Search engines index Web sites on the Web so you can find them more efficiently. The same applies to devices with Internet connection. Shodan indexes devices such as webcams, printers, and even industrial controls into an easy-to-search database, so hackers worldwide can access vulnerable devices online. You can also search the database through the Web site or the command-line library.
Shodan has changed the way hackers create tools, as much of the target detection phase can be automated. Instead of having to search the entire Internet, hackers can enter the right search terms to get a comprehensive list of potential goals. With Shodan's Python library, hackers can quickly write Python scripts that list potential targets to which vulnerable devices connect at a specific time. Instead of searching through every page available on the web, you can enter a specific term into a search engine to get the most recent and relevant results. The same is true of connecting connected devices, and what you find online can surprise you!
The first thing you need to do is log in to the website or command line at shodanhq.com in a web browser. Although you can use Shodan without logging in, Shodan limits some of its features to only logged in users. For example, you can only view one page of search results without logging in. If you're signed in to a free account, only two pages of search results will be displayed. For the command line, you'll need your API key to perform some requests.
A In particular, a useful feature of Shodan is that you do not need to open a web browser to open it if you know your API key. To install Shodan you need a working Python installation. You can then enter the following in a terminal window to install the Shodan library.
~ $ pip install shodan Collect Shodan Download from https://files.pythonhosted.org/packages/22/93/22500512fd9d1799361505a1537a659dbcdd5002192980ad492dc5262717/shodan-1.14.0.tar.gz (46kB) 100% | ████████████████████████████████ | 51 kB 987 kB / s Prerequisite already met: XlsxWriter in /usr/lib/python2.7/dist-packages (by shodan) (1.1.2) Prerequisite already fulfilled: Click in /usr/lib/python2.7/dist-packages (by shodan) (7.0) Collect Click Plugins (by shodan) Download from https://files.pythonhosted.org/packages/e9/da/824b92d9942f4e472702488857914bdd50f73021efea15b4cad9aca8ecef/click_plugins-1.1.1-py2.py3-none-any.whl Requirement already met: colorama in /usr/lib/python2.7/dist-packages (by shodan) (0.3.7) Requirement already met: Requirements> = 2.2.1 in /usr/lib/python2.7/dist-packages (by shodan) (2.21.0) Building wheels for collective packaging: Shodan Runs setup.py bdist_wheel for shodan ... Filed in: /root/.cache/pip/wheels/fb/99/c7/f763e695efe05966126e1a114ef7241dc636dca3662ee29883 Shodan successfully built Install collected packages: click-plugins, shodan Successfully installed click-plugins-1.1.1 shodan-1.14.0
You can then view all available options -h to access the Help menu.
~ $ shodan -h Use: shodan [OPTIONS] COMMAND [ARGS] ... options: -h, --help View and exit this message. commands: alert Manage network alerts for your account convert Converts the specified input data file to another format. count Returns the number of results for a search Data mass data access to Shodan domain Show all available information for a domain download Download search results and save them in a compressed JSON ... honeyscore Check if the IP is a honey pot or not. Host View all available information for an IP address info Displays general information about your account init Initializes the Shodan command line myip Give out your external IP address org Manage your organization's access to Shodan parse Extracts information from compressed JSON files. Radar real-time map of some results, as Shodan finds them. Scan Scan an IP / Netblock with Shodan. search Searches the Shodan database Statistics Provide summary information about a search query stream stream data in real time. version Printable version of this tool.
These controls are pretty straightforward, but not all work without connecting them to your Shodan API key. Log into your Shodan account in a web browser and go to My Account where you will see your unique API key. Copy it and attach the key with the command init .
~ $ shodan init XXXXxxxxXXXXxxXxXXXXxxXxxxXXXXXX Successfully initialized
Step 3: Search for accessible webcams
There are many ways to find webcams on Shodan. Normally, using the name of the webcam maker or webcam server is a good place to start. Shodan indexes the information in the banner and not the content. If the manufacturer puts his name in the banner, you can search for it. Otherwise, the search is unsuccessful.
One of my favorites is webcamxp a webcam and network camera software developed for older Windows systems. Once you've entered this online into the Shodan search engine, links to hundreds, if not thousands, of web-enabled security cameras around the world will be retrieved.
Use the search option on the command line. (Results truncated below.)
