Shodan是用于搜索连接到互联网的设备的工具。与搜索引擎可以帮助你找到网站不同,Shodan可以帮助你找到有关台式机,服务器,IoT设备等的信息。此信息包括元数据,例如在每个设备上运行的软件。
Shodan的常见用途包括网络安全,市场研究,网络风险,扫描IoT设备和跟踪勒索软件。本指南将侧重于在渗透测试中涉及的这些应用。
1.什么是Shodan?
Shodan是用于搜索互联网连接设备的搜索引擎。 它由John C. Matherly(@achillean)于2009年创建。
Shodan可让你探索互联网。发现连接在网络中的设备或网络服务,监视网络安全性,进行全球性统计等。
Shodan的网站/数据库引用了广泛的互联网端口扫描的结果。
2.Shodan接口
本节将展示连接Shodan的各种方法。我们可以通过主站、官方的python命令行界面工具和库,各种语言的社区驱动库以及官方的REST API与Shodan进行交互。
2.1 CLI工具
由python编写的shodan官方命令行界面(CLI),可在终端中快速使用。
2.1.1安装
在pyenv这样的虚拟python环境中:
$ easy_install shodan
在BlackArch上,可以安装以下软件包:
#pacman -S python-shodan
安装shodan CLI工具后,只需执行以下步骤即可设置API令牌:
$ shodan init
2.1.2命令概述
2.1.2.1 帮助(–help)
$ shodan –help
Usage: shodan [OPTIONS] COMMAND [ARGS]…
Options:
-h, –help Show this message and exit.
Commands:
alert Manage the network alerts for your account.
convert Convert the given input data file into a different format.
count Returns the number of results for a search.
data Bulk data access to Shodan.
domain View all available information for a domain.
download Download search results and save them in a compressed JSON file.
honeyscore Check whether the IP is a honeypot or not.
host View all available information for an IP address.
info Shows general information about your account.
init Initialize the Shodan command-line.
myip Print your external IP address.
org Manage your organization’s access to Shodan.
parse Extract information out of compressed JSON files.
radar Real-Time Map of some results as Shodan finds them.
scan Scan an IP/ netblock using Shodan.
search Search the Shodan database.
stats Provide summary information about a search query.
stream Stream data in real-time.
version Print version of this tool.
2.1.2.2 信息(info)
如果已设置API令牌,可以检查剩余的积分数:
$ shodan info
Query credits available: 100
Scan credits available: 100
查询积分(Query credits)用于搜索Shodan,扫描积分(Scan credits)用于扫描IP。
2.1.2.3 版本(version)
$ shodan version
1.21.2
2.1.2.4 计数
返回搜索查询的结果数。
$ shodan count openssh
23128
$ shodan count openssh 7
219
2.1.2.5 下载
搜索Shodan并将结果下载到文件中,其中每一行都是JSON语句。
默认情况下,仅下载1,000个结果,如果要下载更多结果,请查看–limit标志。
下载命令使你可以保存结果,然后使用parse
命令对其进行处理。
因此,如果你经常搜索相同的查询,将有助于你节省积分。
导出积分用于以以下速率从网站下载数据:1个导出积分可让你下载多达10,000个结果。它们是一次性的,这意味着一旦你使用它们,它们就不会在月初自动更新。但是,如果你没有导出积分,则可以使用1个查询积分来保存100个结果。
$ shodan download -h
Usage: shodan download [OPTIONS]
Download search results and save them in a compressed JSON file.
Options:
--limit INTEGER The number of results you want to download.
-1 to download all the data possible.
--skip INTEGER The number of results to skip when starting the download.
-h, --help Show this message and exit.
