Shodan is the search engine for everything on the internet. While Google and other search engines index only the web, Shodan indexes pretty much everything else — web cams, water treatment facilities, yachts, medical devices, traffic lights, wind turbines, license plate readers, smart TVs, refrigerators, anything and everything you could possibly imagine that’s plugged into the internet (and often shouldn’t be).
The best way to understand what Shodan does is to read founder John Matherly’s book on the subject. The basic algorithm is short and sweet:
1. Generate a random IPv4 address
2. Generate a random port to test from the list of ports that Shodan understands
3. Check the random IPv4 address on the random port and grab a banner
4. Goto 1
That’s it. Find all the things, index all the things, make searchable all the things. It’s a thing, and it’s called Shodan.
How Shodan works
Services running on open ports announce themselves, of course, with banners. A banner publicly declares to the entire internet what service it offers and how to interact with it. Shodan gives the example of an FTP banner:
220 kcg.cz FTP server (Version 6.00LS) ready.
While Shodan does not index web content, it does query ports 80 and 443. Here’s the https banner from CSOonline:
$ curl -I https://www.csoonline.com
HTTP/2 200
server: Apache-Coyote/1.1
x-mod-pagespeed: 184.108.40.206-0
content-type: text/html;charset=UTF-8
via: 1.1 varnish
accept-ranges: bytes
date: Fri, 25 May 2018 14:16:18 GMT
via: 1.1 varnish
age: 0
x-served-by: cache-sjc3135-SJC, cache-ewr18125-EWR
x-cache: HIT, MISS
x-cache-hits: 2, 0
x-timer: S1527257779.808892,VS0,VE70
vary: Accept-Encoding,Cookie
x-via-fastly: Verdad
content-length: 72361
Other services on other ports offer service-specific information. That’s not a guarantee that the published banner is true or genuine. In most cases, it is, and in any event publishing a deliberately misleading banner is security by obscurity.
Some enterprises block Shodan from crawling their network, and Shodan honors such requests. However, attackers don’t need Shodan to find vulnerable devices connected to your network. Blocking Shodan might save you from momentary embarrassment, but it is unlikely to improve your security posture.
Shodan freaks people out
Let’s address the elephant in the room: Shodan totally freaks people out.
Shodan terrifies non-technical people who don’t understand how the internet works. CNN called it the “scariest search engine on the internet” in 2013. How can you let hackers know where all the power plants are so they can blow them up? This is awful!
This is, of course, hyperbole caused by ignorance. Attackers intent on causing harm don’t need Shodan to find targets. That’s what botnets running zmap are for. The real value of Shodan lies in helping defenders gain greater visibility into their own networks.
You can’t play defense if you don’t know what you must defend, and this is true equally at both the enterprise level and society as a whole. Shodan gives us greater visibility into the insecure, interconnected cyberphysical world in which we all now live.
Playing defense with Shodan
The modern enterprise typically exposes more to the internet than it would like. Employees plug things into the network to get their job done, and voila! Multiply that across all of shadow IT, and you’ve got a growing attack surface to manage.
Shodan makes it easy to search a subnet or domain for connected devices, open ports, default credentials, even known vulnerabilities. Attackers can see the same thing, so batten down the hatches before they decide to attack.
Many devices publicly announce their default passwords in their banner. Many Cisco devices, for example, advertise a default username/password combo of “cisco/cisco.” Finding devices like this on your network before attackers do seems like it would be a good idea.
Shodan also lets you search for devices vulnerable to specific exploits, such as Heartbleed. In addition to helping defenders identify their own devices to secure, this aids penetration testers during the information gathering phase; using Shodan is faster and stealthier than noisily nmap’ing your client’s entire subnet.
Paid members have access to the API, and can even create alerts when new devices pop up on the subnet(s) they want to monitor — a cheap and effective way to keep an eye on what your folks are plugging into the internet.
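The two defensive uses described above, spotting banners that advertise factory credentials and alerting on services newly exposed in your own netblock, can be rehearsed offline. The Python below is an added example, not code from the article or from Shodan. It runs over constructed Shodan-style (ip, port, banner) records, two of which reuse the FTP and HTTPS banners quoted earlier in the article; the monitored netblock, the two snapshots, the default-credential list and every function name are assumptions for illustration. In practice the records would come from the Shodan API, and the diff between snapshots is what a network alert would notify you about.

```python
"""Offline triage of Shodan-style banner results for a monitored netblock.

Constructed example: the records below imitate what a Shodan query returns
(ip, port, banner). Nothing here touches the network.
"""
import ipaddress
import re

# Netblocks the defender owns. RFC 5737 documentation range, constructed for this example.
MONITORED = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed "yesterday" snapshot. The FTP and HTTPS banners are the two the
# article quotes; the addresses are documentation-range placeholders.
BASELINE = [
    ("203.0.113.10", 21, "220 kcg.cz FTP server (Version 6.00LS) ready."),
    ("203.0.113.20", 443, "HTTP/2 200\r\nserver: Apache-Coyote/1.1\r\n"
                          "content-type: text/html;charset=UTF-8\r\n"),
]

# Constructed "today" snapshot: a new telnet service inside our range whose
# banner announces factory credentials, plus a host outside our range.
CURRENT = BASELINE + [
    ("203.0.113.30", 23, "User Access Verification\r\nUsername: cisco\r\nPassword: cisco\r\n"),
    ("198.51.100.5", 22, "SSH-2.0-OpenSSH_7.4\r\n"),
]

# Illustrative factory credential pairs (assumed list); extend with your vendors' defaults.
DEFAULT_PAIRS = {("cisco", "cisco"), ("admin", "admin"), ("root", "root")}

# "user/pass" written with a slash, e.g. cisco/cisco
SLASH_PAIR = re.compile(r"\b([A-Za-z0-9_]+)/([A-Za-z0-9_]+)\b")
# "Username: x ... Password: y" style labels, possibly across lines
LABELLED_PAIR = re.compile(
    r"user(?:name)?\s*[:=]\s*(\S+).*?pass(?:word)?\s*[:=]\s*(\S+)",
    re.IGNORECASE | re.DOTALL,
)


def in_scope(ip: str) -> bool:
    """True if the address falls inside one of the monitored netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED)


def service_summary(banner: str) -> str:
    """Pull the most identifying line out of a raw banner.

    For HTTP banners that is the Server header; otherwise the first line
    (FTP, SSH and telnet greetings put the product there)."""
    lines = banner.splitlines()
    for line in lines:
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return lines[0].strip() if lines else ""


def advertised_default_creds(banner: str):
    """Return (user, password) if the banner announces a known factory pair, else None."""
    for pattern in (LABELLED_PAIR, SLASH_PAIR):
        for m in pattern.finditer(banner):
            pair = (m.group(1).lower(), m.group(2).lower())
            if pair in DEFAULT_PAIRS:
                return pair
    return None


def new_exposures(baseline, current):
    """Services present now but absent from the baseline, limited to monitored netblocks.

    This is the offline equivalent of a Shodan network alert."""
    seen = {(ip, port) for ip, port, _ in baseline}
    return [
        (ip, port, banner)
        for ip, port, banner in current
        if (ip, port) not in seen and in_scope(ip)
    ]


def triage(baseline, current):
    """One finding per new exposure: what it is, and whether it hands out credentials."""
    return [
        {
            "ip": ip,
            "port": port,
            "service": service_summary(banner),
            "default_creds": advertised_default_creds(banner),
        }
        for ip, port, banner in new_exposures(baseline, current)
    ]


if __name__ == "__main__":
    for f in triage(BASELINE, CURRENT):
        flag = f"DEFAULT CREDS {f['default_creds']}" if f["default_creds"] else "new service"
        print(f"{f['ip']}:{f['port']} {f['service']!r} -> {flag}")
```

The host at 198.51.100.5 is dropped because it is outside the monitored range, and the only finding is the new telnet service, flagged because its banner matches a known default pair. Swapping the constructed snapshots for two real API pulls of your own netblock turns this into a daily asset-drift check.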
Stop putting sh*t on the internet
The most remarkable aspect of Shodan, however, might be the public awareness it brings to the vast quantity of insecure, critical cyberphysical infrastructure that has somehow gotten plugged into the internet. Shodan’s internet cartography helps quantify the systemic security issues the internet faces, and enables journalists to write about, and policymakers to wrangle with, solutions to problems at this scale. (Full disclosure: This reporter has a paid Shodan membership and finds it a mighty useful tool for investigative journalism.)
Take things like ICS/SCADA, for example. Industrial control systems predate the internet and were designed on purpose with no security in mind. They were never intended to be plugged into a global internet, after all, and physical security controls were considered more than sufficient to prevent a malicious attacker from, say, dumping raw sewage into your fresh water supply.
That’s changed, and critical infrastructure that was never intended to be on the internet is now a few hops away from every attacker on the planet. Shodan makes it easy to find these systems and raise the alarm. Should water treatment facilities, dams, crematoriums, yachts — you name it — ever be connected to the internet under any circumstances? Probably not, and Shodan makes raising awareness of the issue much easier.
Likewise, a flood of insecure IoT devices is drowning the market, everything from connected coffeemakers to sex toys to refrigerators to, again, you name it. The market has clearly failed to select for strong cybersecurity for these devices, and regulators have, with some notable exceptions, failed to step in to demand stronger cybersecurity controls. Worse, IoT manufacturers go out of business or simply abandon support of the devices they manufacture, leaving consumers stranded with insecure — and unsecurable — devices that then get slaved into botnet armies. The systemic risk this poses to the entire internet cannot be overstated.
The initial gasp of “omg” from non-technical folks on discovering Shodan is best targeted at the market and regulatory forces that enable this situation to flourish.
Nuts and bolts
Shodan is free to explore, but the number of results is capped with a free account. Advanced filters require a paid membership (USD $49/lifetime). Developers and enterprise users needing a real-time data stream of the whole shebang can get that too.
Defending your organization from embarrassment may have public relations value, but no security value. Shodan gives organizations visibility into their external security posture, and those of other organizations.
The internet continues to incur greater and greater security debt. Shodan lets us see the problem clearly, no matter how uncomfortable that may make some non-technical people.