~ $ shodan search webcamxp 81.133.███.███ 8080 ████81-133-███-███.in-addr.btopenworld.com HTTP / 1.1 200 OK r nConnection: Close r nContent Type: Text / HTML; charset = utf-8 r nConten t-Length: 7313 r nCache Control: No Cache, must be re-validated r nDate: Tue, 06 Aug 2019 21:39:29 GMT r nExpires: Tue, 06 Aug 2019 21:39:29 GMT Pragma: No Cache Server: webcamXP 5 r n 74.218.███.███ 8080 ████-74-218-███-██.se.biz.rr.com HTTP / 1.1 200 OK r nConnection: Close r nContent Type: Text / HTML; Content Length: 7413 Cache Control: No Cache, Must Be Validated Again Date: Wed, 07 Aug 2019, 14:22:02 GMT Runs: Wed, 07 Aug 2019 14:22:02 GMT Pragma: No Cache Server: WebcamXP 5 r n 208.83.██.205 9206 ████████████.joann.com HTTP / 1.1 704 t r nServer: Webcam XP. R n r n 115,135,185 8086 HTTP / 1.1 200 OK r nConnection: Close r nContent Type: Text / HTML; Content Length: 2192 Cache Control: No Cache, must be re-validated Date: Wed, 07 Aug 2019, 06:49:20 GMT Runs: Wed, 07 Aug 2019 06:49:20 GMT Pragma: No Cache Server: WebcamXP 5 r n 137.118.███.107 8080 137-118-███-███.wilkes.net HTTP / 1.1 200 OK r nConnection: Close r nContent Type: Text / HTML; Content Length: 2073 Cache Control: No Cache, Must Be Revalidated Date: Wed, 07 Aug 2019 12:37:54 GMT Run: Wed, 07 Aug 2019 12:37:54 GMT Pragma: No Cache Server: WebcamXP 5 r n 218.161.██.██ 8080 218-161-██-██.HINET-IP.hinet.net HTTP / 1.1 200 OK r nConnection: Close r nContent Type: Text / HTML; Content Length: 7431 r nCache Control: No Cache, Must Be Revalidated r nDate: Mon, 05 Aug 2019 18:39:52 GMT r nWorks: Mon, 05 Aug 2019 18:39:52 GMT Pragma: No Cache Server: WebcamXP 5 r n ... 92.78.██.██ 37215 ███-092-078-███-███.███.███.pools.vodafone-ip.de HTTP / 1.1 200 OK r nConnection: Close r nContent Type: Text / HTML; Content Length: 8163 r nCache Control: No Cache, Must Be Revalidated r nDate: Wed, 07 Aug 2019 05:17:22 GMT r nDrawn: Wed, 07 Aug 2019 05:17:22 GMT Pragma: No Cache Server: WebcamXP 5 r n 85.157.██.███ 8080 ████████.netikka.fi HTTP / 1.1 200 OK r nConnection: Close r nContent Type: Text / HTML; Content Length: 7947 Cache Control: No Cache, Must Be Validated Again Date: Wed, 07 Aug 2019 00:25:41 GMT Runs: Wed, 07 Aug 2019 00:25:41 GMT Pragma: No Cache Server: WebcamXP 5 r n 108.48.███.███ 8080 ████-108-48-███-███.washdc.fios.verizon.net HTTP / 1.1 401 Unauthorized r nConnection: close r nContent Length: 339 r nCache Control: No Cache, Must Be Validated Again r nDate: Tue, 06 Aug 2019 22:40:21 GMT r nExpires: Tue, 06 Aug 2019 22:17:21 GMT r nPragma: no-cache r nServer: webcamXP r nWWW Authentication: Basic Realm = "webcamXP" r nContent Type: text / html r n r n (END)
To finish the results, press Q on your keyboard. If you only want to display specific fields instead of everything, you can omit some information. First let's look at the search help page to see how the syntax works.
~ $ shodan search -h Usage: Shodan Search [OPTIONS]
Searches the Shodan database options: --color / --no-color --fields TEXT List of properties to be displayed in the search results. --limit INTEGER The number of search results to return. Maximum: 1000 --separator TEXT The separator between the properties of the search Results. -h, --help View and exit this message.
Unfortunately, the help page does not list all available fields that can be searched. However, Shodan's website contains a handy list (see below).