2.1.2.6 主机
查看有关主机的信息,例如主机的位置,打开的端口以及哪个组织拥有IP。
$ shodan host 1.1.1.1
1.1.1.1
Hostnames: one.one.one.one
Country: Australia
Organization: Mountain View Communications
Updated: 2020-01-21T22:26:00.168041
Number of open ports: 3
Ports:
53/udp
80/tcp
443/tcp
|-- SSL Versions: -SSLv2, -SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
$ shodan host 138.201.81.199
138.201.81.199
Hostnames: apollo.archlinux.org
Country: Germany
Organization: Hetzner Online GmbH
Updated: 2020-01-21T03:02:11.476262
Number of open ports: 4
Ports:
22/tcp OpenSSH (8.1)
25/tcp Postfix smtpd
80/tcp nginx (1.16.1)
443/tcp nginx (1.16.1)
|-- SSL Versions: -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3
2.1.2.7 myip
返回你的互联网IP地址:
$ shodan myip
199.30.49.210
2.1.2.8 parse
使用parse来分析使用download命令生成的文件。
此命令使你可以过滤出你感兴趣的字段,将JSON转换为CSV,并且便于通过管道传输到其他脚本中。
$ shodan parse -h
Usage: shodan parse [OPTIONS]
Extract information out of compressed JSON files.
Options:
--color / --no-color
--fields TEXT List of properties to output.
-f, --filters TEXT Filter the results for specific values using key:value
pairs.
-O, --filename TEXT Save the filtered results in the given file (append if
file exists).
--separator TEXT The separator between the properties of the search
results.
-h, --help Show this message and exit.
以下命令输出上述例子中下载的openssh数据的过滤数据:
$ shodan parse --fields location.country_code3,ip_str,hostnames -f port:2222 openssh-data.json.gz
ITA 89.107.109.247
HUN 193.6.173.187
FRA 77.87.111.110 pro-sip1.srv.proceau.net
USA 50.210.94.33
USA 35.130.36.118 035-130-036-118.biz.spectrum.com
AUT 80.120.19.180
JPN 124.155.95.212 v095212.ppp.asahi-net.or.jp
POL 83.144.70.114 83-144-70-114.static.chello.pl
BGR 84.238.200.8
AUT 80.120.19.168
USA 162.211.126.140
CAN 76.10.173.222 mail.nanoman.ca
USA 24.172.82.71 rrcs-24-172-82-71.midsouth.biz.rr.com
AUT 80.120.19.182
ITA 188.14.96.151 host151-96-static.14-188-b.business.telecomitalia.it
USA 216.67.111.198 216-67-111-198.static.acsalaska.net
USA 73.179.238.221 c-73-179-238-221.hsd1.fl.comcast.net
HKG 113.28.18.59 113-28-18-59.static.imsbiz.com
$ shodan parse --fields port,ip_str,location.city,location.postal_code -f location.country_code:FR --separator , openssh-data.json.gz
22,188.92.65.5,Hésingue,68220
2222,77.87.111.110,,
22,51.89.105.163,,
22,5.135.218.249,,
22,93.177.70.142,,
2222,81.250.129.207,Paris,75116
22,51.255.85.97,,
22,193.52.218.40,Aix-en-provence,13090
22,51.77.112.86,,
22,149.202.19.41,,
22,5.39.117.104,,
22,195.154.53.223,Beaumont,95260
22,37.71.132.198,,
22,178.33.71.35,,
22,212.83.188.179,Jouy-le-moutier,95280
2222,195.200.166.216,Berre-l'etang,13130
22,82.251.157.165,Paris,75004
2.1.2.9 搜索
此命令使你通过终端的方式搜索Shodan并查看结果。
默认情况下,它将显示IP,端口,主机名和数据。你可以使用–fields
参数来输出你感兴趣的任何字段。
一个简单的查询不会消耗任何积分,但是如果你使用搜索过滤器或请求第2页及以后的页面,则会消耗积分。
$ shodan search -h
Usage: shodan search [OPTIONS]
Search the Shodan database
Options:
--color / --no-color
--fields TEXT List of properties to show in the search results.
--limit INTEGER The number of search results that should be returned.
