By now, everyone should know what Shodan is, and how to use it. It’s been out for a couple of years, has had multiple presentations on it, and its capabilities have been added to at least a few tools out there (I believe) when used for reconnaissance. Shodan indexes a large amount of data, which is really helpful when searching for specific devices which happen to be connected to the internet.
In my case, I wanted to start adding signatures of different devices to EyeWitness, but I needed something that could quickly find the devices I wanted to write a signature for. Quite obviously, Shodan was my answer. Something else that I wanted to do was to stage multiple searches for different devices on Shodan. However, if I were to do this via the web interface, I would either have to perform a search, and then perform the new search, or manage a large number of tabs. I figured it would be easier to write a quick script that utilizes Shodan’s API (grab an API key here), as it would give me flexibility to script up a large number of searches for review later on. This resulted in a quick script to search Shodan, fittingly called ShodanSearch.
The simplest way to use this script is to call it with the -search option, and provide a string to search for. This is just like searching for a string on the website. So you could perform that search by typing something similar to the following:
./ShodanSearch.py -search Apache
And see something similar to this:
Another feature that can be useful is to search Shodan by IP. This will return everything Shodan has indexed about the services available on the provided IP. There are three different ways to do this within ShodanSearch: you can use the -ip, -cidr, or -f options. The -ip option will perform a Shodan search for a single IP address, the -cidr option will perform a search on Shodan for every IP within the provided CIDR network range, and the -f option will take a file that contains IPs, and search for all results on those IP addresses. Your searches could look similar to the following:
These last few search options have been helpful when my team is on assessments, and we just want to script up a way to see what’s been publicly indexed about our targets. Most of the time, it’s purely informational documents, but it’s something that has been valuable to our customers, so we provide it to them.
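As an added illustration (not code from ShodanSearch itself), the sketch below shows one way the three IP input styles can be merged into a single de-duplicated lookup list and summarised per address for an exposure report. The function names, the `max_addrs` cap and the `FakeClient` data are assumptions made for this example; in real use the client would be `shodan.Shodan(API_KEY)` from the official `shodan` Python library, whose `host()` call is mirrored here.

```python
import ipaddress

def expand_targets(ip=None, cidr=None, lines=(), max_addrs=4096):
    """Merge single-IP, CIDR and file-style input into one ordered, de-duplicated list."""
    seen, targets = set(), []

    def add(addr):
        text = str(addr)
        if text not in seen:
            seen.add(text)
            targets.append(text)

    if ip:
        add(ipaddress.ip_address(ip.strip()))
    if cidr:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        if net.num_addresses > max_addrs:  # hypothetical cap to protect API quota
            raise ValueError(f"{net} has {net.num_addresses} addresses, cap is {max_addrs}")
        for addr in net:  # every address in the range, as the post describes
            add(addr)
    for line in lines:
        entry = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if not entry:
            continue
        try:
            add(ipaddress.ip_address(entry))
        except ValueError:
            continue  # skip lines that are not IP addresses
    return targets

def indexed_services(client, targets):
    """Map each IP to the sorted (port, transport) pairs the index holds for it."""
    report = {}
    for ip in targets:
        try:
            host = client.host(ip)
        except Exception:  # the shodan library raises APIError for unindexed IPs
            report[ip] = []
            continue
        report[ip] = sorted({(b["port"], b.get("transport", "tcp")) for b in host.get("data", [])})
    return report

class FakeClient:
    """Constructed stand-in so the example runs offline; real use: shodan.Shodan(API_KEY)."""
    DATA = {"192.0.2.1": {"data": [{"port": 443, "transport": "tcp"}, {"port": 80}]}}
    def host(self, ip):
        if ip not in self.DATA:
            raise LookupError("No information available for that IP.")
        return self.DATA[ip]

if __name__ == "__main__":
    ips = expand_targets(ip="192.0.2.1", cidr="192.0.2.0/30", lines=["198.51.100.7  # web", "junk"])
    for ip, services in indexed_services(FakeClient(), ips).items():
        print(ip, services or "nothing indexed")
```

An empty list for an address means nothing is indexed for it, which is itself worth recording in the report.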
The only thing you’ll need to do to get up and running, is to add your Shodan API key in the script. After that, you should be good to go! Hope this helps, feel free to get in touch with me for any questions you may have.