How to Use Shodan to Discover Exposed OT/IT Assets

Shodan is a powerful search engine that allows cybersecurity professionals to identify exposed devices, services, and vulnerabilities on the internet. Unlike traditional search engines, Shodan scans and indexes internet-connected systems, making it an essential tool for both offensive and defensive security practices.

Shodan Cheatsheets & Resources

To help you get started with Shodan, here are some valuable resources:
1. Shodan Cheatsheet for ICS/OT
2. Shodan Cheatsheet for IT
3. Video on Using Shodan

You Should Know: Essential Shodan Commands & Techniques

1. Basic Shodan Search Queries

Shodan allows you to search for devices using filters. Some useful search queries include:
– Find exposed Industrial Control Systems (ICS) speaking Modbus on port 502:

org:"Company Name" port:502

– Discover open webcams:

webcamxp 

– Locate exposed databases (MySQL, MongoDB, etc.):

product:"MySQL" 

2. Using Shodan CLI for Advanced Searches

Install the Shodan CLI tool for deeper analysis:

pip install shodan 
shodan init YOUR_API_KEY 

Common CLI Commands:

  • Search for vulnerable routers:
    shodan search 'title:"router login" http.title:"admin"' 
    
  • Look up a specific IP (this returns the data Shodan has already indexed for the host; it does not launch a new scan):
    shodan host 8.8.8.8
    

3. Automating Shodan Scans with Python

Use the Shodan API to automate vulnerability discovery:

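import shodan

API_KEY = "YOUR_API_KEY"  # replace with your own Shodan API key
api = shodan.Shodan(API_KEY)

try:
    # Query Shodan's index for hosts with TCP/3389 exposed
    results = api.search('port:3389')
    for result in results['matches']:
        # 'org' can be missing or empty, so fall back to N/A
        print(f"IP: {result['ip_str']} - Org: {result.get('org') or 'N/A'}")
except shodan.APIError as e:
    print(f"Error: {e}")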

4. Detecting Exposed ICS/OT Devices

Industrial systems often use specific ports:

  • Modbus (TCP/502)
  • EtherNet/IP (TCP/44818)
  • Siemens S7 (TCP/102)

Search for them in Shodan:

port:44818 

5. Defensive Measures: Protecting Your Assets

  • Firewall Rules: Restrict inbound traffic to critical ports.
  • Network Segmentation: Isolate OT networks from IT.
  • Shodan Monitoring: Use Shodan alerts to detect unexpected exposures.
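
An added example, not part of the original post: it narrows Shodan results to address ranges you own and to the ICS ports listed in section 4, then reports every exposure that is not on an approved list, which is the check the monitoring bullet above calls for. The CIDR range, approved list and sample banners are constructed for illustration; `ip_str`, `port`, `org` and `timestamp` are fields Shodan returns in `results['matches']`.

```python
import ipaddress

# ICS/OT ports named in this article, mapped to their protocols.
ICS_PORTS = {502: "Modbus", 44818: "EtherNet/IP", 102: "Siemens S7"}

def build_query(cidr):
    """Shodan query limited to one owned range and the ICS ports above."""
    return f"net:{cidr} port:{','.join(str(p) for p in sorted(ICS_PORTS))}"

def audit(matches, owned_cidrs, approved=frozenset()):
    """Return unexpected ICS exposures inside owned ranges.
    matches: banner dicts shaped like api.search(...)['matches'];
    approved: (ip, port) pairs that are intentionally exposed."""
    nets = [ipaddress.ip_network(c) for c in owned_cidrs]
    findings = {}
    for m in matches:
        try:
            ip = ipaddress.ip_address(m["ip_str"])
            port = int(m["port"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed or incomplete banners
        if port not in ICS_PORTS or (str(ip), port) in approved:
            continue
        if not any(ip in n for n in nets):
            continue  # not our asset: out of scope for this audit
        # Shodan can return several banners per ip/port; keep the newest.
        key = (str(ip), port)
        seen = m.get("timestamp", "")
        if key not in findings or seen > findings[key]["last_seen"]:
            findings[key] = {"ip": key[0], "port": port,
                             "protocol": ICS_PORTS[port],
                             "org": m.get("org") or "N/A", "last_seen": seen}
    return sorted(findings.values(), key=lambda f: (f["ip"], f["port"]))

# Constructed sample banners (documentation address ranges, not real hosts).
SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 502, "org": "Example Utility", "timestamp": "2024-05-01T10:00:00"},
    {"ip_str": "203.0.113.10", "port": 502, "org": "Example Utility", "timestamp": "2024-05-03T08:30:00"},
    {"ip_str": "203.0.113.20", "port": 44818, "org": "Example Utility", "timestamp": "2024-05-02T12:00:00"},
    {"ip_str": "203.0.113.30", "port": 443, "org": "Example Utility", "timestamp": "2024-05-02T12:00:00"},
    {"ip_str": "198.51.100.7", "port": 102, "org": "Other Org", "timestamp": "2024-05-02T12:00:00"},
    {"ip_str": "not-an-ip", "port": 502},
]

if __name__ == "__main__":
    for f in audit(SAMPLE, ["203.0.113.0/24"], approved={("203.0.113.20", 44818)}):
        print(f"{f['ip']}:{f['port']} {f['protocol']} last seen {f['last_seen']}")
```

In live use, pass `api.search(build_query(cidr))['matches']` for each range in your inventory instead of `SAMPLE`.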

What Undercode Say

Shodan is a double-edged sword—while it helps security teams identify exposures, attackers also use it to find vulnerable targets. Regularly audit your internet-facing assets using Shodan and implement strict access controls.

Additional Linux & Windows Commands for Security Audits
– Linux (Nmap Scan for Open Ports):

nmap -sV -p 1-65535 <target_IP> 

– Windows (Check Open Ports):

Test-NetConnection -ComputerName <IP> -Port <Port> 

– Linux (Check Listening Ports for Unauthorized Services):

netstat -tulnp 

– Windows (Firewall Rule to Block Shodan Scanners):

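New-NetFirewallRule -DisplayName "Block Shodan" -RemoteAddress 104.131.0.0/16 -Action Block

This rule covers only the listed address range and does not close the exposed service, so use it alongside the firewall and segmentation measures above, not instead of them.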

Expected Output:

A structured report of exposed devices, automated alerts for new exposures, and hardened network configurations to prevent unauthorized access.

Use Shodan responsibly—always ensure you have permission before scanning networks.

For further reading, check the provided Shodan cheatsheets and video tutorial.

References:

Reported By: Mikeholcomb Are – Hackers Feeds