|Router Security||Shodan and Census Queries||
Website by |
Shodan promotes itself as a search engine that lets you see which computing devices on your network are directly accessible from the Internet. That's a bit of a stretch, but it is, nonetheless, a useful security checkup. Technically, it reports on open TCP/IP ports in your router and offers some information about the software behind those ports. It may be possible to link this software information to a specific device connected to the router.
In the best case, there should be no ports open. This page generates a Shodan Query of your public IP address (your router) for you.
On October 12, 2018, this page was enhanced to also query Censys.
All the computing devices in a home share one public IP address and it is assigned to the router. All your other computers, tablets, phones, IoT devices, etc. have private IP addresses that are normally not visible to the outside world. However, routers and IoT devices that support UPnP can be configured (I would argue "abused" in the better term) to make make devices in your home directly accessible from the Internet. Hello bad guys.
Your public IP address is: 18.104.22.168
Click the link below to see what Shodan knows about your public IP address. It opens in a new browser window/tab.
Your Customized Shodan Query: www.shodan.io/host/22.214.171.124
Click the link below to see what Censys.io knows about your public IP address. It opens in a new browser window/tab.
Your Customized Censys Query: www.censys.io/ipv4/126.96.36.199
Click the link below to see what urlscan.io knows about your public IP address. It opens in a new browser window/tab. No news is good news.
Your Customized urlscan query: urlscan.io/ip/188.8.131.52
Click the link below to see what Virus Total knows about your public IP address. It opens in a new browser window/tab.
Your Customized VirusTotal query: www.virustotal.com/#/ip-address/184.108.40.206
Click the link below to see what Security Trails knows about your public IP address. It opens in a new browser window/tab.
Your Customized SecurityTrails query: securitytrails.com/list/ip/220.127.116.11
If you have a Cisco router, then click the link below. It tests an information disclosure bug from Jan. 2019. More details are on the Bugs page. Not seeing details about your router is a good result. It opens in a new browser window/tab.
Your Customized Cisco router query: http://18.104.22.168/cgi-in/config.exp:8007
Not that it matters much, but your router may also have a public name. Censys displays this public name and, as shown below, any website can get access to it. Oftentimes, the public name includes the public IP address. Sometimes it is the public IP address. Sometimes, it identifies the ISP.
The public name of your router: ec2-34-207-152-62.compute-1.amazonaws.com
Not all routers are assigned a name, this is left up to the Internet Service Provider. Many ISPs assign names that include their name. For example, some Spectrum customers have public names that end in rr.com because in the old days Time Warner called their Internet service Road Runner. Comcast names in the U.S. often end with XX.comcast.net where XX is a two letter abbreviation for the state where the router is located. Sometimes an ISP will assign a name exactly the same as the IP address. The public name does not matter because you normally do not directly address your router when away from home. A more technical name for this, is Reverse DNS. Shodan refers to the public name as "Hostnames."
Both queries are keyed off your public IP address. If you load this page from a device connected to a VPN, then the public IP address is that of a VPN server, not your router. Hiding the public IP address of your router is a core function of a VPN. With that in mind, you could use this page as a poor man's VPN tester. You better, see a different public IP address with the VPN connected and disconnected.
Likewise, if this page is loaded from a computer connected to the TOR network, the public IP address will be that of the TOR exit node and not the router.
With billions of computers on the Internet, neither Shodan nor Censys can query each one every day. There is a chance the reports of your current public IP address may be for someone else's router. This can happen because your current public IP address may not have been your IP address yesterday or last week when it was scanned by Shodan. It is not yet clear to me if Censys is reporting real time information or not.
Most consumer Internet connections have dynamic (i.e. variable) IP addresses. When the IP address changes, is totally up to your Internet Service Provider. Most of the time, you could care less about your public IP address. But, for Shodan and Censys testing, it matters. They may have last checked the IP address you are currently assigned, a week or two ago. In Shodan, look for the "Last Update" field on the left side. Censys does not indicate when their data was collected. At the time these search engines last checked your current IP address, it may have been assigned to someone else. Thus, this could all be a waste of time.
The format of the Shodan Last Update timestamp can be confusing. In the example below
The date is March 8, 2017, not August 3, 2017. Everything after the T is a timestamp.
Finally, Shodan does not query every IP address. You may well get a Not Found error as shown at the right. That's fine. Note that the error message is wrong. What is not found, is an IP address, not a website.
The goal, for most people, with a Shodan Report is to have NO open TCP/IP ports. You are most secure with all ports closed. One reason that every article about router security says to disable Remote Administration, is that it opens a port.
The big upside to Shodan is that it can show ports that were opened by IoT devices using the miserably insecure UPnP and NAT-PMP protocols. It also shows ports that are open as backdoor into the router for an Internet Service Provider. There are two examples of this below. While I am no fan of consumer routers, at least they don't come with ISP backdoors built into them. Shodan also shows some information about the open port(s) and its report is a bit more approachable for non-techies.
A downside to Shodan is that it does not show anything about closed ports that it tested. Ports are not simply open or closed, they can be Open, Closed or Stealthed. For that level of detail, there are many other websites that report on TCP/IP ports listed on the Test Your Router page.
One port you do not want to find open is 7547. It is often left open on devices given out by an ISP so that they can remotely access the box. Technically, this port is used by a remote management protocol known as both TR-069 and CWMP. Many times this has been abused by bad guys to hack the router. In April 2017 it was reported that Shodan found over 41 million devices with port 7547 open.
Most press coverage of Shodan focuses on finding specific vulnerable devices, rather than reporting on a home router. The example below is thus a more typical usage of Shodan. From analyzing the response to queries on port 8443, Shodan was able to learn that the thing it found was an Avtech AVN801 network camera.
An interesting report, shown below, is from a VPN server. It has four open ports, 80, 443, 500 and 1723. The last two are for the VPN. Port 443 is for secure HTTPS web pages. Port 80 is for insecure HTTP web pages, a strange thing to see on a VPN server.
If you run across any interesting Shodan reports, send me the screen shot.
Bullguard offers an Internet of Things Scanner that also uses your public IP address to query Shodan. But, its an HTTP site, not HTTPS - a bad look for a security tester. It also does not explain anything about the vulnerabilities it looks for.