While that was three years ago, Shodan has expanded quite a bit since then. For those of you who are still unfamiliar with it, Shodan searches for internet-connected devices across the world. As I’m sure you can guess, that doesn’t only include computers and smartphones. It can find such things as wind turbines, traffic lights, license plate readers, refrigerators, and practically anything else with an internet connection.
If that doesn’t seem like a big deal, here’s the caveat. Many of these devices that we rely on every day have little to no security protecting them. For a hacker, that’s a dream come true (is it not?).
Now, I don’t simply want to repeat old news, but Shodan isn’t the only search engine of its type; there are quite a few others. So I’m going to discuss four other web vulnerability search engines that you may (or may not) be familiar with.
First off, let’s learn a little more about Shodan.
“Sho” Me, Shodan
To reiterate, Shodan isn’t exactly new, but it is constantly being updated. Its name is a reference to SHODAN, a character from the System Shock game series. One of its top saved search terms is “Server: SQ-WEBCAM,” which reveals a number of IP cams that are currently connected. If you’re trying it out for the first time, use that as your first search and see what comes up.
The main reason that Shodan is considered hacker-friendly is because of the amount and type of information it reveals (like banner information, connection types, etc.). While it is possible to find similar information on a search engine like Google, you would have to know the right search terms to use, and they aren’t all laid out for you.
If you aren’t frightened yet, take a look at this. Another one of the most popular searches is “default password.” This search term finds results with “default password” in the banner information. You would be surprised how many devices are listed. (Hopefully yours isn’t on there. If it is, I’d recommend changing your password.)
Where Shodan becomes really useful is when you look for more specific information. Here’s a good example: do a search for “SSH port:’22’”. You’ll see a multitude of devices that are running on SSH using port 22.
In the results, you can also see the IP address, location, hosting service, ISP, and ports that the device is using.
Usually, Shodan will also reveal a device’s fingerprint, key exchange (kex) algorithms, server host key algorithms, encryption algorithms, MAC algorithms, and compression algorithms (if they exist, that is).
If, by chance, one of your personal devices shows up in a Shodan search, and reveals information you’d rather not have made public, then that’s your opportunity to patch up the holes! For pen testers, this sort of data is just as valuable.
Of course, even for non-hackers, it can just be fun to explore Shodan and see what kind of information turns up.
One of the scarier searches that someone recently shared was “port: ‘6666’’ kiler,” which finds devices infected with the KilerRat trojan.
Credit: 2015 AlienVault 1
KilerRat is a remote access trojan that can do such things as steal login credentials, manipulate the registry, and open a reverse shell, giving the attacker the capability to input commands directly into the system. It also can allow access to the victim’s webcam.
I think I’m going to put electrical tape over mine…now.
At first glance, PunkSPIDER may not look like much (especially compared to a behemoth search engine like Shodan). On the other hand, it has somewhat of a similar purpose.
PunkSPIDER is a global web application vulnerability search engine. The driving force behind it is PunkSCAN, a security scanner that can execute a massive number of security scans all at once. Among the types of attacks that PunkSPIDER can search for include Cross-Site Scripting (XSS), Blind SQL Injection (BSQLI), Operating System Command Injection (OSCI), and Path Traversal (TRAV).
Even if you’re completely unfamiliar with the definitions of these common attacks, you can still use PunkSPIDER, whether for fun or to see if your site is vulnerable. In my experimentation with it, I came up with far fewer results when I scanned specific URLs, as opposed to using generic search terms. (Though it may be that the URLs I selected didn’t happen to be vulnerable at the moment.)
Here’s an example: do a search for “Deepdotweb.com.” The results are as follows:
Bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall risk:0
The first line shows the domain of the result. The timestamp on the second line shows the date and time that the domain was added to PunkSPIDER’s system. On the third line, you’ll see a list of the various types of attacks that it searches for, and whether or not any were found.
In the case of Deepdotweb, all the scan results returned “0.” Well, that’s reassuring, isn’t it, DDW?
On the contrary, if you do a more generalized search using terms like “blog,” “social media,” “forum,” or “porn,” you’re likely to come up with hundreds of results – especially if you type in “porn.”
Simply because a URL shows up in the results doesn’t necessarily mean that the site is infected, however. For a more detailed explanation of how you can use PunkSPIDER to your advantage, see PunkSPIDER Search Help.
By the way, out of curiosity, I wanted to see if this worked with sites on the Tor network as well. Although it doesn’t scan all of Tor’s hidden services, if you do a search for “.onion,” at present, you’ll get 588 results. I didn’t take the time to see whether or not they were all infected, but if one of those sites is yours, you may want to check that out.
