There is a search engine called SHODAN.
It was once referred to as an "IoT search engine"; it is a service that lets you search for devices exposed on the Internet.
https://www.shodan.io/
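When you open the site you will see a search box; enter keywords such as an IP address or a port number to search.
Note: it may be a trap, so even if you find a device that looks vulnerable, do not casually access it.
【Example: finding Internet-connected printers with no password set】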
printer password is not set
【Example: finding Internet-connected devices in Japan with telnet open】
country:"JP" port:23
【Example: finding Anonymous FTP servers in Japan】
country:"JP" Anonymous FTP
【Example: finding Windows PCs (excluding Windows Server) in Japan with port 445 open to the Internet】
port:445 country:"JP" OS:"Windows" country:"JP" !OS:"Server"
【Example: searching for devices with a known vulnerability (e.g. CVE-2019-0708)】
vuln:CVE-2019-0708
Note: not available with a free account.
【Example: searching for Onion addresses (v2/v3)】
"Onion-Location"
【References】
Number of IoT devices connected in Japan (IPA)
https://www.ipa.go.jp/security/iot/20170417.html
Improper information exposure by the growing number of Internet-connected devices, and countermeasures (IPA)
https://www.ipa.go.jp/files/000052712.pdf
Summary of Exchange Server vulnerabilities and observations on SHODAN (Macnica Networks)
https://blog.macnica.net/blog/2020/06/exchangeserver-shodan.html
Assorted search engines for OSINT
https://ninoseki.github.io/2018/12/03/osint-search-engine.html
-Added 2020/7/11-
【Example: investigating dark web IP addresses】
-Added 2020/8/26-
【Example: looking up a specific domain (certificate common name)】
-Added 2020/9/1-
【Example: searching by IP】
net:115.165.122.0/24
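A defensive use of the `net:` filter is to review what has been recorded for your own address range. The following is an added example, not code from the original post: it triages records shaped like Shodan search results (the `ip_str`, `port` and `data` fields) against the conditions searched for earlier on this page. The sample records, the `192.0.2.0/24` range and the rule labels are constructed for illustration.

```python
import ipaddress

# Constructed sample records shaped like entries of the "matches" list in a
# Shodan search result (fields ip_str, port, data). Addresses come from the
# RFC 5737 documentation ranges; the banners are invented, not scan data.
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 23, "data": "login: "},
    {"ip_str": "192.0.2.11", "port": 21,
     "data": "220 FTP ready\r\n230 Anonymous user logged in"},
    {"ip_str": "192.0.2.12", "port": 445, "data": "SMB (constructed banner)"},
    {"ip_str": "192.0.2.13", "port": 443, "data": "HTTP/1.1 200 OK"},
    {"ip_str": "192.0.2.14", "port": 9100, "data": "Printer password is not set"},
    {"ip_str": "198.51.100.7", "port": 23, "data": "login: "},
]

# Each rule mirrors one search shown on this page: (label, predicate).
RULES = [
    ("telnet exposed (port:23)", lambda r: r["port"] == 23),
    ("SMB exposed (port:445)", lambda r: r["port"] == 445),
    ("anonymous FTP", lambda r: r["port"] == 21 and "anonymous" in r["data"].lower()),
    ("printer without password", lambda r: "password is not set" in r["data"].lower()),
]

def triage(matches, own_net):
    """Return {ip: [rule labels]} for records inside own_net that hit a rule."""
    net = ipaddress.ip_network(own_net)
    findings = {}
    for m in matches:
        try:
            ip = ipaddress.ip_address(m["ip_str"])
        except (KeyError, ValueError):
            continue  # skip malformed records instead of aborting the review
        if ip not in net:
            continue  # out of scope: not an address we are responsible for
        rec = {"port": m.get("port"), "data": m.get("data") or ""}
        hits = [label for label, pred in RULES if pred(rec)]
        if hits:
            findings.setdefault(str(ip), []).extend(hits)
    return findings

if __name__ == "__main__":
    for ip, hits in sorted(triage(SAMPLE_MATCHES, "192.0.2.0/24").items()):
        print(ip, "->", ", ".join(hits))
```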
-Added 2021/3/16-
【List of search filters】
filter | desc. |
---|---|
asn | The Autonomous System Number that identifies the network the device is on. |
before | Only show results that were collected before the given date (dd/mm/yyyy). |
city | Show results that are located in the given city. |
country | Show results that are located within the given country. |
geo | There are 2 modes to the geo filter: radius and bounding box. ex: geo:50,50,100. or geo:10,10,50,50. |
hash | Hash of the "data" property |
has_ipv6 | If "true" only show results that were discovered on IPv6. |
has_screenshot | If "true" only show results that have a screenshot available. |
hostname | Search for hosts that contain the given value in their hostname. |
isp | Find devices based on the upstream owner of the IP netblock. |
link | Find devices depending on their connection to the Internet. |
net | Search by netblock using CIDR notation; ex: net:69.84.207.0/24 |
org | Find devices based on the owner of the IP netblock. |
os | Filter results based on the operating system of the device. |
port | Find devices based on the services/ ports that are publicly exposed on the Internet. |
postal | Search by postal code. |
product | Filter using the name of the software/ product; ex: product:Apache |
state | Search for devices based on the state/ region they are located in. |
version | Filter the results to include only products of the given version; ex: product:apache version:1.3.37 |
bitcoin.ip | Find Bitcoin servers that had the given IP in their list of peers. |
bitcoin.ip_count | Find Bitcoin servers that return the given number of IPs in the list of peers. |
bitcoin.port | Find Bitcoin servers that had IPs with the given port in their list of peers. |
bitcoin.version | Filter results based on the Bitcoin protocol version. |
http.component | Name of web technology used on the website |
http.component_category | Category of web components used on the website |
http.html | Search the HTML of the website for the given value. |
http.html_hash | Hash of the website HTML |
http.status | Response status code |
http.title | Search the title of the website |
ntp.ip | Find NTP servers that had the given IP in their monlist. |
ntp.ip_count | Find NTP servers that return the given number of IPs in the initial monlist response. |
ntp.more | Whether or not more IPs were available for the given NTP server. |
ntp.port | Find NTP servers that had IPs with the given port in their monlist. |
ssl | Search all SSL data |
ssl.alpn | Application layer protocols such as HTTP/2 ("h2") |
ssl.chain_count | Number of certificates in the chain |
ssl.version | Possible values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 |
ssl.cert.alg | Certificate algorithm |
ssl.cert.expired | Whether the SSL certificate is expired or not; True/ False |
ssl.cert.extension | Names of extensions in the certificate |
ssl.cert.serial | Serial number as an integer or hexadecimal string |
ssl.cert.pubkey.bits | Number of bits in the public key |
ssl.cert.pubkey.type | Public key type |
ssl.cipher.version | SSL version of the preferred cipher |
ssl.cipher.bits | Number of bits in the preferred cipher |
ssl.cipher.name | Name of the preferred cipher |
telnet.option | Search all the options |
telnet.do | The server requests the client to support these options |
telnet.dont | The server requests the client to not support these options |
telnet.will | The server supports these options |
telnet.wont | The server doesn't support these options |