While most people use search engines to find the information they need, there is another world hidden from ordinary users. This is the world of Shodan, a search engine that indexes not web pages, but network devices, scanning for open ports and vulnerabilities.
Shodan has become an indispensable tool for security researchers and hackers, but it can also be used to protect against them. In this article, we will look at what Shodan is, how it works, and what risks and opportunities it poses for information security.
What is Shodan and how is it different from regular search engines
Unlike, for example, Yandex or Google, which search for text on web pages, Shodan sees the devices themselves, recognizing their type, software, and open ports. Shodan scans the Internet for open ports and devices that respond to requests. It uses bots that check IP addresses for open ports and services. When a bot finds an active device, it collects information about it, such as:
- device type - camera, router, server, etc.;
- operating system - Windows, Linux, iOS, etc.;
- software version;
- which device ports are available for connection;
- additional information - device name, serial number, IP address, etc.
The collected information is indexed in the Shodan database, allowing interested parties to search for devices based on various criteria.
Shodan Risks
The information collected by Shodan can be used by attackers for various types of hacking attacks. Access to open ports and device information gives hackers the opportunity to use different attack methods.
Andrey Zhukov.
Leading Security Analyst at the UCSB.
Shodan, Censys, BinaryEdge, ZoomEye, Fofa, internet-measurement and other public systems are ASM systems that continuously scan the entire Internet. Each of these systems has its own scanner servers, and they are clearly visible on honeypots. You can run one yourself or take a public one, for example https://honeypot.land/. So the simplest defense against Shodan and the like would be to block the corresponding pool of addresses.
But Shodan is not the only thing that can scan you. Anyone can run nmap or masscan and get the same result as from Shodan, but do it from any IP address. Therefore, I would advise activating a rule on the firewall in front of the servers that sends TCP SYN-ACK packets in response to any incoming TCP SYN. This will result in the scanning side seeing 65535 open ports, where it will be simply impossible to see productive services. This is a great security measure that is sometimes found on the perimeters of different companies. As a pentester simulating real attacks, I can say that this greatly hinders reconnaissance.
However, we can make life even worse for scanners if, instead of sending TCP SYN-ACK, we redirect all incoming connections to some stub port that sends garbage from /dev/zero in response. This will hang scanners when they start determining service versions by endlessly reading data from each port. Ultimately, this can even lead to a memory leak on the scanning side and denial of service.
Here are some of the most common risks:
- Vulnerability scanning. Shodan allows hackers to quickly and efficiently scan devices for known vulnerabilities. For example, if a device is running an outdated version of software with known bugs, hackers can exploit them to gain unauthorized access.
- DDoS attacks. The search engine can be used to organize DDoS (distributed denial of service) attacks. Hackers can send a large number of requests to the device, which leads to overload and failure.
- Spam bombing. Information about network devices collected by Shodan can be used to send spam and malware.
- Taking control of devices. Shodan can be used to take control of devices, such as security cameras or routers. Hackers can use the captured devices for spying or other malicious purposes.
- Data theft. Attackers can use Shodan to find devices that store sensitive data, such as databases or financial information.
It is important to remember that Shodan is a powerful tool that can be used for good or bad purposes. It is important to be aware of the risks associated with using Shodan and take steps to protect your network devices.
Not only a threat, but also a tool of protection
Shodan, despite its reputation as a hacker tool, is also useful for security professionals. It provides invaluable information about network devices, allowing you to proactively identify problems and fix vulnerabilities.
Shodan helps security professionals quickly find devices with outdated software or open ports that could be used for attacks. It also helps monitor changes in the network and identify new devices that could pose a threat. Shodan’s analysis of information helps them understand how hackers are attacking devices, allowing them to improve their defense strategies. Shodan even creates a network map that shows all devices connected to the internet, making it easier to manage and protect your network. Shodan is also a valuable tool for cybersecurity education and research.
How to Hide Your Devices from the "All-Seeing Eye"
To protect your network devices from Shodan scanning, there are a number of steps you need to take.
Konstantin Larin.
Head of the Cyber Intelligence Department at Bastion.
You can protect your network devices from scanning in several ways, for example:
- Use a firewall and configure it correctly to prevent scanning in various ways (SYN/TCP/UDP/FIN/ACK scanning).
- Periodically scan all external infrastructure for unused external addresses and ports (for example, using nmap). Close unused ports through a firewall.
- Use IDS/IPS class solutions to detect and prevent network scanning attempts.
- Maintain blacklists of IP addresses/domain names of popular resources that automatically scan external network resources (Shodan, Censys, ZoomEye, and others).
- Use virtual local area networks (VLANs) to separate and isolate devices on your internal network.
- If possible, use GeoIP filtering to prevent attempts to scan network resources by foreign services.
Unfortunately, protecting yourself from Shodan scanning is not a one-time task. You need to regularly check your security settings and update your software to ensure that your network devices are protected from threats.
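The periodic external scan recommended above only helps if its result is compared against what is supposed to be exposed. The following is an added example, not part of the original article: it parses nmap's grepable output (`-oG`) for hosts you own and reports drift from an approved baseline. The addresses, the baseline and the sample scan text are constructed for illustration.

```python
import re

# Approved external exposure per host (constructed baseline, an assumption).
BASELINE = {
    "203.0.113.10": {(443, "tcp")},
    "203.0.113.11": {(25, "tcp"), (443, "tcp")},
}

# Constructed sample of `nmap -oG - -p- <your own ranges>` output (no -sV).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p- 203.0.113.10-12
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 23/open/tcp//telnet///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 443/closed/tcp//https///
Host: 203.0.113.12 ()\tPorts: 554/open/tcp//rtsp///\tIgnored State: closed (65534)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Return {host: {(port, proto): service}} for ports in state 'open'."""
    found = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue
        # The Ports field ends at the next tab ("Ignored State: ..." may follow).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue
            found.setdefault(m.group(1), {})[(int(parts[0]), parts[2])] = parts[4]
    return found


def exposure_drift(scan_text, baseline):
    """Return (unexpected open ports, approved ports that no longer answer)."""
    observed = parse_grepable(scan_text)
    unexpected, missing = [], []
    for host, ports in observed.items():
        for (port, proto), service in ports.items():
            # Hosts absent from the baseline are new devices: every port counts.
            if (port, proto) not in baseline.get(host, set()):
                unexpected.append((host, port, proto, service))
    for host, allowed in baseline.items():
        for port, proto in allowed - set(observed.get(host, {})):
            missing.append((host, port, proto))
    return sorted(unexpected), sorted(missing)


if __name__ == "__main__":
    unexpected, missing = exposure_drift(SAMPLE_SCAN, BASELINE)
    for host, port, proto, service in unexpected:
        print(f"UNEXPECTED {host} {port}/{proto} ({service}): close or approve")
    for host, port, proto in missing:
        print(f"MISSING    {host} {port}/{proto}: approved service not reachable")
```

Run on a schedule, the "unexpected" list covers both cases the text names: a forgotten open port on a known host and a new device that appeared on the perimeter.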
Shodan and IoT
The Internet of Things (IoT) brings convenience and new opportunities to people, but it also creates new vulnerabilities. Shodan plays a key role in analyzing IoT devices, helping security professionals understand their characteristics and risks.
Kai Mikhailov.
Head of Information Security at iTPROTECT.
The main method of Shodan is text analysis of headers in response to a request on standard ports. From the results of such analysis, conclusions can be drawn regarding the type of device, the version of the installed software, and the settings. It is by these features that security researchers can create special search queries, for example, to search for IoT. In this case, the attacker must know exactly what to look for; in the collections for researchers, there are examples of text strings for searching, for example, Tesla charging stations, wind farm controllers, medical systems, railway systems, SCADA and much more. The most popular search object is IP cameras, which can also be searched for through text search in the banner.
It scans the internet for open ports common to IoT devices — HTTP, HTTPS, and Telnet. It analyzes the protocols used by IoT devices, identifying their type and functions. Shodan also classifies IoT devices and analyzes their web interfaces, allowing you to identify device functions and find vulnerabilities.
Alexander Gerasimov.
CISO Awillix.
Shodan uses a comprehensive approach that includes network data, signatures, and configuration analysis to accurately detect and classify IoT devices. Here are some key methods:
- Port scanning. Shodan sends requests to different IP ranges, checking for open ports. Based on the response, it infers what device is behind that port (for example, a webcam, a server, or an industrial controller).
- Banner Analysis: Once connected to a device, Shodan collects information provided in device responses, called banners. Banners may contain information about the software version, device type, manufacturer, and network configuration.
- Matching with known patterns. Shodan classifies devices using signature pattern databases, comparing the obtained data with known parameters of popular devices and services. This allows Shodan to identify IoT devices based on their unique characteristics.
- Information leaks: Shodan also identifies devices that are misconfigured and accidentally provide access to sensitive information, such as system logs or configuration files.
All this makes Shodan an indispensable tool for IoT security professionals. It allows you to quickly find IoT devices with known vulnerabilities and create an IoT network map, which helps you understand what devices are connected to the network and how they are being used. Shodan also allows you to track changes in the IoT network and identify new devices that may pose a threat.
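Banner analysis and pattern matching, as described above, work only on what a device volunteers in its first response, so a defender can audit that response directly. The following is an added example, not part of the original article and not Shodan's own logic: it runs a small, illustrative signature table over banners captured from your own services and lists what each one discloses. The signatures and the sample banners are constructed.

```python
import re

# Illustrative signatures (assumptions, not Shodan's rules): product -> regex.
SIGNATURES = {
    "OpenSSH": re.compile(r"^SSH-[\d.]+-OpenSSH_(?P<version>[\w.]+)", re.M),
    "nginx": re.compile(r"^Server:[ \t]*nginx(?:/(?P<version>[\d.]+))?", re.M | re.I),
    "Apache httpd": re.compile(r"^Server:[ \t]*Apache(?:/(?P<version>[\d.]+))?", re.M | re.I),
}
# The Basic-auth realm is free text and often carries a device or model name.
REALM_RE = re.compile(r'^WWW-Authenticate:.*realm="(?P<realm>[^"]*)"', re.M | re.I)
# A trailing "login:" prompt indicates a Telnet-style cleartext login service.
LOGIN_RE = re.compile(r"login:\s*$", re.I)

# Constructed banners, as your own services might return them on first contact.
SAMPLE_BANNERS = [
    (22, "SSH-2.0-OpenSSH_7.4\r\n"),
    (80, "HTTP/1.1 401 Unauthorized\r\nServer: nginx/1.14.0\r\n"
         'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n'),
    (443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    (23, "\r\nExampleRouter login: "),
]


def audit_banner(port, banner):
    """Return the facts an indexing scanner could read from one banner."""
    findings = []
    for product, pattern in SIGNATURES.items():
        m = pattern.search(banner)
        if not m:
            continue
        version = m.group("version")
        if version:
            findings.append(f"{port}: discloses {product} version {version}")
        else:
            findings.append(f"{port}: discloses product {product} (no version)")
    realm = REALM_RE.search(banner)
    if realm and realm.group("realm"):
        findings.append(f'{port}: auth realm names the device: "{realm.group("realm")}"')
    if LOGIN_RE.search(banner):
        findings.append(f"{port}: cleartext login prompt (Telnet-style) is reachable")
    return findings


def audit_all(banners):
    """Audit a list of (port, banner) pairs and flatten the findings."""
    return [f for port, banner in banners for f in audit_banner(port, banner)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_BANNERS):
        print(finding)
```

Each finding maps to a hardening step: suppress version strings in server configuration, give auth realms neutral names, and replace Telnet with an encrypted management channel.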
Russian version of Shodan: between opportunities and risks
The idea of creating a Russian version of Shodan, a network device search engine similar to the foreign service, was recently discussed in the IT community. Experts' opinions were divided. Some see this as an opportunity to strengthen the country's cybersecurity. The Russian version of Shodan could help identify vulnerable devices in the Russian segment of the Internet and prevent hacker attacks. The data collected by such a service could be used to analyze threats and develop more effective defense strategies. In addition, the creation of a similar service could stimulate the development of the domestic IT industry and attract new specialists to it.
Artem Brudanin.
Director of Cybersecurity at RTM Group.
The idea of creating a Russian analogue definitely has potential. Firstly, it will provide more accurate and up-to-date data on network devices in Russia, while Shodan is aimed at the entire network and is not adapted to the realities of our devices, applications, and technologies. Secondly, the Russian version can be used, among other things, to monitor the external perimeter of critical infrastructure. You can see where “dangerous” ports are open, where an exploited vulnerability has not been eliminated, how many specific devices with a trending vulnerability operate in RuNet, etc. All this, of course, is an ideal option, which is unlikely to be implemented for several reasons: legal and ethical issues, the need to spend large resources (including financial ones), security risks of the new platform and data provided to third parties.
Others do not consider such a solution appropriate in modern realities. In addition, access to information about network devices can be used not only for protection, but also for attack. It is important to ensure data security and protect the service from unauthorized access. It is also necessary to develop special rules and regulations to ensure security and protect citizens from abuse.
Sergey Polunin.
Head of the Infrastructure IT Solutions Protection Group at Gazinformservice.
I don't think such a solution will have any prospects. Shodan has alternatives, but everyone continues to use it. If you create something new, you need to offer some scenario that the new solution can handle, and Shodan cannot solve the problem. The only possible scenario today is if Shodan, like many other services, restricts access for users from the Russian Federation. However, even in this case, specialists will most likely use a VPN.
Thus, creating a Russian version of Shodan is a complex issue that requires careful analysis and discussion.
Andrey Shabalin.
Information Security Analyst at NGR Softlab.
When considering such an initiative, the first questions to answer are: what tasks will such a tool be used for, and who will use it, since such tools can be used by both defenders and attackers.
If the Russian Shodan is planned to be used to increase the overall level of Runet security (monitoring the public availability of potentially critical resources), then the initiative looks more than useful, but then a logical question arises: who will be engaged in such monitoring.
The use of such scanners for intelligence and counterintelligence activities seems a little clearer. In such a scenario, the value of the information obtained is obvious (naturally, while maintaining its confidentiality). In addition, it is necessary to understand that a number of software tools with similar functionality are already used by various agencies whose activities are directly related to ensuring security; it is just that access to such tools is usually exclusive. Most likely, the same exclusivity could be expected from the Russian Shodan.
It is important to weigh all possible benefits and risks before deciding to implement it. It is also necessary to take into account the experience of foreign countries and develop special mechanisms for regulating and monitoring the use of such a service.
To sum it up
Shodan is not just a search engine, but a powerful tool that provides an unprecedented view into the invisible side of the Internet. It reflects the reality of network devices, their vulnerabilities, and the potential for hacker attacks. Shodan can be a dangerous tool in the hands of attackers, but it is also valuable for security professionals, allowing them to proactively identify threats and improve the protection of network devices.
It is important to understand that Shodan is a mirror that reflects threats and opportunities. Using Shodan requires responsibility and competence. Security professionals should use it to improve the protection of network devices and prevent hacker attacks. At the same time, risks must be considered and regulatory mechanisms must be developed to prevent the misuse of information obtained through Shodan.