Dark Reading is part of the Informa Tech Division of Informa PLC


IoT
8/29/2018
10:00 AM

7 Steps to Start Searching with Shodan

The right know-how can turn the search engine for Internet-connected devices into a powerful tool for security professionals.
2 of 8

1. Understand Banners
The first step to using Shodan is understanding what the search engine finds. Shodan's crawlers look for (and, therefore, return information from) banners: the block of information a service returns when it is queried. Depending on which service is responding, the banner can contain software name and version, date of installation, and more. The banner can also be spoofed by more sophisticated owners, so be aware that what Shodan sees is what the service returns, not necessarily what is actually running behind it.
It's important to realize that banners come from services, not servers or hosts. That means a single device with a number of services, such as an HTTP service, FTP service, or SNMP service, could return a variety of different banners in response to different queries.
Those different services could also return banners containing vastly different types and amounts of information. This is important when building complex queries because it means the return set will have entries with wide variations in size and contents. Understanding the format of the returned headers means you'll be able to better interpret the data Shodan provides.
(Image: Shodan)
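To make the service-versus-host point concrete, here is an added example (not from the original article) that groups per-service banner records by host and shows how much they differ. The field names (`ip_str`, `port`, `transport`, `data`, `product`, `version`) follow Shodan's banner records; the sample records and the helper names `summarize` and `host_report` are constructed for illustration.

```python
import json

# Constructed sample: three service banners for one host (documentation IP range).
# Field names follow Shodan banner records; the values are made up for illustration.
SAMPLE = json.loads(r'''[
 {"ip_str": "203.0.113.10", "port": 80, "transport": "tcp",
  "product": "nginx", "version": "1.14.0",
  "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\nContent-Type: text/html\r\n\r\n"},
 {"ip_str": "203.0.113.10", "port": 21, "transport": "tcp",
  "data": "220 (vsFTPd 3.0.3)\r\n"},
 {"ip_str": "203.0.113.10", "port": 161, "transport": "udp",
  "data": "Example Router OS 1.0 (constructed sysDescr)"}
]''')


def summarize(banner):
    """Reduce one service banner to the fields worth comparing across services."""
    raw = banner.get("data", "")
    lines = raw.splitlines()
    claimed = " ".join(v for v in (banner.get("product"), banner.get("version")) if v)
    return {
        "service": f'{banner["port"]}/{banner["transport"]}',
        "first_line": lines[0] if lines else "",
        "size": len(raw),
        # Self-reported by the service (banners can be spoofed); None if absent.
        "claimed_software": claimed or None,
    }


def host_report(banners):
    """Group banners by IP: one host maps to many independent service records."""
    report = {}
    for b in banners:
        report.setdefault(b["ip_str"], []).append(summarize(b))
    return report


if __name__ == "__main__":
    for ip, services in host_report(SAMPLE).items():
        print(ip)
        for s in services:
            print(f'  {s["service"]:8} {s["size"]:3}B  '
                  f'claimed={s["claimed_software"]}  {s["first_line"]!r}')
```

Run against records for your own address space, the same grouping shows which services on a device advertise a software name and version and which return only free text.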

Comments
EdwardThirlwall,
User Rank: Moderator
1/3/2019 | 10:13:23 AM
Techniques and filters
The internet, as we know it, is vast. This means that tonnes of info are being added to the world wide web day after day. It is entirely up to us to retrieve the most specific answer to our queries, and the secret is to use filters and search techniques. We can get the internet to work for us when we know these useful methods that work towards our own advantage.
StephenGiderson,
User Rank: Strategist
12/20/2018 | 11:16:25 PM
Better connectivity for everyone!
I don't think I'll ever have to worry about having to use a new interface like Shodan for a while yet. At this moment, my company's network is small enough that I'm pretty sure you can find the devices that you're looking for just by walking around! Haha! But I reckon that for the bigger enterprises this must be really quite handy to help keep the employees at work. No doubt about that!