Shodan: There is Now an App for That

Wednesday, July 11, 2012

shawn merdinger


Shodan Overview

Since October, 2010, Shodan has consistently made waves in the information security world.

For a quick review, Shodan is a computer search engine; essentially a searchable database of pre-scanned IP addresses with service banners from various system services like Web servers, SNMP, Telnet and more.  

Like any security tool, Shodan can be leveraged by both malicious attackers and legitimate security operations to gain insights into the public IP exposure of an organization, and the results are often surprising.

Indeed, the DHS ICS-CERT has published multiple alerts directly referencing Shodan (and ERIPP) warning of the potential information gathering risks from malicious use of this resource and how misuse can pose threats to critical infrastructure like SCADA and ICS systems exposed on the public Internet.  

The following advisories have a Shodan focus, and several other ICS-CERT product vulnerability advisories directly mention Shodan as a threat multiplier:

In addition, many news articles and security conference presentations on Shodan's capabilities have helped to spread the word and have made Shodan an indispensable tool for penetration testing.  In fact, just last month Shodan was on the front page of the Washington Post.  

After a couple of years, Shodan is now mainstream.  My take on this is how I put it in a tweet - "Organizations not using Shodan by now should just go back to sleep..."

Enter the Shodan App

Given the popularity and capability of Shodan, it should come as no surprise for knowledgeable security folks that a Shodan App added to the iTunes store on 9 July, 2012 was developed by Erran Cary (currently doing an internship with Rapid7).  

Frankly, I was surprised that someone had not done this Shodan app sooner, but nonetheless it's a fine project and kudos to Erran for taking the initiative, and hopefully Rapid7 will be supportive of his Shodan app project.  And a tip o' the hat to Apple for approving the app due to Erran's persistence.

Shodan App ScreenshotDespite its coolness, from a pragmatic operational and penetration testing standpoint the Shodan app is not going to be my "go-to" means for executing Shodan queries.  

This is not because of the app in and of itself, but rather the testing platform and queries that I do for my style of research.  

I tend to use the Web-based and API scripted queries on a full computer rather than a iPhone/iPad for a number of reasons, but in a pinch or on-the-fly demo I'll be reaching for the Shodan app -- no question!

That said, I do not want to dismiss the value of the Shodan app.  

We need to keep in mind this is version 1.0 and I expect we will see further refinement of the app, and possibly more functionality, such as EIRPP queries (or perhaps a dedicated EIRPP app!).

I may have a few humble suggestions on how adding some other capabilities to the Shodan app could make this a more useful smartphone-based security tool.

Clearly, from an security awareness raising perspective the Shodan app is just the ticket to drive home the realities of how security tools and resources are becoming more portable and easier to use!

Possibly Related Articles:
Industrial Control Systems
SCADA Shodan Tools Penetration Testing Network Security Search Engine applications ICS-CERT Industrial Control Systems
Post Rating I Like this!
Bob Radvanovsky An application like this provides an invaluable set of tools for the 'good guys'. I see this as a 'win-win' insofar that this will allow security researchers, government and law enforcement, with capabilities that will assist them in efforts concerning the following: enumeration analysis, forensics management, correlation and pattern matching analysis, and more.

The fact is, as much as the news media wants to indicate that the 'bad guys' are utilizing SHODAN for potentially nefarious purposes, they seem to keep forgetting to include the 'good guys' (like you) who are performing research to protect our society's (no longer a single it's global, baby) cyber critical infrastructures.

This is a good tool to have at your disposal...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.