A Brief Analysis of Shodan

Shodan (http://shodan.surtri.com) is an engine that searches a database of banners and headers recovered from scans conducted over port 21/TCP, 22/TCP, 23/TCP, and 80/TCP. In many ways utilizing the Shodan engine is much like a more reconnaissance specific Google Hacking engine. On the one hand the Shodan engine does not produce sensitive data that a search engine such as Google might produce (password files, spreadsheets, etc.). On the other hand, conducting reconnaissance activities on Shodan can be far more efficient than similar attempts utilizing other search engines to try to find system information.

The reason for this primarily pertains to the fact that Shodan specifically produces IP addresses/hostnames, header information, and banner grabs. Thus, Shodan is a highly functional tool for finding victims for targeted attacks with less false-positives. Furthermore, Shodan produces information that typically is not published on a site that would be indexed within a search engine like Google.

What Does This Mean?

These capabilities have several significant implications. Most notably this shifts a great deal of system-level reconnaissance to be more passive in nature. In other words, attackers can view the results of reconnaissance such as a banner grab, without actually touching a system to get that information (Shodan already hit the system). This allows attackers to passively:

1. Conduct vulnerability assessments without alerting a potential target in anyway.

2. Determine victims for a specific exploit.

What Is The Impact On Defense?

For security monitoring teams, Shodan may present some serious challenges. It is highly unlikely that security monitoring teams will ever be alerted to an attack that is using Shodan. This is again due to the fact that it will not touch their systems. Instead security monitors can expect to see attacks utilizing Shodan for reconnaissance to trigger less alarms. This means that there may be no alerts before an attempted exploit against a vulnerable system. Common alerts may have previously included network or vulnerability scans or banner grabbing attempts.

In addition, hack attempts that attempt to find vulnerable systems by trying to exploit a multitude of non-vulnerable targets will also be less prevalent in an attack utilizing Shodan for reconnaissance. To clarify these attacks can be viewed much like an person who has found a key to an apartment. This person may try every single apartment within the complex in order to find the doors where the key works. The result in this type of attack is typically a large number of alerts in an IPS. However, if Shodan is utilized for reconnaissance, the attacks will become more targeted and therefore will trigger less alerts.

Potential Prevention Techniques

Unfortunately, there is not a simple way to prevent an organization from showing up in the Shodan database. Although the Shodan scan engine is likely custom written (based on the developers biographic information), the scans will likely trigger similar events to any other reconnaissance scan. It may be possible to isolate future Shodan scans as they are likely to come out of the San Diego area, possibly from an ISP such as Cox Communications (again based on the developers biographic information). Unfortunately, this would likely require trending and analysis beyond what I currently have access to.

Shodan Usage

Shodan works much like any other search engine, however one can specifically target systems via a number of methods. This syntax even includes a switch that allows a user to specify geographic location by country. (May be good for future Cyberwar)

Syntax Options:

  1. + (equivalent to an AND operation)
  2. - (equivalent to a NOT operation)
  3. * (wildcard)
  4. country:
  5. hostname:
  6. ports: (limited to 21/TCP,22/TCP,23/TCP, and 80/TCP)
  7. net: (in CIDR notation)
  8. *Note Shodan only produces 100 results for free
    1. Comments are closed.