Fun with Shodan

[Garda]

I have been having a bit of fun with the search engine [url"http://www.shodanhq.com]Shodan[/url]. It was mentioned in this episode of Hak5 and in a few old discussions in these forums. Unlike other search engines it indexes technical information about services that run on the Internet. For example, it lets you search by web server type, or by strings in the headers sent when sessions are initiated.

For example, I was kind of interested to know if there are a lot of people with Internet facing instances of the http://www.rejetto.com/hfs/'>HFS web server. If you access a web server via telnet and ask for /index.html (I'm not 100% sure what the proper http command is to get the root web page, I need to look it up), you get a few http headers and then the start of the 404 error page. (see below)

 
garda@localhost:~$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /index.html
 
HTTP/1.1 404 Not Found
Content-Type: text/html
Accept-Ranges: bytes
Server: HFS 2.2f
 
<html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <style>

[Garda]

What is of interest here is the name of the server and the version. Searching on Shodan for the string "hfs 2.2f 200" gives all the open HFS servers on the Internet. There is even an API (I used Python, but there are other languages). The following will give back the same search but output it to output.txt. (You need to get an API key and download the Python module "pip install shodan" run as root was enough for me.

#!/usr/bin/env python
 
from shodan import WebAPI
 
apiKey = ""
api = WebAPI(apiKey)
 
try:
    allIP = []
    # Search shodan
    results = api.search("hfs 2.2f 200")
    for result in results["matches"]:
        allIP.append(result["ip"])
 
    f = open("output.txt", "w")
    for anIP in allIP:
        f.write("%s\n" % anIP)
    f.close()
    #print allIP
except Exception, e:
    print "Error:", e
 

[digip]

telnet sitename.com port#
GET / HTTP/1.1
HOST: sitename.com
\r\n\r\n

An http request needs a GET, the file or directory, in this case / or you could use index.htm, index.html, index.php, etc, depending on site and web server/software in use, and the type of HTTP request, in this case 1.1. You can also do HTTP/1.0 for older requests, or through proxies that only accept 1.0 through proxies and not 1.1.

Basic request types for web servers, are GET, HEAD, PUT, POST, OPTIONS, TRACE and CONNECT but you get put pretty much anything in place of GET for a get request, like FOO, and some web servers will treat it as a GET request.

[Garda]

Thanks, I also found the relevant RFC is RFC2616 and http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html'>Section 9 is the one that lists all of the request types. However, all I wanted was just enough to get the server to give me its headers. I found this Firefox addon listing headers as you visit a webpage, which I think can be quite useful.

[digip]

Yeah. You can do just a HEAD request as well, same as GET just replaced it with HEAD in the example I gave above, should work. \r\n\r\n is more or less just two carriage returns, and after it sees the second one with no more data, it assumes EOL it sent for the request and should send back the data. Just keep hitting return until you see the returned data(if it is a live web server) it will scroll by your screen. You can do similar with netcat to banner grab or any number of scripting languages too, including PHP forms to just grab HEAD requests from urls and specified ports.

Edited February 5, 2013 by digip