What is Shodan? The search engine for everything on the internet

Shodan is a search engine for everything on the internet — web cams, water treatment facilities, yachts, medical devices, traffic lights, wind turbines, license plate readers, smart TVs, refrigerators, anything and everything you could possibly imagine that’s plugged into the internet (and often shouldn’t be). Google and other search engines, by comparison, index only the web.

The best way to understand what Shodan does is to read founder John Matherly’s book on the subject. The basic algorithm is short and sweet:

1. Generate a random IPv4 address 2. Generate a random port to test from the list of ports that Shodan understands 3. Check the random IPv4 address on the random port and grab a banner 4. Goto 1

That’s it. Shodan finds all the things, indexes all the things, makes searchable all the things. 

How Shodan works

Services running on open ports announce themselves, of course, with banners. A banner publicly declares to the entire internet what service it offers and how to interact with it. Shodan gives the example of an FTP banner:

220 kcg.cz FTP server (Version 6.00LS) ready.

While Shodan does not index web content, it does query ports 80 and 443. Here’s the https banner from CSOonline:

$ curl -I https://www.csoonline.comHTTP/2 200server: Apache-Coyote/1.1x-mod-pagespeed: 1.12.34.2-0content-type: text/html;charset=UTF-8via: 1.1 varnishaccept-ranges: bytesdate: Fri, 25 May 2018 14:16:18 GMTvia: 1.1 varnishage: 0x-served-by: cache-sjc3135-SJC, cache-ewr18125-EWRx-cache: HIT, MISSx-cache-hits: 2, 0x-timer: S1527257779.808892,VS0,VE70vary: Accept-Encoding,Cookiex-via-fastly: Verdadcontent-length: 72361

Other services on other ports offer service-specific information. That’s not a guarantee that the published banner is true or genuine. In most cases, it is, and in any event publishing a deliberately misleading banner is security by obscurity.

Some enterprises block Shodan from crawling their network, and Shodan honors such requests. However, attackers don’t need Shodan to find vulnerable devices connected to your network. Blocking Shodan might save you from momentary embarrassment, but it is unlikely to improve your security posture.

Is Shodan legal?

In short, yes, Shodan is legal, and it is legal to use Shodan to find vulnerable systems. It is, of course, not legal to break into any vulnerable systems you may have found using Shodan. 

Still, Shodan totally freaks people out. CNN called it the “scariest search engine on the internet” in 2013. How can you let hackers know where all the power plants are so they can blow them up? This is awful!

Shodan

This is, of course, hyperbole caused by ignorance. Attackers intent on causing harm don’t need Shodan to find targets. That’s what botnets running zmap are for. The real value of Shodan lies in helping defenders gain greater visibility into their own networks.

You can’t play defense if you don’t know what you must defend, and this is true equally at both the enterprise level and society as a whole. Shodan gives us greater visibility into the insecure, interconnected cyberphysical world in which we all now live.

How to use Shodan

The modern enterprise typically exposes more to the internet than they would like. Employees plug things into the network to get their job done, and voila! Multiply that across all of shadow IT, and you’ve got a growing attack surface to manage.

Shodan makes it easy to search a subnet or domain for connected devices, open ports, default credentials, even known vulnerabilities. Attackers can see the same thing, so batten down the hatches before they decide to attack.

Many devices publicly announce their default passwords in their banner. Many Cisco devices, for example, advertise a default username/password combo of “cisco/cisco.” Finding devices like this on your network before attackers do seems like it would be a good idea.

Shodan also lets you search for devices vulnerable to specific exploits, such as Heartbleed. In addition to helping defenders identify their own devices to secure, this aids penetration testers during the information gathering phase; using Shodan is faster and stealthier than noisily nmap’ing your client’s entire subnet.

Paid members have access to the Shodan API and can even create alerts when new devices pop up on the subnet(s) they want to monitor—a cheap and effective way to keep an eye on what your folks are plugging into the internet.

Searching open IoT and ICS

The most remarkable aspect of Shodan might be the public awareness it brings to the vast quantity of insecure, critical infrastructure that has somehow gotten plugged into the internet. Shodan’s internet cartography helps quantify the systemic security issues the internet faces, and enables journalists to write about, and policymakers to wrangle with, solutions to problems at this scale. (Full disclosure: This reporter has a paid Shodan membership and finds it a mighty useful tool for investigative journalism.)

Take things like ICS/SCADA, for example. Industrial control systems predate the internet and were designed on purpose with no security in mind. They were never intended to be plugged into a global internet, after all, and physical security controls were considered more than sufficient to prevent a malicious attacker from, say, dumping raw sewage into your fresh water supply.

That’s changed, and critical infrastructure that was never intended to be on the internet is now a few hops away from every attacker on the planet. Shodan makes it easy to find these systems and raise the alarm. Should water treatment facilities, dams, crematoriums, yachts — you name it — should these things ever be connected to the internet under any circumstances? Probably not, and Shodan makes raising awareness of the issue much easier.

Likewise, a flood of insecure IoT devices is drowning the market, everything from connected coffeemakers to sex toys to refrigerators to, again, you name it. The market has clearly failed to select for strong cybersecurity for these devices, and regulators have, with some notable exceptions, failed to step in to demand stronger cybersecurity controls. Worse, IoT manufacturers go out of business or simply abandon support of the devices they manufacture, leaving consumers stranded with insecure—and unsecurable—devices that then get slaved into botnet armies. The systemic risk this poses to the entire internet cannot be overstated.

The initial gasp of “omg” from non-technical folks on discovering Shodan is best targeted at the market and regulatory forces that enable this situation to flourish.

Is Shodan free?

Shodan is free to explore, but the number of results is capped with a free account. Advanced filters require a paid membership (USD $49/lifetime). Developers needing a real-time data stream of the whole shebang can get that too. 

Shodan’s Enterprise Edition gives you all of Shodan’s data, on-demand access to Shodan’s global infrastructure, and an unlimited license for all employees of your organization to access everything all the time.

Woo-hoo! That’s a lot. If threat intel is your thing, then Shodan Enterprise might be your jam. As their promo copy puts it, “The Shodan platform helps you monitor not just your own network but also the entire internet. Detect data leaks to the cloud, phishing websites, compromised databases and more. The Enterprise Data License gives you the tools to monitor all connected devices on the internet.”

For a big organization, or one that doesn’t want to reinvent the wheel in-house with zmap, Shodan Enterprise offers a data license to use their data for commercial use without attribution. Possible use cases include fraud prevention, market intelligence, not to mention threat intelligence.

The price tag? Well, you’ll have to contact their sales team for that. We suspect their “everything and the kitchen sink” package ain’t cheap, though.