Translate

Tuesday, 3 April 2018

Shodan search engine for penetration tests: How-to get

Like Google and Yahoo, Shodan also uses Boolean operators. There are other filter options as well to make the search easy and more specific. Shodan shows 50 results for registered users; you have to subscribe for the paid service to get more results.
Shodan for vulnerability assessment (VA)/penetration testing (PT)
Shodan can be very useful while conducting a VA or PT a particular network or host, as banner grabbing is a major step in these operations. For instance, if host xyz.com is running a server and we have to find a vulnerable service like a mail server, FTP or router, it can be identified along with the host name. In this scenario, we can use the following search string.
        Usage: service name host name: host.com
        Example: proftpd host name: xyz.com
This string will display the proftpd banner if host xyz.com is running the service. It will also search for the exploit in the Shodan exploit section.
Basic filters in Shodan
Shodan has several powerful yet easy to use filters which prove handy during VA/PT exercises. The usage of filters is usually of the form filter:value.Some of the most common basic filters that you can use in Shodan are as follows. 
1.     Country: The country filter allows users to search for computers running services in a particular country. The country code is specified as a two-letter word.
            Usage: cisco country: IN (searches for Cisco devices in the particular country. In this case, it’s India).
2.     Host name: This useful option in Shodan lets you find a particular service or the service running in specified hosts or domains.
            Usage: "Server:IIS" host name: domain name
                         Host name: domain name
3.     Net: This filter is used to scan a particular IP address or subnet range. The service name can also be added along with the IP address or subnet.
            Usage: For scanning an IP address: net: 198.162.1.1(any IP)
                         For scanning a subnet: net: 198.162.1.1/24
4.     Port: This filter allows you to scan a particular service. For instance, FTP (21), HTTP (80).
            Usage: Service port number
                         Example: IIS port: 80
5.     Operating system (OS): This Shodan filter helps you to identify a service with a required OS. You can use it to find the service running on the particular OS.
            Usage: Service: OS: OS name
                        Example: IIS “OS: OSName”
6.     After/before: This option helps or returns the query, changed or unchanged before.
                       Example: apache after: 22/03/2010 before: 4/6/2010
                       Example: apache country: CH after:22/03/2010 before: 4/6/2010
If the target is a router, default passwords can be attempted to get access. For default router passwords, check here.
Defeating banner grabbing
Since Shodan can also be misused, it is very important that you ensure security within your environment. Banners are left as default and are normally not changed by administrators—a practice that can be easily exploited using tools like Shodan. Security can be ensured on this front by:
Changing the HTTP server banner string
  • Rearranging HTTP headers
  • Customizing HTTP error codes
Useful Shodan resources
Get the Shodan API here
Get the Firefox add-on here.

No comments:

Post a Comment