NTC 1062 - Network Vulnerability
Assessment
Title : Shodanhq
TTO: Ms Hairun Nisa Daud STUDENT ID
GROUP MEMBERS: NWS19010034
NO NAME NWS19010059
NWS19010052
1. Nicholas Yong Zhen Qi NWS18070061
2. Luqman Hakim Bin Mohd Zainudin
3. Muhammad Syahmi Bin Raim
4. Muhammad Daniel Haiqal bin Zin Azran
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Table of Contents
Introduction....................................................................................................................................... 2
Objective............................................................................................................................................ 3
Basic Usage ...................................................................................................................................... 4
Using filters .................................................................................................................................... 6
Search Examples ........................................................................................................................... 7
Use cases ...................................................................................................................................... 7
Combining filters ............................................................................................................................ 8
Advanced Usage............................................................................................................................ 8
Conclusion ........................................................................................................................................ 9
References ...................................................................................................................................... 10
1|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Introduction
Shodan is a search engine for finding specific devices, and device types, that exist online.
The most popular searches are for things like webcam, linksys, cisco, netgear, SCADA,
etc. It works by scanning the entire Internet and parsing the banners that are returned by
various devices. Using that information, Shodan can tell you things like what web server
(and version) is most popular, or how many anonymous FTP servers exist in a particular
location, and what make and model the device may be.
2|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Objective
The objective of this project is to learn more about shodan in a way on how to use it and to further
our understanding about reconnaissance in chapter 2 that previously we have learnt.
3|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Basic Usage
You start by navigating to the main page, and then entering into the search field, like you
would any other search engine.
For this search, I looked for “VNC”.
4|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
From there you can pivot to a few key areas in the results. Starting on the left sidebar,
we see a good amount of summary data:
Results map
Top services (Ports)
Top organizations (ISPs)
Top operating systems
Top products (Software name)
Then in the main section we get the full results list, including:
IP address
Hostname
ISP
When the entry was added to the database
The country it’s located in
The banner itself
5|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Then, for even more information you can click details, which takes you into that host itself:
Here you see the data about the host on the left, the list of ports that were found at the top
right, and then the individual port details and banners from each port as you go down the
page. It’s a clean layout.
Using filters
As with any search engine, Shodan works well with basic, single-term searches, but the
real power comes with customized queries.
Here are the basic search filters you can use:
city: find devices in a particular city
country: find devices in a particular country
geo: you can pass it coordinates
hostname: find values that match the hostname
net: search based on an IP or /x CIDR
os: search based on operating system
port: find particular ports that are open
before/after: find results within a timeframe
6|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Search Examples
You can drop the quotes sometimes, on some queries, but you often need them. I
recommend you just use them all the time, because that always works.
Find Apache servers in San Francisco = apache city: “San Francisco”
Find Nginx servers in Germany = nginx country:“DE”
Find GWS (Google Web Server) servers = “Server: gws” hostname:“google”
Find Cisco devices on a particular subnet = cisco net:“216.219.143.0/24”
So you basically have some sort of base search term you’re looking for (shown in orange)
and then you narrow down your search using the filters like we see above.
Use cases
You can use the “Explore” button on the main Shodan site to look at common searches
and results, which are illuminating. You’ll find things like:
1. Webcams
2. SCADA
3. Traffic lights
4. Routers
5. Default passwords
6. Etc.
7|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Combining filters
To combine filters, simply keep adding them on. You can also do this by clicking filters in
the left sidebar for a given result set. So if you want to search for Nginx servers in San
Francisco, that are running on port 8080, that are also running Tomcat, you could do the
following:
Apache city:“San Francisco” port:“8080” product: “Apache Tomcat/Coyote JSP engine”
Advanced Usage
Here are a few other cool things you can do with the service.
1. Data Export: You can export your results in various formats using the top menu after
you’ve performed a search.
2. Browser Search: You can configure your browser to search Shodan when you search
from the URL bar.
3. Shodan Free Account: You should create and log in to your free account when you
search, as the interface is pretty nerfed if you don’t, e.g. not being able to see host
information, etc.
4. Premium Accounts: A premium account is a one-time payment of $45 and it gives you
increased access to the API. Full details and docs are available
at https://developer.shodan.io.
8|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
Conclusion
When used properly and ethically, Shodan can be an invaluable tool to improve
vulnerability assessment and penetration testing as the IoT (Internet of Things)
continues to expand and security should no longer be considered an afterthought in
today’s connected society.
9|Page
NTC 1062 – Network Vulnerability Assessment
E LE CTRICAL E NGINE E RING D E P ARTME NT
References
1. Daniel Miessler. (July 10, 2020). A Shodan Tutorial and Primer.
https://danielmiessler.com/study/shodan/
10 | P a g
e