A lot of people prefer to avoid the terminal and instead want a user-friendly web interface to manage their server. So to determine which solution is the most popular Shodan has started to crawl the Internet for cPanel (2082, 2083), WHM (2086, 2087) and Webmin (10000)! The banners are all fairly standard HTTP(S) responses so I won’t show those, but lets take a look at who runs what and how they compare.
The majority of devices are located in the United States (117,000) followed by Canada (9,000) and the United Kingdom (7,000). So cPanel is definitely way more popular in the US than anywhere else. And it’s especially popular at the hosting provider Unified Layer, which is responsible for 21,000 of those US installations.
There are fewer Webmin instances on the Internet than cPanel, but the distribution of them is wider across the globe; i.e. it’s not as US-centric as cPanel. The US still leads with 38,000 instances, but not that much more compared to the following countries France (11,400) and Germany (11,000). In terms of hosting providers though there is once again a standout: OVH. Their organization accounts for roughly 10,000 of the installed Webmin instances.
Web Host Manager (WHM)
WHM is a bit different in that it is the software to manage cPanel accounts. This effectively gives us a measurement of which devices are being used by re-sellers. Unsurprisingly, the distribution of devices in terms of countries and organizations is very similar to cPanel. US with 97,000 devices, followed by Canada (9,000) and the UK (7,000) once again.
Call for Ports
Am I missing some ports or services? Is there something you’d like to see Shodan crawl? Then let me know and send me an email (email@example.com) or tweet at me (@achillean) with the ports that you’d like me to add!
As some of you have already seen, I’ve been working on a revamped version of Shodan. It already has some cool new enhancements over the current shodanhq.com website, such as support for CSV and JSON exports, prettier search listing, faster results, better integration with Shodan Exploits/ Maps and a lot of small tweaks to make life easier.
The latest feature that I’m adding is Shodan Reports:
To get a feel for what I’m talking about, please check out the following example report on Industrial Control Systems:
A report is a snapshot and overview of the search results at the time of report creation. At the moment, it creates a bunch of charts/ graphs for breakdowns on: location, organization, operating system, product, hostname and many more (see the developer documentation for a list of all facets). The purpose for reports is 3-fold:
- Pretty Overview That You Can Share
You should be able to get a basic feel for the devices in the search results just from looking at the report. And if you’re interested in the details, you can perform a live search to get a listing of actual results. Reports are meant to be accessible!
- Tracking Results Over Time
As mentioned earlier, reports are snapshots of the search results as Shodan sees them at the moment. You can create reports every few months to see how things are changing over time (this might actually be built into Shodan Reports as well)
The old shodanhq.com website has bookmarks (there’s a small star icon at the top of the search results) but it was rarely used and didn’t offer much that browser bookmarks didn’t. I’m hoping that these reports will provide a prettier bookmarking mechanism that’s also more useful!
Alright, you’re sold on reports and want to give it a shot yourself – here is how.
- Login to Shodan and perform a search. For example: Webcams
- Click on “Create Report” and give your report a title such as “Webcams of the World”
- You will be redirected to the page that will list all your reports
- Now just wait a few minutes for Shodan to generate your report, you will receive an email when it’s done! Once it’s ready, you can follow the link and you should see something like:
- And you can always find a list of all the reports you’ve generated by clicking on the chart icon in the top right corner
I created it because I needed a friendlier way to share search results and I got tired of manually generating my charts for blog posts 🙂 It’s very simple and straight-forward to create reports so give it a try and let me know what you think!
Up until now, if you’ve wanted to answer questions like “which version of Apache is most popular?” or “what FTP software is most common?” you had to run several Shodan queries and compile them into a list yourself. It wasn’t hugely prohibitive, but I thought Shodan could make it easier since that’s a common problem people are looking at. Introducing Shodan’s new fingerprinting for product and version! In addition to grabbing the banner for a service, Shodan now also tries to determine what type of product/ software is running the service and extract the version information when available. And to provide a top-level view of this new data, I’m exposing 2 new categories that are shown on the left side of the search results page: Top Products and Top Versions.
Above you can see how it looks like on the website at the moment. In the example, I’ve searched for “port:22” on Shodan and as you can tell there’s now a breakdown of the most popular SSH daemons. Note that not the entire Shodan dataset has been analyzed for fingerprints yet, so the total number is on the lower bound. Once you click on a product (which triggers the use of the new product search filter) then you will see a version breakdown as follows:
The fingerprints aren’t available yet for all services, but more are being added constantly. I’m very excited about having these sorts of breakdowns available at a glance and I’ll be looking into adding more features to make analyzing the data easier.
The main purpose of Scanhub is to provide an easy way to create a search engine out of raw network scans. Nmap is the most common and famous tool for such a job, but there are some new kids on the block that fill a different niche and Masscan is the first of the new breed of scanning tools that Scanhub now supports thanks to the help from @andrewsmhay. Masscan provides a fast way to scan the entire Internet on your own and with Scanhub you can make that data searchable for yourself and others. The only thing to note is that the XML from Masscan isn’t as full-featured as an Nmap scan, so you won’t be seeing as much summary information as you would if you uploaded an Nmap XML file (i.e. no breakdown of operating systems, domains, traceroutes and fewer banners). That being said, to get started with Scanhub + Masscan simply set your Masscan tool to output in XML format using -oX scan.xml and upload that file to your Scanhub repository.
A long time ago, I added the ability to share search queries with other people by adding them to the Search Directory. It’s developed into the easiest way to get started with finding devices, especially when it comes to locating some of the more obscure things on the Internet. Since launch, people have shared close to 1,000 different queries through the directory and it just keeps on growing. Unfortunately, that has made it near impossible to navigate all the queries and the only ones people paid attention to were the most popular and most recent. To solve that problem I’m introducing the new ability to search the directory:
On the right side of the screen there’s a new input box that will let you search the directory. There’s not much more to it than typing in the type of device you’re looking for and seeing whether anybody else has already been able to find it for you. For example, here are some search queries to locate wind farms through Shodan:
I hope this will make somebody’s life easier, let me know what you think!