asn [String] The number of the autonomous system (eg "AS4837"). data [String] Contains the banner information for the service. ip [Integer] The IP address of the host as an integer. ip_str [String] The IP address of the host as a string. ipv6 [String] The IPv6 address of the host as a string. If this is the case, the fields "ip" and "ip_str" are not displayed. port [Integer] The port number on which the service is running. timestamp [String] The timestamp at which the banner was retrieved from the device in the UTC time zone. Example: 2014-01-15T05: 49: 56.283713 Hostname [String] An array of strings containing all the hostnames assigned to the IP address for this device. domains [String] An array of strings containing the top-level domains for the hostnames of the device. This is a utility property if you want to filter for TLD instead of subdomain. It's smart enough to handle multi-point global TLDs in the domain (for example, "co.uk"). location [Object] An object that contains all location information for the device. location.area_code [Integer] The area code for the location of the device. Only available for the USA. location.city [String] The name of the city in which the device is located. location.country_code [String] The two-letter country code for the device location. location.country_code3 [String] The three-digit country code for the device location. location.country_name [String] The name of the country where the device is located. location.dma_code [Integer] The specified market area code for the area where the device is located. Only available for the USA. location.latitude [Double] The latitude for geolocation of the device. location.longitude [Double] The length of the geolocation of the device. location.postal_code [String] The postal code for the location of the device. location.region_code [String] The name of the region where the device is located. opts [Object] Contains experimental and supplementary data for the service. This may include the SSL certificate, robots.txt, and other raw information that has not yet been included in the banner specification. org [String] The name of the organization to which the IP range for this device is assigned. isp [String] The ISP that provides the organization with the IP space for this device. Think of this as the "parent" of the organization in terms of IP ownership. os [String] The operating system used to operate the device. transport [String] Either "udp" or "tcp" to indicate which IP transport protocol was used to retrieve the information Optional features: Operating Time [Integer] The number of minutes that the device was online. link [String] The network connection type. Possible values are: Ethernet or Modem, General Tunnel or VPN, DSL, IPIP or SIT, SLIP, IPSec or GRE, VLAN, Jumbo Ethernet, Google, "GIF", "PPTP", "Loopback", "AX.25 radio modem". title [String] The title of the site as extracted from the HTML source. html [String] The raw HTML source for the website. product [String] The name of the product that generated the banner. version [String] The version of the product that generated the banner. Device Type [String] The device type (webcam, router, etc.). info [String] Various information extracted about the product. cpe [String] The relevant Common Platform Enumeration for the product or known vulnerabilities, if available. For more information about CPE and the official value dictionary, see the CPE dictionary. SSL properties: If the service uses SSL, e.g. HTTPS, the banner also contains a property named "ssl": ssl.cert [Object] The analyzed certificate properties that contain information about the time of issuance, the SSL extensions, the issuer, the subject, and so on. ssl.cipher [Object] Preferred encryption for the SSL connection ssl.chain [Array] An array of certificates, where each string is a PEM-encoded SSL certificate. This includes the user SSL certificate up to its root certificate. ssl.dhparams [Object] The Diffie-Hellman parameters, if available: prime, public_key, bits, generator, and an optional fingerprint if it knows which program generated these parameters. ssl.versions [Array] A list of SSL supported versions of the server. If a version is not supported, the value will be preceded by a "-". For example, ["TLSv1", "-SSLv2"] means that the server supports TLSv1, but SSLv2 does not.
So if we just want to show the IP address, port number, organization name, and host name for the IP address, we can use . –fields as such:
~ $ shodan search --fields ip_str, port, org, hostnames webcamxp 81.133.███.███ 8080 BT ████81-133-███-███.in-addr.btopenworld.com 74.218.███.██ 8080 Spectrum Business ████-74-218-███.se.biz.rr.com 208.83.██.███ 9206 Jo-Ann Stores, LLC ████████████.joann.com 115.135.██.██ 8086 TM Net 137.118.███. 8080 Wilkes Communications 137-118-███-███.wilkes.net 218.161.██.██ 8080 HiNet 218-161-██-██.HINET-IP.hinet.net ... 92.78.██.███ 37215 Vodafone DSL ███-092-078-███-███.███.███.pools.vodafone-ip.de 85.157.██.███ 8080 Elisa Oyj ████████.netikka.fi 108.48.███. 8080 Verizon Fios ████-108-48-███-███.washdc.fios.verizon.net (END)
Browse the results and find webcams you want to try. Enter the domain name in a browser and see if you can access it immediately. Here are a number of open webcams from different hotels in Palafrugell, Spain that I could access without any credentials:
Although It Can Be Entertaining And Exciting Watch voyeuristic about what's going on in front of these unprotected security cameras, without people all over the world noticing.
Although some of the webcams Shodan If you are unprotected, many of them require authentication. Use the default username and password for the security camera hardware or software to gain easy access. Below I've put together a short list of standard usernames and passwords for some of the most popular webcams.
- ACTi : admin / 123456 or Admin / 123456
- Axis (traditional) : root / pass
- Axis (new) : Requires password creation at first logon
- Cisco : No default password, requires first logon creation Login
- Grandstream : admin / admin
- IQinVision : root / system
- Mobotix : admin / meinsm
- Panasonic : admin / 12345
- Samsung Electronics : root / root or admin / 4321
- Samsung Techwin (old) : admin / 1111111
- Samsung Techwin (new) : admin / 4321
- Sony : admin / admin
- TRENDnet : admin / admin
- Toshiba : ro ot / ikwd
- WebcamXP : admin /
There's no guarantee that any of this will work, but many inattentive and lazy administrators just keep it the default settings. In these cases, the standard usernames and passwords for the hardware or software provide access to private and confidential webcams around the world.
