Shodan, for the uninitiated, is a search tool for finding devices connected to the IoT (or Internet of Things), as well as routers, computers, and servers on the Internet.
The mapping-enabled search engine works by collecting the metadata or service banners that a connected device returns. A service banner is the welcome text a service sends when a client connects, and it often includes system information such as the software name and version.
Pretty much anything exposing a service on an Internet-facing port can be uncovered with Shodan, including industrial control systems, IoT devices, and red light cameras.
Shodan was crawling 86 different ports as of August 2014.
Creator John Matherly recently announced in his blog that he’s added a report generator. The reports let you share search results, track results over time, and add a search-specific bookmark. An example would be a search for web cams or industrial control systems.
What’s it for?
Well, for one thing, Matherly suggests using Shodan to explore the IoT.
If you’re a device maker, he suggests you specifically try to discover which of your devices are hooked up to the Internet, where they are, and who is using them.
A secondary purpose for Shodan is to monitor network security. You can see your digital footprint by tracking the computers on your network that are visible externally.
But, for the inquisitive among us, you can also use it to simply explore the Internet when you’ve got nothing else to do. A browse through Matherly’s blog will turn up some of the fascinating visualization work that he’s been doing.
Maps that he’s made include some intriguing stuff, like a visual representation of globally exposed routers that contain a backdoor (see above), and a visually rich world map showing pings to every public IPv4 address—which provides a good idea of where Internet use is highest. (Hint: it isn’t Africa or the Poles).
Matherly explained his process recently to Pamela Engel of Business Insider:
After pinging with stateless scanning, he then uses a GeoIP library to draw the map. GeoIP libraries translate IP addresses to latitude and longitude.
And in fact, it’s this stateless scanning that allows fast, deep interrogation of devices.
A stateless scanner sends its probes without keeping per-connection state and simply matches whatever replies come back, rather than holding a connection open for each target as other forms of scanning do. Nmap, another network scanning tool, is a stateful scanner, for example.
One disadvantage of stateless scanning is that it is bandwidth-intensive. That brings me to the Shodan costs:
Shodan is free to try and use, but incorporates a system of credits. For example, performing extended searches, where you can view up to 10,000 search results instead of the usual 50, costs a one-time, two-credit fee of $10. Various other unlocks are available too.
How to search
Searches can be filtered by location (city, country, latitude and longitude), as well as by hostname, operating system, IP address and free text.
Text searching can include anything that might show up in the banner, including manufacturer names or even manufacturer-originating default passwords, like “1234.”
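To make the search filters and the footprint-monitoring use case above concrete, here is an added Python example (not Shodan's own code). The filter names are real Shodan search filters; the query builder, the banner records and the IP ranges are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Real Shodan filter names; combined with free text as "filter:value" terms.
FILTERS = ("city", "country", "geo", "hostname", "os", "net", "port")


def build_query(text="", **filters):
    """Build a Shodan query string from free banner text plus filter:value pairs."""
    terms = [text] if text else []
    for name, value in filters.items():
        if name not in FILTERS:
            raise ValueError(f"unknown Shodan filter: {name}")
        value = str(value)
        # Values containing spaces must be quoted, e.g. city:"San Diego".
        if " " in value:
            value = f'"{value}"'
        terms.append(f"{name}:{value}")
    return " ".join(terms)


# Constructed sample results in the shape of Shodan banner records
# (ip_str, port, data). Addresses are documentation ranges, not real hosts.
SAMPLE_RESULTS = [
    {"ip_str": "203.0.113.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: HP-ChaiSSL/1.0\r\nStatus: Toner Low"},
    {"ip_str": "203.0.113.22", "port": 23,
     "data": "Welcome to router\r\nDefault password: 1234"},
    {"ip_str": "198.51.100.5", "port": 22,
     "data": "SSH-2.0-OpenSSH_6.6"},
]

# Banner substrings worth a second look when reviewing your own footprint:
# default-credential hints and printer status lines, as the article describes.
RISK_MARKERS = ("password", "toner")


def footprint(results, own_net):
    """Count externally visible services inside own_net by port and list the
    addresses whose banner contains one of RISK_MARKERS."""
    net = ipaddress.ip_network(own_net)
    by_port = Counter()
    flagged = []
    for record in results:
        if ipaddress.ip_address(record["ip_str"]) not in net:
            continue  # not our address space; ignore
        by_port[record["port"]] += 1
        banner = record["data"].lower()
        if any(marker in banner for marker in RISK_MARKERS):
            flagged.append(record["ip_str"])
    return dict(by_port), flagged
```

Running footprint() over real results for your own netblock gives the per-port exposure summary plus the hosts whose banners deserve attention first.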
CNN Money wrote about the security implications of this kind of search last year. It quoted a penetration tester, Dan Tentler, who had used Shodan to uncover a car wash that could be turned on and off, and exposed a hockey rink that was wide open to getting itself melted—its defrost control was accessible through an interface.
And that kind of security flaw discovery is, in fact, what Shodan is good for; criminals are more likely drawn to cheaper botnet methods to perform their dastardly deeds.
In the case of public printers, say, Matherly doesn’t just provide a map of the printers, but also tells you where they are publicly exposed.
If you’re interested in knowing what sector is the worst offender, by the way, it’s universities.
Amusingly, Matherly can not only advise which printers are open, but he can also tell you which ones need toner. Many printers indicate that in their service banner.