A recent round of media buzz has swarmed around the search engine called Shodan. If you’ve seen any stories like this or this, you’ve read that Shodan may be “the scariest search engine on the Internet.” The penetration testing search engine, it is said, reveals critical infrastructure like network servers, routers and even printers, empowering hackers to attack victims ranging from small businesses to public utilities.
Before panic ensues, let’s zoom out. Shodan is actually not new. The site was launched in 2009. According to its own slogan, Shodan is different from Google because it is designed to “find computers” rather than content. It sounds like black magic, but at its core the voodoo behind Shodan is really quite simple.
When you connect to a server listening on a given port, the server usually responds with what is called a “banner.” The banner is a block of text with details about the service, and it typically identifies the software and version that is running.
What Shodan’s crawler does is connect to IP addresses around the world on several common ports, saving whatever banner each service sends back. The Shodan search engine then lets users search for keywords in these banners, filtered by metadata like port, IP address or domain name.
Any “scary” vulnerabilities revealed by Shodan come down to the information in the banners. Keep in mind that banners are just that: information, which may not always be accurate.
For example, some banners like the example above reveal a default password. But this doesn’t mean that is actually the password configured for that site; it is just the software default. A security-aware administrator would (should) have changed the password when configuring the server.
The types of devices most at risk from a tool like Shodan are those which unnecessarily face the public Internet and still run their default configuration. Shodan is not the only way for hackers to discover these devices, but it does lower the barrier to such discovery.
Some of the same discoveries that can be revealed by Shodan have long been available through Google as well. Even though Google indexes content rather than server banners, hackers have long known that particular query strings can reveal mis-configured servers, printers, and webcams. These query templates are known as “Google dorks” and they long predate Shodan.
The point is, neither Google dorks nor Shodan are putting organizations at risk. Organizations put themselves at risk by leaving devices exposed. Sound security practices can minimize or eliminate your risks from penetration testing tools like Shodan.
Many of the devices revealed through Shodan shouldn’t be facing the Internet in the first place. Do your network printers, webcams or file servers need access to the public Internet? Or just your internal LAN?
In some cases, restricting devices to your LAN is just a matter of their network configuration. Or, you may have a network firewall that can be configured to block incoming access to these devices.
Some server software will let you customize the banner it displays to incoming connections. It is remarkable how much information many banners give away by default. Attackers can use the information in a banner such as server version and installed modules to dig up known security holes and attempt to exploit them.
Remember that Shodan only indexes banners. Even if your device is public facing, Shodan users only know as much as your servers’ banners tell them.
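To make the banner mechanism described above concrete, and to show why trimming a banner matters, here is an added example that is not part of the original post. It runs a throwaway service on localhost with a constructed banner (not real device output), grabs the banner the way a crawler would, and flags the details it gives away; the `serve_banner`, `grab_banner` and `audit_banner` helpers and the leak patterns are assumptions of this example, and the patterns are a starting point to adapt to your own services.

```python
import re
import socket
import threading

# Constructed sample banners (not captured from a real device): a verbose
# default banner beside the minimised one an administrator might configure.
VERBOSE_BANNER = b"220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [203.0.113.10]\r\n"
MINIMAL_BANNER = b"220 FTP service ready\r\n"

# Patterns that mark a banner as giving away more than it needs to.
LEAK_PATTERNS = {
    "version": re.compile(r"\b\d+\.\d+(\.\d+)?\b"),          # software version
    "default_install": re.compile(r"default", re.IGNORECASE),  # untouched defaults
    "credentials": re.compile(r"password|login:", re.IGNORECASE),
}

def serve_banner(banner: bytes) -> int:
    """Start a one-shot localhost server that sends `banner` on connect.
    Returns the ephemeral port it listens on (hypothetical helper)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]

def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read whatever the service volunteers, and return it as text.
    This is all a crawler needs: no credentials, no protocol dialogue."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace").strip()

def audit_banner(banner: str) -> list[str]:
    """Return the names of the leak patterns present in a banner."""
    return [name for name, pat in LEAK_PATTERNS.items() if pat.search(banner)]

if __name__ == "__main__":
    for label, b in (("verbose", VERBOSE_BANNER), ("minimal", MINIMAL_BANNER)):
        text = grab_banner("127.0.0.1", serve_banner(b))
        print(f"{label}: {text!r} -> leaks {audit_banner(text)}")
```

Run the same `grab_banner` against your own public-facing services to see exactly what a crawler records, then compare the result against what the service actually needs to announce.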
You can use Shodan’s IP filter to query your own organization’s network. For example, these Shodan search queries will pull up any server banners it has indexed for your public IP address or subnet:
Remember that Shodan is not querying your network on demand. It is only querying its crawler database, so it may not have visited your network recently, or at all. This is not a substitute for a real-time penetration testing tool.