Search engines index websites on the web so you can find them more efficiently, and the same is true for internet-connected devices. Shodan indexes devices like webcams, printers, and even industrial controls into one easy-to-search database, giving hackers access to vulnerable devices online across the globe. And you can search its database via its website or command-line library.
Shodan has changed the way hackers build tools, as it allows for a large part of the target discovery phase to be automated. Rather than needing to scan the entire internet, hackers can enter the right search terms to get a massive list of potential targets. Shodan's Python library allows hackers to quickly write Python scripts that fill in potential targets according to which vulnerable devices connect at any given moment.
You can imagine hunting for vulnerable devices as similar to trying to find all the pages on the internet about a specific topic. Rather than searching every page available on the web yourself, you can enter a particular term into a search engine to get the most up-to-date, relevant results. The same is true for discovering connected devices, and what you can find online may surprise you!
Step 1Log into Shodan
First, whether using the website or the command line, you need to log in to shodanhq.com in a web browser. Although you can use Shodan without logging in, Shodan restricts some of its capabilities to only logged-in users. For instance, you can only view one page of search results without logging in. And you can only see two pages of search results when logged in to a free account. As for the command line, you will need your API Key to perform some requests.
Step 2Set Up Shodan via Command Line (Optional)
A particularly useful feature of Shodan is that you don't need to open a web browser to use it if you know your API Key. To install Shodan, you'll need to have a working Python installation. Then, you can type the following in a terminal window to install the Shodan library.
Then, you can see all the available options -h to bring up the help menu.
These controls are pretty straightforward, but not all of them work without connecting it to your Shodan API Key. In a web browser, log in to your Shodan account, then go to "My Account" where you'll see your unique API Key. Copy it, then use the init command to connect the key.
Search for Accessible Webcams
There are many ways to find webcams on Shodan. Usually, using the name of the webcam's manufacturer or webcam server is a good start. Shodan indexes the information in the banner, not the content, which means that if the manufacturer puts its name in the banner, you can search by it. If it doesn't, then the search will be fruitless.
One of my favorites is webcamxp, a webcam and network camera software designed for older Windows systems. After typing this into the Shodan search engine online, it pulls up links to hundreds, if not thousands, of web-enabled security cameras around the world.
To do this from the command line, use the search option. (Results below truncated.)
To exit results, hit Q on your keyboard. If you only want to see certain fields instead of everything, there are ways to omit some information. First, let's see how the syntax works by viewing the help page for a search.
Unfortunately, the help page does not list all of the available fields you can search, but Shodan's website has a handy list, seen below.
So, if we wanted to only view the IP address, port number, organization name, and hostnames for the IP address, we could use --fields as such:
Look through the results and find webcams you want to try out. Input their domain name into a browser and see if you get instant access. Here is an array of open webcams from various hotels in Palafrugell, Spain, that I was able to access without any login credentials:
Although it can be fun and exciting to voyeuristically watch what's going on in front of these unprotected security cameras, unbeknownst to people around the world, you probably want to be more specific in your search for webcams.Try Default Username & Passwords
Although some of the webcams Shodan shows you are unprotected, many of them will require authentication. To attempt to gain access without too much effort, try the default username and password for the security camera hardware or software. I have compiled a short list of the default username and passwords of some of the most widely used webcams below.
- ACTi: admin/123456 or Admin/123456
- Axis (traditional): root/pass,
- Axis (new): requires password created during the first login
- Cisco: No default password, requires creation during the first login
- Grandstream: admin/admin
- IQinVision: root/system
- Mobotix: admin/meinsm
- Panasonic: admin/12345
- Samsung Electronics: root/root or admin/4321
- Samsung Techwin (old): admin/1111111
- Samsung Techwin (new): admin/4321
- Sony: admin/admin
- TRENDnet: admin/admin
- Toshiba: root/ikwd
- Vivotek: root/<blank>
- WebcamXP: admin/ <blank>
There is no guarantee that any of those will work, but many inattentive and lazy administrators simply leave the default settings in place. In those cases, the default usernames and passwords for the hardware or software will give you access to confidential and private webcams around the world.
step 4Search for Webcams by Geography
Now that we know how to find webcams and potentially log in to them using default usernames and passwords, let's get more specific and try to find webcams in a specific geographical location. For example, if we were interested in webcams by the manufacturer WebcamXP in Australia, we could find them by typing webcamxp country: AU into the search box on Shodan's website.
So how would we do an advanced search in the command line? Here's a quick list of some of the things you can search for in Shodan via the command line:
So if we were to search webcamxp country: AU on the website directly, to do it from the command line, you would format as one of the ways below. However, if you're not on a paid plan, you can't use the Shodan API to perform detailed searches like we are trying to here. But you can still perform an advanced search on Shodan's website, with the regular restrictions for free users.On the website, searching for webcamxp country: AU will pull up a list of every WebcamXP in Australia that is web-enabled in Shodan's index, as shown below.
Narrow Your Search for Webcams to a City
To be even more specific, we can narrow our search down to an individual city. Let's see what we can find in Sydney, Australia, by typing webcamxp city: Sydney into the website's search bar. For the command line, it would look like one of the following commands — but it's a paid-only feature with the API.
On the Shodan website, the search yields the results below.
When we click on one of these links, we find ourselves in someone's backyard in Sydney, Australia!
Find Webcams by Longitude & Latitude
Shodan even enables us to be very specific in searching for web-enabled devices. In some cases, we can specify the longitude and latitude of the devices we want to find.
In this case, we will be looking for WebcamXP cameras at the longitude and latitude (-37.81, 144.96) of the city of Melbourne, Australia. When we search, we get a list of every WebcamXP at those coordinates on the globe. We must use the keyword geo followed by the longitude and latitude. So in the search bar, use webcamxp geo: -37.81,144.96. On the command line interface, again, which is a paid feature, it'd look like one of these:
When we get that specific, on Shodan's website, it only finds four WebcamXP cameras. Click on one, and we can find that once again, we have a private webcam view of someone's camera in their backyard in Melbourne, Australia.