Sipcer's Blog

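Shodan Usage Notes: The Web Interface

Introduction

Shodan is a search engine for Internet-connected devices. Web search engines such as Google and Bing are great for finding websites. But what if you want to find computers running a particular piece of software, such as Apache? Or what if you want to know which version of Microsoft IIS is the most popular? Or you want to see how many anonymous FTP servers there are? Maybe a new vulnerability has come out and you want to see how many hosts it could infect? Traditional web search engines cannot answer these questions.

The most direct way to use Shodan is through its web interface. This article focuses on the web search box.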

www.shodan.io

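Shodan's underlying data is banner information

Below is the simplest possible query. Shodan returns every result whose banner contains Tencent; if several banners on one IP match, several results are shown.

Tencent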

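Some commonly used searches:

Search for Shenzhen

city:"Shenzhen"

Search for everything outside Shenzhen

-city:"Shenzhen"

Search ports 23 and 8080 where the banner is not empty

port:23,8080 -hash:0

Search for an organization

org:"Shenzhen Tencent Computer Systems Company Limited"

Search for the Heartbleed vulnerability on IPs in China

country:CN vuln:CVE-2014-0160

Search by category [ics/malware]; ics stands for industrial control systems

category:ics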
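
The queries above can be checked offline against your own asset inventory before you save them as monitoring searches. The following is an added example, not code from the original post or from Shodan: it parses the query forms shown above and evaluates them over constructed records. It assumes that clauses are ANDed, that a leading - negates a clause, and that a comma list gives alternative ports, as the examples above imply; the record keys and the function names are made up for this sketch.

```python
import shlex

# Filter names from the General Filters appendix (subset used here).
KNOWN_FILTERS = {"city", "country", "org", "port", "hash", "vuln", "category"}

def parse_query(query):
    """Return a list of (negated, filter_name_or_None, values) clauses."""
    clauses = []
    for token in shlex.split(query):          # keeps "quoted values" together
        negated = token.startswith("-")
        body = token[1:] if negated else token
        name, sep, value = body.partition(":")
        if not sep:                           # no colon: free-text banner term
            clauses.append((negated, None, [body]))
            continue
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name!r}")
        # The page shows comma lists only for port (port:23,8080).
        values = value.split(",") if name == "port" else [value]
        clauses.append((negated, name, values))
    return clauses

def matches(record, query):
    """True if the record satisfies every clause (clauses are ANDed)."""
    for negated, name, values in parse_query(query):
        if name is None:
            hit = values[0].lower() in record["data"].lower()
        else:
            field = record.get(name, [])
            have = field if isinstance(field, list) else [field]
            have = {str(x).lower() for x in have}
            hit = any(v.lower() in have for v in values)
        if hit == negated:                    # clause failed, or excluded value hit
            return False
    return True

# Constructed inventory records (flat keys chosen for this example,
# not Shodan's record schema; addresses are documentation ranges).
INVENTORY = [
    {"ip": "192.0.2.10", "port": 23, "city": "Shenzhen", "country": "CN",
     "hash": 0, "data": ""},
    {"ip": "192.0.2.11", "port": 8080, "city": "Shenzhen", "country": "CN",
     "hash": 1729, "data": "HTTP/1.1 200 OK\r\nServer: nginx"},
    {"ip": "198.51.100.7", "port": 443, "city": "Beijing", "country": "CN",
     "hash": 4104, "data": "HTTP/1.1 200 OK", "vuln": ["CVE-2014-0160"]},
]

def select(query):
    return [r["ip"] for r in INVENTORY if matches(r, query)]
```

A mistyped filter name raises ValueError instead of silently being treated as banner text, which is the most common way a saved query ends up matching nothing.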

www.shodan.io/report

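Click Create Report on a results page and Shodan generates the report in the background and sends it to your registered e-mail address.
Below is the report for the category:ics results:
https://www.shodan.io/report/HAEpJHKy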

maps.shodan.io

Displays search results on a map
category:ics

images.shodan.io

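Lets you search screenshots of Internet hosts; the search syntax is the same as Shodan's.
The image data comes from the following services:

  • VNC
  • Remote Desktop (RDP)
  • RTSP
  • Webcams
  • X Windows

To search for VNC you can use RFB; for RDP you can search with RTSP

RFB

Searching for VNC services turns up industrial control equipment, and even systems that are already logged in.
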

exploits.shodan.io

Exploits collected from around the web; searchable by source, system, type, and author

honeyscore.shodan.io

Enter an IP to check whether it is a honeypot

simple.shodan.io

A simplified version of Shodan with a cool 3D effect

ics-radar.shodan.io

ICS Radar; this is an introduction page

Appendix: Filters

General Filters

Name Description
after Only show results after the given date (dd/mm/yyyy)
asn Autonomous system number
before Only show results before the given date (dd/mm/yyyy)
category Available categories: ics, malware
city Name of the city
country 2-letter country code
geo Accepts between 2 and 4 parameters. If 2 parameters: latitude,longitude. If 3 parameters: latitude,longitude,range. If 4 parameters: top left latitude, top left longitude, bottom right latitude, bottom right longitude.
hash Hash of the data property
has_ipv6 True/False
has_screenshot True/False
hostname Full hostname for the device
ip Alias for net filter
isp ISP managing the netblock
net Network range in CIDR notation (ex. 199.4.1.0/24)
org Organization assigned the netblock
os Operating system
port Port number for the service
postal Postal code (US-only)
product Name of the software/product providing the banner
region Name of the region/state
state Alias for region
version Version for the product
vuln CVE ID for a vulnerability

HTTP Filters

Name Description
http.component Name of web technology used on the website
http.component_category Category of web components used on the website
http.html HTML of web banners
http.html_hash Hash of the website HTML
http.status Response status code
http.title Title for the web banner’s website

NTP Filters

Name Description
ntp.ip IP addresses returned by monlist
ntp.ip_count Number of IPs returned by initial monlist
ntp.more True/False; whether there are more IP addresses to be gathered from monlist
ntp.port Port used by IP addresses in monlist

SSL Filters

Name Description
has_ssl True/False
ssl Search all SSL data
ssl.alpn Application layer protocols such as HTTP/2 (“h2”)
ssl.chain_count Number of certificates in the chain
ssl.version Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
ssl.cert.alg Certificate algorithm
ssl.cert.expired True/False
ssl.cert.extension Names of extensions in the certificate
ssl.cert.serial Serial number as an integer or hexadecimal string
ssl.cert.pubkey.bits Number of bits in the public key
ssl.cert.pubkey.type Public key type
ssl.cipher.version SSL version of the preferred cipher
ssl.cipher.bits Number of bits in the preferred cipher
ssl.cipher.name Name of the preferred cipher

TELNET Filters

Name Description
telnet.option Search all the options
telnet.do The server requests that the client support these options
telnet.dont The server requests the client to not support these options
telnet.will The server supports these options
telnet.wont The server doesn’t support these options