to give two pieces of information: the IP address and a "port" number. The port number can be seen as a door of your house, and behind every available door there can potentially be a device.

For example, if I am at work and I want to connect to my desktop computer at home, I will have to use the IP address of my router, and port 22. This means that my router has to know that port 22 must correspond to my computer, right? Yes, that's exactly it. In the configuration of my router, I indicated that all connections entering through port number 22 have to be redirected to my computer.

If I had not set this, then I would not be able to connect to my computer. Any port that is not redirected to a specific machine is by default closed (this means that the door is locked).

My phone, for example, has no port forwarding set. This means that if I leave my phone at home, then from work I cannot connect to my phone. However, and I will be extremely brief here because it's unimportant for the topic, when my phone communicates with the outside (so, when it requests a web page for example), the router adds some information to the request that is sent. When the answer comes, then the router knows that it has to be sent to my phone.

Why can I connect to other people's devices then?
I have been wondering this as well. By default, all of your ports are closed, which means that the router is not instructed to redirect them to a device. The door is locked. If some are open, this means that the owner of the devices decided to open the ports.
The only explanation I can have about why so much personal data is available online, is that people want to share it with the world and decided to:
1) open a port to make the storage device accessible
2) not set a password so that everybody can have access to it

And before you ask about my computer... I set it so that you cannot connect to it without using a private encryption key. Even if you have my password, you cannot remotely connect to my computer.

What does Shodan actually do?
Well, Shodan works in a very simple way. It tries to connect to many IP addresses, and many frequently-used ports. That's a bit like walking in a street and trying to knock at all doors. Most of the time, it gets no answer because the port is closed.

However, from time to time, a port is open. Then, Shodan simply tries to communicate a bit and records what happens. And these answers produce the data that you can search for in Shodan.

A small example
Let us try a simple example. Let us ask Shodan for a list of FTP servers. This is a simple query: ftp

https://www.shodan.io/search?query=ftp

You will get a huge amount of results - almost 4 million. Let us have a look at the first result I get. When you read this, it will probably be different, and the page will not look the same, so I attached a screenshot.

The IP address of this result is 108.187.177.39. The ports which are open are 21, 80, and 999. You also have a list of the services that are available. You can see that the first one is the FTP server. It is possible to connect to it at the following address:

ftp://108.187.177.39:21

Notice the ":21" which indicates the port number. As 21 is the default port for FTP, it could be omitted. But any other port, for FTP, has to be specified!

If you try to connect to it, you are asked for a password. Crap! This FTP is not accessible. If you look carefully at the screenshot, you can see

530 User cannot log in.

So you can know that any FTP answering with code 530 is not accessible. I'll help you, the code allowing access is 230. Try this query:

https://www.shodan.io/search?query=ftp+230

and, in theory, all results are accessible FTPs ! Unless:
a) the settings were changed since Shodan checked
b) the router got a new address (they change from time to time), and you're knocking at the old one




So... that's it?
Yes, that's the free version of Shodan. You can make a lot of different requests, you get IP addresses and ports, and you can try to connect to them.



What are the limitations?
When you do not have a paying account, then you have access to only a few of the first results. Also, you cannot use the API. Also, if you have a free, registered account, then you can use filters, for example to get results from a specific country.

Hint to have more results
Well, there is a small solution. You can look for all FTPs that are, for example, in Japan
https://www.shodan.io/search?query=ftp+230+country%3A%22JP%22
and then you have access to some of the first few results.

Then you look for the ones that are somewhere else, for example Russia:
https://www.shodan.io/search?query=ftp+230+country%3A%22RU%22
and you have access to some other results. And so on. You can also filter by city, to get access to even more results.

Then, what's the advantage of paying?
If you learn things with what I write, then paying for a subscription is probably not the best for you yet. A subscription gives you access to more results, to filters, and to the API. Can anyone check if a free account gives access to filters as well?

Filters allow you to refine the queries. For example, imagine you want to visit Berlin, but would like to know more about this city and its inhabitants before going there. Then you can look for FTPs in Berlin:
https://www.shodan.io/search?query=ftp+230+city%3A%22Berlin%22

There are many different filters (city, country, geographical coordinates, port, internet service provider, ...).

The API is a system that allows a programmer to develop software that makes Shodan queries. For example, I have a system that gets thousands of IP and port for a specific kind of media server, and then my program connects to them and looks for kinky content. If you do not know how to program, then the API will be mostly useless for you.

Summary
Shodan does not look for content, but is more like a Jehovah's Witness: it knocks at doors, again and again. You should consider paying for a subscription if you understand what you pay for, and:
- you really want more results
- you're a cracker and want to use the API


Questions from my side
- could somebody with a free account check if filters are available? Thank you Ted
- are some parts of my explanation unclear?
- do you have any question?


Answering to....

can you search by folder / file name or just open ip from country?   thank you
No, I think that you cannot do this. Shodan will only look at what devices answer, it will not go through the data. There is one exception: it shows some video feeds from unprotected webcams of some brands. But that's all.
I always find extremely funny to find a wide-open drive full of books about hacking and computer security.
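
A defender's version of the 230/530 check described in the post above, for auditing FTP banners recorded from your own devices (an added example, not part of the original post; the record layout, addresses and function names are constructed for illustration). It reads reply codes only from the start of final reply lines, so a banner that merely contains the text "230" is not mistaken for an accepted login.

```python
import re

# Constructed sample: banner text as a scanner might record it for hosts you own.
# Addresses come from the documentation range (RFC 5737); nothing here is real.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 21,
     "banner": "220 FTP server ready.\r\n530 User cannot log in.\r\n"},
    {"ip": "192.0.2.11", "port": 2121,
     "banner": "220-Welcome\r\n220 NAS FTP ready\r\n"
               "230-Anonymous access\r\n230 Login successful.\r\n"},
    {"ip": "192.0.2.12", "port": 21,
     "banner": "220 ProFTPD ready\r\n331 Password required\r\n"},
    {"ip": "192.0.2.13", "port": 21,
     "banner": "220 Build 230 of ExampleFTPd\r\n530 Login incorrect.\r\n"},
]

# A final reply line is three digits followed by a space; "NNN-" marks a
# continuation line of a multi-line reply (RFC 959) and is skipped.
FINAL_REPLY = re.compile(r"^(\d{3}) ")

def reply_codes(banner):
    """Return the final reply codes in the order the server sent them."""
    codes = []
    for line in banner.splitlines():
        m = FINAL_REPLY.match(line)
        if m:
            codes.append(int(m.group(1)))
    return codes

def classify(banner):
    """Map a recorded FTP banner to an exposure verdict."""
    codes = reply_codes(banner)
    if 230 in codes:
        return "OPEN"            # the recorded login attempt was accepted
    if 530 in codes:
        return "LOGIN_REQUIRED"  # the server refused the login
    return "UNKNOWN"             # only a greeting or a 331 prompt was recorded

def audit(records):
    """Return (ip, port, verdict) for each record."""
    return [(r["ip"], r["port"], classify(r["banner"])) for r in records]

if __name__ == "__main__":
    for ip, port, verdict in audit(SAMPLE_RECORDS):
        print(f"{ip}:{port} {verdict}")
```

Any host reported as OPEN should have anonymous login disabled or its port forward removed on the router.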

Freddy

I always find extremely funny to find a wide-open drive full of books about hacking and computer security.

tedwillis

you can filter your search results in the free version if you are signed up for it.

McQuest69601

Thank you.

[sorry, removed your joke, quite a rough one ;) sts_pro]

St_Neots1990

can you search by folder / file name or just open ip from country?   thank you

Freddy

Quote from: McQuest69601 on May 01, 2020, 03:04:27 AM
Thank you.

[sorry, removed your joke, quite a rough one ;) sts_pro]

That was a good one, I laughed, thank you  ;D
I always find extremely funny to find a wide-open drive full of books about hacking and computer security.

St_Neots1990

Quote from: St_Neots1990 on May 02, 2020, 08:57:55 PM
can you search by folder / file name or just open ip from country?   thank you

Anyone able to help with this? I've googled it but it's proper techie answers. Just want to know if I can search by file name or folder name - find it gives me much better results

St_Neots1990



tedwillis

You cannot, as it just indexes what types of servers are online, what their login status is, and other outward stuff. It does not go into the servers themselves.

St_Neots1990


That's a poor show from shodan given it's a paid product and free services searchftps for example do :(

thanks for the reply tho.... happy hunting :)

grafoadsl


tedwillis

Looks very similar and the filters are off to the side rather than having to be put in manually

Bulbazour

Quote from: grafoadsl on May 11, 2020, 07:00:20 PM
Do you see https://www.zoomeye.org ? It seems similar to shodan but no idea if same results

Is it just me or is it down already? ^^
