Shodan

Web Interface

- Search Query

By default, the search query only looks at the main banner text and doesn’t search the meta-data.

- Filters

https://www.shodan.io/search/filters

To search the meta-data you need to use search filters.

If a filter's values can never contain a comma (ex. port, hostname, net), then that filter lets you provide multiple values.

The format for entering filters is:

filtername:value

To use a value that contains a space with a filter you have to wrap the value in double quotes.

A few filters let you specify several values that are separated by a comma “,”.

port: for example, to find devices that are running Telnet on ports 23 and 1023:

port:23,1023

city: for example, the following would return all devices that aren’t located in San Diego:

-city:"San Diego"

There are many situations where excluding is easier than including. For example, the following search query uses -hash:0 to provide results for services on port 8080 where the main text banner isn’t empty:

port:8080 -hash:0

Every banner on Shodan has a numeric hash property calculated; for empty banners that value is zero. If you’re trying to find devices that have a short, static banner then the hash filter may provide a good way to accurately identify them.

net: only shows results inside the provided IP range, given in CIDR format:

net:190.30.40.0/24

org: narrows results based on the organization that owns the IP:

org:"Verizon Wireless"

We can also exclude something from results, for example, to search SSH running in non-default ports (exclude port 22):

product:openssh -port:22
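The filter grammar above (name:value, quoted values, comma-separated values, leading minus to exclude), applied locally to banner records such as those in a `shodan download` file when reviewing your own exposure. This is an added example, not code from Shodan or the original page; the matching rules are a local approximation, the banner field names follow the Shodan banner format, and the sample banners are constructed.

```python
import ipaddress
import shlex

# Per the page, these filters never contain commas, so "," separates values.
MULTI_VALUE = {"port", "hostname", "net"}

def parse_query(query):
    """Return ([(name, values, negated), ...], [free-text terms])."""
    filters, terms = [], []
    for token in shlex.split(query):  # keeps "San Diego" as one value
        name, sep, value = token.lstrip("-").partition(":")
        if not sep:
            terms.append(token)
            continue
        values = value.split(",") if name in MULTI_VALUE else [value]
        filters.append((name, values, token.startswith("-")))
    return filters, terms

def field_matches(banner, name, value):
    """Local approximation of one filter value against one banner."""
    if name in ("port", "hash"):
        return banner.get(name) == int(value)
    if name == "net":
        return ipaddress.ip_address(banner["ip_str"]) in ipaddress.ip_network(value)
    if name == "city":
        return (banner.get("location", {}).get("city") or "").lower() == value.lower()
    if name == "hostname":
        return any(value.lower() in h.lower() for h in banner.get("hostnames", []))
    return value.lower() in str(banner.get(name) or "").lower()  # org, product, ...

def select(banners, query):
    """IPs of banners that satisfy every filter and contain every free-text term."""
    filters, terms = parse_query(query)
    return [b["ip_str"] for b in banners
            if all(t.lower() in b.get("data", "").lower() for t in terms)
            and all(any(field_matches(b, n, v) for v in vals) != neg
                    for n, vals, neg in filters)]

# Constructed sample banners (documentation IP ranges, not real hosts).
BANNERS = [
    {"ip_str": "192.0.2.10", "port": 23, "hash": 0, "data": "",
     "org": "Example Net", "location": {"city": "San Diego"}},
    {"ip_str": "192.0.2.20", "port": 1023, "hash": 1234, "data": "login:",
     "org": "Example Net", "location": {"city": "Austin"}},
    {"ip_str": "198.51.100.5", "port": 2222, "hash": 77, "data": "SSH-2.0-OpenSSH_8.9",
     "product": "OpenSSH", "org": "Example Wireless", "location": {"city": "San Diego"}},
    {"ip_str": "198.51.100.6", "port": 22, "hash": 78, "data": "SSH-2.0-OpenSSH_8.9",
     "product": "OpenSSH", "org": "Example Wireless", "location": {"city": "Denver"}},
]
```

Calling `select(BANNERS, 'port:23,1023 -hash:0')` keeps only the Telnet-port banner whose text is not empty, mirroring the `-hash:0` behaviour described above.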

- Download data

The Download Data button provides the option of downloading the search results in JSON, CSV or XML formats.

- Generate report

Generate Report lets you generate a report based on a search query. The report contains graphs/charts that give you a big-picture view of how the results are distributed across the Internet.

- Share Search Queries

Shared Search Queries are public queries that people can readily describe, tag and share for others to use. This is useful because finding specific devices requires knowledge about the software they run and how they respond to banner grabs over the Internet.

- Shodan Maps

Shodan Maps provides a way to explore search results visually instead of through the text-based main website. It displays up to 1,000 results at a time, and as you zoom in/out Maps adjusts the search query to only show results for the area you’re looking at.

All search filters that work for the main Shodan website also work on Maps.

- Shodan Exploits

Shodan Exploits collects vulnerabilities and exploits from CVE, Exploit DB and Metasploit to make them searchable via a web interface.

The following search filters are available:

author -> Author of the vulnerability/exploit

description -> Description

platform -> Platform that it targets (ex: php, windows, linux)

type -> Exploit type (ex: remote, dos)

- Shodan Images

For a quick way to browse all the screenshots that Shodan collects check out Shodan Images. It is a user-friendly interface around the has_screenshot filter.

The search box at the top uses the same syntax as the main Shodan search engine. It is most useful to use the search box to filter by organization or netblock.

Shodan Command-Line Interface

- SetUp

easy_install shodan

shodan init YOUR_API_KEY

- info

Obtain general information about your API plan, including how many query and scan credits you have remaining this month.

shodan info

- myip

Returns your Internet-facing IP address.

shodan myip

- alert

The alert command provides you the ability to create, list, clear and remove network alerts.

- convert

Convert the compressed JSON file generated by Shodan into a different file format. At the moment it supports output to kml and csv.

- count

Returns the number of results for a search query.

shodan count microsoft iis 6.0

- download

Search Shodan and download the results into a file where each line is a JSON banner.

By default it will only download 1,000 results. If you want to download more, look at the --limit flag (i.e. --limit 100 will print out the first 100 results).

shodan download microsoft-data microsoft iis 6.0

- parse

Use parse to analyze a file that was generated using the download command. It lets you filter out the fields that you’re interested in, convert the JSON to a CSV, and is friendly for piping to other scripts.

shodan parse --fields ip_str,port,org --separator , microsoft-data.json.gz

- host

See information about the host such as where it’s located, what ports are open and which organization owns the IP.

shodan host 189.201.128.250

- honeyscore

Check whether an IP address is a honeypot pretending to be an industrial control system.

shodan honeyscore 41.231.95.212

- scan

The scan command provides a few sub-commands but the most important one is submit which lets you perform network scans using Shodan.

shodan scan submit 202.69.165.20

- search

This command lets you search Shodan and view the results in a terminal-friendly way. By default it will display the IP, port, hostnames and data. You can use the --fields parameter to print whichever banner fields you’re interested in.

For example, to search Microsoft IIS 6.0 and print out their IP, port, organization and hostnames use the following command:

shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0

- stats

The stats command lets you print the facets for a search query.

For example, the following command shows the most popular countries where Apache web servers are located:

shodan stats --facets country apache

- stream

The stream command provides access to the real-time stream of data that the Shodan crawlers collect.

shodan stream --datadir /var/lib/shodan/

shodan stream --ports 80,8080

For example, to research telnet:

shodan stream --ports 23,1023,2323 --datadir telnet-data/ --limit 10000

API Scripts

- Nmap Script

https://nmap.org/nsedoc/scripts/shodan-api.html

nmap --script shodan-api x.y.z.0/24 -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'

nmap --script shodan-api -iL targets.txt -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'

nmap --script shodan-api --script-args 'shodan-api.target=x.y.z.a,shodan-api.apikey=SHODANAPIKEY'

nmap -sn -Pn -n --script=shodan-api --script-args 'shodan-api.apikey=XXXXXX' worldsworstwebsiteever.com

nmap -Pn -n --script=shodan-api --script-args 'shodan-api.apikey=XXXXXX' 10.10.10.10

- Shodan Sploit

https://github.com/shodansploit/shodansploit

- Script Collection from random-robbie

https://github.com/random-robbie/My-Shodan-Scripts/tree/master

- hunter_shodan

https://github.com/sh377c0d3/hunter_shodan/tree/master

- Smap

http://github.com/s0md3v/Smap

For passive port scan.

- Karma v2

https://github.com/Dheerajmadhukar/karma_v2

Automated Shodan.

- wtfis

https://github.com/pirxthepilot/wtfis

Maltego Add-On

The Shodan add-on for Maltego provides 2 new entities (Service and Exploit) and 5 transforms:

  • searchShodan

  • searchShodanByDomain

  • searchShodanByNetblock

  • toShodanHost

  • searchExploits

Browser Plug-Ins

The Shodan plugin tells you where the website is hosted (country, city), who owns the IP and what other services/ports are open.

https://addons.mozilla.org/es/firefox/addon/shodan-addon/

https://chromewebstore.google.com/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap
