Monday, February 20, 2012

Searching for Devices Using the SHODAN Search Engine

In this post, I'm going to discuss a very useful search engine called SHODAN, as well as introduce the API it offers for development. I will also include a link to a PHP API Wrapper that I wrote that can assist in easily accessing SHODAN from a web application.


Introducing SHODAN

SHODAN, developed by achillean (John Matherly), is a computer search engine that differs from other search engines in that one doesn't necessarily search for content, but devices. For example, one can search for "apache" and SHODAN will return the IP Address and banners that give device information for every apache web server to which SHODAN has connected.

Other uses include looking up the information recorded for a specific host (IP address) and finding systems whose banner includes the phrase "default password"; examples of both follow later in the post.

Why is this important?

SHODAN is extremely useful to security researchers, developers, and really anyone who has a need for the information it provides. So, let's consider a real example of how SHODAN has helped a security researcher collect useful data:

In a story posted by Wired on January 24, 2012, it was revealed that security researcher Eireann Leverett created a tool that uses geolocation to map "industrial control systems" (aka SCADA systems) and then shows the risk of exploitation for each machine. This research was timely given the concerns over the security and Internet exposure of SCADA systems that followed the Stuxnet attack. However, before he could map the data, he had to locate the systems. As described in the article, as well as in the detailed paper written by Leverett, he used SHODAN to search for well-known SCADA devices and measure their exposure. He then used other information from the banners SHODAN returned to query exploit databases and estimate the exploitability of each machine.

Through this kind of research (of which many other examples exist), developers, engineers, and administrators can have a much better idea of how exposed their systems are to the Internet, and take measures to better protect their critical infrastructure.

Using SHODAN

So now that we know how SHODAN can be used, and why it's important, let's look into some examples (a tutorial, if you will) on how to use the resources that it has to offer.

To search for information that would be found in a standard banner (such as the software version in use), enter the query into the search box and, if needed, select a country on the drop-down map to limit results by country. An example of this can be seen below:


In this example, the information for all devices in the US that have "default password" in their banner will be returned to the user. A standard result can contain anything from the IP address, HTTP headers, and location to things such as the MOTD (Message of the Day) and other pertinent information. A result corresponding to an HTTP server might look like this:



One can see that this information reveals that this device is a wireless access point running a Boa web server that is accessible from any Internet address, and that the default password for this device is "connect." If the administrator of this device has not changed the default password, anyone with this information would be able to log in and remotely manage the device.

While a basic search will be sufficient for most users, the real power of SHODAN lies in the filters available to help refine your search to a specific, targeted subset of the results. There are many filters available, some of which include:

  • city - Refines the search to devices in a certain city. Example: default password city:memphis
  • country - Same as city, but narrows results down by country. Countries are specified by their two-letter country codes, and the filter can also be used to pin down where a searched-for city is located (in case two cities share the same name).
  • hostname - Searches for computers whose hostname includes the specified value. Example: hostname: twitter.com
  • os - Specifies which operating system the machine should be running. Example: apache os:linux
  • port - Restricts the search to certain ports. Possible values are 21, 22, 23, and 80. Example: openssh port:22
Note: Some filters require additional access, either by logging into SHODAN or by purchasing access via add-ons.

There are other filters available, but this should give you a good idea of the power and flexibility that SHODAN has to offer. All of the filters and some extra examples can be found on the documentation page here.

Also, note that once a search has been performed, if you have the proper credits you can export the data that was returned. This is helpful for keeping the data offline for later analysis.

API Access

Now that we've covered the basic search features, it would sell SHODAN short not to discuss the API it offers developers. API wrappers for SHODAN's services have been written in Python, Perl, Ruby, Node.js, and (by me) PHP.

To access the API, the first thing you need to do is create an account to use with SHODAN. The site offers several options, including creating a standalone account or using a third-party service (such as Google Accounts or Facebook) to log in. To create a standalone account specific to SHODAN, click "Register" in the top-right of the home screen and then fill in the required information.



If you would rather use a different service, click "Login" on the top right-hand side of the home screen, select whichever service you would like to use, and then follow the directions.


After you take the steps to login, you will be taken back to the home screen, where you can click on "Home" to be taken to your dashboard. From here, you can see which add-ons you have purchased, how many credits you have available to purchase add-ons, recent and popular searches, and you can also create an API key.

An API key will be necessary if you wish to access SHODAN data from your software. I created my API key before writing this post; it should just be a matter of clicking the link on the dashboard that creates a key for you.

Now we will explore how the API can be used in development to access SHODAN. The full documentation for each API wrapper can be found here. In most cases, the API libraries receive the results from SHODAN as JSON-encoded data, which the library parses and returns to the developer as an associative array, aka dictionary (Python) or hash (Perl). This makes it easy to filter or sort the results on whatever fields you need.

Using the API can be simple. For example, in Python, to perform a search one would install the API library and create a new script containing the following:

from shodan import WebAPI          # client class from the shodan package (the 2012-era API)

API_KEY = "your api key"           # replace with the key generated from your SHODAN dashboard
api = WebAPI(API_KEY)              # create a client bound to your key
results = api.search('apache')     # returns a dict parsed from the JSON response

Then, the results of the search will be stored in dictionary form in the results variable. There are many functions available for access from the API, so be sure to check them out!
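As an added example (not code from this post or from any of the wrappers it mentions), the following Python script composes query strings using the filters listed above and runs a small exposure report over a results dictionary of the kind the wrappers hand back, the sort of check an administrator would run against their own address space. The field names in the sample response ("matches", "ip", "port", "hostnames", "data") and the banners in it are constructed assumptions, not live SHODAN data.

```python
import json
from collections import Counter

# Assumed (not from the post) response shape: a top-level "matches" list where each
# entry carries "ip", "port", "hostnames" and the raw banner text under "data".
SAMPLE_RESPONSE = json.dumps({  # constructed sample, not real SHODAN data
    "total": 3,
    "matches": [
        {"ip": "192.0.2.10", "port": 80, "hostnames": ["ap1.example.net"],
         "data": "HTTP/1.0 401 Unauthorized\r\nServer: Boa/0.94.14rc21\r\n"
                 "WWW-Authenticate: Basic realm=\"Default password: connect\"\r\n"},
        {"ip": "192.0.2.11", "port": 22, "hostnames": [],
         "data": "SSH-2.0-OpenSSH_5.3\r\n"},
        {"ip": "192.0.2.12", "port": 80, "hostnames": ["www.example.net"],
         "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n"},
    ],
})

FILTERS = ("city", "country", "hostname", "os", "port")  # the filters the post lists

def build_query(term, **filters):
    """Compose a SHODAN query string: the free-text term plus name:value filters.
    Rejects a filter name that is not one of the filters listed in the post."""
    for name in filters:
        if name not in FILTERS:
            raise ValueError("unknown filter: %s" % name)
    return " ".join([term] + ["%s:%s" % (k, v) for k, v in sorted(filters.items())])

def parse_results(raw_json):
    """Turn the JSON text the API returns into the dict the wrappers hand back."""
    return json.loads(raw_json)

def exposure_report(results):
    """Summarise a result dict for a defender auditing their own address space:
    hosts per port, advertised server software, and banners that still
    announce a default password."""
    per_port = Counter(m["port"] for m in results["matches"])
    servers = {}
    default_pw_hosts = []
    for m in results["matches"]:
        for line in m["data"].splitlines():
            if line.lower().startswith("server:"):
                servers[m["ip"]] = line.split(":", 1)[1].strip()
        if "default password" in m["data"].lower():
            default_pw_hosts.append("%s:%d" % (m["ip"], m["port"]))
    return {"per_port": dict(per_port), "servers": servers,
            "default_password_hosts": default_pw_hosts}
```

With a real key, the dict returned by api.search(build_query(...)) can be passed straight to exposure_report() in place of the constructed sample.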

Also, SHODAN currently has a two-year anniversary deal available that lets you have an extensive set of benefits for $19. I purchased it, and think it's worth every penny! Be sure to check it out!

As a quick side note, I noticed that while there were API wrappers in many languages (such as Python, Perl, and Ruby), there wasn't one in PHP. So, since I needed a good, quick PHP project to work on, I wrote one. It's open source, so feel free to use it in any web apps you may be developing.

Conclusion

SHODAN is a very powerful tool that can be used in a variety of ways. Sure, people could argue that having a tool like this facilitates the efforts of hackers, but one could argue that not only could this information be sought out without SHODAN, but also that having SHODAN available will drive sysadmins towards making sure they, for example, change the default passwords on devices, promoting better security practices in general. Regardless of which stance you take, be sure to check out SHODAN and see what it has to offer.

1 comment:

  1. Very Nice Article. I was hoping for "SHODAN WALKTHROUGH" of some kind. And this looks promising. Please provide us more, If you can.