Hack Like a Pro: How to Find Any Router's Web Interface Using Shodan

How to Find Any Router's Web Interface Using Shodan

Welcome back, my hacker noviates!

In a recent post, I introduced you to Shodan, the world's most dangerous search engine. Shodan crawls the globe from IP to IP address, attempting to pull the banners of each web-enabled device and server it finds.

These banners are what the web servers and devices "advertise" to the world as to who they are. By searching these web banners, we can find the log-in interface for nearly every web-enabled device on planet earth.

Shodan Doesn't Index Content, It Indexes Banners

It's important to note that unlike Google, Bing, Yahoo, and other search engines, Shodan does not index the content of a website, rather it indexes the information in the banner. These banners will tell us whether the device is a webcam, a router, a VOIP phone system, or whatever, along with something about the underlying technology.

To do a specific search in Shodan, you need to understand what is in these banners and how we can use it to search for a specific and vulnerable site.

The Search Tools Are a Lot Like Other Search Engines

The search syntax for Shodan is very similar to the searching on other search engines, but what you are searching for is very different. Shodan accepts the same standard Boolean operators as the others (+-|) and quotation marks can be used to narrow a search to only the exact content between the quotation marks.

Shodan also accepts some basic filters that allows you to narrow down your search results. These include the following.

  • after/before - limits our results to banners that have been indexed before or after a specific date
  • country - filters our results by country using the two-letter country code
  • hostname - filters results by domain name
  • net - filters results by IP address range using CIDR notation
  • geo - filters by longitude and latitude
  • os - filters results by host operating system
  • port - filters results by port

Now that we have the basics of Shodan searching and filtering, let's see what we can find.

Step 1: Log in to Shodan

First, let's log in to Shodan. Although you can use Shodan without logging in, some of the filters we will use here require us to login to enable them. Navigate to shodanhq.com and log in.

Step 2: Search for Cisco Routers

Once logged in, let's do a search for Cisco banners. These would be the banners on Cisco devices (the most widely used routers and switches in the world) that have a Internet-enabled administration panel. When we do, Shodan finds over 3 million devices! It breaks it down by country on the left side panel as you can see below.

Step 3: Filter by Country

So, now we have all the Cisco devices indexed by Shodan. The 3+ million devices is a pretty unwieldy amount to work with, so let's try to target our search by country. In this case, let's find all the Cisco devices in India.

To do so, we will need the two-letter country code of India, which is IN. The syntax then finding all the Cisco routers in India is below. Note the colon (:) between the keyword country and the two-letter country code.

  • cisco country:IN

When we do so, we narrow our search considerably. As you can see in the screenshot below, we are now down to 71,147 routers. Still an unwieldy amount, but considerably smaller.

Step 4: Filter by Port

Let's continue to narrow our search and try to become very specific for what we are seeking. Let's imagine that we are looking for Cisco routers that enable VOIP in India. We know that VOIP uses the SIP protocol and the SIP protocol uses port 5060, so let's find all the Cisco routers in India that use VOIP. We can type in the search window:

  • cisco country:IN port:5060

As you can see below, we have now narrowed our results down dramatically to just 2,435 routers.

Step 5: Narrow the Results by IP Address

Finally, let's narrow our search down a even further. Let's add one more condition, an IP address range. Let's look for Cisco routers in India that use port 5060 (VOIP) on the IP address range of 125.63.65.0/24.

  • cisco country:IN port:5060 net:125.63.65.0/24

As you can see, we have narrowed our search of Cisco routers from 3 million to a single router in India with port 5060 open!

Step 6: Open the Results

Finally, let's click on the info for that router. As you can see below, Shodan provide us a significant amount of info on this single router.

To be able to access these devices, you would be well-advised to first look up the admin username and password as many admins are too lazy or reckless to change them. If you look through this banner carefully, there is an indication that there is at least a single user named "root". With that info, it becomes a password cracking exercise.

In my next Shodan post, we will examine further ways to find vulnerable sites, so keep coming back!

Map image via Shodan, Crosshairs via Shutterstock

28 Comments

how can? name and password

Zizo:

The first step is to try the default username and password. If that doesn't work, then it is more difficult but not impossible. You can try a tool like Hydra to crack the username and password.

