Shodan Revealed: How to Discover Vulnerabilities Across the Web

Reju Kole
Sep 27, 2024


Hey, I’m Reju Kole, a dedicated cybersecurity engineer and researcher with over six years of experience in the field. My passion lies in uncovering vulnerabilities and enhancing security measures across various platforms. As an avid bug hunter, I enjoy tackling challenges on platforms like Hack The Box and TryHackMe, where I also share walkthroughs to help others in their learning journey. Currently, I’m focused on creating resources and guides to educate others about web vulnerabilities, particularly Cross-Site Scripting (XSS). Outside of my professional pursuits, I value spending quality time with family and maintaining a disciplined work ethic.

What is Shodan?

Shodan is a search engine that specializes in discovering and indexing devices connected to the internet. Unlike traditional search engines like Google, which index web pages, Shodan focuses on the underlying hardware and services exposed on the internet. Here are some key points about Shodan:

1. What Shodan Indexes

  • IoT Devices: Shodan can find Internet of Things (IoT) devices such as cameras, smart thermostats, and other connected gadgets.
  • Servers and Services: It identifies servers running specific applications, databases, and services like web servers, FTP servers, and more.
  • Industrial Control Systems: Shodan can detect devices used in critical infrastructure, including SCADA systems, which control industrial processes.

2. How Shodan Works

  • Scanning the Internet: Shodan uses its own web crawlers to scan the internet for devices. It collects data on open ports, service banners (information about software running on devices), and associated metadata.
  • Data Collection: The information collected includes IP addresses, geographic location, device type, operating system, and any services running on the device.

3. Search Queries

  • Shodan allows users to perform specific searches using filters. Users can search by parameters like IP address, hostname, operating system, geographic location, and more. This helps in identifying specific vulnerabilities or assets.

4. Applications of Shodan

  • Security Research: Security professionals use Shodan to identify exposed devices and potential vulnerabilities in their networks.
  • Vulnerability Assessments: Organizations can conduct assessments to find insecure devices or services that should not be publicly accessible.
  • Research and Education: Shodan is a valuable tool for cybersecurity education, helping learners understand real-world implications of insecure devices and configurations.

5. Accessing Shodan

  • Shodan offers both a free and paid subscription model. The free version provides limited access, while the paid version offers more advanced search capabilities and additional features like alerts and monitoring.

6. Ethical Considerations

  • While Shodan is a powerful tool for security research, it’s essential to use it ethically and responsibly. Unauthorized access or probing of devices without permission can lead to legal issues.

Basic Keywords for Shodan Searches

When diving into Shodan, these basic keywords and filters can significantly enhance your searches and help you find what you need more efficiently:

Basic Keywords

  1. port: - Use this to search for devices with specific open ports. For example, port:80 will show you devices running HTTP.
  2. country: - This lets you filter results by country. If you want to focus on devices in the US, you’d type country:US.
  3. city: - If you're interested in a specific city, use this filter, like city:"New York".
  4. org: - This is great for narrowing down devices by organization. For instance, org:"Cisco" will bring up devices associated with Cisco.
  5. os: - Filter results by operating system, like os:"Linux" to find Linux-based devices.
  6. product: - Search for specific products or software with this filter, such as product:"Apache".
  7. hostname: - Use this to search for specific hostnames or domains, like hostname:"example.com".
  8. before: and after: - These filters allow you to search within specific date ranges, like before:2023-01-01.

Common Search Filters

  1. http.title: - Want to find specific titles in HTTP responses? Use this filter, like http.title:"Welcome to nginx".
  2. has_ssl: - To filter for devices with SSL enabled, simply use has_ssl:true.
  3. vuln: - This lets you search for devices with known vulnerabilities. The filter takes a CVE identifier, for example vuln:<CVE-ID>.
  4. tag: - If you’re looking for devices categorized under specific tags, try tag:"webcam".

Example Queries

To find all devices running an HTTP server in the US:

country:US port:80

To search for devices using a specific version of Apache:

product:"Apache" version:2.4

To locate open FTP servers worldwide:

port:21

To identify devices with a specific operating system:

os:"Windows 10"

By using these keywords and filters effectively, you can navigate Shodan like a pro, uncovering devices and vulnerabilities that matter to your research.

Filtering Results in Shodan

When using Shodan, filtering your results is crucial to finding exactly what you’re looking for. Here are some effective methods to help you refine your searches and get the most relevant data:

1. Utilize Specific Filters

Shodan offers a variety of filters that can significantly narrow down your results:

  • port: This filter lets you focus on devices that are running on specific ports. For instance, using port:22 will help you find devices with SSH services running.
  • country: Want to see what’s available in a particular country? Use this filter like country:FR to target devices in France.
  • city: If you're interested in a specific city, you can filter results with city:"San Francisco".
  • os: This helps you search for devices based on their operating system. For example, os:"Windows" can help you locate Windows-based systems.

2. Combine Filters for Precision

Combining multiple filters can lead to highly specific results. For example, if you want to find open FTP servers in Germany, you could use:

country:DE port:21

This combination narrows your search effectively, allowing you to focus on the devices that matter.

3. Keyword Searches

Beyond filters, using keywords in your searches can help refine your results even more. For example:

product:"MongoDB" port:27017

This query will show you MongoDB instances running on the default port.

4. Explore Tags and Metadata

Shodan also categorizes devices using tags and metadata, which can be incredibly useful. You can search for specific tags like:

tag:"webcam"

This will help you find devices tagged as webcams, filtering out irrelevant results.

5. Date Filters

If you want to see when certain devices were indexed or how long they’ve been exposed, use date filters:

after:2023-01-01

This can help you track newly exposed devices or vulnerabilities.

Favicon Dorks

1. Search for All Devices with a Specific Favicon Hash:

http.favicon.hash:<hash_value>

2. Find Websites Using the Standard Favicon File:

"favicon.ico"

3. Identify Websites Running a Specific CMS with a Known Favicon:

http.favicon.hash:<hash_value> product:"WordPress"

4. Locate Devices by Organization Using Favicons:

org:"<organization_name>" http.favicon.hash:<hash_value>

5. Discover Common Ports with Favicon Information:

port:<port_number> http.favicon.hash:<hash_value>

6. Search for Devices with Specific Protocols and Favicons:

http.favicon.hash:<hash_value> protocol:"http"

7. Find Popular CMS Sites by Favicon:

http.favicon.hash:<hash_value> product:"Joomla"

8. Identify Devices Exposing Favicons in a Specific Country:

country:<country_code> http.favicon.hash:<hash_value>

9. Look for Devices with Unsecured Favicons on HTTP:

http.favicon.hash:<hash_value> port:80

10. Search for Specific IP Cameras by Their Favicons:

http.favicon.hash:<hash_value> product:"IP Camera"

11. Find Sites Using Custom Favicons:

http.favicon.hash:<hash_value> title:"<custom_title>"

12. Search for IoT Devices with Known Favicons:

http.favicon.hash:<hash_value> product:"IoT"

13. Explore Devices with Specific Favicon Patterns:

http.favicon.hash:<hash_value> http.title:"<specific_title>"

14. Identify SSL Enabled Sites with Specific Favicons:

http.favicon.hash:<hash_value> has_ssl:true

15. Search for Specific Web Servers Using Favicons:

http.favicon.hash:<hash_value> server:"nginx"

Replace <hash_value>, <organization_name>, <port_number>, <country_code>, <custom_title>, and <specific_title> with the appropriate values for your searches.
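The favicon dorks above all need a concrete <hash_value>. As an added example (not code from the original article), the sketch below derives it the way Shodan's http.favicon.hash value is computed, a signed 32-bit MurmurHash3 over the newline-wrapped base64 of the icon bytes, and then lists hosts that serve your own organisation's favicon but are missing from your asset inventory. The icon bytes, the result records (flattened here to `ip` and `favicon_hash`) and the inventory are constructed sample data.

```python
import base64

def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF

def _mix_k(k):
    k = (k * 0xCC9E2D51) & 0xFFFFFFFF
    return (_rotl32(k, 15) * 0x1B873593) & 0xFFFFFFFF

def murmur3_32(data, seed=0):
    """MurmurHash3 x86 32-bit, returned as an unsigned integer."""
    h = seed & 0xFFFFFFFF
    body = len(data) & ~3                      # length rounded down to 4-byte blocks
    for i in range(0, body, 4):
        h ^= _mix_k(int.from_bytes(data[i:i + 4], "little"))
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & 0xFFFFFFFF
    if len(data) & 3:                          # 1-3 trailing bytes
        h ^= _mix_k(int.from_bytes(data[body:], "little"))
    h ^= len(data) & 0xFFFFFFFF
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & 0xFFFFFFFF
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & 0xFFFFFFFF
    return h ^ (h >> 16)

def favicon_hash(icon):
    """Signed 32-bit hash of the base64 text (76-char lines, trailing newline)."""
    h = murmur3_32(base64.encodebytes(icon))
    return h - 0x100000000 if h & 0x80000000 else h

def untracked_hosts(records, icon_hash, inventory):
    """IPs that serve our favicon but are absent from the asset inventory."""
    return sorted({r["ip"] for r in records
                   if r["favicon_hash"] == icon_hash and r["ip"] not in inventory})

# Constructed sample data: stand-in icon bytes and documentation-range IPs.
ICON = b"\x00\x00\x01\x00" + b"constructed-favicon-bytes" * 8
H = favicon_hash(ICON)
RECORDS = [
    {"ip": "192.0.2.10", "favicon_hash": H},       # known asset
    {"ip": "198.51.100.7", "favicon_hash": H},     # same icon, not in inventory
    {"ip": "203.0.113.5", "favicon_hash": H ^ 1},  # different icon
]
INVENTORY = {"192.0.2.10"}

if __name__ == "__main__":
    print(f"http.favicon.hash:{H}")
    print("untracked hosts:", untracked_hosts(RECORDS, H, INVENTORY))
```

The base64 step must keep the line breaks that `base64.encodebytes` inserts; hashing the raw icon bytes or unwrapped base64 gives a value that will not match indexed results.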

Essential Shodan Dorks for Effective Web Reconnaissance

For more resources on Shodan Dorking, visit my GitHub repository.

GitHub Repository — Advanced Shodan Dorks for Deep Reconnaissance

I hope you enjoyed this writeup! Happy Hacking :)

Subscribe to me on Medium and be sure to turn on email notifications so you never miss out on my latest walkthroughs, write-ups, and other informative posts.

Follow me on social media:

1. LinkedIn: Reju Kole

2. Instagram: reju.kole.9

3. Respect me On HackTheBox! : Hack The Box :: User Profile

4. Check My TryHackMe Profile : TryHackMe | W40X

5. Twitter | X : @Mr_W40X

6. GitHub : W40X | Reju Kole | Security Researcher

In case you need any help, feel free to message me on my social media handles.


Reju Kole

Top 1% at TryHackMe Global / CompTIA PenTest+ / HTB | GURU / CVE-2022-33891 / eJPTv2 / ICCA / CompTIA Security+ (SYO-601) / CompTIA CASP+ (CAS-004)