So I've talked a lot in the past about using Shodan, but probably never did an exact tutorial on Shodan and really explained what it was other than briefly in some of my videos. So that's what I decided to do. So Shodan is a search engine for the Internet of Things. The world's first search engine for internet-connected devices, to discover how internet intelligence can help make better decisions.

Now, the one thing about Shodan, and right away I realized some people didn't get it, I've seen it in my live stream, someone says, well, how do we block it? No, you don't block it. You're gonna get indexed by Shodan if you have publicly exposed services. And people know that many attack vectors can come from discovering these known services. So there is a thought process that, well, the Shodan systems are helping people discover it. I don't really have a number on how many bad actors versus good actors in the security community actually use Shodan. I know quite a few people, at least the people I know on the white hat side, definitely use it because it's an excellent tool. And I'm sure, yes, there are some bad actors that use it, but they're exposing the fact that you have something that's potentially a problem. And this comes up all the time because I, well, we just had an incident response with a client where we had to talk to him because, well, they called us and they thought that there was no possible way this person discovered the fact that RDP was on an odd port. And I'm like, oh yeah, Shodan can even find things not on common ports. Or anyone with a utility scanning the internet, and trust me, the bad actors are definitely doing that.

So back to Shodan here. So it's pretty reasonably priced. And I bring this up because you can use it for free just to do some basic discovery and look at a few things. But if you wanna do some of the more advanced stuff, like have it actively engaged in looking at IP addresses, it's really simple.
And I'm gonna do separate videos on how to set this up. But for example, $59 a month gets you a million results, 5,000 IPs per month in scanning. And what this does is you can actually make out your own list, build lists and say, monitor these IP addresses. Maybe they're ones you own, maybe they're ones your client owns, but you can have this system actively looking and letting you know if it discovers something on those addresses that wasn't there previously. You can for free dump in IP addresses, you just can't actively tell it when to scan them. And it does seem to scan them quite frequently, but if you want control over that, that's the paid version versus the free version. And of course you go higher when you go into the small business and corporate. And also, once you get into the basic one here, they have a command line version. So the command line version allows you to get things and information and script this all from the command line. It's easy to install, you add your API key and away you go. They limit just how many accesses you get for pulling things from there, but that's also gonna be a separate video on just running the command line and scripts related to it. So you get the idea.

But mostly you can, like I said, you can use this for free. Matter of fact, let's just open up shodan.io. So I'm not logged in, and this is for free. And if we type in, oh, I don't know, port 22. And then we'll click the first one here. You can right away jump in and say, okay, this person has port 22 and 1723 open. So you get the idea right away. You're like, okay, yes. Matter of fact, the first notion of this is PPTP, that's an old VPN protocol by Microsoft servers, weird that it's exposed, while also what appears to be Linux running SSH exposed, but you get the idea. You can start searching things right away with Shodan. Now, what else can we search for with Shodan? I got a couple examples pulled up so I can kind of show you how it works.
So they have a lot of information, a lot of getting started, a lot of how-tos on here. So obviously just go there. This is all free. You can just go there and do a lot of reading. They got a cheat sheet and show some of the filtering, but let's play with the results. So right here is what happens when you type in port 22. Now you can take different port numbers, port 22 being SSH, and let's try 25 because that's a mail server port for SMTP. So let's go that way. So we got 18 million results for SSH exposed, seven million results for this. Now what Shodan does when it's in here, let's open it in a new window, is it pulls not just that the port's open. A port scanner does that. It goes a little step further and pulls what they refer to as the banner to grab that information. So here we go. We know that this system, it lets you know once you click on one of these what else it has open. So 25, 53, 443. All right, what else is there? So UDP, this is probably their name server that they have exposed here. And then here is the Lightspeed HTTP keep up. So this is exposed as well. So all right, we have more information about this and you can start pivoting and going there.

Now by the way, you're doing this all passively because you're not actually connecting to them. And just so you know, and just so we're clear on this part of it, once you connect to any of these things, they are public facing, but that's where things can get fuzzy when it comes to legalities of stuff. Once you start connecting and then interacting with something, even though it is technically just exposed to the internet, sometimes these things are exposed by accident. This is something you should consider before you actively engage with it.

Now I have a couple other little things that we have here in Shodan that show you a few more advanced features. One, let's just look for exposed Ciscos with WWW-Authenticate. Why would we do this? Well, pretty simple.
We wanna see all the different things that have their Cisco exposed, as people constantly leave the web interface open for their routers. So this is just not a good idea. Testing purposes, OpenSSL, test intermediate. Okay, interesting. So we got this one, port 8080. All right, more things running there. What is this here? You gotta look through the headers. And by the way, looking through the headers is a big part of the security through obscurity thing people do. By looking at the headers, we can figure out what that port's doing even if it's not the normal port for that. This also shows the history of how many times it's been scanned. And like I said, if you do a paid account, you can force a scan of an IP address, but it will tell you this was scanned on the first 1127. So like every three days, four days, it gets hit with another scan. So you can get the idea and you can see the history of when this came online, when things may have changed and stuff like that. And that's what gives you a lot of information. Now this goes back to the command line. If you wanted to do differentials in the command line and pull this type of information, this is something else the paid account would get you.

Here's another thing that's just kind of, let's go into the fun side of this a little bit. Server: Canon HTTP server. Well, that pulls people who have decided to publicly expose their Canon servers to the internet. And why would you do that, Canon print servers? Like this is just a horrible idea. But people do it all the time and we've run into this many times. And people ask about how so much of this hacking goes on. Well, there's so much low hanging fruit. It was an exploit and we can actually search for this specifically. And I talked about this. It was for port 515, which is for printers. And 152,000 windows printer ports opened up here. And this is so you can send print jobs directly to printers.
We've seen this many times where people, I'm not sure, well, I kind of know why, I've actually seen people who do this because this is how they think they can send print jobs instead of through a VPN. And they're not wrong. You can simply send print jobs right to an IP address, to a printer, over the internet and unauthenticated. It happens a lot. So right here we have TFTP exposed, which is weird, UDP. Wow, we've got a Brother printer exposed. We have probably the control interface. Like I said, I'm not logging into it. Let's look at the banners here. 631 and printer job, no queue in printer. I'm sure occasionally someone just rattles something off to that printer and it probably prints it. And that's just, it's out there.

For those of you wondering if it's a honeypot, what is a honeypot? Well, it's a way to decide if, I'll show you real quick here, let me pull up the honeyscore. Nope, not a honeypot. A honeypot is a way of information gathering. You set up a fake printer on there and you're just kind of measuring the noise on the internet and figuring out who's trying to send what so you can do some reconnaissance work. But it's kind of funny. Shodan figures out who's running honeypots and who's not, so they give it a honeyscore and it looks like not a honeypot. Someone just has their printer in the Ozarks exposed right to the internet. So yeah, that's a mess.

What about port 3389? There's five million of these. Port 3389, if you're not familiar, is the port for RDP. People expose this all the time. Now this is where it's kind of cool because it can do screen scraping on this. So you can go through here, see all the ports open and it will do a screen grab of them. Let me just jump to a search where it does. So we'll just say, all right, if we do the search string \x03\x00\x00\x0b, et cetera, et cetera, you can see right here, this specifically looks for some of these that are running the remote desktop protocol, back to what I said about the ports.
Now the first one that scares me, and it's screen scraping these, by the way, I'm not interactively logging in but it takes care of this for you, is POSReady. Wow, that's scary. I've seen the POS here. In this particular box, a part of the indexing it did was mention potential CVEs. Now this is in no means the same as a full vulnerability scan, an external vulnerability scan of an IP address. But what it will do is it'll line up and say, hey, this is running Microsoft IIS 5.1, provided it's not patched, these are CVEs that we'll be finding there. It also looks for the version numbers and by searching for this specific remote desktop protocol, it's gonna find older versions that are probably vulnerable to BlueKeep and things like that. Doesn't mean they are not patched but I'm gonna probably go with, they're not patched based on some statistics here. But you kinda get the idea that we can now peruse and look for screens that are logged in and wow, Windows Embedded, Windows Embedded, Windows XP stuff. I mean, isn't this crazy? Windows Server 2008. Yeah, just tons of things on there.

Now the last one I'm gonna do for some kind of fun here is to show you the authentication disabled RFB 003.008. What does that do? Well, this is VNC and there was a whole list of vulnerabilities released talking about VNC, but who needs vulnerabilities when people have authentication disabled? And what they're probably relying on is giving VNC access to the screen and then relying on some other login, which is a terrible idea because sometimes you may log into that and well, now you would be able to not only see it but interact with it. So provided they have some interaction turned on, like who puts VNC on their Untangle? Well, this person did over here. They have, well, everything exposed including VNC and here's the screenshot from it and wow, I'm not gonna connect to it but obviously rebooting their firewall is, well, right there, it's a click away.
Granted, I know there's some secondary authentication Untangle has but you can see like this is a real problem for that. So yeah, there's so much you can do with this and like I said, people who don't get it, who are thinking about security the wrong way, have said things like, well, can't we just block Shodan from indexing my stuff? 'Cause I like leaving things insecure. That's a terrible idea because Shodan is just an easier way to do something that, forever, when we're doing something like an external vulnerability scan, we have tools like Nmap. We have tools that automate and index this. Shodan just consolidated this and made it easy. Not to mention Shodan has a massive amount of servers, not one server scanning the internet. It's a whole lot of them.

But as a defensive tool, it's really nice. So you can go through, put your list of IPs, just drop in your client IPs. If you wanna figure out if your clients have something exposed, we do this all the time, just to see, when we meet a new client, drop things in there. When they're an engaged client with us we set them up and we can monitor their IP addresses. Like I said, I'll get more in depth in another video but I wanted to give an intro to show what Shodan is. It's highly affordable, not to mention free for just basic scanning. You can just go to shodan.io. And if you're noticing in the header here I did put beta.shodan.io. I like the new interface. I've been trying it out. It works pretty well. But it's a great utility. They have an entire book you can get that has just a ton, a whole guide in here, for a really minimum price, $5 suggested price if you wanna pay more. But yeah, for $5 you can get a complete guide to Shodan. Also, if you have the paid account then you get all kinds of little things besides the Shodan CLI: Honeypot or Not, Shodan 3D, a complete guide to Shodan, a dashboard.
One of the other fun things is just this image stream of crawled devices that has its own Shodan image search, which is a lot of fun. And also, I'll click next once or twice but sometimes you have to blur things out because there'll just be people with their webcams open and maybe sharing something overly personal. It's just, yeah, it's amazing what comes on here and how many of these, oh gosh, that's bad. A bunch of people and users exposed there. You can just stumble across things. It's so much, there's so many targets out there exposed and that's, like I said, it leads to a lot of hacking. Maybe these people should start learning about these tools and finding if you're exposed, and also use it against yourself. See if you're exposed somewhere that you didn't realize, that you may have overlooked something. It's nice taking an external look at your equipment. I would recommend people do this from another address, looking at their office address, try to see what they have exposed, but the reality is it's out there, people are scanning. Shodan did consolidate and make it easier probably for the people with lesser skill to do this, but it's also a great defensive tool so you can do some infosec gathering and get an idea of something that you may have missed when you configured the firewall, if it's exposed, and it's a pretty reasonably priced product.

I have no affiliate links. I have no association with Shodan, so my endorsement of it is only because it's a great tool to use, not because I have anything to gain by telling you, other than sharing some knowledge and hoping that one of the people who's on here watches this and goes, oh, that's me. I should turn all that off because it really is a bad idea to have all this exposed, or maybe someone can convince, look at their own company and go, hey, you're on Shodan, you guys should probably fix this. So I'll leave links to Shodan and maybe a couple of the queries.
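The "let you know if it discovers something on those addresses that wasn't there previously" idea from the video, scripted over two host lookups, as an added example that is not code from the video or from Shodan: it assumes the host-lookup JSON shape (ip_str, ports, data[] with port/transport/product/data, optional vulns), and every record and value below is a constructed sample.

```python
"""Compare two Shodan host lookups of an address you own and flag new exposure.
Added example, not Shodan's own code. The record shape (ip_str, ports, data[],
optional vulns) is an assumption about Shodan's host JSON; values are constructed.
"""

# Constructed sample: the earlier lookup of a monitored address.
PREVIOUS = {
    "ip_str": "198.51.100.10",
    "ports": [22, 443],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_8.4"},
        {"port": 443, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK"},
    ],
}

# Constructed sample: a later lookup where RDP and an unauthenticated VNC appeared.
CURRENT = {
    "ip_str": "198.51.100.10",
    "ports": [22, 443, 3389, 5900],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_8.4"},
        {"port": 443, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK"},
        {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol", "data": "Remote Desktop Protocol\nNTLM Info"},
        {"port": 5900, "transport": "tcp", "product": "VNC", "data": "RFB 003.008\nauthentication disabled"},
    ],
    "vulns": ["CVE-PLACEHOLDER-1"],  # placeholder id; Shodan lists real CVE ids here
}

# The services you intended to expose on that address, as (transport, port).
ALLOWED = {("tcp", 22), ("tcp", 443)}

def services(record):
    """Map (transport, port) -> banner text for one host record."""
    return {(s["transport"], s["port"]): s.get("data", "") for s in record.get("data", [])}

def diff_exposure(previous, current, allowed):
    """Return what changed between two lookups and what breaks the allowlist."""
    prev, cur = services(previous), services(current)
    return {
        "new": sorted(k for k in cur if k not in prev),
        "gone": sorted(k for k in prev if k not in cur),
        "unexpected": sorted(k for k in cur if k not in allowed),
        # VNC banners that answer the RFB handshake and report no authentication.
        "vnc_no_auth": sorted(k for k, b in cur.items()
                              if b.startswith("RFB") and "authentication disabled" in b.lower()),
        "vulns": sorted(current.get("vulns", [])),
    }
```

Feed it the real host records for your own or a client's addresses (for instance the JSON the Shodan CLI or library returns) and alert on anything in "new", "unexpected" or "vnc_no_auth".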
It'll be a further discussion because I'm not sure how YouTube feels about this so I'll leave any further discussion on the forums for sure on this particular topic. Thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you wanna carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos that are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you and once again, thanks for watching and see you next time.