Archive - OSINT - Using Shodan.io to protect your school district


A huge shout out to Eric Arline for raising awareness on this. I had heard Shodan provided free accounts to education, but I was always under the impression it was higher education only. Next thing I know, Harold Gale was nice enough to ask the following:

So, let's talk about Shodan Monitor

If you aren't familiar with Shodan, think of it as a network security scanner that scans the entire Internet looking for what technologies are in use on every IP address and any details it can gather about the network, hardware, and software being used. It can also report on known vulnerabilities, making it simple to search its massive database for all affected devices on the Internet. We can leverage this information to ensure our Internet presences are kept secure, and nothing pops up unexpectedly (I'm looking at you, old firewall rule that never got cleaned up).

Traditionally, if we wanted to monitor our Internet presence, we would have to deploy a VM in the cloud to run nmap, OpenVAS, Nessus, etc. scans against our external IPs, but this usually doesn't have the best alerting or indexing for later searches. With Shodan, we can simply search our network ranges for port:3389, as Eric mentioned, to see if we are exposing RDP to the Internet (and if you are, please stop, stop it now!). This is great for ad hoc searches, and we can look through the results for our ranges to look at cipher suites and other random services we might be exposing to the Internet.

But what if we want to actively monitor, get alerts, then verify after we have remediated issues? Welcome to Shodan Monitor!

Why yes, we do have port 123 exposed...

Shodan Monitor is part of the Premium offering which they generously give to us for free. As you click through some of your IPs, you will notice the time when they last scanned your IPs. This is important to keep in mind if you have recently made changes and are trying to figure out why it still shows up or has a listed vulnerability. And if you have recently added something to the Internet, you should receive an alert looking like this!
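Added example (not part of the original post, and not Shodan's own code): a small triage script for exported results that applies the last-scanned caveat above, separating exposures Shodan has re-observed since a fix from ones it simply has not rescanned yet. The field names follow Shodan banner records (ip_str, port, transport, timestamp); the CIDR range, the list of expected services, the remediation time, and the sample records are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample records using Shodan banner field names.
# Addresses come from the reserved documentation ranges.
SAMPLE_BANNERS = [
    {"ip_str": "198.51.100.10", "port": 443, "transport": "tcp", "timestamp": "2024-03-01T09:15:00.000000"},
    {"ip_str": "198.51.100.25", "port": 3389, "transport": "tcp", "timestamp": "2024-03-02T11:00:00.000000"},
    {"ip_str": "198.51.100.40", "port": 123, "transport": "udp", "timestamp": "2024-03-06T04:30:00.000000"},
    {"ip_str": "192.0.2.77", "port": 3389, "transport": "tcp", "timestamp": "2024-03-06T05:00:00.000000"},
]

DISTRICT_RANGES = ["198.51.100.0/24"]   # assumed district address space
EXPECTED = {("tcp", 80), ("tcp", 443)}  # assumed intentionally public services


def triage(banners, ranges, expected, remediated_at):
    """Return unexpected exposures in our ranges, labelled by scan freshness."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    findings = []
    for b in banners:
        ip = ipaddress.ip_address(b["ip_str"])
        if not any(ip in n for n in nets):
            continue  # outside the district's address space
        service = (b.get("transport", "tcp"), b["port"])
        if service in expected:
            continue  # a service we meant to publish
        seen = datetime.fromisoformat(b["timestamp"])
        # Observed after the fix: the port is really still open.
        # Observed before the fix: Shodan has not rescanned yet.
        status = "still-exposed" if seen > remediated_at else "awaiting-rescan"
        findings.append((b["ip_str"], service[0], service[1], status))
    return sorted(findings)


if __name__ == "__main__":
    fixed = datetime(2024, 3, 5, 16, 0)  # assumed time the firewall rule was removed
    for ip, proto, port, status in triage(SAMPLE_BANNERS, DISTRICT_RANGES, EXPECTED, fixed):
        print(f"{ip} {proto}/{port}: {status}")
```

An "awaiting-rescan" result is not proof the fix worked; it only means the record predates the change, so check again once the last-scanned time moves past it.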

How to get your free education Shodan account

The most important thing here is to sign up with your school district email address. They will not upgrade you if you try to use your personal account. That said, head on over to https://www.shodan.io, sign up, verify your account, and then send an email to [email protected] letting them know you are an educational institution. You will receive a "Welcome to Shodan Academic" email, and then you can head on over to https://monitor.shodan.io to set up your monitoring.

Good luck!