OTW

I'm loving these posts about Shodan, OTW. Such an interesting search engine; I can't wait to see more of what it can do for us.

ghost_

mster otw:

how can i access my collg cams...when my collg is using private ip's????

whn i search web cams than i found only 3 in my city...r they vulnerable all???

Secret:

Remember, this search engine pulls banners. To find the interface, you need to know what the banner looks like. That banner is dependent upon the manufacturer.

OTW

thank you very much, please more on shodan, i am enjoying every post on shodan, please more more tutorial on shodan....

Master

is it possible to hack into a neighbor's ADSL router to retrieve a wifi password? if it is could you please make a tutorial for that.

I have tried a couple of methods like Angry IP Scanner and Asterisk Key but never found port 80 open.

if hack into router without wifi password is possible then i think this method would be much easier than dictionary attack for WPA2 password hacking.

Yes, it is possible, but you likely need the brand of the router and maybe the GPS coordinates. If successful, you will then have to enter the admin console to get the password. Assuming they left the admin with the default settings, then the rest should be easy.

is this website safe to use? or i need any VPS/proxy or smth like that?

thanks for your reply master.

As for the brand of the router it seems easy to find but i do not know how to get the GPS coordinates of the router. And as for the admin panel most of the people do not bother to change the router default password as you have already mentioned in your other tutorials.

please make a short tutorial for this. thanks

Great post! Thank you very much for your time writing this great article! I really can't believe how easy and dangerous Shodan is in the same time. I would like to write a script in Python in order to automate some search for well-known exploits or at least enumerate some Windows XP boxes prior to SP3. Any ideas how can I do that?

Thanks

Thanks for the kind words.

I think you might be misunderstanding Shodan. It pulls the banner and not the OS.

Please thanks for this post. may God bless you.

my problem is that if someone is able to login to the routers admin control panel remotely can that person who has no physical access nor no wireless link to the router use the internet from the router remotely?

Please if possible, by what means. Thanks for your respose.
Long live NULL-BYTE.....

I'm kind of having trouble understanding what it is you're asking.

If you are wanting to connect to the internet via a particular router, then you must be within a relatively close proximity. Either to connect via a CAT cable to the modem or within range to connect wirelessly.

I hope I answered your question correctly, if not, please rephrase it.

ghost_

Oooooooooooh I see what he was asking now...

ghost_

Please thanks for your quick reply.
Sorry if I did not state my question clearly.

Assuming I have a router which I usually connect to the internet either using wifi or LAN or any other means because am physically accessible to the router. That is ok.

Now I have traveled to a different town and am now not physically accessible to the router anymore but I can login using the router's IP address. Now my question is can I still use my router remotely?

Please if possible, HOW???
Thanks for your kind consideration.
Long live NULL-BYTE!!!!!!

Asante:

If you have the IP address, you can login remotely to the admin panel.

OTW

Thanks Sir.

I have logged in to my router's admin panel now and that has worked perfectly now. But PLEASE I don't know how to use the internet connection from my router remotely.

Any directive as to how to go about it would be highly appreciated.
Thanks for your time and may GOD BLESS YOU!!!!!!

You're asking if you can use your home internet connection to access the internet while you're in another town, correct?

If that's what you're asking, that's a no. You need to have an available connection that is physically close to you like a public AP.

You can still access your router's admin panel while in another town, given you have internet access where you are at that moment.

ghost_

Yes after I have logged in, I can see Some settings like NAT, DHCP, VIRTUAL SERVER, PORT MAPPING, and some others.

Is there any means of using the internet from the router remotely? like VPN, port forwarding, oppening certain ports etc any means possible??? I am really stuck......

I really appreciate your efforts.

Well typed you about 150 word answer but this sums it up best.
Team Viewer is your friend.

Call home tell somebody to install it? Nobody home right?

Thanks, but still can't figure out how to go about it using the suggested Team Viewer method.

Is there any settings I can make at the admin control panel that will enable me use the router's internet remotely???
Thanks in advance....

No there isn't.

ghost_

Oooh ok thanks for your time.

you know ive read books with sections on shodan and i didnt get it till now.. thanks a bunch Sensei OTW can't wait to read the rest of your articles about SHodaN.

hello

i need to convert asterisk (password) into text
in tp-link router

Share Your Thoughts

  • Hot
  • Latest