All roads lead to Rome but sometimes the path you get there matters. In the case of Shodan, there's the main website that provides a general-purpose search engine interface but we also provide a few other ways of looking at the data that are sometimes better suited. In this article we will be discussing the following 3 services on the Shodan website:
Shodan: https://www.shodan.io
Shodan Maps (membership required): https://maps.shodan.io
Shodan Images (membership required): https://images.shodan.io
All of the above websites access the same Shodan data but they're designed with different use cases in mind. In this article we will be going through all the features of the above websites and learn a few tricks along the way. Lets start off by discussing the main Shodan website:
The main interface for accessing the data gathered by Shodan is via its search engine located at https://www.shodan.io
By default, the search query will look at the data collected within the past 30 days. This means that the results you get from the website are recent and provide an accurate view of the Internet at the moment.
In addition to searching, the website also provides the following functionality:
After completing a search there will be a button at the top called Download Data:
Clicking on that button will provide you with the option of downloading the search results in JSON (recommended), CSV or XML formats.
The JSON format generates a file where each line contains the full banner and all accompanying meta-data that Shodan gathers. This is the preferred format as it saves all available information. And the format is compatible with the Shodan command-line client, meaning you can download data from the Shodan website then process it further using the terminal.
Note: The Shodan CLI can convert JSON data files into Excel spreadsheets.
Downloading data consumes query credits. 1 query credit can be used to download up to 100 results.
Data files generated by the website can be retrieved in the Downloads section of the website, which you can visit by clicking on the Downloads link in the main menu:
The website lets you generate a report based off of a search query. The report contains graphs/ charts providing you a big picture view of how the results are distributed across the Internet. This feature is free and available to anyone.
To generate a report, click on the Create Report button from the search results page:
Then give your report a descriptive title in the pop-up window that appears:
And hit the green Create Report button! It usually takes a few minutes for Shodan to gather all the relevant information and once it's available you will receive an email with a link. The only way for other users to see your report is if you share your link with them. The report will then look something like this:
When you generate a report you are asking Shodan to take a snapshot of the search results and provide an aggregate overview. Once the report has been generated, it doesn't change or automatically update as new data is being collected by Shodan. This also means that you can generate a report once a month and keep track of changes over time by comparing it to reports of previous months. By clicking on the Reports button in the main menu you can get a listing of previously generated reports.
Finding specific devices requires knowledge about the software they run and how they respond to banner grabs over the Internet. Fortunately, it is possible to leverage the shared knowledge of the community using the search directory on Shodan. People are able to readily describe, tag and share their search queries for others to use. If you're interested in getting started with Shodan, the shared searches should be your first stop.
Likewise, if you've created a search query that you'd like to share with the community simply click on the Share Search button in the search results page:
And then describe the content of the search results so others can easily discover your query:
Warning: Shared search queries are publicly viewable. Do not share queries that are sensitive or you don't want others to know about.
Shodan Maps provides a way to explore search results visually instead of the text-based main website. It displays up to 1,000 results at a time and as you zoom in/ out Maps adjusts the search query to only show results for the area you're looking at.
All search filters that work for the main Shodan website also work on Maps. From a technical perspective, Shodan Maps is the same as the main Shodan website except it automatically adds a geo filter to your search query to restrict search results to the area that you're looking at on the map.
There are a variety of map styles available to present the data to your preference. Click on the gear button next to the search button for a list of options:
Here's a quick glance at the various styles that are currently available:
For a quick way to browse all the screenshots that Shodan collects check out Shodan Images. It is a user-friendly interface around the has_screenshot filter and is one of the services that's included with the Shodan Membership.
The search box at the top uses the same syntax as the main Shodan search engine. It is most useful to use the search box to filter by organization or netblock. However, it can also be used to filter the types of images that are shown.
Image data is gathered from 5 different sources:
Each image source comes from a different port/ service and therefor has a different banner. This means that if you only want to see images from webcams you could search for HTTP. To search for VNC you can search using RFB and for RTSP you simply search with RTSP.
The images can also be found using the main Shodan website or Shodan Maps by using the search query has_screenshot:true:
