How Attackers Use Shodan & FOFA

April 24, 2025

Metadata search engines like Shodan, FOFA, and ZoomEye are specialized tools that scan the internet for publicly accessible devices and services. Instead of indexing websites like Google does, these platforms collect and catalog technical details—called metadata—about connected devices.

Attackers use this metadata to identify vulnerable systems, such as misconfigured routers, webcams, or servers running outdated software. That’s how they can build lists of targets.

Shodan: the search engine for the internet of things

Shodan is a metadata search engine that scans the internet for connected devices (like servers, routers, webcams). It gathers information such as open ports, SSL certificates, and banners. Users can filter by organization, country, or service to find exposed systems. It also allows pivoting using facets like SSL subjects or hostnames to drill deeper.

Shodan's most valuable features:

Devices enumeration: Shodan scans for publicly exposed devices, such as webcams, routers, industrial control systems (ICS), servers, and more.
Filtering & querying: You can refine your searches using filters (e.g., “port:443”, “country:US”, “org:SomeISP”) to find specific devices and services.
Metadata insights: Shodan retrieves banners from various ports, showing server versions, potential vulnerabilities, and other details.

FOFA: Foresee & Find it All

FOFA is a Chinese-developed internet asset search engine similar to Shodan. It indexes devices and services exposed online, supports advanced queries, and emphasizes fingerprinting technologies. It’s often quicker to react to vulnerabilities and provides high-speed results for vulnerabilities.

FOFA's most valuable features:

Asset discovery: FOFA collects data from multiple sources, scanning various protocols and ports to catalog connected devices and applications.
Flexible syntax search: Like Shodan, FOFA supports advanced query syntax (e.g., “protocol==https”, “ip==123.123.123.123”, “body==’login’”).
Extensive fingerprinting:The service emphasizes “fingerprinting” technology, identifying software and frameworks via unique signatures.

Shodan vs. FOFA

Both platforms help identify exposed systems, but they differ in syntax and coverage. Sometimes FOFA finds devices that Shodan misses and vice versa. Security teams and attackers alike benefit from using both, correlating data to get a more complete picture of the exposed attack surface.

Here's how they compare:

	Shodan	FOFA
Primary Focus	Global IoT/ICS, general internet-connected devices	Broad coverage with strong emphasis on Chinese-speaking regions, but also global
Search Capabilities	Advanced search filters, robust syntax, strong ICS focus	Advanced query syntax, extensive fingerprint libraries
Data Coverage	Global indexing; large user base & data sets	Also global, but particularly well-adopted in China/Asia-Pacific; can sometimes provide region-specific insights
User Interface	Straightforward interface with filter-based search	Web interface supports multiple filter types; Chinese/English UI can vary in clarity but is improving
APIs & Integrations	Comprehensive API, popular among open-source tools, widely integrated across the security community	API available with tiered subscription; used within many Chinese security tools
Unique Strengths	Longstanding reputation and community, detailed ICS/IoT coverage	Strong focus on fingerprints, region-specific data, and a growing global footprint

How attackers use search engines to identify targets

Attackers (like Black Basta) begin by automating the scraping of data from Shodan and FOFA, extracting metadata about exposed devices and storing the results in downloadable archives for further use.

They then segment these targets by geography using ZoomEye, another Chinese search engine. Unlike Shodan and FOFA, ZoomEye scans deeper into the application layer and leverages unique fingerprinting capabilities, which helps attackers identify technologies like Jenkins servers across multiple countries with greater precision.

*Screenshot of the ZoomEye interface displaying credentials (not related to Black Basta)*

What attackers do after identifying targets

After mapping out exposed infrastructure, attackers don’t stop at reconnaissance—they move quickly into active exploitation.

Groups like Black Basta illustrate this clearly. Once they’ve built a list of vulnerable targets, they begin probing them for weaknesses using two primary strategies:

Credential-based brute-force attacks
CVE-based exploitation

Brute-force attacks using default or reused credentials

One of the most common follow-up tactics is credential-based brute-forcing. Black Basta, for example, targeted login portals across a wide range of technologies—including Microsoft RDWeb, Palo Alto GlobalProtect VPNs, and Citrix NetScaler Gateways.

Their approach involved harvesting hundreds of endpoints, then using tools like Brute Ratel to automate login attempts using default credentials, passwords reused across systems, or previously leaked combinations. These attempts are often scripted, with usernames and passwords separated by semicolons to streamline high-volume testing.

Examples of techniques used by Black Basta:

RDWeb Brute-Force: Black Basta harvested and attempted logins on hundreds of Microsoft Remote Desktop Web Access (RDWeb) endpoints.
GlobalProtect Portals (VPNs): They also extensively targeted Palo Alto’s GlobalProtect VPN portals.
Citrix Portals: They attempted credential stuffing on Citrix NetScaler Gateway instances

Because these portals are frequently exposed without additional protections like MFA, and users often reuse passwords, attackers can gain access with minimal effort—especially if defenses lack behavioral detection mechanisms.

CVE-Based Exploitation

Simultaneously, attackers leverage known vulnerabilities to bypass authentication entirely.

In the case of Jenkins, Black Basta exploited CVE-2024-23897—a critical vulnerability that allows unauthenticated users to read arbitrary files on the server through the Jenkins CLI. This includes sensitive files like /etc/shadow, which contain hashed credentials and can lead to full compromise.

*Screenshot of a search for vulnerable Jenkins servers in Shodan*

Attackers use metadata from Shodan and FOFA to pinpoint unpatched Jenkins instances, then launch automated exploits as part of their initial access playbooks.

These CVE-driven attacks are particularly dangerous because:

They often require no credentials.
Exploitation is fast and quiet.
They provide direct access to privileged or sensitive data.

How Vectra AI disrupts the attack chain

Everything we’ve covered—from automated reconnaissance with Shodan and FOFA to brute-force attacks and CVE exploitation—underscores how quickly attackers can turn exposed infrastructure into active intrusions. That’s where Vectra AI makes the difference. The Vectra AI Platform continuously monitors your environment for signs of compromise before attackers succeed.

When an adversary begins testing stolen or guessed credentials—whether it's through RDWeb, VPN portals, Citrix, or Jenkins—Vectra detects anomalies like:

Repeated failed login attempts
Unusual account activity
Unexpected lateral movement
Privilege escalation attempts

In short, Shodan and FOFA tell you what’s exposed to the world—Vectra AI tells you what’s happening inside. It empowers your team to shut down attacks like Black Basta’s before they escalate into full-blown breaches.

Want to learn more about the Vectra AI Platform? Get in touch or request a demo!

---