Site Overlay

Using SHODAN to find insecure Servers, Routers and gain ROOT access

SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well.
Lets say you want to find servers running the ‘Apache’ web daemon. A simple attempt would be to use:
apache
How about finding only apache servers running version 2.2.3?
apache 2.2.3
You can also narrow down the results using the following search parameters:
country:2-letter country code
hostname:full or partial host name
net:IP range using CIDR notation (ex: 18.7.7.0/24 )
port:21, 22, 23 or 80
For example: get all web (port:80) hosts running ‘apache’ in switzerland (country:CH) that also have ‘.ch’ in any of their domain names:
apache country:CH port:80 hostname:.ch

SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. SHODAN is the brainchild of John Matherly aka @achillean

Lets say you want to find servers running the ‘Apache’ web daemon. A simple attempt would be to use:

apache

You can also narrow down the results using the following search parameters:

country:2-letter country code

hostname:full or partial host name

net:IP range using CIDR notation (ex: 18.7.7.0/24 )

port:21, 22, 23 or 80

How about something really bad. Hopefully, the webmasters below are taking steps to upgrade from IIS 4

Get all web (port:80) hosts running ‘IIS 4.0’ in United States (country:US)

IIS 4.0 country:US port:80

Gain root shell access exploiting built in shell (ash)

The query below is not confirmed but shows the power of SHODAN. Thanks to HDMoore

http://shodan.surtri.com/?q=port:23+”list+of+built-in+commands”


Similar Posts:

Published By:

Author: Ajit Gaddam

Ajit Gaddam is an accomplished technology executive and is currently the Head of Security Engineering at Visa, where he is responsible for building large scale AI driven cybersecurity products, leading engineering programs, and providing expert guidance on cybersecurity matters. He has presented at conferences worldwide, including USENIX Enigma, RSA, Black Hat, Strata Data Hadoop, COSO Dublin, and GCS Ukraine. Ajit has been quoted by major media organizations and his work has been showcased in academic journals, security publications, and in two published books. He is an active participant in various open source and standards bodies, is a prolific inventor of disruptive technologies (over 100+ global patents), and moonlights as an instructor (SANS, community colleges).

3 thoughts on “Using SHODAN to find insecure Servers, Routers and gain ROOT access

  1. Wow. It would be interesting to see what else can shodan find. Definitely queried Microsoft.com to see if they host using Apache 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll Up