A recent round of media buzz has swarmed around the search engine called Shodan. If you’ve seen any stories like this or this, you’ve read that Shodan may be “the scariest search engine on the Internet.” The penetration testing search engine, it is said, reveals critical infrastructure like network servers, routers and even printers, empowering hackers to attack victims ranging from small businesses to public utilities.

Before panic ensues, let’s zoom out. Shodan is actually not new. The site was launched in 2009. According to its own slogan, Shodan is different from Google because it is designed to “find computers” rather than content. It sounds like black magic, but at its core the voodoo behind Shodan is really quite simple.

Behind the Shodan Curtain

When you connect to a server listening on a given port, the server usually responds with what is called a “banner.” The banner is a block of text with details about the service, like this:

HTTP/1.0 401 Unauthorized
Date: Thu, 08 Jan 1970 18:04:00 GMT
Server: Boa/0.93.15 (with Intersil Extensions)
Connection: close
WWW-Authenticate: Basic realm="LOGIN Enter Password (default is medion, ignore username)"
Content-Type: text/html

This is the banner of a server running Boa, a lightweight HTTP server designed for embedded platforms, including Android devices. The banner identifies the version of the software running and, you’ll notice, a default password.

Shodan’s crawler connects to IP addresses around the world on several common ports and saves whatever banner each service returns. The Shodan search engine then lets users search for keywords in those banners, filtered by metadata like port, IP address or domain name.

Any "scary" vulnerabilities revealed by Shodan come down to the information in the banners. Keep in mind that banners are just that: information, which may not always be accurate.

For example, some banners like the example above reveal a default password. But this doesn’t mean that is actually the password configured for that site; it is just the software default. A security-aware administrator would (should) have changed the password when configuring the server.
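To make the banner mechanism concrete, here is an added example (my own code, not part of the article or of Shodan) that does on a single host what Shodan’s crawler does at scale: it collects an HTTP response head and picks out what that banner gives away. It is written from the auditing side, for checking your own public-facing hosts. The sample banner is the Boa response quoted above; the “hardened” banner is a constructed contrast showing what a server that suppresses version and default-password hints looks like. The regular expressions are my own heuristics, not anything Shodan uses.

```python
import re
import socket

# Constructed sample 1: the Boa banner quoted in the article, as raw bytes
# the way a banner grabber would receive them.
SAMPLE_BANNER = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b"Date: Thu, 08 Jan 1970 18:04:00 GMT\r\n"
    b"Server: Boa/0.93.15 (with Intersil Extensions)\r\n"
    b"Connection: close\r\n"
    b'WWW-Authenticate: Basic realm="LOGIN Enter Password (default is medion, ignore username)"\r\n'
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed sample 2: the same kind of service after its banner has been trimmed
# (no version string, a neutral auth realm).
HARDENED_BANNER = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b"Server: Apache\r\n"
    b'WWW-Authenticate: Basic realm="Restricted"\r\n'
    b"\r\n"
)

# Heuristics (my own): a "/1.2.3" style token in the Server header leaks a version;
# the word "default" in an auth realm hints at factory credentials.
VERSION_HINT = re.compile(r"/\d+(\.\d+)+")
DEFAULT_CRED_HINT = re.compile(r"\bdefault\b", re.IGNORECASE)


def grab_http_banner(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Send a minimal HEAD request to one of your own hosts and return the raw
    response head (everything up to the blank line), exactly as a crawler sees it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        chunks = []
        while b"\r\n\r\n" not in b"".join(chunks):
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    return raw.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n"


def parse_http_banner(raw: bytes) -> dict:
    """Split a raw HTTP response head into its status line and a header map
    (header names lower-cased)."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def assess_banner(raw: bytes) -> dict:
    """Report what a banner discloses: software/version, auth realm, and findings."""
    headers = parse_http_banner(raw)["headers"]
    server = headers.get("server", "")
    realm_match = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    realm = realm_match.group(1) if realm_match else None

    findings = []
    if VERSION_HINT.search(server):
        findings.append("server header discloses software version")
    if realm and DEFAULT_CRED_HINT.search(realm):
        findings.append("auth realm hints at a default password")
    return {"server": server, "realm": realm, "findings": findings}


if __name__ == "__main__":
    for label, banner in (("boa", SAMPLE_BANNER), ("hardened", HARDENED_BANNER)):
        print(label, assess_banner(banner))
```

Nothing here is specific to Shodan: any crawler, or any curious person with a terminal, receives the same bytes. The practical point is that `assess_banner` returns an empty findings list for the hardened banner not because the service is any more secure, but because it simply says less; the password still has to be changed and the service still has to be firewalled, as the rest of the article argues.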

Who Should Worry about Shodan?

The types of devices most at risk from a tool like Shodan are those which unnecessarily face the public Internet and still run their default configuration. Shodan is not the only way for hackers to discover these devices, but it does lower the barrier to discovering them.

Some of the same discoveries that can be revealed by Shodan have long been available through Google as well. Even though Google indexes content rather than server banners, hackers have long known that particular query strings can reveal mis-configured servers, printers, and webcams. These query templates are known as “Google dorks” and they long predate Shodan.

The point is, neither Google dorks nor Shodan is putting organizations at risk. Organizations put themselves at risk by leaving devices exposed.

How to Minimize Shodan Risks

Sound security practices can minimize or eliminate your risks from penetration testing tools like Shodan.

Restrict public-facing servers and devices. Many of the devices revealed through Shodan shouldn’t be facing the Internet in the first place. Do your network printers, webcams or file servers need access to the public Internet? Or just your internal LAN?

In some cases, restricting devices to your LAN is just a matter of their network configuration. Or, you may have a network firewall that can be configured to block incoming access to these devices.

Use a VPN or IP filters when you need external access. If employees or contractors need to access internal resources -- like printers, webcams or file shares -- from outside your network, restrict them by using IP filters in your firewall. Better yet, require use of a VPN. This will prevent crawlers like Shodan from finding your devices in the first place.

Always change password defaults. Whether or not your server’s banner advertises this information specifically, most devices ship with off-the-shelf default passwords. Attackers can find this information online, particularly if they’ve identified the make and model of your device, such as through the banner data. Simply setting a non-default password would keep the vast majority of machines that turn up on Shodan safe.

Suppress or minimize verbose banners. Some server software will let you customize the banner it displays to incoming connections. It is remarkable how much information many banners give away by default. Attackers can use the information in a banner such as server version and installed modules to dig up known security holes and attempt to exploit them.

Remember that Shodan only indexes banners. Even if your device is public facing, Shodan users only know as much as your servers’ banners tell them.

Run Shodan against yourself. You can use Shodan’s IP filter to query your own organization’s network. For example, these Shodan search queries will pull up any server banners Shodan has indexed for your public IP address or subnet:

net:your.ip.add.ress
net:your.ip.add.0/24

Remember that Shodan is not querying your network on demand. It only searches the database its crawler has already built, so it may not have visited your network recently, or at all. This is not a substitute for a real-time penetration testing tool.

Wrapping up: Control Your Destiny

Scary hype aside, the bottom line is that Shodan can only aid attackers in finding devices which are exposed and mis-configured. It offers no magic bullet for compromising your network unless your network is poorly secured. Sound security practices will minimize the threat from attackers using Shodan to sniff around your network.

Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet.