ACTIVITY 03: SHODAN RECON

Search engine for Internet-connected devices and IoT infrastructure

What is Shodan?

Shodan is a search engine for Internet-connected devices. Unlike Google, which indexes websites, Shodan scans the entire Internet and records what services and devices are running on every IP address - webcams, routers, servers, industrial control systems, and more.

Security researchers use Shodan to find exposed devices, assess network security postures, and discover vulnerable systems. It reveals what's publicly accessible on the Internet - often things that shouldn't be.

Quick Start: How to Use This Module

1. Learn Shodan search filters in the Field Manual
2. Copy queries and paste them into Shodan.io
3. Complete the Open Window challenge

Note: Shodan requires a free account. Some advanced filters require a paid membership, but basic searches are free.

FIELD MANUAL

// Search Filters

For Beginners: Shodan uses filters to narrow searches. Combine multiple filters (like port:80 country:US) for precise results. Always search ethically - viewing is research, accessing without permission is illegal.

Public Webcams

Find internet-connected camera feeds that are publicly accessible or using default credentials. Common in surveillance systems, traffic cameras, and consumer security cameras.

Use Case: Security audits, finding traffic cams, public feeds
webcamxp
product:"Hikvision"

Remote Desktop

Locate exposed Windows Remote Desktop Protocol (RDP) services. Port 3389 is the default for RDP. These should never be directly exposed to the Internet without VPN protection.

Use Case: Finding misconfigured RDP servers, security assessments
port:3389
has_screenshot:true

Industrial Control

Discover Modbus protocol devices (port 502) used in industrial automation, power plants, and manufacturing. These systems control physical processes and should be isolated from the Internet.

Use Case: Critical infrastructure research, ICS security audits
port:502
port:502 Modbus

Location Filter

Narrow searches to specific countries or cities using geographic filters. Essential for regional security assessments or finding devices in a target location.

Use Case: Regional research, geolocation-specific reconnaissance
country:AE city:"Dubai"
country:US city:"New York"

CVE Vulnerabilities

Search for devices affected by specific CVE (Common Vulnerabilities and Exposures) identifiers. Critical for finding unpatched systems vulnerable to known exploits.

Use Case: Vulnerability research, patch compliance audits, threat hunting
vuln:CVE-2019-0708
vuln:CVE-2021-44228 country:AE

Examples: CVE-2019-0708 (BlueKeep RDP), CVE-2021-44228 (Log4Shell)
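
Added example (not part of the original module): a small Python sketch that parses Field Manual style queries and runs them as exposure checks against an inventory of hosts you own, showing how combined filters are ANDed together. The record layout, field names, banners and IP addresses are constructed for illustration, and the exact-match logic is a simplification rather than Shodan's own matching.

```python
import shlex

# Constructed records for hosts you own; the field names are assumptions for
# this example, not Shodan's export schema. IPs are documentation ranges.
INVENTORY = [
    {"ip": "192.0.2.10", "port": 3389, "country": "US", "city": "New York",
     "vuln": ["CVE-2019-0708"], "has_screenshot": True, "banner": "Remote Desktop Protocol"},
    {"ip": "192.0.2.20", "port": 502, "country": "US", "city": "Chicago",
     "vuln": [], "has_screenshot": False, "banner": "Modbus/TCP unit 1"},
    {"ip": "192.0.2.30", "port": 443, "country": "AE", "city": "Dubai",
     "vuln": [], "has_screenshot": False, "banner": "HTTP/1.1 200 OK"},
]

# Queries taken from the Field Manual, used here as exposure checks.
CHECKS = {"rdp": "port:3389", "modbus": "port:502 Modbus",
          "bluekeep": "vuln:CVE-2019-0708", "nyc": 'country:US city:"New York"'}

def parse_query(query):
    """Split a query into (name, value) filters and free-text terms."""
    filters, terms = [], []
    for token in shlex.split(query):          # shlex keeps "New York" as one value
        name, sep, value = token.partition(":")
        if sep and name and value:
            filters.append((name.lower(), value))
        else:
            terms.append(token)
    return filters, terms

def matches(record, query):
    """True when every filter and every free-text term matches (filters are ANDed)."""
    filters, terms = parse_query(query)
    for name, value in filters:
        field = record.get(name)
        if isinstance(field, bool):           # e.g. has_screenshot:true
            ok = field == (value.lower() == "true")
        elif isinstance(field, list):         # e.g. vuln:CVE-...
            ok = value.lower() in [v.lower() for v in field]
        else:                                 # port, country, city (None never matches)
            ok = field is not None and str(field).lower() == value.lower()
        if not ok:
            return False
    banner = record.get("banner", "").lower()
    return all(term.lower() in banner for term in terms)

def audit(inventory, checks):
    """Map each check name to the IPs in the inventory that match its query."""
    return {name: [r["ip"] for r in inventory if matches(r, q)]
            for name, q in checks.items()}

if __name__ == "__main__":
    for name, ips in audit(INVENTORY, CHECKS).items():
        print(f"{name}: {ips}")
```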

ACTIVE MISSION

LIVE RECON

🖥️ The Forgotten Desktop

YOUR MISSION: While researching exposed Remote Desktop servers, I stumbled upon something interesting in Abu Dhabi. There's a Windows login screen visible online showing a user profile. Can you find this exposed RDP server and identify the name displayed on the login screen?

Hint: Look for Remote Desktop Protocol (RDP) services with screenshots in Abu Dhabi.

CRITICAL WARNING: Viewing publicly indexed devices on Shodan is legal research. Attempting to access, log in, or interact with these systems without authorization is illegal and prosecutable. This is for educational reconnaissance only.