Before we get into the tool itself, let us recall some theory. There are two types of reconnaissance — passive and active.
Passive reconnaissance means collecting information about a target from sources that are already publicly available on the Internet. When gathering information about a server this way, we never interact with it ourselves; connecting to it, for instance, would already be active reconnaissance. Someone else (a search engine, an Internet-wide scanner) may have contacted the server earlier, but nothing leaves our own network.
Active reconnaissance means direct contact with the target: we send packets to it, for example a port scan or an HTTP request. Tools that use active reconnaissance include nmap and WPrecon. Because those packets come from our own address, active reconnaissance can appear in the target's logs and trigger IDS alerts, so it should only be performed against systems we are authorised to test.
Not everything can be found with Google or Yahoo: they index the content of web pages, and although queries can be filtered, that is of little use when we are interested in the device behind the page rather than its content. Shodan is a search engine that focuses on exactly that, Internet-connected (IoT) devices. What can we find in it? Any networked device, including scanners, servers, and cameras, among others. Shodan's own scanners connect to Internet-facing devices, collect the banners the services return, and index them; when we search Shodan we read those stored results, so from our side the reconnaissance stays passive. This allows us to obtain information such as the server software and its version, open ports and the services behind them, TLS configuration, and other details useful in profiling the target.
Shodan provides search filters for narrowing results down to particular kinds of devices. You will find a few examples below; for the full list, we refer you here.
Pages that use Bootstrap:
Pages whose HTML code contains the word "Apache":
Sites vulnerable to CVE-2014-0160 (Heartbleed):
Sites supporting TLS 1.3:
Sites requiring an HTTPS connection:
For those with a free evening: at this link you can watch random images pulled straight from the search engine, set to retro music 🙂
In the linked repository you will find a tool that lets you use the Shodan search engine from the command line. For anything beyond basic use you will need an API key; the free tier is rate-limited and some filters (the vulnerability filter among them) require a paid or academic plan. Treat the key as a credential: keep it in an environment variable or the tool's own config file rather than typing it into the command line, where it would end up in shell history.
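As an added example (not part of the original post and not Shodan's own tooling), the script below puts the passive/active distinction and the API paragraph together: it extracts the kind of information described above (software, services, TLS versions, CVE flags) from a Shodan host record without sending a single packet, shows the active counterpart as a plain TCP banner grab, and only touches the Shodan API when a key is present in `SHODAN_API_KEY`. The host record is constructed here and only modelled on the shape of Shodan's host JSON (field names such as `data`, `product`, `ssl.versions` and `vulns`, and the leading `-` marking an unsupported TLS version, are assumptions to verify against the Shodan documentation); the IP is from the documentation range, not a real target.

```python
"""Passive recon from a Shodan host record vs. an active banner grab.

Added example code; not from the original article or from Shodan.
SAMPLE_HOST is a CONSTRUCTED record that mirrors the shape of a Shodan
host document (field names are assumptions based on the public API output).
"""
import json
import os
import socket

SAMPLE_HOST = {
    "ip_str": "192.0.2.10",  # documentation range (RFC 5737), not a real host
    "ports": [22, 80, 443],
    # one banner per observed service
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.9p1"},
        {"port": 80, "transport": "tcp", "product": "Apache httpd", "version": "2.4.52",
         "http": {"server": "Apache/2.4.52 (Ubuntu)"}},
        {"port": 443, "transport": "tcp", "product": "nginx", "version": "1.18.0",
         # assumption: Shodan prefixes versions the server rejected with "-"
         "ssl": {"versions": ["-SSLv3", "-TLSv1", "TLSv1.2", "TLSv1.3"]},
         # assumption: vulns is keyed by CVE id; "verified" is usually False
         "vulns": {"CVE-2014-0160": {"verified": False, "cvss": 5.0}}},
    ],
}


def summarize_host(host):
    """Passive: everything comes from Shodan's stored banners; no packet is
    sent to the host. Returns the fields a recon report would want."""
    banners = host.get("data", [])
    services = []
    for b in banners:
        software = " ".join(filter(None, [b.get("product"), b.get("version")]))
        services.append({"port": b["port"],
                         "transport": b.get("transport", "tcp"),
                         "software": software or "unknown"})
    tls_versions = set()
    for b in banners:
        for v in b.get("ssl", {}).get("versions", []):
            if not v.startswith("-"):      # keep only versions the server accepts
                tls_versions.add(v)
    cves = sorted({cve for b in banners for cve in b.get("vulns", {})})
    return {"ip": host.get("ip_str"), "services": services,
            "tls_versions": sorted(tls_versions), "cves": cves}


def has_cve(host, cve_id):
    """True if any banner is flagged with cve_id. Shodan infers most of these
    from version strings, so treat a hit as a lead to verify, not as proof."""
    return any(cve_id in b.get("vulns", {}) for b in host.get("data", []))


def grab_banner(ip, port, timeout=3.0):
    """Active: opens a TCP connection and reads whatever the service sends
    first. This IS visible to the target; only use it with authorisation."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(1024).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def live_host_lookup(ip):
    """Same summary, but from the real Shodan API. Needs the `shodan` package
    and SHODAN_API_KEY in the environment (never hard-code the key); returns
    None when either is missing so the script still runs offline."""
    api_key = os.environ.get("SHODAN_API_KEY")
    if not api_key:
        return None
    try:
        import shodan  # pip install shodan
    except ImportError:
        return None
    return summarize_host(shodan.Shodan(api_key).host(ip))


if __name__ == "__main__":
    print(json.dumps(summarize_host(SAMPLE_HOST), indent=2))
    print("Heartbleed flagged:", has_cve(SAMPLE_HOST, "CVE-2014-0160"))
    live = live_host_lookup(SAMPLE_HOST["ip_str"])
    print("live lookup:", "skipped (no API key / package)" if live is None else live)
```

Running it without a key prints only the offline summary; with `SHODAN_API_KEY` set and the `shodan` package installed it repeats the lookup against the live API. The point of the split is the one made above: `summarize_host` and `live_host_lookup` generate no traffic towards the target, while `grab_banner` does, and a CVE flag in the record is Shodan's version-based inference, which still has to be confirmed before it is reported.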
And for those of you who still want more, a handful of readings for the evening: