Exploring the dark side of Shodan

DroobingNoob
4 min readFeb 8, 2023

--

Shodan stands for Sentient Hyper-Optimised Data Access Network. It is a search engine which anyone can use to find vulnerable IoT devices.

Click here to access the Shodan Website.

After you put in a search query on the Shodan website, any device with an IP address that is connected to the internet, such as a laptop, server, printer, or other device, is scanned by Shodan. This can be incredibly helpful in identifying devices with improper configurations that might expose sensitive data.

The most interesting part is, most of the devices listed on Shodan have default credentials. So, it is pretty easy to just login into the device.

Obviously, now you might be wondering, if I connect my home computer to the internet, my device will show up on Shodan and hackers will try to exploit my system. Well… no. It doesn’t work like that. Shodan will probably list your router but cannot list a private ip device. Or, if someone, for example, has port forwarding enabled on his device, then his device might show up on Shodan.

TOP 5 Search Queries I came across for Shodan

  1. FTP port 21 anonymous login enabled :

"220" "230 Login successful." port:21

Picked a search result at random and logged into the FTP server as anonymous user.

I even found a file called “client_package.zip”. Aborted the download later.

Another ftp server I logged into -

2. Android IP Webcam Server :

"Server: IP Webcam Server" "200 OK"

Picked a random search result and it lists ports 80 & 8080 open.

Lets access the website on port 80.

On port 8080

Got a company name too. Now just need to lookup default credentials of that company and hope to god they haven’t changed it.

Another way to look for webcams-

cgi-bin/guestimage.html

3. SMB Disabled Authentication:

"Authentication: disabled" port:445

I even found a host vulnerable to the famous Eternal Blue SMB Vulnerability.

Look at the amount of ports open on this machine

Running its website on port 80 exposes that its running apache tomcat

4. Hacked Ubiquiti Devices:

hacked Ubiquiti

This lists compromised Ubiquiti Devices. This means they have already been hacked before.

You can see on the hostname of the first one that it has a default password.

5. Finding compromised VMware ESXi servers:

html:"We hacked your company successfully" title:"How to Restore Your Files"

A global ransomware attack has hit thousands of servers running the VMware ESxi hypervisor, with many more servers expected to be affected, according to national cybersecurity agencies and security experts around the world.

This search query exposes those VMware servers that are vulnerable.

I opened its website on port 443. Looks like its already been hacked and the hackers are demanding btc in return to remove their ransomware.

In conclusion, Shodan is an insanely powerful search engine that can be used to identify potential security vulnerabilities and weaknesses in connected devices. It has the potential to cause significant damage if misused, and it is important to understand the risks associated with its use. For this reason, it is essential to remain vigilant and aware of the potential risks of using Shodan, and to take all necessary steps to ensure that connected devices are secure before placing them online.

--

--

DroobingNoob
DroobingNoob

Written by DroobingNoob

Cybersecurity Enthusiast | TryHackMe Top 1% | Future Pentester