Basic Scanning (Shodan.io & Nmap)

In this lab we will see how to use Shodan to locate servers with port 22 or 23 open, and we will use nmap to confirm those findings and obtain basic information about the targets.

CEH: "In scanning, we usually find open, closed, and filtered ports. Each one corresponds to completely different services, except for some ports used to present a website (80 or 8080). One of the biggest vulnerabilities is finding easily accessible ports, such as port 22 (SSH) and port 23 (Telnet)."

In this mini-practice we will see how to use Shodan to locate servers that have certain ports open. For this example we are interested in finding hosts with port 22 or port 23 open. Then we will use nmap to confirm that those servers do in fact have the reported port open.

Locating servers with ports 22 and 23 open

Shodan allows us to search both from its website and from the terminal, the latter through its CLI with an API key. Here we will use the web version at Shodan.io and refine the search with filters, in this case the port filter, port:.

We can use this filter by entering, for example, port:22 in the search bar; Shodan then returns only the hosts on which it has seen port 22 open.

We use this Shodan search to pick the targets for the practice: it is enough to choose IP addresses from the list of results Shodan returns. We will then use those IP addresses to confirm, with nmap, that the ports Shodan reports as open on each target really are open. The confirmation step matters because Shodan shows the state of a port the last time its crawlers touched the host, which may be days or weeks old; nmap reports the state right now.

Scanning targets with nmap

For scanning I will use nmap, which comes preinstalled in distributions such as Kali Linux.

Port 22

As a first example I will use the target 35.199.79.95; scanning it with nmap shows that the server has port 22 open. For this we pass nmap a series of switches, or flags, that refine the scan type, its speed, and the ports to probe.

In this mini-practice we will not go deeper into nmap. To learn more about the tool and the different types of scans it can perform, follow this 👉 link.

Once the scan completes, we have confirmation that the target has port 22 open, as the Shodan search reported. Looking closely at the result, nmap also returns information beyond the port state, such as the service name it associates with the port.

Port 23

Now let's search for a target that has port 23 open. For this we refine our Shodan search with the filter port:23; alternatively, we can search directly by the service name, telnet.

To find servers with the Telnet service active, it is enough to type the service name, telnet, in the search bar. The same works for other services, for example ssh.

Once the target is chosen, we scan it with nmap to confirm that port 23 is indeed open. In my case I chose 67.201.141.136 as the target:

As we can see in the results, the scan confirms that port 23 is open. In this particular case port 21 is also open. In this way we have seen how to locate servers with certain ports open and how to verify with nmap that those ports really are open.
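To tie the two steps together, here is an added example (not part of the original lab) that cross-checks the ports Shodan reports against an nmap scan. It assumes a Shodan result set exported as JSON with the `ip_str` and `port` fields the Shodan API uses, and nmap run with `-oG -` (grepable output) plus the flags `-Pn -sS -p <ports> -T4`, which are my choice and not necessarily the ones used in the lab. The Shodan and nmap data embedded below are constructed to mirror the lab's two targets.

```python
"""Cross-check ports Shodan reports as open against a live nmap scan.

Added example, not part of the original lab. Assumptions: Shodan results
are exported as JSON with the API field names `ip_str` and `port`; nmap is
run with `-oG -` so its grepable output can be parsed. Sample data below
is constructed to mirror the lab's two targets.
"""
import json
import re
import shlex
from collections import defaultdict

# Constructed Shodan export (field names as in the Shodan API). Port 21 on
# the second host is included because the lab saw it open in the nmap scan.
SHODAN_EXPORT = json.dumps([
    {"ip_str": "35.199.79.95", "port": 22},
    {"ip_str": "67.201.141.136", "port": 23},
    {"ip_str": "67.201.141.136", "port": 21},
])

# Constructed nmap grepable output (-oG -) for the same hosts. States follow
# the lab: 22 open on the first host, 21 and 23 open on the second. Port 22
# on the second host is marked filtered to exercise the mismatch path.
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -Pn -sS -p 21,22,23 -T4 -oG - 35.199.79.95 67.201.141.136
Host: 35.199.79.95 ()\tStatus: Up
Host: 35.199.79.95 ()\tPorts: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, 23/closed/tcp//telnet///
Host: 67.201.141.136 ()\tStatus: Up
Host: 67.201.141.136 ()\tPorts: 21/open/tcp//ftp///, 22/filtered/tcp//ssh///, 23/open/tcp//telnet///
# Nmap done
"""

# One grepable port entry is port/state/protocol/owner/service/rpc/version.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def shodan_claims(export_json: str) -> dict[str, set[int]]:
    """Group a Shodan JSON export into {ip: {ports Shodan saw open}}."""
    claims: dict[str, set[int]] = defaultdict(set)
    for banner in json.loads(export_json):
        claims[banner["ip_str"]].add(int(banner["port"]))
    return dict(claims)


def nmap_command(targets, ports) -> str:
    """Build the confirmation scan (flags are this example's choice):
    -Pn skips host discovery (exposed hosts often drop ICMP), -sS is a SYN
    scan (needs root), -p limits the scan to the ports Shodan reported,
    -T4 speeds it up, -oG - writes grepable output to stdout for parsing."""
    port_spec = ",".join(str(p) for p in sorted(ports))
    return shlex.join(["nmap", "-Pn", "-sS", "-p", port_spec, "-T4", "-oG", "-", *targets])


def parse_grepable(output: str) -> dict[str, dict[int, str]]:
    """Parse nmap -oG output into {ip: {port: state}}, skipping comment lines."""
    results: dict[str, dict[int, str]] = defaultdict(dict)
    for line in output.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # "Host: <ip> (<name>)", then tab-separated sections
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, _proto, _service in PORT_RE.findall(field):
                    results[ip][int(port)] = state
    return dict(results)


def confirm(claims, scan) -> dict[str, dict[int, str]]:
    """For every port Shodan claims, give nmap's current state: open, closed,
    filtered, or 'unscanned' if the host or port never appeared in the scan."""
    return {
        ip: {p: scan.get(ip, {}).get(p, "unscanned") for p in sorted(ports)}
        for ip, ports in claims.items()
    }


if __name__ == "__main__":
    claims = shodan_claims(SHODAN_EXPORT)
    all_ports = {p for ports in claims.values() for p in ports}
    print("Run:", nmap_command(sorted(claims), all_ports))
    for ip, states in confirm(claims, parse_grepable(NMAP_GREPABLE)).items():
        for port, state in states.items():
            print(f"{ip}:{port}  shodan=open  nmap={state}")
```

Run the printed command as root (the SYN scan requires it), feed its output to `parse_grepable`, and any port Shodan listed that comes back closed or filtered is a stale index entry rather than a live exposure, which is exactly what the nmap confirmation step in the lab is for.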
