Platforms like Shodan continuously scan for internet-facing devices and enumerate the services they expose.

These scanning services provide mechanisms to search their database for particular attributes, such as a domain, an IP range, or the list of services a target exposes publicly. Additionally, attackers can search for a particular service version that has a known vulnerability.

Common platforms

  • Shodan

Malware/Threat actors

Preventions

One mitigation is to block the IP addresses of these scanners. Shodan provides a public list of these IP addresses.

Detections

  • First, you need a sensor monitoring the traffic in your DMZ. Next, with a tool like Bro (now Zeek), analyze the conn.log file for source addresses that are known to belong to Shodan.
  • Use the Shodan service to determine what Shodan knows about your IP range, domain, etc.
  • GreyNoise can be used to confirm if a scan is a public scanner or not.

Toolkit

  • eqllib query -s "Bro events" -f conn.log "bro_conn where source_address in ('<SHODAN public IPs>')"
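As an added example (not part of the original page), a Python version of the conn.log check described under Detections and in the Toolkit query: it parses a constructed Zeek/Bro conn.log excerpt and flags connections whose originator falls in a known scanner network. The scanner ranges are RFC 5737 placeholders; substitute the address list Shodan publishes.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed placeholder scanner networks (RFC 5737 documentation ranges).
# Replace with the scanner IP list Shodan publishes; CIDR and /32 both work.
SCANNER_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed Zeek/Bro conn.log excerpt in the default tab-separated format.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1563200001.100\tCabc1\t203.0.113.45\t51222\t192.0.2.10\t443\ttcp\tssl\tSF
1563200002.200\tCabc2\t192.0.2.77\t40001\t192.0.2.10\t80\ttcp\thttp\tSF
1563200003.300\tCabc3\t198.51.100.7\t33000\t192.0.2.11\t22\ttcp\tssh\tS0
#close\t2019-07-15-12-00-03
"""


def parse_conn_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return conn.log records as dicts keyed by the names in the #fields header."""
    fields = None
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other Zeek directives (#separator, #types, #close) and blanks
        if fields is None:
            raise ValueError("conn.log data before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_scanner_connections(records: List[Dict[str, str]], networks=SCANNER_NETWORKS):
    """Return records whose originator (id.orig_h) is inside a scanner network."""
    hits = []
    for rec in records:
        try:
            src = ipaddress.ip_address(rec["id.orig_h"])
        except (KeyError, ValueError):
            continue  # missing or malformed address: skip rather than abort the run
        if any(src in net for net in networks):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_scanner_connections(parse_conn_log(SAMPLE_CONN_LOG.splitlines())):
        print(f"{h['ts']} scanner {h['id.orig_h']} -> {h['id.resp_h']}:{h['id.resp_p']} ({h['service']})")
```

The services the scanner reached (here ssl and ssh) tell you what Shodan has likely indexed about your range, which is the same information the second Detections bullet suggests checking directly.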

Similar techniques

References