Using Shodan to fingerprint… Shodan

So some people have devoted effort to finding the IPs that Shodan scans from, and there are various out-of-date lists floating around, like this one.

Now, I'm dubious about the rationale for this: blocking the scanner doesn't make you any less vulnerable, it just makes it a bit harder for the lazy to find you.

But nonetheless, how would one approach the problem? You could build the list up by running a set of honeypots and looking at scan behaviour, user-agents and so on; you could probably come up with a unique fingerprint. But they likely spread the scanning across multiple IPs, and those IPs probably change over time, which makes this a tricky endeavour.

Hmm, what to do? Well, what if we used the Shodan API itself? It turns out lots of services banner out who connected to them. SMTP is a great example: Microsoft's ESMTP service answers EHLO with a line that echoes the connecting client's address, and the banner Shodan stores is whatever the server said to Shodan's own crawler. If we use the Shodan API and search port 25, we'll see things like:

220 DC2011.assfalg.local Microsoft ESMTP MAIL Service ready at Wed, 6 Dec 2017 03:34:48 +0100
250-DC2011.assfalg.local Hello [19.3.254.105]
250-SIZE
...

Well, that was easy: there's one now. Just going down the list, lots of them pop out, probably all of them. One caveat: the bracketed address is the peer as the mail server saw it, so a server sitting behind a relay or proxy echoes that relay's address rather than the crawler's.
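To show the extraction step concretely, here is an added example (not code from the original post) that parses SMTP EHLO greetings and pulls out the echoed client address. It assumes the input is the raw banner text Shodan stores for each port-25 match (its `data` field); the banners below are constructed with documentation-range addresses (RFC 5737 and RFC 3849) rather than real scanner IPs, and the Sendmail-style "pleased to meet you" line is included to show the pattern generalises beyond the Microsoft ESMTP greeting on the page.

```python
"""Pull the connecting-client address out of SMTP EHLO greeting text.

Added example, not from the original post. Exchange answers EHLO with a line
like "250-host Hello [a.b.c.d]", echoing the address of whoever connected.
In a Shodan banner, "whoever connected" is the Shodan crawler (or a relay in
front of the server), so collecting these across many port-25 results gives a
candidate list of crawler source addresses.
"""
import ipaddress
import re
from collections import Counter

# Bracketed peer address in an EHLO greeting. Handles both
#   "250-mx.example.test Hello [203.0.113.7]"                  (Exchange)
#   "250-mx.example.test Hello rdns.name [203.0.113.7], ..."   (Sendmail)
#   "250-mx.example.test Hello [IPv6:2001:db8::1]"             (Exchange, v6)
HELLO_RE = re.compile(
    r"^250-\S+ Hello (?:[^\s\[]+ )?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]",
    re.MULTILINE,
)

# Addresses that can only mean "a relay in front of the server", not an
# external scanner. Listed explicitly rather than via ip_address().is_global,
# because is_global also rejects the documentation ranges used in the sample.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def extract_peer(banner: str):
    """Return the echoed peer address from one banner, or None.

    None is returned when there is no Hello line (Postfix, for instance, does
    not echo the client), when the bracketed text is not a valid address, or
    when the address is internal and therefore belongs to a relay, not the
    scanner that hit the server from outside.
    """
    m = HELLO_RE.search(banner)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if any(addr in net for net in _INTERNAL):
        return None
    return str(addr)


def scanner_candidates(banners):
    """Count how often each external peer address appears across banners.

    Feed this the `data` field of every match from a Shodan port:25 search;
    an address that recurs across many unrelated mail servers is the crawler.
    """
    hits = Counter()
    for banner in banners:
        peer = extract_peer(banner)
        if peer:
            hits[peer] += 1
    return hits


# Constructed sample banners using documentation-range addresses; the real
# one quoted in the post has the same shape with live addresses.
SAMPLE_BANNERS = [
    "220 mx1.example.test Microsoft ESMTP MAIL Service ready at Wed, 6 Dec 2017 03:34:48 +0100\r\n"
    "250-mx1.example.test Hello [198.51.100.9]\r\n250-SIZE\r\n",
    "220 mx2.example.test ESMTP\r\n250-mx2.example.test Hello [198.51.100.9]\r\n",
    # Behind an internal relay: the echoed address is RFC 1918 and is ignored.
    "220 mx3.example.test ESMTP\r\n250-mx3.example.test Hello [10.0.0.5]\r\n",
    # Exchange's IPv6 literal form.
    "220 mx4.example.test ESMTP\r\n250-mx4.example.test Hello [IPv6:2001:db8::1]\r\n",
    # No client echo at all (Postfix default): nothing is extracted.
    "220 mx5.example.test ESMTP Postfix\r\n250-mx5.example.test\r\n250-PIPELINING\r\n",
    # Sendmail style, with a reverse-DNS name before the bracket.
    "220 mx6.example.test ESMTP Sendmail\r\n"
    "250-mx6.example.test Hello crawler.example [203.0.113.77], pleased to meet you\r\n",
]

if __name__ == "__main__":
    for ip, count in scanner_candidates(SAMPLE_BANNERS).most_common():
        print(f"{ip}\t{count}")
```

Running it on the samples ranks 198.51.100.9 first with two hits; the RFC 1918 address and the Postfix banner contribute nothing. Against real Shodan output the useful signal is exactly that ranking: an address seen once could be anyone who happened to connect, one seen across hundreds of unrelated servers is the crawler.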

You could scrape this daily! But then it would start an arms race: Shodan would respond (maybe) by poisoning their database, putting in e.g. your customers' IPs over the top; you'd block them and go out of business.

So on second thought, let sleeping dogs lie!
