Shodan.io: Locating Vulnerable IoT Devices

In this lab we will see how to locate various vulnerable IoT devices using shodan.io and Python.

IoT

The Internet of Things (IoT) is, put simply, the interconnection of different types of devices on a network that share data. That network can be the Internet itself or, in other cases, a private network. These devices communicate with other devices on the same network, which in turn allows their functions to be monitored and controlled.

Nowadays these devices are very varied: security cameras, environmental sensors, lights, sound systems and so on, and even industrial controllers that maintain critical operations, such as controllers for wind farm turbines, telecommunications centers and critical flight controls, or much more mundane systems such as traffic light controllers or "smart" refrigerators.

This whole range of devices generally operates with some level of autonomy, but they commonly have an administration panel from which their operation can be monitored and even completely modified.

Considering that in many cases these devices are exposed to the Internet, they can usually be scanned for vulnerable software that allows access with elevated privileges, or for exposed services that use common or factory-default passwords. One of the tools we can use to locate these types of devices is Shodan.io, a kind of search engine like DuckDuckGo, Google, etc. Unlike those, however, Shodan allows us to locate devices on the Internet.

Shodan runs multiple services 24/7 that scan the Internet for devices, detect their open ports and collect various types of information and possible vulnerabilities. By consuming the data Shodan generates in this process, we can obtain very valuable information about the targets we intend to investigate.

Next we will see how we can use Shodan to locate various vulnerable IoT devices exposed on the Internet and the type of information we can obtain.

Using Shodan.io and its Search Query Syntax

To start with Shodan we can use its web interface to browse results by category, device type, country, etc. This interface even provides a map view where we can locate devices geographically. There is also a Shodan CLI command-line program for various operating systems, and development packages for Python, NodeJS, etc.

Shodan Search Query Syntax

Shodan also has a query language called Search Query Syntax. It allows us to use various filters to obtain results more specific to our needs. The information returned contains various properties of the device and its exposed services, such as the country where it operates, the open service ports, details about the organization it belongs to, etc.

Some of the useful filters we can use with Shodan:

  • geo: Allows us to specify geographic coordinates.

  • country: Allows us to search for devices in a given country.

  • city: Allows us to search for devices by city.

  • hostname: Allows us to locate hosts by name (for example, google.com).

  • os: Allows us to search by operating system.

  • port: Allows us to search by port.

  • net: Allows us to search by IP address or CIDR range.

And some examples of queries using some of these filters.

Search for Apache servers in a given country:

apache country:"AR"

Search for Nginx servers in a particular city:

nginx city:"Buenos Aires"

A combination of several filters:

apache city:"Los Angeles" port:"80" product:"Apache/2.4.7"

In this way we can build our own queries to obtain more focused results about our targets. It is worth noting that this query language supports many other filters. We can learn them from the searches on the Shodan website itself, and there are various repositories with useful queries we can try. For this practical exercise we will use some specific queries to locate certain devices of interest.

Locating devices with Shodan.io via Python3


For this practical exercise I will use the official Python library for Shodan, which you can download from the following repository. Let's see what a host banner looks like when we make a query with a basic Python program, a sort of Hello World with Shodan.

It actually contains a little more than a Hello World needs, but it is important to be able to view the information Shodan returns in a friendlier format than the raw form in which the response initially arrives:

"""
    UTN-CEH Banner grabbing practice with Shodan API by Tzero86
"""

__author__ = "Tzero86"
__contact__ = "twitter: @tzero86"
__date__ = "2021/03/15"


import socket
import json
from shodan import Shodan
from IPy import IP

api_connection = Shodan("YOUR_API_KEY_GOES_HERE")
host_target = 'turismo.buenosaires.gob.ar'


# If a domain is entered it converts it to an IP
def check_ip(target):
    try:
        IP(target)
        return target
    except ValueError:
        return socket.gethostbyname(target)


# we format the shodan response so that the structure and returned data are easier to appreciate
def format_response(target):
    formatted_data = json.dumps(target, indent=1)
    print(formatted_data)


target_info = api_connection.host(check_ip(host_target))
format_response(target_info)

If we look at the response, we see the level of detail we can obtain. For this example I set the Buenos Aires Tourism website as the target and intentionally removed some data so that the base information included in the banner is easier to see:

{
  "region_code": null,
  "tags": [],
  "ip": 3356514664,
  "area_code": null,
  "domains": [
    "buenosaires.gov.ar"
  ],
  "hostnames": [
    "buenosaires.gov.ar"
  ],
  "postal_code": null,
  "dma_code": null,
  "country_code": "AR",
  "org": "Information Systems Agency, Government of the Autonomous City of Buenos Aires",
  "data": [],
  "asn": "AS52318",
  "city": "Buenos Aires",
  "latitude": -34.61315,
  "isp": "Information Systems Agency, Government of the Autonomous City of Buenos Aires",
  "longitude": -58.37723,
  "last_update": "2021-03-15T11:44:54.025248",
  "country_code3": null,
  "country_name": "Argentina",
  "ip_str": "200.16.89.104",
  "os": null,
  "ports": [
    80,
    443,
    179
  ]
}

As we can see, the information returned about the target includes valuable details such as the open ports and the country code and name, among others. The complete response includes much more information, which I will not show in this exercise for the sake of space.
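As an added example (not part of the original lab or of the shodan library), the following post-processes a host() response offline: it converts Shodan's integer "ip" field to dotted form and cross-checks it against "ip_str", collects the open ports, and pulls the "vulns" list that a host() response can carry (as in the last section of this lab). The sample record is the trimmed banner shown above, and the RISKY_PORTS table is an assumption of this example, not something Shodan reports.

```python
import ipaddress
import json

# Constructed sample: the trimmed host() response from the lab text above.
SAMPLE_HOST = json.loads("""
{
  "ip": 3356514664,
  "ip_str": "200.16.89.104",
  "country_code": "AR",
  "org": "Information Systems Agency, Government of the Autonomous City of Buenos Aires",
  "asn": "AS52318",
  "last_update": "2021-03-15T11:44:54.025248",
  "ports": [80, 443, 179]
}
""")

# Ports whose exposure to the Internet usually deserves a second look.
# This selection is an assumption made for the example, not a Shodan field.
RISKY_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 179: "BGP", 445: "SMB", 1433: "MSSQL",
    3306: "MySQL", 3389: "RDP", 5900: "VNC", 6379: "Redis", 27017: "MongoDB",
}


def int_to_ip(value: int) -> str:
    """Shodan's integer "ip" field is the IPv4 address as a 32-bit big-endian number."""
    return str(ipaddress.IPv4Address(value))


def summarize_host(host: dict) -> dict:
    """Reduce a host() response to the fields needed for an exposure review."""
    dotted = int_to_ip(host["ip"])
    # Both forms describe the same address; a mismatch means a malformed record
    # or a bug on our side, so refuse to continue silently.
    if host.get("ip_str") and host["ip_str"] != dotted:
        raise ValueError(f"ip/ip_str mismatch: {dotted} vs {host['ip_str']}")
    ports = sorted(host.get("ports", []))
    return {
        "ip": dotted,
        "org": host.get("org"),
        "asn": host.get("asn"),
        "country": host.get("country_code"),
        "ports": ports,
        # Subset of the open ports that appear in our review table.
        "risky_ports": {p: RISKY_PORTS[p] for p in ports if p in RISKY_PORTS},
        # host() returns "vulns" as a plain list of CVE ids (may be absent).
        "vulns": sorted(host.get("vulns") or []),
        "last_update": host.get("last_update"),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_host(SAMPLE_HOST), indent=1))
```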

Locating vulnerable webcams

So far we have seen how to obtain basic information with Shodan using Python; now let's see how we can locate vulnerable webcams.

For this we will use the following query:

query = 'IPCamera_Logo country:AR'

And we will consume that query in our Python script, not with the host() method but with the search() method:

"""
    UTN-CEH Practice Locating IoT Devices Tzero86
    Basic script to locate devices using queries
"""

__author__ = "Tzero86"
__contact__ = "twitter: @tzero86"
__date__ = "2021/03/15"


import socket
import json
from shodan import Shodan

api_connection = Shodan("YOUR_API_KEY_GOES_HERE")
query = 'title:"Android Webcam Server"'

# we format the shodan response so that the 
# structure and returned data are easier to appreciate
def format_response(target):
    formatted_data = json.dumps(target, indent=1)
    print(formatted_data)


devices = api_connection.search(query, limit=3)
format_response(devices)

This way we obtain the first 3 devices of this type exposed to the Internet:

{
 "matches": [
  {
   "hash": -783407210,
   "ip": 3007196261,
   "org": "PUNTA INDIO DIGITAL S.A.",
   "isp": "Red Intercable Digital S.A.",
   "transport": "tcp",
   "data": "HTTP/1.1 200 OK\r\nServer: WebServer(IPCamera_Logo)\r\nContent-Length: 2032\r\nContent-Type: text/html\r\nConnection: close\r\nLast-Modified: Thu, 11 Aug 2011 06:50:00 GMT\r\nCache-Control: max-age=60\r\n\r\n",
   "asn": "AS27983",
   "port": 80,
   "hostnames": [
    "101.44.62.179.unassigned.ridsa.com.ar"
   ],
   "location": {
    "city": "Ver\u00f3nica",
    "region_code": null,
    "area_code": null,
    "longitude": -57.33691,
    "country_code3": null,
    "latitude": -35.38796,
    "postal_code": null,
    "dma_code": null,
    "country_code": "AR",
    "country_name": "Argentina"
   },
   "timestamp": "2021-03-16T02:36:35.691676",
   "domains": [
    "ridsa.com.ar"
   ],
   "http": {
    "robots_hash": null,
    "redirects": [],
    "securitytxt": null,
    "title": null,
    "sitemap_hash": 1473104497,
    "robots": null,
    "server": "WebServer(IPCamera_Logo)",
    "host": "179.62.44.101",
    "html": ""},
   "os": null,
   "_shodan": {
    "crawler": "bf213bc419cc8491376c12af31e32623c1b6f467",
    "ptr": true,
    "id": "7728b63d-9637-4da0-bef6-a5d044634117",
    "module": "http",
    "options": {}
   },
   "ip_str": "179.62.44.101"
  }

As before, we see only part of the results returned by our query. In this case we can see that this device is indeed vulnerable and has no access control: it is enough to go to the IP and port returned in the results to see the live webcam and even control its movement, all without having entered a username and password.

Locating RDP services infected with Ransomware

Now let's see how we can locate devices with Remote Desktop Protocol services that have fallen victim to ransomware.

We will use the following query:

query = '"attention"+"encrypted"+port:3389'

In this case there is no need to go over the script again; we only need to update the query variable and run it. Doing so, we obtain the following response from Shodan:

{
 "matches": [
  {
   "hash": 1447427490,
   "tags": [
    "self-signed"
   ],
   "vulns": {
    "CVE-2019-0708": {
     "verified": true,
     "references": [
      "http://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Desktop-BlueKeep-Denial-Of-Service.htmlhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190529-01-windows-en",
      "http://www.huawei.com/en/psirt/security-notices/huawei-sn-20190515-01-windows-en",
      "https://cert-portal.siemens.com/productcert/pdf/ssa-166360.pdf",
      "https://cert-portal.siemens.com/productcert/pdf/ssa-406175.pdf",
      "https://cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf",
      "https://cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf",
      "https://cert-portal.siemens.com/productcert/pdf/ssa-832947.pdf",
      "https://cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf",
      "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"
     ],
     "cvss": 10.0,
     "summary": "A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'."
    }
   },
   "timestamp": "2021-02-25T01:35:44.959900",
   "isp": "Free SAS",
   "transport": "tcp",
   "data": "Remote Desktop Protocol\n\\x03\\x00\\x00\\x13\\x0e\\xd0\\x00\\x00\\x124\\x00\\x02\\x01\\x08\\x00\\x02\\x00\\x00\\x00\n\nAttention!\nYour PC ran into a critical problem and all files have been encrypted with .missing extension.\nIncluding all partitions from all drives. Its impossible to decrypt your files by yourself or with\nthierd parties softwares and doing such a thing could damage all files forever.\nThe only safe method to recover your data is contacting the email below and purchasing for the right\ndecrypter software.\nEmaik  pcsolutionsmail.ru\nID code: .MISSING B1F2DOO3FR\nContact the email with your ID code and 1-2 files for free decryption to make sure the data is still safe and\nundamaged.\nIf you dont receive an answer within 12 h, email again from another email service.\nThe faster you purchase the software the sooner you get back on track. 1\nom.\n4 Windows Server-2008rz\nStandard",
   "asn": "AS12322",
   "port": 3389,
   "ssl": {
    "chain_sha256": [
     "0297e31a785b7e6b74595ef1cd1a61a5fb871631c4a449f273b6cf23cd62064c"
    ],
    "jarm": "06b06b00006b06b06b06b06b06b06b2bb1101b28b790bf5d9d4dcad463fdc2",
    "chain": [
     "-----BEGIN CERTIFICATE-----\nMIIC/DCCAeSgAwIBAgIQGEz28WkG+5VD2Hk+wxlBvDANBgkqhkiG9w0BAQUFADAn\nMSUwIwYDVQQDExxTRVJWRVUyMDA4LUJJUy5waXNzb25uaWVyLmZyMB4XDTIxMDEy\nMzEwMjIzM1oXDTIxMDcyNTEwMjIzM1owJzElMCMGA1UEAxMcU0VSVkVVMjAwOC1C\nSVMucGlzc29ubmllci5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAMT+xDunxgCaEBi0A3T/lF3XtBvHOvBv0vVOwD2lvzKIHr+qqGrvqXcX+wOLfBTq\nK/rMHr9akQP4DKXPYKfb8CjK9/LGw35j4YFteMOH4JqdkfAtid94JTpgn4nPMUlN\nTAHYVi38LbwCOMbfxixTiuBs9/OH7D3SLWQfHrrqBVDTANUWtJJlkiWOPX2f0vMl\ncSwpwtrVfllj8YEw2IaMaQnubMtiFnbOx3jbpqjIR2mO43xzOXnSqPfrGBfQmWES\n/PZEo/m2vAD0ycPucEjYA+//7T7XzoaQWcTKXR5X5PeXZypGVj2sukJAS1qmyn4a\nXgFYu4QV7uC8aYtNn3c1zoUCAwEAAaMkMCIwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\nCwYDVR0PBAQDAgQwMA0GCSqGSIb3DQEBBQUAA4IBAQCfTP5PPnpD/5qasaUj7PrB\nfeQwawbSy4W8OCcvmphWyIADQMMdlgGOxNehtPQ060xhssJHMxTiDLortanMd79T\nQ2xXHU5UJm+H+E3PiM4k+jzv4viLDeJuFojgM8TuU1vHTNo7GTRn289YAlqkHbog\nkInfXDg1O8e2HXFVKEIYnkucz2KRYGt9u0Ay5AsQeOY9M6utPyMOwnd6Xtx0CwSE\nsUL4QI587BJ/+X/mpn/WNEg4Z6PD3Nb6zyPDB5hno8FQwovNwUhuhd0nmbJ1ougN\nB/O0eUqSdh6VpE+RHWyfny9JlUO4ejkove4rGS7Juw+b3+h5U+gsYFesmwJbBgKX\n-----END CERTIFICATE-----\n"
    ],
    "dhparams": null,
    "versions": [
     "TLSv1",
     "-SSLv2",
     "-SSLv3",
     "-TLSv1.1",
     "-TLSv1.2"
    ],
    "acceptable_cas": [],
    "tlsext": [
     {
      "id": 65281,
      "name": "renegotiation_info"
     }
    ],
    "alpn": [],
    "cert": {
     "sig_alg": "sha1WithRSAEncryption",
     "issued": "20210123102233Z",
     "expires": "20210725102233Z",
     "pubkey": {
      "bits": 2048,
      "type": "rsa"
     },
     "version": 2,
     "extensions": [
      {
       "data": "0\\n\\x06\\x08+\\x06\\x01\\x05\\x05\\x07\\x03\\x01",
       "name": "extendedKeyUsage"
      },
      {
       "data": "\\x03\\x02\\x040",
       "name": "keyUsage"
      }
     ],
     "fingerprint": {
      "sha256": "0297e31a785b7e6b74595ef1cd1a61a5fb871631c4a449f273b6cf23cd62064c",
      "sha1": "8bcd285685e971d004ffb766700d00d2640a8608"
     },
     "serial": 32301095059340659751689116196458283452,
     "issuer": {
      "CN": "SERVEU2008-BIS.pissonnier.fr"
     },
     "expired": false,
     "subject": {
      "CN": "SERVEU2008-BIS.pissonnier.fr"
     }
    },
    "cipher": {
     "version": "TLSv1/SSLv3",
     "bits": 128,
     "name": "AES128-SHA"
    },
    "trust": {
     "revoked": false,
     "browser": null
    },
    "ja3s": "4192c0a946c5bd9b544b4656d9f624a4",
    "ocsp": {}
   },
   "hostnames": [
    "lns-bzn-23-82-248-108-145.adsl.proxad.net"
   ],
   "location": {
    "city": "Cr\u00e9teil",
    "region_code": "IDF",
    "area_code": null,
    "longitude": 2.4716,
    "country_code3": null,
    "latitude": 48.7926,
    "postal_code": null,
    "dma_code": null,
    "country_code": "FR",
    "country_name": "France"
   },
   "ip": 1392012433,
   "domains": [
    "proxad.net"
   ],
   "org": "Free SAS",
   "os": null,
   "_shodan": {
    "crawler": "a3cc14ebb782071aec2032690d4fd1979446a9ab",
    "ptr": true,
    "id": "1758c294-2b39-4a14-8262-0baec1181cce",
    "module": "rdp",
    "options": {}
   },
   "opts": {
    "screenshot": {
     "data": "/9j/4AAQSkZJRgABAQIAJwAnAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcU\nFhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgo\nKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAMgBAADASIA\nAhEBAxEB/8QAHAABAAMBAQEBAQAAAAAAAAAAAAQFBgcDAgEI/8QAUhAAAgICAQMCAwQIAgcEBQkJ\nAAECAwQRBQYSIRMxFCJBFVFhlAcjMlNUcdLTQoEWM1JVkZXRFyRioSVDcpOxREZWc4KDoqPB8DU2\nRXSSpLK0/8QAGwEBAQEBAQEBAQAAAAAAAAAAAAECAwQGBQf/xAAyEQEAAQIEBAUCBgIDAQAAAAAA\nAQIRAyEx8BITQVFhocHR4QRxFCKBkbHxBSMGMlJC/9oADAMBAAIRAxEAPwDnMpKEXKT1FLbZp6Og\nuqr6oWV8LZ2yW135FEHr8Yymmv8ANGR5F64/Jf3VS/8Agz+lbuVSyLF3f4mfsY2JVRMRS+f+nwac\nSJmpx1fo66uf/wDJJfnMb+4P+zrq7/ckvzmN/cO3zuuroVtkqFFxU1F5Fffpra+Xe/r9x85GRfRd\nfVdW4WUrusTa8LaW/wAfdf8AE8/4mvwer8Hh+LiEv0e9WR9+Fl+bx/7hmLa503WVWwcLapyrnCXv\nGUXpp/immj+iJcsnJfMcB5yfqdRc1P7+Ryn/APnTO+Fi1VTaXm+owaMOm9KGAD0PIAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAicr\n/wDuvM/+pn//AKs2Wb1Xyvx+RFU4/ibXmMvv/wDaMdyacuNy0ltuma//AAs6HLp7LzM++/FxLraL\nbJThZXByjKLe0019Dz4tr5vVgX4cl5zXNcnZxtF+HjdPWV/A0OVzzl66kqo9y9P109pprXZv/wCJ\nL5XqqWRHqp/EYfr4/dDE87WTXK+DWmn5cdN+PdS+6JV0dH8i4r/0flf+5l/0Pq3o7kVF/wDo/K/9\nzL/oebhpezir7Mm+q+VjNbpxvf8A2Zf1GdssndmZ9tiSnPMyJSS+jd0zbZvS3IVvcsDJST93U0v/\nAIGLyO15/IOtpwebkOLXs07p6Z6cK3Fk8mNfgz7+75AB6HkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACM8DEb28XHb/+rX/Qkgkx\nE6kTMaIv2fh/wmP/AO7j/wBB9n4f8Jj/APu4/wDQlAnDHZeKrui/AYf8Jj/+7X/QkxSikopJLwkv\nofoLERGhMzOoACoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAA2XP8DgYvTNfwsJLl+PVM+Qk5NqUb490fG9LsfbF6+sixw+h+Ju5fprFl\nztDhyVEbbYRVvfJuU1utunSXypfN52n9NHOcWmIvvu6xg1Tl4X87OeA0FXTSnG2+XL8bTx0bfQrz\nLfWULrNJuMYqvv8ACa23FJff5R6LpDLqpzLuRzMDj6cTK+DtnkTk9Wa2tKEZOSa+sU/v9vJeOne/\nFnl1dt7iWbBtMbouqrH6ihy/KYuLl8bGuUGnZOuSnKOptxrluEoyWtedtbSRHyuBzuRs4yr0+Mxa\nocXHLnkVpwhGnul+suetue/HhNvwkmTmU7+115VW/vZkwaSnpDLys7jaOPzMHMp5CU66cqqU41d8\nFuUJd8Yyi0tPzH2afsR+Q6fnhcbVyMM3CzsP1/h7Xizk3VZru7Zd0Y72t6lHcXp+TUVRM2ZnDqjo\nowXXWuFjcd1Zy2Hg1+li0ZEoVw7nLtin4W22ylFNXFEVR1SqnhmaZ6AANIAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE7grcOjmcK7k4Wzwq7\nYzuhVFOUop7cUm0vPt7njiYlmV3+lKiPbrfq3wr9/u7mt+30JH2Tk/vMH87T/WS8R1W0z0aWjrq7\nM5HknzdOM8Hkara7/hsCiN3zJuL71GMpdslF+ZedHzg9Tcfj5fSvITjlvK4mMaLqFXHsnWpzl3Rn\n3b7tSS7XHW/qZz7Jyf3mD+dp/rPz7Jyf3mD+dp/rOfBRpG9fd15mJOu9PaGr4zqnFweHt4jE5jn+\nPx68p5NGXh1qE7FKKUoWVq5Lw4pp97+vjyU3K85Xm8Nk4krc3IyLOReUr8qSnOVfZ2rulvbl7fgV\nv2Tk/vMH87T/AFj7Jyf3mD+dp/rHDTvfgTiVzlbc392ov6n4zNyOVqyVm04mdx2Li+pXVGc4WUqv\nz2uaTi3CX+LflP8AA+I9U8fOFOJkU5TwbeIr4zIlFR9SE42d6sgt6kk1Hw2t+V49zNfZOT+8wfzt\nP9Y+ycn95hfnaf6xwUWsRiVxv7ezS8b1LxnET4rEwlm34GJfdlW3W1RhZZZOvsSUFJqKSS/xPe2/\nHsUuJymPV0nm8XZG31782jIUopdqjCNia3ve/nWvH3kT7JyP3mF+dp/rH2TkfvML87T/AFlimn+P\nKbpxVZZa
X84s/Ocuxsjl8u7CszLceyxyhPMkpXS39ZteGyCT/snI/eYX52n+sfZOR+8wvztP9ZqL\nRFmJiZm9kAE/7JyP3mF+dp/rH2TkfvML87T/AFlvCcM9kAE/7JyP3mF+dp/rH2TkfvML87T/AFi8\nHDPZABP+ysj95hfnaf6h9lZH7zC/O0/1C5wz2QAT/snI/eYX52n+ofZOR+8wvztP9QucM9kAE/7J\nyP3mF+dp/qH2TkfvML87T/UU4Z7IAJ/2VkfvML87T/UPsrI/eYX52n+oHDPZABP+ysj95hfnaf6h\n9lZH7zC/OU/1A4Z7IAJ/wBlZH7zC/OU/wBQ+ysj95hfnKf6gcM9kAE/7KyP3mF+cp/qH2VkfvML85T/AFA4Z7IAJ32VkfvML85T/UPsrI/eYX5yn+oWOGeyCCd9lZH7zC/OU/1D7KyP3mF+cp/qFpOGeyCCd9lZH7zC/OU/1H79lZH7zC/OU/1C0nDPZABP+ysj95hfnaf6h9k5H7zC/O0/1C0nDPZABP8AsnI/eYX52n+s\n... (truncated long base64 content unchanged) ...\n",
     "labels": [
      "windows",
      "login",
      "desktop"
     ],
     "mime": "image/jpeg",
     "hash": -847163145,
     "text": "Attention!\nYour PC ran into a critical problem and all files have been encrypted with .missing extension.\nIncluding all partitions from all drives. Its impossible to decrypt your files by yourself or with\nthierd parties softwares and doing such a thing could damage all files forever.\nThe only safe method to recover your data is contacting the email below and purchasing for the right\ndecrypter software.\nEmaik  pcsolutionsmail.ru\nID code: .MISSING B1F2DOO3FR\nContact the email with your ID code and 1-2 files for free decryption to make sure the data is still safe and\nundamaged.\nIf you dont receive an answer within 12 h, email again from another email service.\nThe faster you purchase the software the sooner you get back on track. 1\nom.\n4 Windows Server-2008rz\nStandard"
    }
   },
   "ip_str": "82.248.108.145"
  }
 ],
 "total": 1,
 "_scroll_id": "FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoGRRNZXItT0hnQlRudmtkS1k4VWR4XwAAAAAHE9eFFndYWjhPWF9oUnptaXNyQXFMV0puRUEUUjk3LU9IZ0J4U05GMmVsR1VVRi0AAAAABye0zhZIaVdqdlJ0VFJKLUFGQjBMVW1lRUhnFDlJVC1PSGdCV3U3THNsTjVVYWxfAAAAAAcwid4WdHFzbjZ3eGZRQU92NTdocVk2WElVURRhQjMtT0hnQkVQLVFWWGoxVVhsXwAAAAAG_46EFlR6dFlDZWw1UU5XU250dTdHN3pORWcUUjdmLU9IZ0JEdXN6aWgxbVVUbF8AAAAAByIp5BZESGpxdnZTVVRUS2JGd0lZeURIU0xBFHM4UC1PSGdCVmRkbmdBbXlVUjlfAAAAAAcnU9oWY0ppeXVEc0RRY3E4aUI1Qm9peWtsZxRuTGotT0hnQjRJdkVMWVJXVWZ1QQAAAAAHHerdFmcxbUlwUzgwVFoycVZ3SHl6amlVSkEUTjFiLU9IZ0JmWU5yYldaaFViYUEAAAAABxIHWxZpcnVHT2Q3aVRoYUlZdURhNnNlYzlnFEZ5ci1PSGdCQlZyUkdXTkFVWnVBAAAAAAcPXF4WLVVVYTVOMTZTLW1uRHROdHZfcmNKQRRtb18tT0hnQnFtUzlQcUtxVWVKXwAAAAAHHCw0FnJSQks3a25GUTl5b0NGZVJyVXh1QXcUMDFiLU9IZ0IxaC0taGRIM1ViZUEAAAAABzJdgRZFcGstLXJKNVM2ZTJwT1UzcTNscVR3FFBLMy1PSGdCUEpqenp4WUlVWEtCAAAAAAcbLq0WLVZnSmF0dl9ReUdvNU1TZk5pa1BLZxQ1aHotT0hnQnJpODF0VGZFVVhKLQAAAAAG8sFhFmNZMDNVSUt6UUtPblVBTDkyR0xFeVEUUXQ3LU9IZ0JSN0RJMzkzSFVXSl8AAAAABx2izBZmQV95Rkxka1RER19paFRBNnJhUHdRFGVUai1PSGdCeE1ob1J5bkFVZXBfAAAAAAcvf9YWM2VWcUVoQWRSX1cxVkpNZmhKcXNEdxRSNlgtT0hnQmVNcU1Wc2FyVVdaXwAAAAAHHev4FnNHejlEdzZCUm15dGtvWkpETE1ZRlEUUURqLU9IZ0JUZF9HZ3RlLVVmMkMAAAAABx8cYRY3dnZWNk9XQlNYR0hTbTF5LTdOTVFnFDdXai1PSGdCb2M2TjJLMk1VZUdDAAAAAAcYi5kWMXJ4VldZTGVRQXk5NW1pMmJlVzhpQRRHTzctT0hnQmtjajlsYzZmVVN5RAAAAAAHJEpjFjRtcU83MzlfU1FXbG8tME1PV2VCRXcUSnE3LU9IZ0JIUUgwWVcxTVVVaUQAAAAABxQvnRZZc3g2Q0RJSlNIeUxrYm9qLVFQcWV3FG5Xdi1PSGdCSHRvenpqdkJVWkdEAAAAAAcS1pMWeEVXS2R0ajlRY2k4MElLSXdnUkhXdxR2eDMtT0hnQnlpRnMydU5LVVdTRAAAAAAHEwOgFkVqZkZGa1A4U0VpSEJsZmE3STgwbFE="
}

If we look at the screenshot that comes as part of the results:

The same result we would obtain by running the query on the Shodan.io website:

Locating Printers

Now let's see how we can locate another type of device, such as printers. For this we will use the following query to feed our Python script:

query = 'Printer Type: Lexmark country:AR'

We update our script with the new query, and when we run it we get the following:

{
 "matches": [
  {
   "product": "Samba",
   "hash": -975219927,
   "asn": "AS12150",
   "timestamp": "2021-03-15T16:50:58.075947",
   "isp": "COTELCAM",
   "transport": "tcp",
   "hostnames": [
    "host210.200-59-15.cotelcam.net.ar"
   ],
   "data": "SMB Status:\n  Authentication: disabled\n  SMB Version: 1\n  OS: Windows 6.1\n  Software: Samba 4.10.7-Ubuntu\n  Capabilities: dfs, extended-security, infolevel-passthru, large-files, large-readx, large-writex, level2-oplocks, lock-and-read, nt-find, nt-smb, nt-status, raw-mode, rpc-remote-api, unicode, unix\n\nShares\nName                 Type       Comments\n------------------------------------------------------------------------\nprint$               Disk       Printer Drivers\nIPC$                 IPC        IPC Service (gaston server (Samba, Ubuntu))\nLexmark-X264dn       Printer    Lexmark X264dn\n",
   "_shodan": {
    "crawler": "dfd12d70c30ccb3812bf26f89905deeb85e98c77",
    "ptr": true,
    "id": "dccc9ea1-a56f-4869-8008-6a25fd88a222",
    "module": "smb",
    "options": {}
   },
   "port": 445,
   "version": "4.10.7-Ubuntu",
   "location": {
    "city": "Santa Catalina - Dique Lujan",
    "region_code": null,
    "area_code": null,
    "longitude": -58.70673,
    "country_code3": null,
    "latitude": -34.38375,
    "postal_code": null,
    "dma_code": null,
    "country_code": "AR",
    "country_name": "Argentina"
   },
   "ip": 3359313874,
   "domains": [
    "cotelcam.net.ar"
   ],
   "org": "COTELCAM",
   "os": "Windows 6.1",
   "smb": {
    "shares": [
     {
      "type": "Disk",
      "temporary": false,
      "name": "print$",
      "special": false,
      "comments": "Printer Drivers"
     },
     {
      "type": "IPC",
      "temporary": false,
      "name": "IPC$",
      "special": true,
      "comments": "IPC Service (gaston server (Samba, Ubuntu))"
     },
     {
      "type": "Printer",
      "temporary": false,
      "name": "Lexmark-X264dn",
      "special": false,
      "comments": "Lexmark X264dn"
     }
    ],
    "smb_version": 1,
    "raw": [
     "0000009fff534d4272000000008807c8170000000000000000000000000049af0000010011000003320001000441000000000100a6660000fdf38080e0e6b65dbb19d701b400005a00676173746f6e00000000000000000000604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa32a3028a0261b246e6f745f646566696e65645f696e5f5246433431373840706c656173655f69676e6f7265",
     "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",
     "00000088ff534d4273000000008807c8170000000000000000000000000049af6dd2030004ff000000010009005d00a1073005a0030a0100570069006e0064006f0077007300200036002e0031000000530061006d0062006100200034002e00310030002e0037002d005500620075006e0074007500000057004f0052004b00470052004f00550050000000",
     "00000038ff534d4275000000008807c8170000000000000000000000e00c49af6dd2040007ff0000000100ff010000ff010000070049504300000000",
     "00000087ff534d42a2000000008807c8170000000000000000000000e00c49af6dd205002aff00000000136401000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000200ff0500000000000000000000000000000000000000000000000000ff011f009b0112000000",
     "0000007cff534d4225000000008807c8170000000000000000000000e00c49af6dd206000a000044000000000038000000440038000000000045000005000c03100000004400000002000000b810b810f05300000d005c504950455c73727673766300000100000000000000045d888aeb1cc9119fe808002b10486002000000",
     "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",
     "00000023ff534d4204000000008807c8170000000000000000000000e00c49af6dd20800000000",
     "00000023ff534d4275220000c08807c8170000000000000000000000000049af6dd20900000000"
    ],
    "capabilities": [
     "rpc-remote-api",
     "raw-mode",
     "unicode",
     "dfs",
     "infolevel-passthru",
     "large-files",
     "nt-status",
     "level2-oplocks",
     "extended-security",
     "lock-and-read",
     "large-readx",
     "nt-smb",
     "nt-find",
     "unix",
     "large-writex"
    ],
    "anonymous": true,
    "os": "Windows 6.1",
    "software": "Samba 4.10.7-Ubuntu"
   },
   "ip_str": "200.59.15.210"
  }
 ],
 "total": 5,
 "_scroll_id": "FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoGRRWcTBLT1hnQlBKanp6eFlJam82bgAAAAAHG0rHFi1WZ0phdHZfUXlHbzVNU2ZOaWtQS2cUTmQ0S09YZ0JSN0RJMzkzSGlYN0oAAAAABx2-vxZmQV95Rkxka1RER19paFRBNnJhUHdRFEF1NEtPWGdCa2NqOWxjNmZpVWV3AAAAAAckZU0WNG1xTzczOV9TUVdsby0wTU9XZUJFdxRaXzRLT1hnQnJwdHY4bS1jaVVpdwAAAAAHF7m-FjF2NmxpVUFwUUFPQS1MWEVkTURBdHcUNFlNS09YZ0J2alBvMmt0c2lob2QAAAAABw3W-hZXQ05uZ3VNZlFncWZfQXJWNFlsSEp3FHJSd0tPWGdCcmk4MXRUZkVpbzRjAAAAAAby3SgWY1kwM1VJS3pRS09uVUFMOTJHTEV5URREMnNLT1hnQi1ZblpJODRTaWVxdwAAAAAG-cj5FlRGZkVoNXB2Uy11QzNIUV9CRFM2NWcUOEtVS09YZ0JlTXFNVnNhcmluNEQAAAAABx4EoRZzR3o5RHc2QlJteXRrb1pKRExNWUZRFHYyc0tPWGdCczVJVVF0X2tpWFN4AAAAAAcYv7YWU2Jxc1YxVFFTSC1raXp4Vld0RkJfURRKTFVLT1hnQnp3QUlobVhUaWFtdwAAAAAHG49XFm42Ql95STRWVERhTURjaW1WVlpXTVEUZzhNS09YZ0JWZGRuZ0FteWlUdXcAAAAABydvqhZjSml5dURzRFFjcThpQjVCb2l5a2xnFERCMEtPWGdCRVAtUVZYajFpWlN3AAAAAAb_qSgWVHp0WUNlbDVRTldTbnR1N0c3ek5FZxRCbUFLT1hnQk03aDVVQmJXaVFLeAAAAAAHBZcVFnlTY0hsbEVxUkhhYnZHTVdndHdlU3c="
}

If we analyze this result, we can see that the data returned by Shodan includes an enumeration of the SMB (Samba) shares. We can view these in a more pleasant format by performing the same query on the Shodan.io website.
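The three search() results in this lab (the webcam HTTP banner, the RDP host with a ransom note and a known CVE, and the Samba printer share) each flag a problem in a different part of the record. As an added example, not part of the original lab or of the shodan library, the following triages a search() response offline into a severity-ordered list; the sample matches are trimmed from the outputs shown above, and the severity values and the RANSOM_NOTE phrases are assumptions of this example.

```python
import re

# Constructed sample: one trimmed match per module type seen in this lab (http, rdp, smb).
SAMPLE_RESULTS = {
    "total": 3,
    "matches": [
        {"ip_str": "179.62.44.101", "port": 80, "org": "PUNTA INDIO DIGITAL S.A.",
         "_shodan": {"module": "http"},
         "data": "HTTP/1.1 200 OK\r\nServer: WebServer(IPCamera_Logo)\r\n\r\n",
         "http": {"server": "WebServer(IPCamera_Logo)", "title": None}},
        {"ip_str": "82.248.108.145", "port": 3389, "org": "Free SAS",
         "_shodan": {"module": "rdp"},
         "data": "Remote Desktop Protocol\n\nAttention!\nYour PC ran into a critical problem "
                 "and all files have been encrypted with .missing extension.\n",
         "vulns": {"CVE-2019-0708": {"verified": True, "cvss": 10.0}}},
        {"ip_str": "200.59.15.210", "port": 445, "org": "COTELCAM",
         "_shodan": {"module": "smb"},
         "data": "SMB Status:\n  Authentication: disabled\n",
         "smb": {"anonymous": True, "smb_version": 1,
                 "shares": [{"name": "print$", "type": "Disk"},
                            {"name": "IPC$", "type": "IPC"},
                            {"name": "Lexmark-X264dn", "type": "Printer"}]}},
    ],
}

# Phrases typical of a ransom note shown where the RDP login banner should be
# (assumed for this example).
RANSOM_NOTE = re.compile(r"files have been encrypted|decrypt", re.IGNORECASE)


def triage_match(match: dict) -> dict:
    """Turn one search() match into a list of findings with a rough severity (0-10)."""
    module = match.get("_shodan", {}).get("module", "?")
    findings, severity = [], 0.0

    # search() returns "vulns" as a dict keyed by CVE id, with cvss and verified flags.
    for cve, info in (match.get("vulns") or {}).items():
        cvss = float(info.get("cvss") or 0)
        tag = " (verified)" if info.get("verified") else ""
        findings.append(f"{cve} CVSS {cvss}{tag}")
        severity = max(severity, cvss)

    # Ransom note text in the RDP banner: the host is already compromised.
    if module == "rdp" and RANSOM_NOTE.search(match.get("data", "")):
        findings.append("ransom note in RDP banner")
        severity = max(severity, 9.0)

    # Anonymous SMB means the shares were enumerable without credentials.
    smb = match.get("smb") or {}
    if smb.get("anonymous"):
        shares = [s["name"] for s in smb.get("shares", [])]
        findings.append(f"anonymous SMB access, shares: {', '.join(shares)}")
        severity = max(severity, 7.0)
    if smb.get("smb_version") == 1:
        findings.append("SMBv1 enabled")
        severity = max(severity, 6.0)

    # The camera web server from the webcam section: reachable with no access control.
    http = match.get("http") or {}
    if module == "http" and "IPCamera" in (http.get("server") or ""):
        findings.append("IP camera web interface exposed")
        severity = max(severity, 5.0)

    return {"ip": match.get("ip_str"), "port": match.get("port"), "org": match.get("org"),
            "module": module, "severity": severity, "findings": findings}


def triage_results(results: dict) -> list:
    """Triage every match and order the list by severity, highest first."""
    rows = [triage_match(m) for m in results.get("matches", [])]
    return sorted(rows, key=lambda r: r["severity"], reverse=True)


if __name__ == "__main__":
    for row in triage_results(SAMPLE_RESULTS):
        print(f"{row['severity']:>4}  {row['ip']}:{row['port']}  [{row['module']}]  "
              f"{'; '.join(row['findings'])}")
```

Feeding the dict returned by api_connection.search() into triage_results() instead of SAMPLE_RESULTS gives the same ordered list for live results.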

Just as Shodan provides us with these kinds of results, it can also include the list of vulnerabilities detected on those devices. In this exercise we will only see an example of this type of result, both as an API response and on the Shodan website:

"isp": "Universidad Nacional de La Plata",
 "longitude": -57.95453,
 "last_update": "2021-03-15T20:08:12.310077",
 "country_code3": null,
 "vulns": [
  "CVE-2010-2068",
  "CVE-2011-4317",
  "CVE-2017-7679",
  "CVE-2018-1312",
  "CVE-2011-3368",
  "CVE-2011-3348",
  "CVE-2012-3499",
  "CVE-2012-4558",
  "CVE-2011-3607",
  "CVE-2016-8612",
  "CVE-2016-4975",
  "CVE-2012-4557",
  "CVE-2019-9639",
  "CVE-2019-9638",
  "CVE-2017-7668",
  "CVE-2013-6438",
  "CVE-2012-2687",
  "CVE-2019-9637",
  "CVE-2011-4415",
  "CVE-2012-0031",
  "CVE-2013-2249",
  "CVE-2010-1452",
  "CVE-2013-1896",
  "CVE-2017-3167",
  "CVE-2012-0053",
  "CVE-2012-0883",
  "CVE-2017-3169",
  "CVE-2011-3639",
  "CVE-2011-0419",
  "CVE-2014-0231",
  "CVE-2013-1862",
  "CVE-2014-0098",
  "CVE-2019-9641",
  "CVE-2011-3192"
 ],
 "country_name": "Argentina",

This list of vulnerabilities is presented as follows on Shodan.io:

In this way we have seen how to harness the power of Shodan.io to easily locate different kinds of devices connected to the Internet. We found webcams, RDP sessions compromised by ransomware and, finally, a printer whose SMB shares were enumerated by Shodan.io.

These labs are subject to modifications and corrections; the most up-to-date version is available online at the following link.
