___
# Tags
#shodan
#threat-intel
#threat-hunting
# Helpful Docs
- [ePub link to the book](https://leanpub.com/shodan)
# Notes
- A lot of this information is just a rewrite of what's available in the book, with certain information left out for my convenience when referencing it
#### Banners
- Software often verbosely announces itself in the form of a banner, typically the software name followed by its version
- This is the primary way Shodan collects data about internet-facing devices
#### Device Metadata & IPv6
- Shodan gathers host metadata whenever a host exposes it, and it also collects all of the banners offered by hosts when scanning IPv6
#### Frequency
- The crawlers that Shodan uses are always processing the internet, so every query returns a real-time, continuously updated picture of the known results
- Crawling is performed completely at random without any sequential order in IP ranges or ports
#### SSL In-Depth
- SSL is scraped as well: every service serving a certificate gets catalogued, the SSL/TLS versions and handshake ciphers are tested using every common method, and the certificate chain is followed all the way down to the host
- Search with `ssl.versions` and `ssl.chain` fields
#### Web Components
- Shodan crawlers also try their best to determine the technologies that make up a website, such as PHP, jQuery, WordPress, etc.
- Search with `http.component` and `http.components`
#### Cascading
- As the internet gets scanned, associations between assets get built out because of the relational nature of the results
- Search with `_shodan.id` and `_shodan.options.referrer` for relational associations
#### Search Queries
- There is an implicit `and/+` between all of the search keywords, so it is important to learn the filter language to accurately get back the desired results
- Search filters are often `filtername:value`
- Example would be `city:indianapolis`
- An example of an exclusion would be `-city:indianapolis`
- Every banner in Shodan has a hash property; blank banners are assigned `hash:0`, which could be good to exclude when searching by hashes
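As an added example (not from the book or the Shodan project), here is a small Python pass over constructed banner records laid out like Shodan's JSON export: it drops the `hash:0` blanks, reads `ssl.versions` (a leading `-` marks a version the host refused) and `ssl.chain`, and rebuilds the cascading links from `_shodan.options.referrer` back to `_shodan.id`. The field layout follows Shodan's banner specification; all values are made up.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Shodan's banner JSON (not real scan data).
SAMPLE_BANNERS = json.loads("""[
 {"ip_str": "203.0.113.10", "port": 443, "hash": 1234567,
  "_shodan": {"id": "b1", "module": "https"},
  "ssl": {"versions": ["-SSLv2", "-SSLv3", "TLSv1", "TLSv1.2"],
          "chain": ["<leaf cert PEM>", "<intermediate cert PEM>"]}},
 {"ip_str": "203.0.113.10", "port": 8443, "hash": 0,
  "_shodan": {"id": "b2", "module": "https", "options": {"referrer": "b1"}}},
 {"ip_str": "203.0.113.11", "port": 443, "hash": 7654321,
  "_shodan": {"id": "b3", "module": "https", "options": {"referrer": "b1"}},
  "ssl": {"versions": ["-SSLv2", "-SSLv3", "-TLSv1", "TLSv1.2", "TLSv1.3"],
          "chain": ["<leaf cert PEM>"]}}
]""")

# Protocol versions a defender would want flagged if a host still accepts them.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def non_blank(banners):
    """Drop blank banners, which Shodan stores with hash 0 (the `-hash:0` exclusion)."""
    return [b for b in banners if b.get("hash", 0) != 0]

def supported_versions(banner):
    """ssl.versions lists every tested version; a leading '-' means the host refused it."""
    return {v for v in banner.get("ssl", {}).get("versions", []) if not v.startswith("-")}

def legacy_tls_hosts(banners):
    """ip:port of services that still accept a deprecated SSL/TLS version."""
    return sorted(f"{b['ip_str']}:{b['port']}" for b in banners
                  if supported_versions(b) & DEPRECATED)

def chain_depth(banner):
    """Number of certificates Shodan recorded in ssl.chain for this service."""
    return len(banner.get("ssl", {}).get("chain", []))

def referrer_tree(banners):
    """Map a banner id to the ids of banners found by cascading from it."""
    tree = defaultdict(list)
    for b in banners:
        ref = b["_shodan"].get("options", {}).get("referrer")
        if ref:
            tree[ref].append(b["_shodan"]["id"])
    return dict(tree)

def summarize(banners):
    kept = non_blank(banners)
    return {"dropped_blank": len(banners) - len(kept),
            "legacy_tls": legacy_tls_hosts(kept),
            "referrers": referrer_tree(banners),
            "chain_depth": {b["_shodan"]["id"]: chain_depth(b) for b in kept}}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_BANNERS), indent=2))
```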
#### Search Filter List
- A comprehensive list of search filters can be found [here](https://www.shodan.io/search/filters)
#### Searching for Images by Service
- Shodan has an images section [here](https://images.shodan.io/) and filtering of screenshots can be done with the `has_screenshot:true` filter
#### Shodan CLI
- Install your API key using `shodan init API_KEY`
![[Pasted image 20221108200229.png]]
- Calculate a suspected honeypot score with `shodan honeyscore [ip]`
- Find out your public IP with `shodan myip`
- Submit a manual scan with `shodan scan submit [ip]`
- See what's running on your public-facing IP ranges with `shodan count net:x.x.x.x/x`
#### Shodan Exploits
- You can search for exploits and vulnerabilities [here](https://exploits.shodan.io/)
#### Facets
- Facets create aggregations of data based on banners of interest
#### Industrial Control Systems
- A list of common acronyms relating to ICS
![[Pasted image 20221109140628.png]]
#### Honeypotting and Detecting Them
- Honeypots are purpose-built appliances or software solely used to identify malicious actors
- You deploy a honeypot and make it internet accessible so that a script, botnet or bad guy detects it and begins running exploits or other attacks against it, and those methods get recorded in a safe way
- Honeypots are often deployed with default settings, which is a dead give-away when faced with anti-honeypot detection methods
#### Popular Software Properties Collected
![[Pasted image 20221109142653.png]]
![[Pasted image 20221109142709.png]]
![[Pasted image 20221109142720.png]]
![[Pasted image 20221109142734.png]]
![[Pasted image 20221109142747.png]]
![[Pasted image 20221109142820.png]]
![[Pasted image 20221109142832.png]]
![[Pasted image 20221109142917.png]]