Now that we know how to find webcams and sites, you may want to log in with the default usernames and passwords. Let's be more specific and try to find webcams in a specific geographic location. For example, if we were interested in Webcams of the manufacturer WebcamXP in Australia, we could find them by entering webcamxp country: AU in the search box on Shodan's website.
So how would we do an advanced? Search in the command line? Here's a quick list of some things you can search for in Shodan from the command line:
after: Search for things that are after a specific date after a timeout delimiter. asn: search for the number of the autonomous system. before: Search for a time frame delimiter for things before a certain date. City: Search for the city where the device is located. Country: Search for the country where the device is located (two-letter code). Device: Search by device or network name. Device type: Search for device type (webcam, router, etc.). domain: Searches an array of strings containing the top-level domains for the host name of the device. geo: Search for the coordinates where the device is located. hash: Search with the banner hash. has_screenshot: true Search for devices that have a screenshot. Host name: Search for the host name assigned to the IP address for the device. ip: Search for the IP address of the host as an integer. ip_str: Search for the IP address of the host as a string. ipv6: Search for the IPv6 address of the host as a string. ISP: Search for the ISP that provides the organization with the IP storage space for the device. link: Search by network connection type. Possible values are: Ethernet or Modem, General Tunnel or VPN, DSL, IPIP or SIT, SLIP, IPSec or GRE, VLAN, Jumbo Ethernet, Google, "GIF", "PPTP", "Loopback", "AX.25 radio modem". net: Filter by network range or IP in CIDR notation. port: Search devices by open ports / software. org: Search for devices on the network of a particular organization. os: Search for the operating system used to operate the device. Condition: Search for the state in which the device is located (two-letter code). title: Search for text within the title of the site as extracted from the HTML source.
So, if we were to search webcamxp country: AU directly on the site to do this from the command line, you would format it as follows. However, if you do not have a paid plan, you can not use the Shodan API to perform detailed searches as we try here. However, you can still perform an advanced search on the Shodan website with the usual restrictions for free users.
~ $ shodan search webcamxp country: AU ~ $ shodan Locator: webcamxp Country: AU
If you search the site for webcamxp country: AU a list of all WebcamXPs in Australia will be displayed that are web-enabled in the Shodan Index (see picture)
To be more specific, we can narrow our search to a single city. Let's see what we can find in Sydney, Australia, by typing webcamxp city: sydney in the search bar of the site. For the command line, it would look like one of the following commands – but it's a paid feature with the API.
~ $ shodan search webcamxp city: sydney ~ $ shodan search device: webcamxp city: sydney
On the Shodan website, the search results are as follows.
If we click on one of these links, we are in a backyard in Sydney, Australia!
With Shodan we can even search very closely for web-enabled devices. In some cases, we can specify the latitude and longitude of the devices we want to find.
In this case we are looking for WebcamXP cameras at latitude and longitude (-37.81, 144.96) of the city of Melbourne. Australia. In the search we get a list of all WebcamXP at these coordinates on the globe. We must use the keyword geo followed by latitude and longitude. So use in the search bar webcamxp geo: -37.81,144.96 . On the command line interface, which is a paid feature, it would look like this:
~ $ shodan search webcamxp geo: -37.81,144.96 ~ $ shodan search device: webcamxp geo: -37.81,144.96
If we can see that, only four WebcamXP cameras will be found on Shodan's website. Click on one, and we'll see that we once again have a private webcam view of a person's camera in their backyard in Melbourne, Australia.
The command line interface allows us to search for information on a host that is not available on the site. For example, we can execute the command shodan myip to print our external IP.
~ $ shodan myip 174.███.███.███
Once we know it, we can search Shodan for information by executing the command host .
~ $ shodan host 174.███ .██.███ 174.███.██.███ Hostnames: cpe-174-███-██-███.socal.res.rr.com Country: United States Organization: Spectrum Updated: 2019-08-02T23: 04: 59.182949 Number of open ports: 1 ports: 80 / tcp
Shodan is a Powerful Way to Discover Devices on the Internet
I hope this brief demonstration of the power of Shodan stimulates your imagination so that you can inventively find private webcams all over the world! If you are too impatient to track webcams on Shodan, you can access accessible webcams that you can view on a website like Insecam. For example, you can see all the WebcamXP cameras that contain pictures.
If you use Shodan or a simpler site like Insecam to view webcams, do not limit yourself to WebcamXP, but try each of the webcam manufacturers at a specific location and who knows what you'll find.
I hope you liked these instructions for using Shodan to detect compromised devices. If you have any questions or comments about this tutorial on how to use Shodan, contact me at Twitter @KodyKinzie .
Do not miss: Wi-Fi steal passwords with a nasty twin attack