Matthew's InfoSec Blog

January 13, 2020

Using Shodan Monitor for IT Asset Awareness

Note: Shodan Monitor requires an .edu email address or a paid account.

Are you responsible for the security of a network or a subnet? Simply understanding which devices are connected to your IP space can be a challenge. Beyond knowing what each of those devices is, understanding which services should be running on each device vs. which services are actually running, and how those services might be vulnerable to attack, is an even greater challenge.

Shodan is an excellent tool for surfacing some of the hidden truths about the networks we’re meant to defend. Through periodic service discovery and banner grabbing, Shodan offers a searchable repository of the world’s internet-connected devices.

At first, many network defenders may be disturbed by seeing their attack surface laid bare to the public. And it’s true that the moment exploit code for a widespread vulnerability is publicly released, unsophisticated cyber actors (skids) will use services like Shodan to enumerate vulnerable devices and start attacking them. While easy access to lists of vulnerable devices is a boon to less-sophisticated cybercriminals, your devices are going to be vulnerable regardless of whether Shodan indexes them, and more sophisticated cyber actors will use homegrown scanning tools to find and attack them anyway. Security through obscurity is an ineffective paradigm.

Shodan Monitor

Periodically querying Shodan is good practice to aid in understanding your network from an attacker's perspective. To augment this capability, Shodan released a network monitoring feature that allows you to enter your CIDR blocks and receive customizable alerts when Shodan finds something of interest in your network space.

Port exposure map for one of UW's Class-B CIDR blocks using Shodan Monitor

The monitoring feature is limited to paid accounts, but if you sign up using an .edu email address you will receive a free upgrade to an Educational account with greatly expanded access to the Shodan platform, including network monitoring for up to a whopping 131,072 IP addresses.

Shodan Educational plan API credit overview including monitoring credits

Enrolling Your Assets

To sign up, head over to https://monitor.shodan.io/networks (after creating an account) and enter the CIDR blocks you’re interested in. You may also enter any of your domains, but be aware of how domains are tracked. Shodan Monitor will enumerate subdomains for your given domain, resolve their IP addresses, and then send you alerts on new findings for those IPs. You may receive superfluous alerts for your domains that utilize shared hosting.

Configuring Alerts

After entering your assets to be monitored, you can configure your desired alert triggers and notification targets. I tend to keep all of the triggers ticked.

Overview of alert trigger conditions

You can set custom notification services on the settings page, with several options including email and Slack.

Overview of notification service options

Receiving Alerts

Now, every time Shodan learns something new about an asset you told it to watch that matches the triggers you set, you will get a real-time notification sent to the services you indicated (Shodan re-scans at least every 30 days). Sit back, and watch the alerts roll in! You might learn something new about your IP space.
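Alerts are only useful once you compare them against what each block is supposed to expose. The check below is an added example (not code from this post or from Shodan): it takes banner records in the shape Shodan returns for a host (`ip_str`, `port`, `transport`, `product`; the sample values are constructed), a hypothetical per-CIDR baseline of expected services, and reports services outside that baseline plus hits on IPs outside the enrolled blocks, the kind of superfluous finding a shared-hosting domain produces.

```python
import ipaddress

# Constructed sample banners. The keys mirror Shodan host records, but every
# value is made up for this example (RFC 5737 documentation ranges).
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "192.0.2.10", "port": 22, "transport": "tcp", "product": "OpenSSH"},
    {"ip_str": "192.0.2.10", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
    {"ip_str": "192.0.2.77", "port": 161, "transport": "udp", "product": "SNMP"},
    # Resolved from a monitored domain on shared hosting: not in any enrolled block.
    {"ip_str": "203.0.113.5", "port": 80, "transport": "tcp", "product": "Apache httpd"},
]

# Hypothetical baseline: CIDR blocks as entered in Shodan Monitor, mapped to the
# (port, transport) pairs that are expected to be reachable from the internet.
EXPECTED = {
    "192.0.2.0/24": {(443, "tcp"), (22, "tcp")},
}


def triage(banners, expected=EXPECTED):
    """Split banners into unexpected services on enrolled hosts and out-of-scope IPs."""
    networks = {ipaddress.ip_network(cidr): allowed for cidr, allowed in expected.items()}
    unexpected, out_of_scope = [], set()
    for banner in banners:
        ip = ipaddress.ip_address(banner["ip_str"])
        service = (banner["port"], banner["transport"])
        # First enrolled block containing this IP, or None if it is outside all of them.
        block = next((net for net in networks if ip in net), None)
        if block is None:
            out_of_scope.add(banner["ip_str"])
        elif service not in networks[block]:
            unexpected.append(
                (banner["ip_str"], banner["port"], banner["transport"], banner.get("product", ""))
            )
    return {"unexpected": unexpected, "out_of_scope": sorted(out_of_scope)}


if __name__ == "__main__":
    result = triage(SAMPLE_BANNERS)
    for ip, port, transport, product in result["unexpected"]:
        print(f"UNEXPECTED {ip} {port}/{transport} ({product})")
    for ip in result["out_of_scope"]:
        print(f"OUT OF SCOPE {ip} (not in an enrolled block; likely shared hosting)")
```

Feeding the same check with real host records pulled for your enrolled blocks turns a stream of alerts into a short list of exposures that actually differ from the baseline.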

Example of several alerts received

Example of an individual alert message