Here’s a little analogy for you: Shodan is to Tor as I2P is to IVRE. In other words, though Shodan is a powerful search engine, and has advanced capabilities, it’s friendlier to a newcomer as well. The same goes for Tor: you could, for the most part, run it and use it without being an IT expert; at the same time, it has options for advanced users.
I2P, as darknets go, is geared more toward experts; even its main console requires basic knowledge of networking. Likewise, IVRE seems as though it’s designed more for hackers, coders, and/or pen testers than Shodan or PunkSPIDER, though hackers could make use of all three.
So what is it? IVRE (Instrument de veille sur les réseaux extérieurs) is a network recon framework. It’s open source, and is written in Python with a MongoDB backend. It uses tools such as Bro, Argus, NFDUMP, and ZMap to return data about internet-connected devices. It can also import XML output from Nmap and Masscan. Though I could go into detail about how each of these tools works, that would encompass a separate article!
The main IVRE site presents results of Nmap active scans that can be filtered with keywords (which is somewhat similar to Shodan.) A few keywords you can try are “phpmyadmin,” “anonftp,” or “x11open.” Searching for “phpmyadmin” returns results for phpMyAdmin servers; “anonftp” looks for FTP servers allowing anonymous access; “x11open” looks for open X11 servers. This may not sound all that revolutionary, but if you take the time to play around with IVRE a bit, you may discover some buried treasures, so to speak.
The search below, for example, shows results for the keywords “phpmyadmin” and “sortby:endtime.”
Obviously, this is just one of many things you can do with IVRE, but I’m trying to keep it simple. If you haven’t already, I suggest you hackers go there and start digging. It may not take long to find some of the “scary” data.
Speaking of which, for those who are interested in finding out more about the technical end of IVRE, they maintain a doc/ folder in their GitHub repository, so you can go into detail about its inner workings. Fork them, I say!
For further reading, you can also check out their blog, but it hasn’t been updated in a while.
ZoomEye, like its counterparts, finds internet-connected devices and vulnerabilities. You might say, “Yawn…I’ve seen this before,” but before you nod off, let’s investigate.
The mad geniuses behind ZoomEye are some developers from Knownsec Inc, a Chinese security firm based in Beijing. Though its original version (like Shodan’s) was released in 2013, its newest version goes by the name of ZoomEye 3.0. Think of it as the final version of the Omindroid in The Incredibles…but a little less deadly.
Once again, this search engine is much more helpful if you know of specific search strings that can help you find what you’re looking for, but here are a few suggestions:
Apache httpd – finds results for Apache http servers.
device:”webcam” – finds a list of webcams with an internet connection.
app:”TED 5000 power use monitor” – finds a list of The Energy Detective (TED) monitors.
Obviously, there are thousands of other searches you can try, but that’s a good start. ZoomEye, like Shodan, also makes it easy to filter searches by country, public devices, web services, etc. If you have no idea what to search for, the search engine flashes some popular searches on the screen as well.
On occasion, even just searching for a random word that you may not think will turn up anything might have fantastic results. Try typing in “zombie,” for instance. You just may find out how soon the apocalypse will start.
Last but not least, let’s take a look at Censys. Like its search engine brethren, it’s designed to search for internet-connected devices.
It collects data using both ZMap and ZGrab (an application layer scanner that operates via ZMap), which in this case scan the IPV4 address space.
You can experiment with Censys too and see what data you uncover. Testing it just may make you feel like Darth Vader blowing up Alderaan…well, maybe not that powerful. Here are a few sample searches:
https://www.censys.io/ipv4?q=80.http.get.status_code%3A%20200 – this allows you to search for all hosts with a specific HTTP status code.
You can also just type in an IP address, such as: “18.104.22.168” or “22.214.171.124” (those are fake; I assure you.) To find hosts in 126.96.36.199/8 and 188.8.131.52/24, type in “184.108.40.206/8 or 220.127.116.11/24.”
In addition, Censys can perform full-text searches. If you do a search for “Intel,” it will find any hosts with the word “Intel” in the record; you’ll come up with more than just Intel devices. Like most standard search engines, you can also use Boolean operators like “and,” “or,” and “not.”
Again, this may not be the fun stuff, but that’s just to get you started. By playing around somewhat, you could certainly uncover a plethora of valuable data.
Wait…I Need an Instruction Manual
Most of these search engines will require a little practice before they become efficient tools, but even then, they can just be fun to play around with, and see what results they produce.
However, for those of you who are far beyond the beginner phase, any one of these by themselves, or in combination, could prove to be powerful. In particular, I’d recommend these to developers, because they open all sorts of possibilities.
So, if searches like “SMTP server” and “APC AOS cryptlib sshd” make you laugh like a mad scientist, I’d recommend any and all of these search engines to you.