IANAL, but more likely it depends on intent and context. So shodan.io is okay because it’s not explicitly malicious, and they have clear paths to contact them if you suspect abuse. Whereas, if you’re suspected of hacking a website, the fact that you port scanned it a week prior to password spraying it might serve as evidence against you. That is, it seems unlikely anyone would be prosecuted for port scanning alone, but it could be an act that demonstrates intent of a later action.
One time, I port scanned my public IP (of my ISP) from an EC2 box, and I got an email from EC2 saying they received an abuse complaint from the ISP for port scanning activity.
What's Shodan.io's legitimate use? Sounds like the "torrents can be used for legitimate content" type argument where in reality you a rounding error the use is not lawful??
There are plenty of legitimate uses of port scanning, and specifically, a port scanning database like Shodan. For example:
- Monitoring your own network or that of your clients for exposed ports
- Researching Internet topology, or performing aggregate queries like “how many nginx servers are connected to the Internet”
Can you use it maliciously? Yes. But, most of the time, if you have a target it would make more sense to do the port scan yourself. And if you’re just dragnet searching for vulnerabilities, most you find will probably already have been exploited. Sites like shodan are good for the overall health of the web because they force website owners to maintain security posture. If you know that foregoing a wordpress upgrade means you’re one script kiddy with a shodan account away from getting hacked, you’re going to keep your site up to date. This saves you from script kiddies, but also from the more sophisticated hackers who would run a port scan themselves anyway.
>There are plenty of legitimate uses of port scanning, and specifically, a port scanning database like Shodan. //
Any legitimate security service is going to be doing there own scans, surely.
Statistics, yes, but I can't see those stats being especially good. You could probably get equally good nGinx data from netcraft, who IIUC get the data from http responses banners on :80 :443.
I'm not sure I buy the "security posture" line, isn't it circular. Tools to help crack your site are good because it means to have to have counter-measures to combat tools for cracking your site?
Only legitimate use of port scanning for me has been testing access to my own/clients computers, I feel. That's not too say I've not used it for illegitimate things ...
If I were a serious baddie, I'd be afraid of using Shodan. Who knows who has what logging on that, and what honeypots may have been seeded into it for just such an occasion? It's not that hard to get that information yourself, from sources you control yourself.
Legitimate usage from researchers and people reading about infrastructure they have the right to do security testing on may be a larger percentage than you think.
Shodan is used by most of the Fortune 100 companies for a variety of use cases. Here are the most common ones:
1. External network monitoring: know what you have connected to the Internet and get notified if anything changes unexpectedly. This has actually gotten significantly more challenging with services deployed to the cloud where your IT department might not even know which IPs to keep track of.
2. 3rd-party risk assessment: understand the security exposure of your partners, vendors, supply chain or other 3rd-parties. For example, lets say you're an insurance company that wants to provide cyber insurance. Shodan data can help you understand what sort of risk you'd be taking on. The data has also been used in M&A as part of due diligence to get a metric on the security of the IT department of the company they're thinking of acquiring.
3. Market intelligence: basically Netcraft on steroids. Shodan doesn't just have web information but also for many other protocols. This information is used by hedge funds and vendors to understand which products are purchased and deployed to the Internet. The data is skewed due to the nature of public IPs but there are still things you can do.
4. Policy impact: get a measure for how policies at the country-level are impacting Internet connectivity. For example, the OECD used Shodan to get a measure of Internet-connectivity per capita.
5. Fraud detection: is your customer trying to make a purchase from a machine that's been compromised? Or running a a VPN/ proxy? Shodan is used in transactional fraud detection to flag suspicious payments.
