Within the field of cybersecurity, Shodan (shodan.io) has become a go-to resource for researchers, hackers, and pen testers. Because it indexes Internet-facing websites, services, and devices, including vulnerable ones, it is often called the "Google for hackers." Understanding Shodan and its search filters, known as Shodan dorks, gives ethical hackers and pen testers a real advantage in detecting weak systems and understanding the current attack surface.
In this post we will look at the inner workings of Shodan, examine Shodan dorks, and discuss how hackers and pen testers can make the most of the tool.
What is Shodan?
Shodan, or Sentient Hyper-Optimized Data Access Network, is a search engine built specifically for Internet-connected devices. Unlike conventional search engines such as Google, which index web pages, Shodan scans the internet for networked devices such as servers, webcams, routers, Internet of Things devices, SCADA systems, and more. This lets ethical hackers find systems that are exposed to security breaches.
Shodan gathers metadata about these devices, including:
- IP address
- Open ports
- Running services
- SSL certificates
- Operating system versions
In addition to locating exposed devices, Shodan offers comprehensive details about them, which is very helpful for pen testers trying to exploit potential security holes.
Why Should Hackers and Pentesters Use Shodan?
Shodan is invaluable for the following reasons:
Vulnerability Identification: Hackers and pen testers can discover exposed systems and services that shouldn’t be publicly accessible. This can range from open ports to vulnerable applications.
IoT Security Audits: With the increasing number of IoT devices connected to the internet, Shodan can help identify weak or default configurations that may be exploitable.
Network Mapping: Pentesters can map out the public-facing infrastructure of an organization before launching more in-depth testing.
Real-Time Threat Intelligence: Shodan provides real-time data about connected devices, helping hackers and pen testers identify live, vulnerable targets.
Shodan Dorks: Supercharging Your Search
Shodan dorks are advanced search filters that let users narrow results far more effectively. They work much like Google dorks, giving precise control over what the search returns, and pen testers use them to pinpoint susceptible devices or systems.
Targeting Specific Organizations
Organization Search:
org:"<Organization_Name>"
- Find devices related to a specific organization. The value is the organization name recorded for the IP range (for example the company or ISP name), not a URL.
HTTP/HTTPS-Based Queries
HTTP Status Code:
http.status:"<status_code>"
- Search for specific HTTP status codes (e.g., 200, 404).
HTTP Component:
http.component:"<Component_Name>"
- Filter devices based on the HTTP component used (e.g., WordPress).
HTTP Component Category:
http.component_category:"<Component_Category>"
- Find devices by component categories like CMS, E-commerce, etc.
HTTP Web Application Firewall (WAF):
http.waf:"<firewall_name>"
- Discover devices behind a specific web application firewall.
HTTP Title:
http.title:"<Title_Name>"
- Filter search results by the title of web pages (useful for identifying login pages, etc.).
HTTP HTML Content:
http.html:"<Name>"
- Look for specific strings in the HTML body of web pages.
HTTP Favicon Hash:
http.favicon.hash:"<Favicon_Hash>"
- Identify web applications based on their favicon hash (useful for identifying applications with unique favicons).
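The favicon filter is only useful if you hash the icon the same way Shodan does: MurmurHash3 (32-bit) over the MIME-style base64 of the raw favicon bytes, not over the bytes themselves. The script below is an added example, not code from the original post or from Shodan; it implements that hash in pure Python so a defender can compute the hash of their own site's favicon and search for every instance of their application that is exposed, including copies they did not know about. The favicon bytes used for the offline run are a constructed stand-in; pass a real favicon.ico path on the command line instead.

```python
import base64
import sys


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (seed 0 by default), returned as a signed 32-bit
    integer, the convention of the mmh3 library used in Shodan's own examples."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    mask = 0xFFFFFFFF
    length = len(data)
    h1 = seed & mask
    full = length - (length % 4)

    # Body: mix each complete little-endian 4-byte block into h1.
    for i in range(0, full, 4):
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xE6546B64) & mask

    # Tail: the 1-3 leftover bytes get the block mix but no h1 rotation.
    tail = data[full:]
    if tail:
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1

    # Finalisation (fmix32).
    h1 ^= length
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def shodan_favicon_hash(favicon: bytes) -> int:
    """Hash a favicon the way Shodan does: MurmurHash3 over the MIME-style
    base64 of the raw bytes (76-character lines plus a trailing newline),
    which is exactly what base64.encodebytes() produces. Hashing the raw
    bytes, or single-line base64, yields a number Shodan will never match."""
    return murmur3_32(base64.encodebytes(favicon))


def favicon_query(favicon: bytes) -> str:
    """Build the http.favicon.hash dork for a favicon (the value is a bare integer)."""
    return f"http.favicon.hash:{shodan_favicon_hash(favicon)}"


# Constructed stand-in for a favicon.ico (ICO directory header plus filler)
# so the script runs offline; in practice read your own site's favicon.
SAMPLE_FAVICON = bytes.fromhex("00000100010010100000010020006804000016000000") + bytes(range(256)) * 4


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAVICON
    print(favicon_query(data))
```

Run it against the favicon your web servers actually serve (the bytes on the wire, after any CDN rewriting) and compare the results of the generated query against your asset inventory; a hit on an IP you do not own is worth a closer look.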
SSL and Protocol Queries
SSL ALPN Protocol:
ssl.alpn:"<Protocol>"
- Search devices by their Application-Layer Protocol Negotiation (ALPN) protocol (e.g., http/1.1, spdy/3.1).
SSL Certificate Subject Common Name:
ssl.cert.subject.cn:"<Domain.com>"
- Look for SSL certificates associated with a particular domain.
Cookie-Based Queries
Set-Cookie Headers:
"Set-Cookie: phpMyAdmin"
"Set-Cookie: lang="
"Set-Cookie: PHPSESSID"
"Set-Cookie: webvpn"
"Set-Cookie: webvpnlogin=1"
"Set-Cookie: mongo-express="
"Set-Cookie: _gitlab_session"
"Set-Cookie: user_id="
These dorks search for specific cookies that could reveal sessions or the type of application used (e.g., phpMyAdmin, GitLab, VPN systems).
Product and Service Queries
Product Search:
product:"<Product_Name>"
- Search for systems running a specific product (e.g., Apache, Elasticsearch, nginx).
Port Number and Service Name/Message:
port:<Port_Number> "Service_Name"
port:<Port_Number> "Service_Message"
- Filter by specific ports (e.g., port:443 for HTTPS) and by service names or messages (e.g., port:22 "OpenSSH").
X-Elastic-Product Header:
"X-elastic-product: Elasticsearch"
- Find systems that are running Elasticsearch.
X-Drupal-Cache Header:
"x-drupal-cache"
- Identify Drupal-based systems using a specific caching mechanism.
X-Magento-Cache-Debug Header:
"X-Magento-Cache-Debug"
- Search for Magento-based e-commerce platforms.
Kibana Instances:
"kbn-name: kibana"
- Find Kibana instances.
Network and ASN Queries
IP Address:
ip:"<IP_Address>"
- Search for a specific IP address.
Net Range:
net:"<Net_Range>"
- Search for devices within a specific network range (e.g., 104.16.100.52/32).
ASN:
asn:"<ASnumber>"
- Search for devices based on the Autonomous System Number (ASN).
Hostname:
hostname:"<Hostname>"
- Search for a specific hostname (useful for subdomain enumeration).
Other Queries
Keyword Search:
all:"<Keyword>"
- Search for devices containing a specific keyword across all indexed fields.
Access-Control-Allow-Origin Header:
"access-control-allow-origin"
- Search for systems that return an Access-Control-Allow-Origin header; overly permissive CORS policies are a common security misconfiguration.
WWW-Authenticate Header:
"WWW-Authenticate"
- Discover systems using HTTP authentication mechanisms.
Practical Examples
Search for Apache servers with a specific version:
product:"Apache" version:"2.4.39"
Find exposed MongoDB databases:
product:"MongoDB" port:27017
Locate devices with misconfigured or missing CORS headers:
"access-control-allow-origin" -"null"
Look for SSL certificates issued for a particular domain:
ssl.cert.subject.cn:"example.com"
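The practical examples above, together with the net:, hostname:, ssl.cert.subject.cn: and org: filters from the earlier sections, are also the basis of the defensive workflow mentioned in the takeaways: describe your own footprint as a set of queries, then reconcile what Shodan sees against what your inventory says should be exposed. The script below is an added example, not code from the original post or from Shodan. It assumes a small constructed inventory and a constructed list of results shaped like the "matches" entries Shodan's search API returns (ip_str, port, product and hostnames are real field names); the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real hosts.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory: the ports each of our public IPs is meant to expose.
EXPECTED_SERVICES = {
    "203.0.113.10": {443},
    "203.0.113.11": {22, 443},
}

# Constructed sample shaped like the "matches" entries returned by Shodan's
# search API. The last entry is a host outside our ranges that presents one
# of our hostnames, the kind of result a hostname:/ssl.cert.subject.cn: query surfaces.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "product": "nginx", "hostnames": ["www.example.com"]},
    {"ip_str": "203.0.113.10", "port": 27017, "product": "MongoDB", "hostnames": []},
    {"ip_str": "203.0.113.11", "port": 22, "product": "OpenSSH", "hostnames": []},
    {"ip_str": "203.0.113.11", "port": 8080, "product": "Apache httpd", "hostnames": ["dev.example.com"]},
    {"ip_str": "203.0.113.12", "port": 80, "product": "nginx", "hostnames": []},
    {"ip_str": "198.51.100.7", "port": 443, "product": "nginx", "hostnames": ["login.example.com"]},
]


def build_footprint_queries(netblocks, domains, org=None):
    """Combine the net:, hostname:, ssl.cert.subject.cn: and org: filters into
    the set of queries that together describe one organisation's footprint."""
    queries = []
    for block in netblocks:
        ipaddress.ip_network(block)  # raises ValueError on a malformed range
        queries.append(f'net:"{block}"')
    for domain in domains:
        queries.append(f'hostname:"{domain}"')
        queries.append(f'ssl.cert.subject.cn:"{domain}"')
    if org:
        queries.append(f'org:"{org}"')
    return queries


def unexpected_exposures(matches, expected):
    """Map ip -> {port: product} for every service Shodan sees that is not in
    the inventory. An IP missing from the inventory is entirely unexpected."""
    findings = defaultdict(dict)
    for m in matches:
        ip, port = m["ip_str"], m["port"]
        if port not in expected.get(ip, set()):
            findings[ip][port] = m.get("product", "unknown")
    return dict(findings)


def hosts_outside_netblocks(matches, netblocks):
    """IPs returned by the hostname/certificate queries that sit outside the
    ranges we own: one of our names or certificates on someone else's host."""
    owned = [ipaddress.ip_network(b) for b in netblocks]
    outside = set()
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in net for net in owned):
            outside.add(m["ip_str"])
    return outside


if __name__ == "__main__":
    for q in build_footprint_queries(["203.0.113.0/24"], ["example.com"], "Example Corp"):
        print("query:", q)
    for ip, ports in sorted(unexpected_exposures(SAMPLE_MATCHES, EXPECTED_SERVICES).items()):
        print(f"{ip}: unexpected {ports}")
    print("outside our ranges:", sorted(hosts_outside_netblocks(SAMPLE_MATCHES, ["203.0.113.0/24"])))
```

In the sample run the MongoDB listener on 27017, the development Apache on 8080 and an uninventoried host on 203.0.113.12 all come back as unexpected, and 198.51.100.7 is flagged as a host presenting one of our hostnames from outside our address space. Feeding real results in is a matter of replacing SAMPLE_MATCHES with the "matches" list from an API response for each generated query.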
Final Thoughts
Shodan is a powerful resource for both offensive and defensive cybersecurity purposes. Whether you are a pentester mapping out an organization’s attack surface or an ethical hacker trying to identify vulnerable systems, Shodan and its dorks provide unparalleled visibility into the internet’s exposed devices.
The key to mastering Shodan is practice—experiment with different dorks, explore various device types, and integrate it into your pentesting workflow to better understand the systems you’re testing.
Key Takeaways
- Shodan is a search engine for exposed internet-connected devices.
- Shodan dorks are advanced search queries that help refine results.
- Pentesters and hackers can use Shodan for reconnaissance, vulnerability discovery, and targeted exploitation.
- Defenders can also use Shodan to reduce their organization's exposure to attacks.