Henry Dalziel | Pentesting Tools, SCADA News and Training | May 22, 2013
Commonly referred to as the world’s scariest search engine, SHODAN is here to stay and is getting better and better at what it is designed to do.
How does SHODAN work?
SHODAN does what Google does, but returns far more specific data about the hosts it finds. Whereas Google is interested in pretty images and excellent blog content (like what you are reading now on the world famous Concise Courses Security blog!), SHODAN will tell the hacker (be they white or black hat) things like banner information and which HTTP, SSH, FTP and SNMP services a host is running. The most basic SHODAN search will render results by country, network, operating system(s), and port(s).
If you wanted to execute a more specific search you’d use a string like this:
port:121 country:US hyper-v
port:121 – this narrows the search down to a specific port (here 121).
country:US – obvious: it restricts results to hosts located in one country.
hyper-v – the free-text term; this identifies all web servers using Hyper-V in the chosen country (the US in this example) by their SNMP banner.
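As an added illustration (not code from the original post), here is a small Python matcher that applies the same filter semantics to a constructed inventory of SHODAN-style records, so a defender can check which of their own exposed hosts a given query would surface and harden those first. The record field names (ip_str, port, data, location.country_code) are assumed to follow SHODAN's JSON result format; the hosts and banners are made up for this example.

```python
import shlex

# Constructed sample records in the shape of SHODAN's JSON results.
# Field names are an assumption about that format; the values are made up.
SAMPLE_RESULTS = [
    {"ip_str": "203.0.113.10", "port": 121, "location": {"country_code": "US"},
     "data": "SNMP\nsysDescr: Microsoft Hyper-V Server"},
    {"ip_str": "203.0.113.11", "port": 121, "location": {"country_code": "GB"},
     "data": "SNMP\nsysDescr: Microsoft Hyper-V Server"},
    {"ip_str": "203.0.113.12", "port": 80, "location": {"country_code": "US"},
     "data": "HTTP/1.1 200 OK\nServer: Hyper-V Web Console"},
    {"ip_str": "203.0.113.13", "port": 9100, "location": {"country_code": "US"},
     "data": "HP LaserJet\nAdmin login: default password not changed"},
]

def parse_query(query):
    """Split a SHODAN-style query into key:value filters and free-text terms.
    Quoted phrases ("default password") stay together as one term; tokens
    with an unsupported key are treated as free text."""
    filters, terms = {}, []
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if sep and key in ("port", "country"):
            filters[key] = value.lower()
        else:
            terms.append(token.lower())
    return filters, terms

def matches(record, filters, terms):
    """Apply the filters as the post describes them: port and country must
    match exactly, every free-text term must appear in the banner."""
    if "port" in filters and str(record["port"]) != filters["port"]:
        return False
    country = record["location"]["country_code"].lower()
    if "country" in filters and country != filters["country"]:
        return False
    banner = record["data"].lower()
    return all(term in banner for term in terms)

def search(query, results=SAMPLE_RESULTS):
    """Return the IPs from `results` that the query would surface."""
    filters, terms = parse_query(query)
    return [r["ip_str"] for r in results if matches(r, filters, terms)]

if __name__ == "__main__":
    print(search("port:121 country:US hyper-v"))  # ['203.0.113.10']
    print(search('"default password"'))          # ['203.0.113.13']
```

Feeding the same function your own external inventory (in the same record shape) shows which hosts answer a query like the one above before someone else runs it.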
We here at Concise Courses love SHODAN for one primary reason: we think it is great that there are tools, like SHODAN, that expose weaknesses. Why? Because they expose holes and vulnerabilities that can then be patched. We only learn through mistakes, and there is nothing wrong with learning from others’ mistakes. These ‘mistakes’ include things like using default passwords and not patching known, long-standing vulnerabilities.
We have hosted many Hacker Hotshot events regarding security ‘hacking’ tools, programs and software – and the one which we feel is most similar to SHODAN is PunkSPIDER, so go check it out if you’re interested. Both SHODAN and PunkSPIDER can scan massive amounts of data to specifically check, discover and audit vulnerabilities in web applications and websites.
SHODAN is particularly useful for detecting vulnerabilities in SCADA and ICS systems, or perhaps better said, it is very efficient at finding them. A CNN article by David Goldman recently highlighted two examples of how hackers used SHODAN. The first example was how an individual was able to crack into a hockey rink’s system (possibly SCADA/HMI) to defrost the rink! Another was able to take over the controls of a hydroelectric plant in France! These are not exaggerations. Just this week we had a demo with SCADA security experts showing how ‘easily’ a hacker can plant malware on a SCADA system using Metasploit and a USB stick.
Searching for ‘default password’ on SHODAN will return literally millions of results – mostly servers, but also printers. Printers are especially vulnerable and frequently provide the opening for a security breach.
Why do so many Internet-facing systems have default or poor security?
We have established that SHODAN exposes weaknesses effectively, but why are these systems vulnerable in the first place? The reason is simple. Many of these systems, such as those controlling utilities and the like that use SCADA, have almost zero security, because they were only designed to be connected to a company’s own internal systems and never to be exposed on the Internet – which leaves them open to anyone with a computer, SHODAN, Metasploit and, of course, bad intentions.