Shodan Doesn’t Index Content, It Indexes Banners
It’s important to note that unlike Google, Bing, Yahoo, and other search engines, Shodan does not index the content of a website, rather it indexes the information in the banner. These banners will tell us whether the device is a webcam, a router, a VOIP phone system, or whatever, along with something about the underlying technology.
To do a specific search in Shodan, you need to understand what is in these banners and how we can use it to search for a specific and vulnerable site.
The Search Tools Are a Lot Like Other Search Engines
The search syntax for Shodan is very similar to the searching on other search engines, but what you are searching for is very different. Shodan accepts the same standard Boolean operators as the others (+-|) and quotation marks can be used to narrow a search to only the exact content between the quotation marks.
Shodan also accepts some basic filters that allows you to narrow down your search results. These include the following.
- after/before – limits our results to banners that have been indexed before or after a specific date
- country – filters our results by country using the two-letter country code
- hostname – filters results by domain name
- net – filters results by IP address range using CIDR notation
- geo – filters by longitude and latitude
- os – filters results by host operating system
- port – filters results by port
Now that we have the basics of Shodan searching and filtering, let’s see what we can find.
Step 1: Log in to Shodan
First, let’s log in to Shodan. Although you can use Shodan without logging in, some of the filters we will use here require us to login to enable them. Navigate to shodanhq.com and log in.
Step 2: Search for Cisco Routers
Once logged in, let’s do a search for Cisco banners. These would be the banners on Cisco devices (the most widely used routers and switches in the world) that have a Internet-enabled administration panel. When we do, Shodan finds over 3 million devices! It breaks it down by country on the left side panel as you can see below.
Step 3: Filter by Country
So, now we have all the Cisco devices indexed by Shodan. The 3+ million devices is a pretty unwieldy amount to work with, so let’s try to target our search by country. In this case, let’s find all the Cisco devices in India.
To do so, we will need the two-letter country code of India, which is IN. The syntax then finding all the Cisco routers in India is below. Note the colon (:) between the keyword country and the two-letter country code.
- cisco country:IN
When we do so, we narrow our search considerably. As you can see in the screenshot below, we are now down to 71,147 routers. Still an unwieldy amount, but considerably smaller.
Step 4: Filter by Port
Let’s continue to narrow our search and try to become very specific for what we are seeking. Let’s imagine that we are looking for Cisco routers that enable VOIP in India. We know that VOIP uses the SIP protocol and the SIP protocol uses port 5060, so let’s find all the Cisco routers in India that use VOIP. We can type in the search window:
- cisco country:IN port:5060
As you can see below, we have now narrowed our results down dramatically to just 2,435 routers.
Step 5: Narrow the Results by IP Address
Finally, let’s narrow our search down a even further. Let’s add one more condition, an IP address range. Let’s look for Cisco routers in India that use port 5060 (VOIP) on the IP address range of 18.104.22.168/24.
- cisco country:IN port:5060 net:22.214.171.124/24
As you can see, we have narrowed our search of Cisco routers from 3 million to a single router in India with port 5060 open!
Step 6: Open the Results
Finally, let’s click on the info for that router. As you can see below, Shodan provide us a significant amount of info on this single router.
To be able to access these devices, you would be well-advised to first look up the admin username and password as many admins are too lazy or reckless to change them. If you look through this banner carefully, there is an indication that there is at least a single user named “root”. With that info, it becomes a password cracking exercise.