SHODAN - Hacker's Search Engine
Sometimes, we don't have a specific target in mind, but rather we are simply looking for vulnerable and easy-to-hack targets anywhere on the planet. Wouldn't it be great if we had a search engine like Google that could help us find these targets? Well, we do, and it's called Shodan!
Shodan, which stands for Sentient Hyper-Optimized Data Access Network, is the "Google for hackers."
What Is Shodan?
Some have described Shodan as a search engine for hackers, and have even called it "the world's most dangerous search engine". It was developed by John Matherly in 2009, and unlike other search engines, it looks for specific information that can be invaluable to hackers.
Shodan pulls service banners (see my tutorial on fingerprinting web servers for more on banners) from servers and devices on the web, mostly on port 80, but also on ports 21 (FTP), 22 (SSH), 23 (Telnet), 161 (SNMP), and 5060 (SIP).
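Because a banner is simply what a service announces to anyone who connects, an administrator can review the same data for hosts they own. The following is an added example, not code from the original article: it audits banners collected from your own address space on the ports listed above. The sample banners, product names, addresses and regular expressions are constructed for illustration.

```python
import re

# Ports the article says Shodan collects banners from.
INDEXED_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP", 161: "SNMP", 5060: "SIP"}
CLEARTEXT_MGMT = {21, 23, 161}  # logins / community strings cross the wire unencrypted
# Product followed by a dotted version, e.g. "OpenSSH_8.9"; skips the "HTTP/1.1" status line.
VERSION_RE = re.compile(r"\b(?!HTTP/)[A-Za-z][\w-]*[/_ ]v?\d+(?:\.\d+)+")
REALM_RE = re.compile(r'WWW-Authenticate:.*realm="([^"]*)"', re.I)


def audit_banner(port, banner):
    """Return a list of findings for one banner captured from a host you own."""
    findings = []
    service = INDEXED_PORTS.get(port)
    if service is None:
        return findings  # not one of the ports listed in the article
    if port in CLEARTEXT_MGMT:
        findings.append(f"{service} reachable from the internet: filter it or move it behind a VPN")
    version = VERSION_RE.search(banner)
    if version:
        findings.append(f"banner discloses product/version '{version.group(0)}'")
    realm = REALM_RE.search(banner)
    if realm:
        findings.append(f"management login exposed (realm '{realm.group(1)}'): confirm default credentials were changed")
    return findings


def audit(records):
    """Map 'ip:port' -> findings, skipping entries with nothing to report."""
    report = {}
    for ip, port, banner in records:
        found = audit_banner(port, banner)
        if found:
            report[f"{ip}:{port}"] = found
    return report


# Constructed sample banners (documentation address range, hypothetical products).
SAMPLE = [
    ("192.0.2.10", 80, 'HTTP/1.1 401 Unauthorized\r\nServer: ExampleCam-httpd/2.1.3\r\nWWW-Authenticate: Basic realm="ExampleCam Admin"\r\n'),
    ("192.0.2.11", 23, "ExampleRouter login: "),
    ("192.0.2.12", 22, "SSH-2.0-OpenSSH_8.9"),
    ("192.0.2.13", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
]

if __name__ == "__main__":
    for target, found in audit(SAMPLE).items():
        for line in found:
            print(f"{target}: {line}")
```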
What Can Shodan Show Us?
Since almost every new device now has a web interface (maybe even your refrigerator) to ease remote management, we can access innumerable web-enabled servers, network devices, home security systems, etc.
Shodan can find us webcams, traffic signals, video projectors, routers, home heating systems, and SCADA systems that, for instance, control nuclear power plants and electrical grids. If it has a web interface, Shodan can find it!
How to Use Shodan?
STEP 1: CREATE A SHODAN ACCOUNT
First, let's start by navigating to shodanhq.com. When we do, we'll be greeted by an opening screen like that below.
Shodan requires that you register to use all of its features, but the service is free unless you need to use some of its advanced features.
STEP 2: SEARCH ON SHODAN
STEP 3: FIND UNPROTECTED WEBCAMS
Among the devices we can find on SHODAN are innumerable, unprotected webcams. Here is one of many that I found on SHODAN.
STEP 4: FIND TRAFFIC LIGHTS
There are so many devices that can be found on Shodan that the list would fill this entire article. Among the most intriguing things we can find are traffic signals and the cameras that monitor traffic at lighted intersections (some states now use these cameras to record your license plate number and send you a ticket if they detect you speeding or running a red light).
Careful here! Messing with or hacking traffic signals can cause fatalities and may be illegal. Here I show a listing of the "Red Light enforcement cameras" from Shodan.
STEP 5: FIND ROUTERS
Shodan catalogues thousands, if not millions, of routers, many of which are unprotected. Here's a screenshot of one I found and logged into the administrator account with the username of "admin" and password of "admin".
STEP 6: FIND SCADA SYSTEMS
Among the scariest and potentially most damaging uses of Shodan is finding SCADA (supervisory control and data acquisition) devices with web interfaces. SCADA devices are those that control such things as the electrical grid, water plants, waste treatment plants, nuclear power plants, etc.
These SCADA devices are the most likely targets in a cyber-terrorism or cyber warfare scenario, where two combatants are attempting to disable each other's infrastructure. Obviously, if one combatant can disable the other's electrical grid, power and water plants, etc., it won't take long to bring their adversary to their knees.
A cursory search of SCADA devices brought me to the IP address of a hydroelectric plant in Genoa, Italy.
When I clicked on this link, I was presented with this login screen of the hydroelectric plant's control system's interface.
STEP 7: FIND DEFAULT PASSWORDS
Many of these sites and interfaces use default passwords. Fortunately for us, there are many resources on the web that list the default passwords for all devices. Here is one at www.phenoelit.org/dpl/dpl.html. There are literally hundreds of these sites on the web. Simply Google "default passwords".
As many consumers and system administrators are careless and don't change the default passwords, often you can gain access to these devices simply using these lists to find the default admin username and password.
Shodan is a different kind of search engine. Shodan pulls banners from IP addresses and then catalogues all types of devices that have a remote interface from all over the world. Many of these devices are set to accept default logins, so that once you find a device and its default login, you may be able to own it!
Just keep in mind that Shodan is not an anonymous service.