Shodan calls itself "the search engine for internet-connected devices." With so many devices connected to the internet at varying levels of security, the special capabilities of this search engine mean it can provide a list of devices to test and attack. In this tutorial, we'll use Python to target specific software vulnerabilities and extract vulnerable target IP addresses from Shodan.
Any device connected to the internet must reveal some information about itself. This can be relatively limited, as a careful system configuration can block most unwanted requests. On some devices, one might be able to scan ports to reveal things such as the services running on a web server or the name of a webcam connected to a wireless network.
In "eps3.0_power-saver-mode.h," the first episode of the third season of the Mr. Robot series, the titular character, played by Christian Slater, uses the Shodan search engine to gather information about his corporate adversary, Evil Corp. Tyrell (Martin Wallström) and Angela (Portia Doubleday) are at his side, watching in disbelief, as Mr. Robot, the shadow personality of Elliot (Rami Malek), runs an "Apache Tomcat" search.
A search like the one used in the show can reveal essential information about a potential target. Using this same technique, we'll look at exactly what can be found with Shodan's search function and how it can be used to execute a hack.
Step 1: Using Shodan
Shodan can be accessed like most other search engines, by navigating to shodan.io in a web browser.
Rather than using traditional search terms to search the content of a publicly indexed website, when searching Shodan we generally look for the information found in device headers, or other information besides the device's HTTP web content, which is what traditional search engines index.
In Mr. Robot, the titular character searches for the string below.
org:"Evil Corp" product:"Apache Tomcat"
While we could search for this same string, the fictional company Evil Corp. most likely will not return any results (or will it?!). The second component of the string, the "product" filter, is still a functional and useful search. This search string does require the use of filters, an option only available to registered users. A Shodan account can be registered by clicking the "Login/Register" button at the top right of the homepage or by visiting account.shodan.io/register directly.
After a Shodan account is registered, many additional search capabilities become available in the form of filters. Some of these filters are shown in the list below.
- country: filter to a specific country
- city: filter to a specific city
- geo: filter by coordinates
- hostname: look for a matching hostname
- net: limit to an IP/prefix
- os: filter based on operating system
- port: filter based on open ports
These filters are applied using the same format as in the example from Mr. Robot: the filter name, followed by a colon and the search term, i.e. filter:keyword. This format can be used with any of the filters available within Shodan.
In this format, "filter" is the name of the filter used, and "keyword" is the search term sought within that filter's category. Multiple filters can be applied, so long as they are separated by spaces.
The "Apache Tomcat" search, as shown in the show, will indeed return legitimate results when used on Shodan. We can test this by searching for product:"Apache Tomcat" on its own.
After searching, we can see that over 1.4 million results are returned. This search provides some interesting data about the locations and organizations using Apache Tomcat, but to a hacker, these results have a different sort of utility.
An attacker might specifically search for servers or web-connected devices running out-of-date software with known vulnerabilities in order to find devices to exploit. This process could be completed manually, by copying results from a Shodan search in a web browser and choosing addresses to attack by hand. However, the process can also be automated using scripting languages and Shodan's API, which is something Mr. Robot did not show.
Step 2: Retrieving a Shodan API Key
In order to use Shodan's API to directly request and receive data while bypassing the web interface, we'll need our API key. This key can be retrieved by navigating to the "My Account" section of the Shodan website, linked at the upper right of the homepage, or simply by opening account.shodan.io.
This key will be inserted into the Python code used to make API calls, so it may be useful to copy it to your clipboard or save it to a file. Keep it private: anyone who has the key can make queries against your account's credits.
Step 3: Calling the Shodan API with Python
In order to use Python to make requests with the Shodan API, we'll need a functional Python environment with the Shodan Python module installed. In the examples used in this tutorial, Python 2.7 is used. Python 3 also works with the module but may require some syntax modifications to be compatible with the scripts shown in this tutorial. On Debian-based Linux operating systems, Python 2.7 can be installed by opening a terminal emulator and running the command below.
sudo apt-get update && sudo apt-get install python2.7
With Python installed, we can also install the Shodan Python module. This can be done using pip or Easy Install. Pip can be installed using apt-get with the command below.
sudo apt-get install python-pip
After pip is installed, we can use it to install the Shodan Python module.
sudo pip install shodan
If you have multiple versions of Python on your device, and potentially multiple versions of pip, you may need to specify that you wish to install the module for Python 2.7 by using the command below instead, with pip2.7 specified.
sudo pip2.7 install shodan
If neither of these techniques succeeds, the library can also be installed with Easy Install by running the command below.
sudo easy_install shodan
Once Python and the Shodan library are installed, we can begin writing a new Python script. On the Linux command line, we can create a new file and begin editing it using nano. Be sure to choose a filename other than "shodan" to ensure there are no conflicts between referencing the library and the script itself. Below, we'll create a file called "search.py."
nano search.py
The first thing we'll want to add to this file is a line that loads the Shodan library. We can use Python's import statement to do this, as seen below.
import shodan
Next, we can define our Shodan API key so that the script can use it to make API queries. Add the following lines to do so.
SHODAN_API_KEY = "insert your API key here"
api = shodan.Shodan(SHODAN_API_KEY)
Replace "insert your API key here" with the API key retrieved from Shodan's website, leaving the quotation marks around the field.
Next, we can use a try statement to define what the script should attempt. Inside it, we add a line that uses the api.search method of the Shodan API to request a search's results.
try:
    results = api.search('apache')
In this example, the search string is simply apache, but it can be replaced with any search desired, including searches with filters such as those shown earlier in the tutorial. We can print the results of this search using the set of print statements shown near the end of the code below.
    # Show the results: 'total' is the overall match count, 'matches' the
    # returned banners, each carrying the host's IP in 'ip_str'
    print('Results found: %s' % results['total'])
    for result in results['matches']:
        print('IP: %s' % result['ip_str'])
except shodan.APIError as e:
    print('Error: %s' % e)
The script should now consist of the lines assembled above: the import, the API key lines, the try block with the search and print statements, and the except block. More information on the Shodan API and this code can be found on its documentation page.
The script can now be saved and tested. Within nano, we can save the script with Ctrl+O and exit nano with Ctrl+X. From within the same directory, we can run the script using the command below.
python2 search.py
Running the script should return some IP addresses and some information associated with them, including HTTP status, location, and other device information indexed by Shodan. This information is formatted very similarly to the data shown when searching within the web interface.
While this additional information may allow further criteria to be processed by other scripts and tools, if one wished to automate the process of gathering and testing attacks against IP addresses, this format is largely unnecessary.
To return only IP addresses, we can change the formatting of our Python script. First, we can remove the IP: prefix from the line shown below.
    print('IP: %s' % result['ip_str'])
so that it looks like this line instead:
    print('%s' % result['ip_str'])
We can also delete the line that precedes it, shown below, along with the two lines of the except block that follow the loop. Note that Python will not accept a try without an except, so if the except block goes, the try: line goes too and the lines inside it are un-indented.
    print('Results found: %s' % results['total'])
After these edits, the script consists of the import, the two API key lines, the search call, and the loop that prints each result's ip_str.
When we run this script, it will instead return a list of IP addresses without any other unnecessary content.
This list is much more useful for automating attacks, but we need an effective way to save it. We can use shell redirection to send the output directly to a log file. When running the script, include the >> operator followed by the name of the file you wish to send the output to (>> appends to an existing file; a single > would overwrite it).
python2 search.py >> log.txt
Now we have a text file containing a list of IPs that we can use to test various attacks, depending on the search terms we used to identify particular kinds of vulnerable systems.
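The filter:keyword format and the IP-extraction step of search.py, refactored into functions that can be checked offline. This is an added example, not code from the original tutorial; SAMPLE_RESULTS is a constructed dict shaped like an api.search() response, and the shodan import is kept inside main() so the helpers run without the module installed.

```python
def build_query(keyword="", **filters):
    """Build a Shodan query: free text plus filter:value pairs, quoting spaces."""
    parts = [keyword] if keyword else []
    for name, value in filters.items():
        value = str(value)
        if " " in value:  # e.g. org:"Evil Corp" product:"Apache Tomcat"
            value = '"%s"' % value
        parts.append("%s:%s" % (name, value))
    return " ".join(parts)


def extract_ips(results):
    """Unique IPs from a search response, in first-seen order.
    Shodan returns one match per banner (ip + port), so one host can appear
    several times; de-duplicating keeps the IP list file clean."""
    seen = []
    for match in results.get("matches", []):
        ip = match.get("ip_str")
        if ip and ip not in seen:
            seen.append(ip)
    return seen


# Constructed sample shaped like api.search() output: 'total' counts every
# matching banner, 'matches' holds the returned page of them.
SAMPLE_RESULTS = {
    "total": 3,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 8080, "product": "Apache Tomcat"},
        {"ip_str": "203.0.113.10", "port": 8443, "product": "Apache Tomcat"},
        {"ip_str": "198.51.100.7", "port": 80, "product": "Apache Tomcat"},
    ],
}


def main():
    import shodan  # imported here so the helpers above run without the module
    api = shodan.Shodan("insert your API key here")
    try:
        results = api.search(build_query(product="Apache Tomcat"))
    except shodan.APIError as e:
        print("Error: %s" % e)
        return
    print("Results found: %s" % results["total"])
    for ip in extract_ips(results):  # one IP per line, ready for >> log.txt
        print(ip)


if __name__ == "__main__":
    main()
```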
Step 4: Automating Tasks with Shodan Results
For an example of a command-line utility that can take an IP address as an argument, we'll use ping. Using something that actively attempts to attack or exploit the devices found by Shodan could be illegal and irresponsible, so make sure to only run tools you have permission to use on a target if you're actually exploiting anything. First, we'll create a new shell script using nano, the same way we did earlier.
nano ping.sh
We can begin the script with the "crunchbang" (the #! symbols, also known as a shebang) and shell declaration. This states that it is a shell script, to be run by the bash shell.
#!/bin/bash
Next, we can add a loop that lets us do something with each line of our IP list file individually; the body sends one ping to the address held in $line.
while read -r line; do
    ping -c 1 "$line"
done < log.txt
With those lines in place, the script is complete.
We can now save this script with Ctrl+O and exit nano as before with Ctrl+X. To be able to run the script, we'll need to mark it as executable by granting it that permission using chmod.
chmod +x ping.sh
Now, we can run the script from the command line.
./ping.sh
The script should iterate through each IP in the list and send a ping to it.
If this works, you've now successfully retrieved Shodan results and individually processed them! Ping is hardly an attack vector, but with a few minor modifications, a similar script could be used by an attacker for malicious purposes.
Step 5: Weaponizing the Attack
The line that runs "ping" within the shell script is one easy place to change what is done with the IPs retrieved from Shodan. The original Python script could also be updated for more complicated exploits or tests. The basic ping command inside the "while" loop of the shell script is shown below.
ping -c 1 "$line"
The $line variable in this command holds each line of the IP list file, log.txt, in turn. We can replace this ping command with any other command that takes an IP address as an argument. We could use nmap to port-scan the target IPs with the command below, where the -sS argument performs a TCP SYN scan.
nmap -sS $line
While each internet-connected device has a variety of ways in which it can be indexed by scanning services such as Shodan, one can check the security of their own local network and router by looking up their external IP at a website like whatsmyip.org and then searching for that IP on Shodan to see what information is available about it.
This format could be expanded to practically any other attack that can be launched from a command line and takes an IP address. This sort of scanning and attacking of multiple targets is an extremely effective method of discovering vulnerable systems without having to take the time to find and attack them individually.
This methodology can be applied to all sorts of attacks, using Shodan, Python, shell scripting, or other tools, so long as they provide the capability of finding devices and attacking them without user input.
I hope you enjoyed this tutorial on Shodan! If you have any questions about this tutorial or Shodan usage in general, feel free to leave a comment below or reach me on Twitter @tahkion.
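The self-check described above, done through the API rather than the web interface: look up one host record and flag any exposed service the owner did not expect. This is an added example, not code from the original tutorial; SAMPLE_HOST is a constructed record following the shape of the library's api.host() response (real records list CVE ids under 'vulns'), the expected-port set is an assumption you adjust to your own network, and the network calls stay inside main() so the helpers run offline.

```python
def exposed_services(host):
    """Map each indexed port to a 'product version' label from its banner."""
    services = {}
    for banner in host.get("data", []):
        bits = [banner.get("product"), banner.get("version")]
        services[banner["port"]] = " ".join(b for b in bits if b) or "unknown"
    return services


def unexpected_ports(host, expected):
    """Ports Shodan saw open that are not in the owner's expected set."""
    return sorted(set(host.get("ports", [])) - set(expected))


def report(host, expected):
    """Human-readable exposure summary for one host record."""
    lines = ["Exposure for %s" % host["ip_str"]]
    for port, label in sorted(exposed_services(host).items()):
        lines.append("  port %d: %s" % (port, label))
    extra = unexpected_ports(host, expected)
    if extra:
        lines.append("  unexpected ports: %s" % ", ".join(str(p) for p in extra))
    if host.get("vulns"):
        lines.append("  vulns listed by Shodan: %d" % len(host["vulns"]))
    return "\n".join(lines)


# Constructed sample; the fields follow the shape of api.host() output.
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "ports": [22, 443, 8080],
    "vulns": ["CVE-PLACEHOLDER"],  # placeholder, not a real identifier
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "7.4"},
        {"port": 443, "transport": "tcp", "product": "nginx"},
        {"port": 8080, "transport": "tcp", "product": "Apache Tomcat", "version": "8.5"},
    ],
}


def main():
    import shodan  # imported here so the helpers above run without the module
    api = shodan.Shodan("insert your API key here")
    try:
        ip = api.tools.myip()  # the library's helper for your own external IP
        print(report(api.host(ip), expected={443}))  # assumed: only HTTPS is meant to be open
    except shodan.APIError as e:
        print("Error: %s" % e)


if __name__ == "__main__":
    main()
```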