How a Shodan Search Found 50,000 Exposed Industrial Control Systems

In 2012, researcher Kyle Wilhoit ran a series of Shodan searches targeting industrial control systems — power grids, water treatment plants, factory automation. He found over 50,000 internet-connected ICS devices, many running with default credentials or no authentication at all.

These weren't obscure findings. One search returned the control panel for a French hydroelectric dam. Another found HVAC systems for a major US data centre. All of it on the public internet, all of it indexed by Shodan, all of it accessible to anyone with the right search query.

WHAT SHODAN FINDS THAT GOOGLE DOESN'T

GOOGLE: Google crawls pages
SHODAN: Shodan scans ports — it talks directly to servers on every port, reads whatever they respond with

GOOGLE: Google needs HTTP
SHODAN: Shodan speaks every protocol — SSH, FTP, MongoDB, Redis, Elasticsearch, RDP, Telnet, industrial protocols

GOOGLE: Google indexes content
SHODAN: Shodan indexes banners — the first thing a server says when you connect to it, revealing software, version, config

GOOGLE: Google follows robots.txt
SHODAN: Shodan ignores everything — it scans the entire IPv4 internet continuously regardless of any permission settings

The bug bounty angle

For bug bounty hunting, Shodan answers the questions no other tool does: Is there a MongoDB port open on any of Critbook's IPs? Did they leave Redis exposed without a password? Is there a development server running on an unusual port that Subfinder didn't find?
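
An added example (not part of the original lesson) of triaging banner records for the data-store exposures described above, limited to address ranges you are authorised to assess. The record fields `ip_str`, `port` and `data` follow Shodan's banner format; the sample records, the port map and the scope list are constructed for illustration.

```python
import ipaddress

# Default ports for data stores the lesson names (mapping assumed for this example).
DATASTORE_PORTS = {27017: "MongoDB", 6379: "Redis", 9200: "Elasticsearch"}

def in_scope(ip, scope_cidrs):
    """True if ip falls inside one of the networks you are authorised to assess."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in scope_cidrs)

def redis_auth_state(banner_text):
    """Classify a Redis banner: with a password set, the server answers -NOAUTH."""
    if "-NOAUTH" in banner_text:
        return "password required"
    if "redis_version:" in banner_text:  # INFO was answered without credentials
        return "NO AUTHENTICATION"
    return "unknown"

def triage(records, scope_cidrs):
    """Return sorted (ip, port, service, note) tuples for in-scope data-store banners."""
    findings = []
    for rec in records:
        service = DATASTORE_PORTS.get(rec["port"])
        if service is None or not in_scope(rec["ip_str"], scope_cidrs):
            continue  # not a data-store port, or outside the authorised scope
        if service == "Redis":
            note = redis_auth_state(rec["data"])
        else:
            note = "exposed, auth not determined"
        findings.append((rec["ip_str"], rec["port"], service, note))
    return sorted(findings)

# Constructed sample records using documentation address ranges, not real hosts.
SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 6379, "data": "# Server\r\nredis_version:6.2.6\r\n"},
    {"ip_str": "203.0.113.11", "port": 6379, "data": "-NOAUTH Authentication required.\r\n"},
    {"ip_str": "203.0.113.12", "port": 27017, "data": "MongoDB Server Information"},
    {"ip_str": "203.0.113.13", "port": 443, "data": "HTTP/1.1 200 OK"},
    {"ip_str": "198.51.100.7", "port": 6379, "data": "# Server\r\nredis_version:5.0.3\r\n"},
]
SCOPE = ["203.0.113.0/24"]  # constructed in-scope range

if __name__ == "__main__":
    for finding in triage(SAMPLE, SCOPE):
        print(finding)
```

The out-of-scope Redis host at 198.51.100.7 is dropped even though its banner shows no authentication, which is the check that keeps the triage inside the programme's scope.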

1. What makes Shodan fundamentally different from Google for security research?