Shodan Guide


Danielle Just, Aug 5, 2024, 2:55:11 AM, to rerochantdef
If you have an API plan then you get a certain number of query credits that you can spend each month. For people with the Shodan Membership that means you get 100 query credits per month while for the API plans it can range from 10,000 up to unlimited.

To follow along with this guide you must have the Shodan Python library installed. Most Unix-based operating systems already come with Python installed so all you need to type to install the Shodan library is:


The Shodan CLI provides access to most functions of the API in a user-friendly interface. It also includes a command to easily download data using the query credits from your API. Here's a quick video that shows how it works in action:


The results of the above command will be saved in a file called mongodb-results.json.gz. At this point, you can easily convert the file into CSV, KML or simply output a list of IP:port pairs by using the shodan parse command:


The CLI should work for most purposes but sometimes you want to perform custom transformations on the banners as you're downloading them. Or you don't want to store the information in a local file. In those cases, you can use a convenient helper method provided by the Python library for Shodan called search_cursor() to iterate over the results:


We've discussed how to download data with the CLI, how to extract properties out of it, how to convert it to other file formats and how to process search results directly in Python. For a complete example that uses these skills check out how to track hacked websites.


The shodan command-line interface (CLI) is packaged with the official Python library for Shodan, which means if you're running the latest version of the library you already have access to the CLI. To install the new tool simply execute:


The download command is what you should be using most often when getting results from Shodan since it lets you save the results and process them afterwards using the parse command. Because paging through results uses query credits, it makes sense to always store searches that you're doing so you won't need to use query credits for a search you already did in the past.


Use parse to analyze a file that was generated using the download command. It lets you filter out the fields that you're interested in, convert the JSON to a CSV and is friendly for piping to other scripts.


This command lets you search Shodan and view the results in a terminal-friendly way. By default it will display the IP, port, hostnames and data. You can use the --fields parameter to print whichever banner fields you're interested in.


This method behaves identically to "/shodan/host/search" with the only difference that this method does not return any host results; it only returns the total number of results that matched the query and any facet information that was requested. As a result this method does not consume query credits.


This method is restricted to security researchers and companies with a Shodan Enterprise Data license. To apply for access to this method as a researcher, please email jm...@shodan.io with information about your project. Access is restricted to prevent abuse.


Add the specified notifier to the network alert. Notifications are only sent if triggers have also been enabled. For each created user, there is a default notifier which sends via email.


Search engines index websites on the web so you can find them more efficiently, and the same is true for internet-connected devices. Shodan indexes devices like webcams, printers, and even industrial controls into one easy-to-search database, giving hackers access to vulnerable devices online across the globe. And you can search its database via its website or command-line library.


Shodan has changed the way hackers build tools, as it allows for a large part of the target discovery phase to be automated. Rather than needing to scan the entire internet, hackers can enter the right search terms to get a massive list of potential targets. Shodan's Python library allows hackers to quickly write Python scripts that fill in potential targets according to which vulnerable devices connect at any given moment.


You can imagine hunting for vulnerable devices as similar to trying to find all the pages on the internet about a specific topic. Rather than searching every page available on the web yourself, you can enter a particular term into a search engine to get the most up-to-date, relevant results. The same is true for discovering connected devices, and what you can find online may surprise you!


First, whether using the website or the command line, you need to log in to shodanhq.com in a web browser. Although you can use Shodan without logging in, Shodan restricts some of its capabilities to only logged-in users. For instance, you can only view one page of search results without logging in. And you can only see two pages of search results when logged in to a free account. As for the command line, you will need your API Key to perform some requests.


A particularly useful feature of Shodan is that you don't need to open a web browser to use it if you know your API Key. To install Shodan, you'll need to have a working Python installation. Then, you can type the following in a terminal window to install the Shodan library.


These controls are pretty straightforward, but not all of them work without connecting it to your Shodan API Key. In a web browser, log in to your Shodan account, then go to "My Account" where you'll see your unique API Key. Copy it, then use the init command to connect the key.


There are many ways to find webcams on Shodan. Usually, using the name of the webcam's manufacturer or webcam server is a good start. Shodan indexes the information in the banner, not the content, which means that if the manufacturer puts its name in the banner, you can search by it. If it doesn't, then the search will be fruitless.


One of my favorites is webcamxp, a webcam and network camera software designed for older Windows systems. After typing this into the Shodan search engine online, it pulls up links to hundreds, if not thousands, of web-enabled security cameras around the world.


To exit results, hit Q on your keyboard. If you only want to see certain fields instead of everything, there are ways to omit some information. First, let's see how the syntax works by viewing the help page for search.


Look through the results and find webcams you want to try out. Input their domain name into a browser and see if you get instant access. Here is an array of open webcams from various hotels in Palafrugell, Spain, that I was able to access without any login credentials:


Although it can be fun and exciting to voyeuristically watch what's going on in front of these unprotected security cameras, unbeknownst to people around the world, you probably want to be more specific in your search for webcams.


Although some of the webcams Shodan shows you are unprotected, many of them will require authentication. To attempt to gain access without too much effort, try the default username and password for the security camera hardware or software. I have compiled a short list of the default username and passwords of some of the most widely used webcams below.


There is no guarantee that any of those will work, but many inattentive and lazy administrators simply leave the default settings in place. In those cases, the default usernames and passwords for the hardware or software will give you access to confidential and private webcams around the world.


Now that we know how to find webcams and potentially log in to them using default usernames and passwords, let's get more specific and try to find webcams in a specific geographical location. For example, if we were interested in webcams by the manufacturer WebcamXP in Australia, we could find them by typing webcamxp country:AU into the search box on Shodan's website.


So if we were to search webcamxp country:AU on the website directly, to do it from the command line you would format it as one of the ways below. However, if you're not on a paid plan, you can't use the Shodan API to perform detailed searches like we are trying to here. But you can still perform an advanced search on Shodan's website, with the regular restrictions for free users.


When we get that specific, on Shodan's website, it only finds four WebcamXP cameras. Click on one, and we can find that once again, we have a private webcam view of someone's camera in their backyard in Melbourne, Australia.


Something we can do from the command-line interface that we can't from the website is search for information on a host. For instance, we can run the shodan myip command to print our external IP.


I hope this short demonstration of the power of Shodan gets your imagination stimulated for inventive ways you can find private webcams anywhere on the globe! If you're too impatient to hunt down webcams on Shodan, you can use a website like Insecam to view accessible webcams you can watch right now. For instance, you can view all the WebcamXP cameras that have pictures.


Whether you use Shodan or an easier site such as Insecam to view webcams, don't limit yourself to WebcamXP, but instead try each of the webcam manufacturers at a specific location, and who knows what you will find.


I hope you enjoyed this guide to using Shodan to discover vulnerable devices. If you have any questions about this tutorial on using Shodan or have a comment, ask below or feel free to reach me on Twitter @KodyKinzie.
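The post above describes the `shodan download` export format (gzip-compressed JSON, one banner per line) and the `shodan parse` command for pulling selected fields out of it. The following is an added example, not part of the original post and not the Shodan project's own code, showing the defensive use of that workflow: loading an export offline and reducing it to an inventory of services exposed inside your own netblock, so you can check what Shodan has indexed about infrastructure you are responsible for. The banner records are constructed samples using RFC 5737 documentation addresses; the field names (`ip_str`, `port`, `product`, `hostnames`, `org`, `data`) follow the public banner layout, and joining list values with `;` is this example's own choice, not a Shodan CLI convention.

```python
"""Offline inventory of a `shodan download` export, restricted to your own
address space. Added example; not code from the post or from Shodan."""
import csv
import gzip
import io
import ipaddress
import json
import os
import tempfile
from collections import Counter

# Constructed sample banners in the shape of a `shodan download` export
# (one JSON object per line). IPs are RFC 5737 documentation addresses.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 27017, "transport": "tcp", "org": "Example Corp",
     "hostnames": ["db1.example.com"], "product": "MongoDB",
     "data": "MongoDB Server Information\n"},
    {"ip_str": "203.0.113.22", "port": 8080, "transport": "tcp", "org": "Example Corp",
     "hostnames": ["cam.example.com"], "product": "webcamXP httpd",
     "data": "HTTP/1.1 200 OK\nServer: webcamXP 5\n"},
    {"ip_str": "198.51.100.5", "port": 22, "transport": "tcp", "org": "Other ISP",
     "hostnames": [], "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_8.9\n"},
]


def write_export(banners, path):
    """Write banners as gzip-compressed JSON lines, the `shodan download` layout."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for banner in banners:
            fh.write(json.dumps(banner) + "\n")


def load_banners(path):
    """Stream banners out of an export without loading the whole file."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield json.loads(line)


def in_scope(banners, cidr):
    """Keep only banners whose IP lies inside the netblock you own."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [b for b in banners if ipaddress.ip_address(b["ip_str"]) in net]


def select_fields(banners, fields):
    """Flatten chosen banner fields into rows, like `shodan parse --fields`."""
    rows = []
    for b in banners:
        row = []
        for name in fields:
            value = b.get(name, "")
            if isinstance(value, list):
                # Assumption of this example: lists (e.g. hostnames) joined with ';'
                value = ";".join(str(v) for v in value)
            row.append(str(value))
        rows.append(row)
    return rows


def to_csv(rows, fields):
    """Render rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    writer.writerows(rows)
    return buf.getvalue()


def port_histogram(banners):
    """Count exposed (port, product) pairs; a quick view of what is reachable."""
    return Counter((b["port"], b.get("product", "")) for b in banners)


def run_demo(cidr="203.0.113.0/24"):
    """Round-trip the sample export through a temp file and inventory one netblock."""
    tmp = tempfile.NamedTemporaryFile(suffix=".json.gz", delete=False)
    tmp.close()
    try:
        write_export(SAMPLE_BANNERS, tmp.name)
        scoped = in_scope(load_banners(tmp.name), cidr)
    finally:
        os.unlink(tmp.name)
    fields = ["ip_str", "port", "product", "hostnames"]
    return {
        "count": len(scoped),
        "csv": to_csv(select_fields(scoped, fields), fields),
        "ports": port_histogram(scoped),
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["csv"])
    for (port, product), n in result["ports"].most_common():
        print(f"{port}\t{product}\t{n}")
```

Pointing `load_banners` at a real `shodan download` file and `in_scope` at your organisation's prefixes gives the same output shape; anything that appears in the CSV that is not in your asset register is the exposure to chase down first.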

