Search engines index web pages so you can find them more efficiently, and the same is true for internet-connected devices. Shodan indexes devices such as cameras, webcams, printers, and even industrial control devices into an easy-to-search database, giving hackers access to vulnerable devices online globally. You can query this database through the website or the command-line library.
Shodan changed the way hackers’ tools were built, as it allowed a large portion of the target detection phase to be automated. Instead of needing to scan the entire internet, hackers can enter the right search terms to get a huge list of potential targets. Shodan’s Python library allows hackers to quickly write Python scripts to find potential targets.
Finding vulnerable devices is similar to trying to find all the pages on the internet about a particular topic. Instead of searching every available page on the web yourself, you type specific terms into a search engine to get the most relevant results.
How to Find Vulnerable Cameras Using Shodan
Step 1: Login to Shodan
First, whether using the web or the command line, you need to log in to shodan.com on a web browser. Although you can use Shodan without logging in, Shodan restricts some features for users who are not logged in. For example, you can only view one page of search results without logging in, and only two pages of search results when you sign in to a free account. For the command line, you will need your API Key to make some requests.
Step 2: Set up Shodan via Command Line (Optional)
A particularly useful feature of Shodan is that you don’t need to open a web browser to use it if you know your API Key. To install Shodan, you need to have Python first. Then you can enter the following command in the cmd window to install the Shodan library.
~$ pip install shodan
Collecting shodan
Downloading https://files.pythonhosted.org/packages/22/93/22500512fd9d1799361505a1537a659dbcdd5002192980ad492dc5262717/shodan-1.14.0.tar.gz (46kB)
100% |████████████████████████████████| 51kB 987kB/s
Requirement already satisfied: XlsxWriter in /usr/lib/python2.7/dist-packages (from shodan) (1.1.2)
Requirement already satisfied: click in /usr/lib/python2.7/dist-packages (from shodan) (7.0)
Collecting click-plugins (from shodan)
Downloading https://files.pythonhosted.org/packages/e9/da/824b92d9942f4e472702488857914bdd50f73021efea15b4cad9aca8ecef/click_plugins-1.1.1-py2.py3-none-any.whl
Requirement already satisfied: colorama in /usr/lib/python2.7/dist-packages (from shodan) (0.3.7)
Requirement already satisfied: requests>=2.2.1 in /usr/lib/python2.7/dist-packages (from shodan) (2.21.0)
Building wheels for collected packages: shodan
Running setup.py bdist_wheel for shodan ... done
Stored in directory: /root/.cache/pip/wheels/fb/99/c7/f763e695efe05966126e1a114ef7241dc636dca3662ee29883
Successfully built shodan
Installing collected packages: click-plugins, shodan
Successfully installed click-plugins-1.1.1 shodan-1.14.0
You can then view all available commands with the -h option, which brings up the help menu.
~$ shodan -h
Usage: shodan [OPTIONS] COMMAND [ARGS]...
Options:
-h, --help Show this message and exit.
Commands:
alert Manage the network alerts for your account
convert Convert the given input data file into a different format.
count Returns the number of results for a search
data Bulk data access to Shodan
domain View all available information for a domain
download Download search results and save them in a compressed JSON...
honeyscore Check whether the IP is a honeypot or not.
host View all available information for an IP address
info Shows general information about your account
init Initialize the Shodan command-line
myip Print your external IP address
org Manage your organization's access to Shodan
parse Extract information out of compressed JSON files.
radar Real-Time Map of some results as Shodan finds them.
scan Scan an IP/ netblock using Shodan.
search Search the Shodan database
stats Provide summary information about a search query
stream Stream data in real-time.
version Print version of this tool.
These commands are pretty simple, but not all of them will work until you connect the tool to your Shodan API Key. In a web browser, log in to your Shodan account, then go to “My Account” where you will see your unique API Key. Copy it, then use the init command to connect the Key.
~$ shodan init XXXXxxxxXXXXxxXxXXXxXxxXxxxXXXxX
Successfully initialized
Step 3: Find accessible Cameras
There are many ways to find cameras on Shodan. Usually, you can use the name of the camera manufacturer or camera server. Shodan indexes the information in the banner, not the content, which means if the manufacturer puts their name in the banner, you can search for it. Otherwise, the search will be fruitless.
One of my favorites is webcamxp, a webcam and network camera software designed for older Windows systems. After typing this into the Shodan search engine, it brings up links to hundreds, if not thousands, of web-enabled security cameras around the world.
To do this from the command line, use the search command. (Results below have been truncated.)
~$ shodan search webcamxp
81.133.███.███ 8080 ████81-133-███-███.in-addr.btopenworld.com
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7313\r\nCache-control: no-cache, must revalidate\r\nDate: Tue, 06 Aug 2019 21:39:29 GMT\r\nExpires: Tue, 06 Aug 2019 21:39:29 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
74.218.███.██ 8080 ████-74-218-███-██.se.biz.rr.com
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7413\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 14:22:02 GMT\r\nExpires: Wed, 07 Aug 2019 14:22:02 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
208.83.██.205 9206 ████████████.joann.com
HTTP/1.1 704 t\r\nServer: webcamXP\r\n\r\n
115.135.██.185 8086
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 2192\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 06:49:20 GMT\r\nExpires: Wed, 07 Aug 2019 06:49:20 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
137.118.███.107 8080 137-118-███-███.wilkes.net
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 2073\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 12:37:54 GMT\r\nExpires: Wed, 07 Aug 2019 12:37:54 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
218.161.██.██ 8080 218-161-██-██.HINET-IP.hinet.net
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7431\r\nCache-control: no-cache, must revalidate\r\nDate: Mon, 05 Aug 2019 18:39:52 GMT\r\nExpires: Mon, 05 Aug 2019 18:39:52 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
...
92.78.██.███ 37215 ███-092-078-███-███.███.███.pools.vodafone-ip.de
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 8163\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 05:17:22 GMT\r\nExpires: Wed, 07 Aug 2019 05:17:22 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
85.157.██.███ 8080 ████████.netikka.fi
HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 7947\r\nCache-control: no-cache, must revalidate\r\nDate: Wed, 07 Aug 2019 00:25:41 GMT\r\nExpires: Wed, 07 Aug 2019 00:25:41 GMT\r\nPragma: no-cache\r\nServer: webcamXP 5\r\n\r\n
108.48.███.███ 8080 ████-108-48-███-███.washdc.fios.verizon.net
HTTP/1.1 401 Unauthorized\r\nConnection: close\r\nContent-Length: 339\r\nCache-control: no-cache, must revalidate\r\nDate: Tue, 06 Aug 2019 22:40:21 GMT\r\nExpires: Tue, 06 Aug 2019 22:17:21 GMT\r\nPragma: no-cache\r\nServer: webcamXP\r\nWWW-Authenticate: Basic realm="webcamXP"\r\nContent-Type: text/html\r\n\r\n
(END)
To exit the results, press Q on your keyboard. If you only want to see certain fields instead of everything, there are ways to omit some unnecessary information. First, see how to use it by looking at the help page.
~$ shodan search -h
Usage: shodan search [OPTIONS] <search query>
Search the Shodan database
Options:
--color / --no-color
--fields TEXT List of properties to show in the search results.
--limit INTEGER The number of search results that should be returned.
Maximum: 1000
--separator TEXT The separator between the properties of the search
results.
-h, --help Show this message and exit.
Unfortunately, the help page doesn’t list all of the available fields you can search, but Shodan’s website has a very useful list.
Properties:
asn [String] The autonomous system number (ex. "AS4837").
data [String] Contains the banner information for the service.
ip [Integer] The IP address of the host as an integer.
ip_str [String] The IP address of the host as a string.
ipv6 [String] The IPv6 address of the host as a string. If this is present then the "ip" and "ip_str" fields won't be.
port [Integer] The port number that the service is operating on.
timestamp [String] The timestamp for when the banner was fetched from the device in the UTC timezone. Example: "2014-01-15T05:49:56.283713"
hostnames [String[]] An array of strings containing all of the hostnames that have been assigned to the IP address for this device.
domains [String[]] An array of strings containing the top-level domains for the hostnames of the device. This is a utility property in case you want to filter by TLD instead of subdomain. It is smart enough to handle global TLDs with several dots in the domain (ex. "co.uk")
location [Object] An object containing all of the location information for the device.
location.area_code [Integer] The area code for the device's location. Only available for the US.
location.city [String] The name of the city where the device is located.
location.country_code [String] The 2-letter country code for the device location.
location.country_code3 [String] The 3-letter country code for the device location.
location.country_name [String] The name of the country where the device is located.
location.dma_code [Integer] The designated market area code for the area where the device is located. Only available for the US.
location.latitude [Double] The latitude for the geolocation of the device.
location.longitude [Double] The longitude for the geolocation of the device.
location.postal_code [String] The postal code for the device's location.
location.region_code [String] The name of the region where the device is located.
opts [Object] Contains experimental and supplemental data for the service. This can include the SSL certificate, robots.txt and other raw information that hasn't yet been formalized into the Banner Specification.
org [String] The name of the organization that is assigned the IP space for this device.
isp [String] The ISP that is providing the organization with the IP space for this device. Consider this the "parent" of the organization in terms of IP ownership.
os [String] The operating system that powers the device.
transport [String] Either "udp" or "tcp" to indicate which IP transport protocol was used to fetch the information
Optional Properties:
uptime [Integer] The number of minutes that the device has been online.
link [String] The network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem".
title [String] The title of the website as extracted from the HTML source.
html [String] The raw HTML source for the website.
product [String] The name of the product that generated the banner.
version [String] The version of the product that generated the banner.
devicetype [String] The type of device (webcam, router, etc.).
info [String] Miscellaneous information that was extracted about the product.
cpe [String] The relevant Common Platform Enumeration for the product or known vulnerabilities if available. For more information on CPE and the official dictionary of values visit the CPE Dictionary.
SSL Properties:
If the service uses SSL, such as HTTPS, then the banner will also contain a property called "ssl":
ssl.cert [Object] The parsed certificate properties that includes information such as when it was issued, the SSL extensions, the issuer, subject etc.
ssl.cipher [Object] Preferred cipher for the SSL connection
ssl.chain [Array] An array of certificates, where each string is a PEM-encoded SSL certificate. This includes the user SSL certificate up to its root certificate.
ssl.dhparams [Object] The Diffie-Hellman parameters if available: "prime", "public_key", "bits", "generator" and an optional "fingerprint" if we know which program generated these parameters.
ssl.versions [Array] A list of SSL versions that are supported by the server. If a version isn't supported the value is prefixed with a "-". Example: ["TLSv1", "-SSLv2"] means that the server supports TLSv1 but doesn't support SSLv2.
So if we just want to see the IP address, port number, organization name and hostnames for each result, we can use --fields like this:
~$ shodan search --fields ip_str,port,org,hostnames webcamxp
81.133.███.███ 8080 BT ████81-133-███-███.in-addr.btopenworld.com
74.218.███.██ 8080 Spectrum Business ████-74-218-███-██.se.biz.rr.com
208.83.██.███ 9206 Jo-ann Stores, LLC ████████████.joann.com
115.135.██.███ 8086 TM Net
137.118.███.███ 8080 Wilkes Communications 137-118-███-███.wilkes.net
218.161.██.██ 8080 HiNet 218-161-██-██.HINET-IP.hinet.net
...
92.78.██.███ 37215 Vodafone DSL ███-092-078-███-███.███.███.pools.vodafone-ip.de
85.157.██.███ 8080 Elisa Oyj ████████.netikka.fi
108.48.███.███ 8080 Verizon Fios ████-108-48-███-███.washdc.fios.verizon.net
(END)
Go through the results and find the camera you want to try. Type their domain name into the browser and see if you get instant access. Here is a bunch of open cameras from different hotels in Palafrugell, Spain that I can access without any login information:
While it can be fun and exciting to see what’s going on in front of these unprotected security cameras without the knowledge of the rest of the world, you’re probably looking for more specific cameras.
Try default Username and Passwords
While some of the cameras Shodan found are usually unprotected, many will require authentication. To try to get access without too much effort, try the default username and password for the camera manufacturers. I’ve compiled a short list of default usernames and passwords for some of the most widely used webcams below.
- ACTi: admin/123456 or Admin/123456
- Axis (traditional): root/pass
- Axis (new): requires password creation during first login
- Cisco: No default password, requires creation during first login
- Grandstream: admin/admin
- IQinVision: root/system
- Mobotix: admin/meinsm
- Panasonic: admin/12345
- Samsung Electronics: root/root or admin/4321
- Samsung Techwin (old): admin/1111111
- Samsung Techwin (new): admin/4321
- Sony: admin/admin
- TRENDnet: admin/admin
- Toshiba: root/ikwd
- Vivotek: root/
- WebcamXP: admin/
There is no guarantee that any of the above will work, but many sloppy and lazy administrators will leave the default settings as they are. In those cases, the default username and password will grant you access to secret and private cameras around the world.
Step 4: Find Cameras by Country
Now that we know how to find the cameras and have the ability to log into them with the default username and password, we will go into more detail and try to find webcams in a specific geographical location. For example, if I’m interested in webcams from the manufacturer WebcamXP in Australia, I can find them by typing webcamxp country:AU into the Shodan search box.
So how are we going to do the advanced search in the command line? Here’s a quick list of some of the things you can search for in Shodan via the command line:
after: Search by a timeframe delimiter for things after a certain date.
asn: Search by the autonomous system number.
before: Search by a timeframe delimiter for things before a certain date.
city: Search by the city where the device is located.
country: Search by the country where the device is located (two-letter code).
device: Search by the device or network's name.
devicetype: Search by the type of device (webcam, router, etc.).
domain: Search an array of strings containing the top-level domains for the hostnames of the device.
geo: Search by the coordinates where the device is located.
hash: Search by the banner hash.
has_screenshot:true Search for devices where a screenshot is present.
hostname: Search by the hostname that has been assigned to the IP address for the device.
ip: Search by the IP address of the host as an integer.
ip_str: Search by the IP address of the host as a string.
ipv6: Search by the IPv6 address of the host as a string.
isp: Search by the ISP that is providing the organization with the IP space for the device.
link: Search by the network link type. Possible values are: "Ethernet or modem", "generic tunnel or VPN", "DSL", "IPIP or SIT", "SLIP", "IPSec or GRE", "VLAN", "jumbo Ethernet", "Google", "GIF", "PPTP", "loopback", "AX.25 radio modem".
net: Filter by network range or IP in CIDR notation.
port: Find devices based on the open ports/ software.
org: Search for devices that are on a specific organization’s network.
os: Search by the operating system that powers the device.
state: Search by the state where the device is located (two-letter code).
title: Search by text within the title of the website as extracted from the HTML source.
If you want to search for webcamxp country:AU directly from the command line, use the commands below. However, if you’re not on a paid plan, you can’t use the Shodan API to do detailed searches like I’m doing here. But you can still perform an advanced search on Shodan’s website, with occasional restrictions for free users.
~$ shodan search webcamxp country:AU
~$ shodan search device:webcamxp country:AU
On the website, searching for webcamxp country:AU will bring up a list of every WebcamXP in Australia that is web-enabled in Shodan’s index.
Step 5: Search Webcam from a city
To be more specific, we can narrow our search down to an individual city. Let’s see what we can find in Sydney, Australia, by typing webcamxp city:sydney into Shodan’s search bar. For the command line, it would be the following commands, but this is a paid feature.
~$ shodan search webcamxp city:sydney
~$ shodan search device:webcamxp city:sydney
On the Shodan website, here are the results.
When we click on one of these links, we will see the camera in Sydney, Australia.
Step 7: Shodan from Command Line
One thing we can do from the Command Line that we can’t do from the web is look up information on the server. For example, we can run the command shodan myip to output our external IP.
~$ shodan myip
174.███.██.███
Once we know that, we can find information on Shodan by running the host command.
~$ shodan host 174.███.██.███
174.███.██.███
Hostnames: cpe-174-███-██-███.socal.res.rr.com
Country: United States
Organization: Spectrum
Updated: 2019-08-02T23:04:59.182949
Number of open ports: 1
Ports:
80/tcp
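The same self-check can be run over banner records for address space you own. This added example is not code from the original article: it reads the ip_str, port, org and data properties listed earlier, keeps only hosts inside your own netblocks, and reports whether each HTTP banner shows an authentication challenge. The records, the netblock and the function names are constructed for illustration, using documentation-reserved addresses.

```python
import ipaddress

# Constructed sample banners using the properties listed in this article
# (ip_str, port, org, data); addresses are documentation-reserved ranges.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 8080, "org": "Example Org",
     "data": "HTTP/1.1 200 OK\r\nConnection: close\r\n"
             "Content-Type: text/html; charset=utf-8\r\nServer: webcamXP 5\r\n\r\n"},
    {"ip_str": "192.0.2.77", "port": 8080, "org": "Example Org",
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: webcamXP\r\n"
             "WWW-Authenticate: Basic realm=\"webcamXP\"\r\n\r\n"},
    {"ip_str": "198.51.100.5", "port": 8086, "org": "Someone Else",
     "data": "HTTP/1.1 200 OK\r\nServer: webcamXP 5\r\n\r\n"},
    {"ip_str": "192.0.2.200", "port": 9206, "org": "Example Org",
     "data": "HTTP/1.1 704 t\r\nServer: webcamXP\r\n\r\n"},
]

# Assumption: the netblocks your organisation owns (hypothetical value).
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_http_banner(data):
    """Split a raw HTTP banner into (status_code, lower-cased header dict)."""
    head = data.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(banner):
    """Label a banner by what the HTTP response says about authentication."""
    status, headers = parse_http_banner(banner.get("data", ""))
    if status == 401 or "www-authenticate" in headers:
        return "auth-required"
    if status is not None and 200 <= status < 300:
        return "no-auth-challenge"
    return "needs-review"  # odd status lines, redirects, errors


def audit(banners, own_networks):
    """Return findings only for hosts inside networks you own."""
    findings = []
    for b in banners:
        addr = ipaddress.ip_address(b["ip_str"])
        if not any(addr in net for net in own_networks):
            continue  # out of scope: not our address space
        _, headers = parse_http_banner(b.get("data", ""))
        findings.append((b["ip_str"], b["port"],
                         headers.get("server", "unknown"), classify(b)))
    return findings


if __name__ == "__main__":
    for ip, port, server, verdict in audit(SAMPLE_BANNERS, OWN_NETWORKS):
        print(f"{ip}:{port}  {server:<12} {verdict}")
```

A "no-auth-challenge" finding on your own range is the case to fix first: put the camera behind authentication or take it off the public internet.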
Shodan is a powerful way to discover devices on the network
I hope this short article about Shodan will stimulate your imagination about the creative ways you can find private cameras anywhere in the world. Remember, illegally entering other people’s cameras is breaking the law. Instead, try to notify the owner so they can take remedial measures.
In addition, you can also check out Shodan Eye – A tool to collect information about all Internet-connected devices here.