Tuesday, December 1, 2009

SHODAN - Banner grabbing search engine

I recently discovered a new search engine which has some interesting capabilities. From the site:

SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I'll prioritize them in my scanning.

What makes this interesting (and somewhat controversial) is that SHODAN (Sentient Hyper-Optimized Data Access Network) has done the legwork and initial scanning for those wishing to break into (or secure) systems.

If a new exploit is released which targets a vulnerability in a specific version of Apache, let's say, why bother scanning for vulnerable web servers when someone else has done it for you? Add filtering by country / domain / keyword and an attacker can build a nice set of targets without ever sending a packet to any of them.

Here are a few SHODAN queries to demonstrate:

IIS servers running default page:
http://shodan.surtri.com/?q=port%3A80+iisstart.htm
Cisco devices listening on port 80:
http://shodan.surtri.com/?q=port%3A80+%22Cisco%22
IPs in the US with telnet open:
http://shodan.surtri.com/?q=country%3Aus+port%3A23
Citrix servers in Brazil on port 80:
http://shodan.surtri.com/?q=citrix%20country:BR%20port:80
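For the "secure" side of that equation, here is an added example (not from the original post or from SHODAN) that decodes the four query URLs above into their filters and keywords and checks them offline against banners from your own hosts. The inventory records are constructed, and the matching rules (exact match on `port` and `country`, case-insensitive substring match on keywords) are an assumption about how such an index behaves.

```python
import shlex
from urllib.parse import urlparse, parse_qs

# The four query URLs listed in the post.
PAGE_QUERIES = [
    "http://shodan.surtri.com/?q=port%3A80+iisstart.htm",
    "http://shodan.surtri.com/?q=port%3A80+%22Cisco%22",
    "http://shodan.surtri.com/?q=country%3Aus+port%3A23",
    "http://shodan.surtri.com/?q=citrix%20country:BR%20port:80",
]

# Constructed inventory: banners gathered from your own hosts (documentation IPs).
INVENTORY = [
    {"ip": "192.0.2.10", "port": 80, "country": "US",
     "banner": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
               "Content-Location: http://192.0.2.10/iisstart.htm"},
    {"ip": "192.0.2.20", "port": 23, "country": "US",
     "banner": "User Access Verification"},
    {"ip": "192.0.2.30", "port": 80, "country": "DE",
     "banner": "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS"},
    {"ip": "192.0.2.40", "port": 443, "country": "US",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx"},
]

def parse_query(url):
    """Split a search URL's q parameter into (filters, keywords)."""
    q = parse_qs(urlparse(url).query)["q"][0]  # decodes %3A, %22, + and %20
    filters, keywords = {}, []
    for term in shlex.split(q):                # keeps "quoted phrases" together
        name, sep, value = term.partition(":")
        if sep and name in ("port", "country"):
            filters[name] = value.lower()
        else:
            keywords.append(term.lower())
    return filters, keywords

def matches(record, filters, keywords):
    """Assumed semantics: filters match exactly, keywords are banner substrings."""
    if "port" in filters and str(record["port"]) != filters["port"]:
        return False
    if "country" in filters and record["country"].lower() != filters["country"]:
        return False
    return all(k in record["banner"].lower() for k in keywords)

def exposure_report(inventory=INVENTORY, queries=PAGE_QUERIES):
    """Map each query URL to the inventory IPs that would satisfy it."""
    return {u: [r["ip"] for r in inventory if matches(r, *parse_query(u))]
            for u in queries}
```

Any host that shows up in the report is one whose banner alone is enough to land it in a result set, which makes it a candidate for banner minimization or for taking the service off the public interface.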