Shodan Dorking?
What is Shodan?
Shodan is your friend! Yeah, really! Okay, alright. As we have covered Google Dorking, I thought it would be good to cover Shodan today, as this is the search engine for us—I mean, for hackers. Unlike Google, which indexes websites, Shodan indexes and searches through devices. A few years back, I used to think that Shodan’s only use was for some IoT devices, and wondered why I would use it. I used it a little, and then I found out that there is way more to explore. I remember one talk on Shodan that was 1 hour long, and I was like, “Does this tool have this much power?” Well, this is a good topic to see—let’s cover it properly.
Target: MIT
I am so obsessed with MIT, maybe because they rejected me, lol, or maybe because I am still applying to it and have some friends over there. Most of my LinkedIn friends are from MIT, so in my free time, I research there, talk to them, and then sleep.
Shodan Dork!!!
Wow, Shodan also has dorks! Hell yeah! As it is a search engine after all, let’s cover it.
Step 1: Register
Open Shodan—I mean, search for Shodan on your favorite browser, sign up, and here is the link if you are lazy like me: Shodan.
Step 2: Basic Search
Search mit.edu or any target of your choice. I will go with this small university. In the search section, just type mit.edu. You will see 143 results—cool, right? And you will be amazed to see that you can view the ports too, and the country where the servers are based. Damn cool, right? I know xD. Your query will look like this: Search MIT.edu on Shodan.
Step 3: Find Something
Try to visit some of the results. For example, you will see https://18.7.88.92/ which is cool and has some hidden portals—there will be more there, so explore it.
Step 4: Your First Dork
Now you are ready to see the power, so use magic item number 1, the hostname: filter. If you have read my previous blog, you remember we used site: while doing Google Dorking. Here, we use hostname: instead. Let’s do hostname:mit.edu. Woah! What? Total Results: 16,827. Wow, you know what this means—we can get something, maybe we can see some professors’ private life (which I really do not want to see, haha), but all we need is some hidden cybersecurity papers.
Step 5: Ports and Ports
Now, as in Step 1, we talked about there being lots of ports and services, so let’s explore the ports with the port: dork. So here is your dork: hostname:mit.edu port:22. We are looking for SSH here. As the days go on, I would like you all to learn the ports. I don’t mean you have to learn all 65,000, lol, just some basic and important ones. For example, a basic Nmap scan covers the famous 100 ports. Have you ever thought of learning 100 ports? Well, there is also a trick to learning those ports, as they are categorized. I will talk about it another time. But look here, we got 1,792 results. I am not exploring further here right now—you can use port: with any port you like.
Step 6: Search for Service
Hmm, can you remember any famous service? I can think of many. The one I am so into is Apache, as I have read a very cool report from a researcher named Orange on Twitter—the guy is crazy. So let’s see how many of them are running Apache. The dork will be product:"Apache". The full dork will be hostname:"mit.edu" product:"Apache". 2,835 results. My eyes go to https://18.9.44.62/, but it seems like MIT removed the content. Haha, good for them, as I do not report bugs—I am too lazy to write reports. I just explore and put some on the xxxxxx.
Step 7: Find Services with SSL Certificates
If you have ever bought from or hacked on a big company’s site, you have noticed its certificate in the browser. I see it as a part of recon, and good hackers always check the correlation between the websites and their certificates. Sorry, I am not going to talk about certificates that much, but if I am correct, there is a free lab on PentesterLab for that—try it out. The dork is hostname:"mit.edu" ssl.cert.serial:. You will find 7,615 results. A tip for you: there is a login page where you can find an SQL injection (error-based)—have fun.
Step 8: Vulnerability Checking
The last thing I want to mention here is that you can check for vulnerabilities. Have you ever seen people crying for Shodan dorks in the comments when some hacker posts a CVE? Basically, they want to check the vulnerability for fun or just to explore, so you can do this: hostname:"mit.edu" vuln:"CVE-2017-5638". Unfortunately, I do not have an academic account as I am no longer a student, so if someone is willing to give me their account, send me a friend request on my Discord xfi1337.
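To turn the filters from Steps 4 to 8 into something repeatable, here is an added Python example (not from the original post) that composes and parses Shodan-style queries and summarises a result set by port, product, country and flagged CVE, the way a security team would inventory its own organisation's exposed services. The result field names (ip_str, port, product, hostnames, location.country_name, vulns) follow the Shodan API's search response; SAMPLE_MATCHES, its example.edu hostnames and its 192.0.2.x addresses are constructed; fetch_matches assumes the official shodan Python package and a SHODAN_API_KEY environment variable and is only needed when you run a live query.

```python
"""Compose Shodan filter queries and summarise what they return.

Added example for inventorying your own organisation's exposed services.
SAMPLE_MATCHES below is constructed data shaped like the "matches" list of
a Shodan API search response (keys ip_str, port, product, hostnames,
location, vulns); the IPs are RFC 5737 documentation addresses.
"""
import os
import re
import shlex
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Filter names look like hostname, port, product or ssl.cert.serial.
FILTER_KEY = re.compile(r"^[a-z][a-z0-9_.]*$")


def build_query(hostname: str, port: Optional[int] = None,
                product: Optional[str] = None, vuln: Optional[str] = None,
                extra: Optional[Dict[str, str]] = None) -> str:
    """Assemble a query from the filters used in Steps 4 to 8.

    String values are double-quoted so spaces (product:"Apache httpd") survive.
    """
    parts = [f'hostname:"{hostname}"']
    if port is not None:
        parts.append(f"port:{port}")
    if product:
        parts.append(f'product:"{product}"')
    if vuln:
        parts.append(f'vuln:"{vuln}"')
    for key, value in (extra or {}).items():
        parts.append(f'{key}:"{value}"')
    return " ".join(parts)


def parse_query(query: str) -> Dict[str, List[str]]:
    """Split a query back into filter -> values.

    shlex strips the quotes, so product:"Apache httpd" stays one token.
    Tokens without a filter prefix are collected under the key "text".
    """
    filters: Dict[str, List[str]] = {}
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if sep and FILTER_KEY.match(key):
            filters.setdefault(key, []).append(value)
        else:
            filters.setdefault("text", []).append(token)
    return filters


# Constructed sample results; not real Shodan data.
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 22, "product": "OpenSSH",
     "hostnames": ["ssh.example.edu"], "location": {"country_name": "United States"}},
    {"ip_str": "192.0.2.11", "port": 443, "product": "Apache httpd",
     "hostnames": ["www.example.edu"], "location": {"country_name": "United States"},
     "vulns": {"CVE-2017-5638": {"verified": False}}},
    {"ip_str": "192.0.2.11", "port": 80, "product": "Apache httpd",
     "hostnames": ["www.example.edu"], "location": {"country_name": "United States"}},
    {"ip_str": "192.0.2.12", "port": 22, "product": "OpenSSH",
     "hostnames": ["mirror.example.edu"], "location": {"country_name": "Germany"}},
    {"ip_str": "192.0.2.13", "port": 3306, "product": "MySQL",
     "hostnames": ["db.example.edu"], "location": {"country_name": "United States"}},
]


def summarise(matches: Iterable[dict]) -> dict:
    """Count exposed ports, products and countries, and list CVE-flagged services."""
    matches = list(matches)
    return {
        "ports": Counter(m["port"] for m in matches),
        "products": Counter(m.get("product", "unknown") for m in matches),
        "countries": Counter(m.get("location", {}).get("country_name", "unknown")
                             for m in matches),
        "flagged": sorted((m["ip_str"], m["port"], cve)
                          for m in matches for cve in m.get("vulns", {})),
    }


def unexpected_exposures(matches: Iterable[dict],
                         allowed_ports: Iterable[int]) -> List[Tuple[str, int, str]]:
    """Services on ports outside the allow-list: candidates for a firewall review."""
    allowed = set(allowed_ports)
    return sorted((m["ip_str"], m["port"], m.get("product", "unknown"))
                  for m in matches if m["port"] not in allowed)


def fetch_matches(query: str, api_key: Optional[str] = None) -> Tuple[int, List[dict]]:
    """Run the query live with the official 'shodan' package (pip install shodan).

    Needs network access and an API key (SHODAN_API_KEY); using search filters
    requires a paid or academic plan, as the post notes. Not called offline.
    """
    import shodan
    api = shodan.Shodan(api_key or os.environ["SHODAN_API_KEY"])
    result = api.search(query)
    return result["total"], result["matches"]


if __name__ == "__main__":
    print(build_query("mit.edu", port=22))
    report = summarise(SAMPLE_MATCHES)
    print("ports:", dict(report["ports"]))
    print("flagged:", report["flagged"])
    print("unexpected:", unexpected_exposures(SAMPLE_MATCHES, {22, 80, 443}))
```

The allow-list in unexpected_exposures is where the defensive value sits: anything Shodan can see on a port you did not expect (here the constructed MySQL listener on 3306) is something to take off the internet or at least explain, and the flagged list gives you the CVE-tagged hosts to check first.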
Step 9: There’s a lot more to talk about, but I am so doomed right now and I have to go because I have to cry in front of HRs, lol.