Wednesday, 1 February 2012

INFORMATION ABOUT Shodan


Search engines are computer programs designed to help someone find files stored on a computer, for example on a public server on the web (WWW) or on the computer itself. A search engine lets us ask for content that matches specific criteria (typically containing a word or phrase we specify) and obtain a list of files that meet those criteria. Search engines usually use an index (built beforehand and updated regularly) to locate the files after the user enters the search criteria. (http://id.wikipedia.org/wiki/Mesin_pencari)
Search engines like Google, Bing, Yahoo and others are excellent for finding websites, but if we want to find computers that are running particular software (such as Apache), want to know which version of IIS is the most popular, want to know how many FTP servers allow anonymous logins, or have learned of a new vulnerability and want to know how many hosts are still running the affected types/versions, a standard (traditional) search engine will not answer those questions.
Most of the data is grabbed from the "banner": meta-data that a server sends back to the client (such as the HTTP header), which may contain information about the server software and the services it supports, or a message sent to the client before it interacts with the server, for example a message stating that the FTP server is ready:
  220 kcg.cz FTP server (Version 6.00LS) ready.
This tells us that there is an FTP server, kcg.cz, with version 6.00LS. A more complete example can be seen in the form of HTTP headers:
  HTTP/1.0 200 OK
  Date: Tue, 16 Feb 2010 10:03:04 GMT
  Server: Apache/1.3.26 (Unix) PHP/4.1.2 AuthMySQL/2.20 mod_gzip/1.3.19.1a mod_ssl/2.8.9 OpenSSL/0.9.6g
  Last-Modified: Wed, 01 Jul 1998 08:51:04 GMT
  ETag: "135074-61-3599f878"
  Accept-Ranges: bytes
  Content-Length: 97
  Content-Type: text/html
With the information obtained from banner grabbing, Shodan can answer the questions that other search engines cannot. Shodan is not much different from the search engines we already know; it only has a few unique features compared with other search engines. Unlike an ordinary search engine, Shodan provides information about the services run by every device connected to the internet, whether a server, a router or a computer with a public IP address. Shodan works by using spiders that crawl website pages to retrieve important information from the headers, and by scanning and banner grabbing against ports that are commonly open on servers, such as SSH, telnet and FTP. It then collects this information so that it can be searched like an ordinary search engine, which makes Shodan a search engine that helps with the information gathering stage of penetration testing. Using it is quite easy: simply enter the keywords for the information you want to obtain; results can also be filtered by country (2-letter country code) or hostname (full or partial hostname).
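To make concrete what a banner index actually stores, here is an added Python example (my own code, not from the post and not Shodan's) that parses the two banners shown above into the product and version tokens a banner search would key on. The banners are embedded as constructed sample input modelled on the post's examples; the function names and the list of version-disclosing headers are assumptions for this example. A defender can run the same parser against their own servers' responses to see exactly which product versions they are disclosing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two banners shown in the post, as they would arrive on the wire.
HTTP_BANNER = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Tue, 16 Feb 2010 10:03:04 GMT\r\n"
    "Server: Apache/1.3.26 (Unix) PHP/4.1.2 AuthMySQL/2.20 mod_gzip/1.3.19.1a "
    "mod_ssl/2.8.9 OpenSSL/0.9.6g\r\n"
    "Last-Modified: Wed, 01 Jul 1998 08:51:04 GMT\r\n"
    'ETag: "135074-61-3599f878"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 97\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
FTP_BANNER = "220 kcg.cz FTP server (Version 6.00LS) ready.\r\n"

# A product token has the shape name/version, e.g. "OpenSSL/0.9.6g"; bare words like "(Unix)" are skipped.
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/([\w.-]+)")
# Headers that commonly disclose software versions (assumed list for this example).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_http_head(raw: str) -> Dict[str, object]:
    """Split an HTTP response head into its status line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the whole parse
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def disclosed_products(raw: str) -> List[Tuple[str, str]]:
    """Return (product, version) pairs found in version-disclosing HTTP headers."""
    headers = parse_http_head(raw)["headers"]
    found: List[Tuple[str, str]] = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            found.extend(PRODUCT_RE.findall(headers[name]))
    return found


def parse_ftp_greeting(raw: str) -> Dict[str, str]:
    """Pull reply code, host and version out of an FTP greeting; missing parts come back empty."""
    m = re.match(r"(\d{3})[ -](\S+)\s+(.*)", raw.strip())
    if not m:
        return {"code": "", "host": "", "version": "", "text": raw.strip()}
    code, host, text = m.groups()
    v = re.search(r"[Vv]ersion\s+([\w.]+)", text)
    return {"code": code, "host": host, "version": v.group(1) if v else "", "text": text}


if __name__ == "__main__":
    for product, version in disclosed_products(HTTP_BANNER):
        print(f"{product} {version}")
    print(parse_ftp_greeting(FTP_BANNER))
```

Six separate product/version pairs come out of that one Server header, which is why a single banner is enough to match queries like the version-specific ones later in this post; trimming the Server header (ServerTokens in Apache, for instance) is what shrinks that list.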
How to use
The Shodan search engine was originally located at http://shodan.surtri.com/; it can now be accessed at http://www.shodanhq.com. The search engine, released by John Matherly (http://twitter.com/achillean), requires us to register before using it (free and paid accounts). Like other search engines, Shodan uses the boolean operators ('+', '-' and '|') in searches; by default Shodan applies the '+' operator to every keyword we give. In addition to the boolean operators, there are special filters to narrow search results.
General
All filters have the format 'filter:value' and can be added anywhere in the search query. Note that there is no space before or after the ':' sign.
country
The 'country' filter is used to narrow search results by country. This is useful when we want to find computers in a particular country.
  apache +country:ID -> searches for all computers in Indonesia that are running the apache service
  nginx +country:MY -> searches for all computers in Malaysia that are running the nginx service
hostname
The 'hostname' filter allows us to find hosts whose host name contains the given value.
  apache hostname:.id
net
The 'net' filter is used to restrict search results to a specific IP or subnet, using CIDR notation to designate the subnet range. Here are some examples:
  216.219.143.14 -> net:216.219.143.14
  216.219.143.*  -> net:216.219.143.0/24
  216.219.*      -> net:216.219.0.0/16
  216.*          -> apache net:216.0.0.0/8
os
'os' is used to search for a specific operating system. Typical values are: windows, linux and cisco.
  microsoft-iis os:"windows 2003"
  JBoss os:linux
port
The 'port' filter is used to narrow the search to a specific service. The values allowed are: 21, 22, 23 and 80. Example:
  proftpd port:21 -> searches for the proftpd service on port 21
There are many more filters we can use to narrow our search results. Just as with other search engines, Shodan also has dorks; a dork combines the boolean operators and filters to narrow search results, for example:
  country:ID port:80 hostname:.id
This query is used to obtain information about the apache daemon on any server located in Indonesia whose hostname contains .id; it displays around 102 IP addresses, servers or routers, together with the banner info. Examples:
  backbone.perumnas.co.id
  ip30-222.sby.uninet.net.id
  dns1.jogja.go.id
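To make the filter and operator semantics above concrete, here is an added Python example (my own code, not Shodan's and not from the post) that evaluates Shodan-style queries over a handful of constructed banner records: 'filter:value' terms for country, hostname (substring match), net (a single IP or a CIDR range, via the standard ipaddress module), os and port; quoted phrases; '+' and bare terms as AND, '-' as NOT, and '|' as OR. It goes beyond the single dork above by also exercising '-', '|' and the net filter. The hostnames and IP addresses in RECORDS are constructed (documentation address ranges); the function names are assumptions for this example. Run over an organisation's own asset inventory, the same logic shows which of its hosts a given dork would surface.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample records (documentation IP ranges and made-up hostnames, not real hosts):
# the fields a banner index keeps for each open port it has seen.
RECORDS: List[Dict[str, object]] = [
    {"ip": "192.0.2.14", "port": 80, "hostname": "www.example-host.id", "country": "ID",
     "os": "Linux", "banner": "HTTP/1.0 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\n"},
    {"ip": "192.0.2.200", "port": 21, "hostname": "ftp.example-host.id", "country": "ID",
     "os": "Linux", "banner": "220 ProFTPD 1.3.1 Server ready.\r\n"},
    {"ip": "198.51.100.5", "port": 80, "hostname": "web.example-host.my", "country": "MY",
     "os": "Windows 2003", "banner": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"},
    {"ip": "203.0.113.20", "port": 23, "hostname": "rtr.example-host.my", "country": "MY",
     "os": "Cisco", "banner": "User Access Verification\r\nPassword: "},
]


def term_matches(term: str, rec: Dict[str, object]) -> bool:
    """Evaluate one term: a known filter:value pair, otherwise free text against the banner."""
    if ":" in term:
        name, value = term.split(":", 1)
        name = name.lower()
        if name == "country":
            return str(rec["country"]).upper() == value.upper()
        if name == "hostname":  # substring match, as the post describes
            return value.lower() in str(rec["hostname"]).lower()
        if name == "os":
            return value.lower() in str(rec["os"]).lower()
        if name == "port":
            return value.isdigit() and int(value) == rec["port"]
        if name == "net":  # single IP or CIDR range
            try:
                return ipaddress.ip_address(str(rec["ip"])) in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return False
    # Anything else (including phrases like "Server: foo") is free text matched in the banner.
    return term.lower() in str(rec["banner"]).lower()


def matches(query: str, rec: Dict[str, object]) -> bool:
    """'|' separates alternatives; inside one, '+'/bare terms must match and '-' terms must not."""
    tokens = shlex.split(query)  # keeps "quoted phrases" together as a single term
    alternatives: List[List[str]] = [[]]
    for tok in tokens:
        if tok == "|":
            alternatives.append([])
        else:
            alternatives[-1].append(tok)
    for group in alternatives:
        if not group:
            continue
        ok = True
        for tok in group:
            negate = tok.startswith("-")
            term = tok.lstrip("+-")
            if term and term_matches(term, rec) == negate:
                ok = False
                break
        if ok:
            return True
    return False


def search(query: str, records: List[Dict[str, object]] = RECORDS) -> List[str]:
    """Return the IPs of the records the query selects, in index order."""
    return [str(r["ip"]) for r in records if matches(query, r)]


if __name__ == "__main__":
    for q in ("apache +country:ID", "net:192.0.2.0/25", "proftpd port:21 | port:23"):
        print(q, "->", search(q))
```

Note that a filter name the evaluator does not know falls through to a banner substring match, which is why a quoted header fragment such as "Server: Microsoft-IIS" still works as a query term.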
Some other interesting keywords that should be tested:
  port:23 "list of the built-in commands" <- list backdoor
  telnet <- a vital service
  iis +4.0 <- old server :)
  lighttpd +php <- try their luck on a lighttpd service bug
  "cisco-ios" +port:80 <- cisco web interface
Some dorks that can be used:
  "Debian" ssh port:22
  "Joomla" http port:80
  "Microsoft" telnet port:23
  apache country:in port:80 hostname:.com
  server country:in port:80 hostname:.com
  debian country:in port:80 hostname:.com
  server country:in port:21 hostname:.com
  "Joomla" http port:80 hostname:.com
  IIS port:80 hostname:.com
  IIS 5 port:80 hostname:.com
  IIS 6 port:80 hostname:.com
  IIS 4 port:80 hostname:.com
  tomcat port:80 hostname:.com
  phpmyadmin port:80 hostname:.com
  "GIGASET" server port:80
  server port:21
  "Mysql" server port:80 hostname:.com
  "Sqlserver" server port:1433
  "Sql" server port:1433
  http://shodan.surtri.com/?q=cisco-IOS
  http://shodanhq.com/?q=IIS+4.0
  http://shodanhq.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718)
  http://shodanhq.com/?q=Fuji+xerox
  http://shodanhq.com/?q=JetDirect
  http://shodanhq.com/?q=port:23+%22list+of+the+built-in+commands%22
  http://shodanhq.com/?q=port%3A80+iisstart.html
  http://shodanhq.com/?q=Server:%20SQ-WEBCAM
  http://shodanhq.com/?q=Netgear
  http://shodanhq.com/?q=%22Anonymous+access+allowed%22
  http://shodanhq.com/?q=Golden+FTP+Server (REF: http://www.exploit-db.com/exploits/10258)
  http://shodanhq.com/?q=IIS+5.0 (REF: http://milw0rm.com/exploits/9541)
  http://shodanhq.com/?q=IIS+6.0
  http://shodanhq.com/?q=%22Server%3A+%22+iWeb+HTTP (REF: http://packetstormsecurity.org/0912-exploits/iweb-traversal.txt)
  http://shodanhq.com/?q=Wordpress
  http://shodanhq.com/?q=Joomla
  http://shodanhq.com/?q=Drupal
  http://shodanhq.com/?q=iPhone+Web+Server
  http://shodanhq.com/?q=FreeBSD
  http://shodanhq.com/?q=IPCop
  http://shodanhq.com/?q=IBM-HTTP-Server
  http://shodanhq.com/?q=barra_counter_session
  http://shodanhq.com/?q=BIGipServer
  http://shodanhq.com/?q=F5-TrafficShield
  http://shodanhq.com/?q=st8id
  http://shodanhq.com/?q=profense
  http://shodanhq.com/?q=X-dotDefender-denied
  http://shodanhq.com/?q=X-Cnection
  http://shodanhq.com/?q=nnCoection
  http://shodanhq.com/?q=Cneonction
  http://shodanhq.com/?q=PowerDNS (REF: http://www.securityfocus.com/bid/37650)
  http://shodanhq.com/?q=ADSL+port%3A80
  http://shodanhq.com/?q=Default+Password
  http://www.shodanhq.com/?q=%22X-Powered-By%3A%22+PHP
  http://www.shodanhq.com/?q=%22Sagem%22 (REF: http://www.exploit-db.com/exploits/11633)
  http://www.shodanhq.com/?q=vFTPd+1.31 (REF: http://www.exploit-db.com/exploits/11293)
  http://www.shodanhq.com/?q=KM-MFP-http (Thanks to: http://www.twitter.com/Motoma)
  http://www.shodanhq.com/?q=mod_antiloris (This does not work with PyLoris per Motoma).
  http://www.shodanhq.com/?q=X-Powered-By:W3%20Total%20Cache
  http://www.shodanhq.com/?q=port%3A161+SIMATIC
  http://www.shodanhq.com/?q=PLC
  http://www.shodanhq.com/?q=scada
  http://www.shodanhq.com/?q=bacnet
  http://www.shodanhq.com/?q=telemetry+gateway
So it is conceivable that, with Shodan around, a lot of servers will be compromised: an attacker no longer needs to look for targets one at a time and can even aim an attack at random victims. Shodan is likely to be the primary choice of pentesters at the information gathering stage, and of script kiddies and pranksters too.

 

