By J.M. Porup
Shodan is the search engine for everything on the internet. While Google and other search engines index only the web, Shodan indexes pretty much everything else — web cams, water treatment facilities, yachts, medical devices, traffic lights, wind turbines, license plate readers, smart TVs, refrigerators, anything and everything you could possibly imagine that’s plugged into the internet (and often shouldn’t be).
The best way to understand what Shodan does is to read founder John Matherly’s book on the subject. The basic algorithm is short and sweet:
1. Generate a random IPv4 address
2. Generate a random port to test from the list of ports that Shodan understands
3. Check the random IPv4 address on the random port and grab a banner
4. Goto 1
That’s it. Find all the things, index all the things, make searchable all the things. It’s a thing, and it’s called Shodan.
Services running on open ports announce themselves, of course, with banners. A banner publicly declares to the entire internet what service it offers and how to interact with it. Shodan gives the example of an FTP banner:
While Shodan does not index web content, it does query ports 80 and 443. Here’s the https banner from CSOonline:
Other services on other ports offer service-specific information. That’s not a guarantee that the published banner is true or genuine. In most cases, it is, and in any event publishing a deliberately misleading banner is security by obscurity.
Some enterprises block Shodan from crawling their network, and Shodan honors such requests. However, attackers don’t need Shodan to find vulnerable devices connected to your network. Blocking Shodan might save you from momentary embarrassment, but it is unlikely to improve your security posture.
Let’s address the elephant in the room: Shodan totally freaks people out.
Shodan terrifies non-technical people who don’t understand how the internet works. CNN called it the “scariest search engine on the internet” in 2013. How can you let hackers know where all the power plants are so they can blow them up? This is awful!
Shodan reveals what’s connected to and visible from the internet, such as this facility
This is, of course, hyperbole caused by ignorance. Attackers intent on causing harm don’t need Shodan to find targets. That’s what botnets running zmap are for. The real value of Shodan lies in helping defenders gain greater visibility into their own networks.
You can’t play defense if you don’t know what you must defend, and this is true equally at both the enterprise level and society as a whole. Shodan gives us greater visibility into the insecure, interconnected cyberphysical world in which we all now live.
The modern enterprise typically exposes more to the internet than it would like. Employees plug things into the network to get their job done, and voila! Multiply that across all of shadow IT, and you’ve got a growing attack surface to manage.
Shodan makes it easy to search a subnet or domain for connected devices, open ports, default credentials, even known vulnerabilities. Attackers can see the same thing, so batten down the hatches before they decide to attack.
Many devices publicly announce their default passwords in their banner. Many Cisco devices, for example, advertise a default username/password combo of “cisco/cisco.” Finding devices like this on your network before attackers do seems like it would be a good idea.
Shodan also lets you search for devices vulnerable to specific exploits, such as Heartbleed. In addition to helping defenders identify their own devices to secure, this aids penetration testers during the information gathering phase; using Shodan is faster and stealthier than noisily nmap’ing your client’s entire subnet.
Paid members have access to the API, and can even create alerts when new devices pop up on the subnet(s) they want to monitor — a cheap and effective way to keep an eye on what your folks are plugging into the internet.
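The defensive use described above, as an added example that is not from the article or from Shodan itself: given banner records for your own netblock, flag any (IP, port) exposure missing from your asset inventory and any banner that advertises default credentials. The records and the inventory are constructed for this example and only loosely follow the shape of Shodan’s banner objects (`ip_str`, `port`, `transport`, `data`); field names beyond those are assumptions.

```python
"""Triage Shodan-style banner records for a netblock you defend (added example)."""
import ipaddress
import re

# Constructed sample records, roughly shaped like Shodan banner objects.
# Addresses are documentation ranges; banner text is made up for this example.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"ip_str": "203.0.113.25", "port": 23, "transport": "tcp",
     "data": "User Access Verification\r\nDefault credentials: cisco/cisco\r\n"},
    {"ip_str": "203.0.113.77", "port": 21, "transport": "tcp",
     "data": "220 FTP server ready.\r\n"},
    {"ip_str": "198.51.100.5", "port": 80, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\n"},  # outside the netblock; must be ignored
]

# Asset inventory: (ip, port) pairs you already know are meant to be exposed.
KNOWN_EXPOSURE = {("203.0.113.10", 443)}

# Banner phrases that indicate a device is announcing default credentials.
DEFAULT_CRED_PATTERNS = [
    re.compile(r"default (user(name)?|password|login|credentials?)", re.I),
    re.compile(r"\b(admin|cisco|root)\s*[/:]\s*(admin|cisco|password)\b", re.I),
]


def triage(banners, netblock, known):
    """Return (finding, ip, port) tuples for hosts inside `netblock`.

    'unexpected-exposure': the (ip, port) is not in the known inventory,
    which is the condition a Shodan-style new-device alert would fire on.
    'default-credentials-advertised': the banner text matches a default-
    credential pattern, so the device should be reconfigured or removed.
    """
    net = ipaddress.ip_network(netblock)
    findings = []
    for banner in banners:
        ip = banner["ip_str"]
        if ipaddress.ip_address(ip) not in net:
            continue  # not our address space
        port = banner["port"]
        if (ip, port) not in known:
            findings.append(("unexpected-exposure", ip, port))
        if any(p.search(banner["data"]) for p in DEFAULT_CRED_PATTERNS):
            findings.append(("default-credentials-advertised", ip, port))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_BANNERS, "203.0.113.0/24", KNOWN_EXPOSURE):
        print(*finding)
```

Feeding real Shodan results for your own ranges through `triage` turns the article’s “batten down the hatches” advice into a concrete work list.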
The most remarkable aspect of Shodan, however, might be the public awareness it brings to the vast quantity of insecure, critical cyberphysical infrastructure that has somehow gotten plugged into the internet. Shodan’s internet cartography helps quantify the systemic security issues the internet faces, and enables journalists to write about, and policymakers to wrangle with, solutions to problems at this scale. (Full disclosure: This reporter has a paid Shodan membership and finds it a mighty useful tool for investigative journalism.)
Take things like ICS/SCADA, for example. Industrial control systems predate the internet and were designed on purpose with no security in mind. They were never intended to be plugged into a global internet, after all, and physical security controls were considered more than sufficient to prevent a malicious attacker from, say, dumping raw sewage into your fresh water supply.
That’s changed, and critical infrastructure that was never intended to be on the internet is now a few hops away from every attacker on the planet. Shodan makes it easy to find these systems and raise the alarm. Should water treatment facilities, dams, crematoriums, yachts — you name it — ever be connected to the internet under any circumstances? Probably not, and Shodan makes raising awareness of the issue much easier.
Likewise, a flood of insecure IoT devices is drowning the market, everything from connected coffeemakers to sex toys to refrigerators to, again, you name it. The market has clearly failed to select for strong cybersecurity for these devices, and regulators have, with some notable exceptions, failed to step in to demand stronger cybersecurity controls. Worse, IoT manufacturers go out of business or simply abandon support of the devices they manufacture, leaving consumers stranded with insecure — and unsecurable — devices that then get slaved into botnet armies. The systemic risk this poses to the entire internet cannot be overstated.
The initial gasp of “omg” from non-technical folks on discovering Shodan is best targeted at the market and regulatory forces that enable this situation to flourish.
Want everything and the kitchen sink? Shodan’s new Enterprise Edition gives you all of Shodan’s data, on-demand access to Shodan’s global infrastructure, and an unlimited license for all employees of your organization to access everything all the time.
Woo-hoo! That’s a lot. If threat intel is your thing, then Shodan Enterprise might be your jam. As their promo copy puts it, “The Shodan platform helps you monitor not just your own network but also the entire Internet. Detect data leaks to the cloud, phishing websites, compromised databases and more. The Enterprise Data License gives you the tools to monitor all connected devices on the Internet.”
For a big organization, or one that doesn’t want to re-invent the wheel in-house with zmap, Shodan Enterprise offers a data license to use their data for commercial use without attribution. Possible use cases include fraud prevention, market intelligence, not to mention threat intelligence.
The price tag? Well, you’ll have to contact their sales team for that. We suspect their “everything and the kitchen sink” package ain’t cheap, though.
Shodan is free to explore, but the number of results is capped with a free account. Advanced filters require a paid membership (USD $49/lifetime). Developers needing a real-time data stream of the whole shebang can get that too. Of course, the Shodan Enterprise everything-and-the-kitchen-sink package is also available for an undisclosed, presumably substantial, fee.
Defending your organization from embarrassment may have public relations value, but no security value. Shodan gives organizations visibility into their external security posture, and those of other organizations.
The internet continues to incur greater and greater security debt. Shodan lets us see the problem clearly, no matter how uncomfortable that may make some non-technical people.
This story, “What is Shodan? The search engine for everything on the internet” was originally published by
CSO senior security reporter J.M. Porup got his first job in IT security in 2002 as a Linux sysadmin. Got tips? email@example.com
Copyright © 2019 IDG Communications, Inc.