Maximum: 1000
--separator TEXT The separator between the properties of the search
results.
-h, --help Show this message and exit.
不扣积分的查询示例:
$ shodan search --fields ip_str,port,os smb
156.226.167.81 445 Windows Server 2008 R2 Datacenter 7601 Service Pack 1
156.243.104.194 445 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
91.230.243.89 445 Windows 10 Pro 16299
85.3.170.18 445 Windows 6.1
213.238.170.132 445 Windows Server 2012 R2 Standard 9600
154.208.176.81 445 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
103.235.171.78 445 Windows Server 2016 Datacenter 14393
102.130.40.85 445 Windows Server 2016 Standard 14393
50.3.151.113 445 Windows Server 2012 R2 Standard 9600
220.241.112.233 445 Windows Server 2019 Standard 17763
100.27.15.229 445 WWindows Server 2012 R2 Standard 9600
212.71.136.11 445 Unix
156.255.174.225 445 Windows Server 2008 R2 Datacenter 7601 Service Pack 1
156.232.162.239 445 WWindows Server 2008 R2 Enterprise 7601 Service Pack 1
186.210.102.132 445 Unix
154.94.153.34 445 Windows Server 2012 R2 Datacenter 9600
213.130.28.31 445 Windows 6.1
花费1个积分的查询示例(由于使用了过滤器):
$ shodan search --fields ip_str,port,org,info product:mongodb
165.22.3.203 27017 Digital Ocean
213.159.208.76 27017 JSC The First
209.6.48.11 27017 RCN
23.239.0.110 27017 Linode
52.220.230.134 27017 Amazon.com
47.91.139.188 27017 Alibaba
159.203.169.196 27017 Digital Ocean
49.233.135.180 27017 Tencent cloud computing
122.228.113.75 27017 WENZHOU, ZHEJIANG Province, P.R.China.
106.14.42.66 27017 Hangzhou Alibaba Advertising Co.,Ltd.
59.108.91.3 27017 Beijing Founder Broadband Network Technology Co.,L
115.29.176.18 27017 Hangzhou Alibaba Advertising Co.,Ltd.
148.251.46.75 27017 Hetzner Online GmbH
3.121.222.150 27017 Amazon.com
47.75.211.162 27017 Alibaba
200.219.217.122 27017 Equinix Brazil
2.1.2.10 扫描
$ shodan scan -h
Usage: shodan scan [OPTIONS] COMMAND [ARGS]...
Scan an IP/ netblock using Shodan.
Options:
-h, --help Show this message and exit.
Commands:
internet Scan the Internet for a specific port and protocol using the...
list Show recently launched scans
protocols List the protocols that you can scan with using Shodan.
status Check the status of an on-demand scan.
submit Scan an IP/ netblock using Shodan.
启动扫描将产生以下费用:1个扫描积分可让你扫描1个IP
默认情况下,扫描结果将显示到stdout,但是你可以将其保存到文件中以便以后解析。
$ shodan scan submit --filename 104.27.154.244_scan.json.gz 104.27.154.244
如果主机在最近24小时内已经被扫描,那么如果没有企业级账户,将无法再次扫描。
$ shodan scan submit --filename 104.27.154.244_scan.json.gz 104.27.154.244
Starting Shodan scan at 2020-01-22 23:46 - 100 scan credits left
No open ports found or the host has been recently crawled and cant get scanned again so soon.
你还可以查看之前启动的扫描及其ID和状态:
$ shodan scan list
# 2 Scans Total - Showing 10 most recent scans:
# Scan ID Status Size Timestamp
zmWj3RNgiPbiQjx9 PROCESSING 1 2020-01-22T22:49:39.037000
8J9yu7jqTQO7AIiP PROCESSING 1 2020-01-22T22:46:34.790000
不必强制使用–filename命令要去保存扫描结果。你可以简单地启动扫描而不保存它,然后借助扫描ID在以后下载结果:
$ shodan download --limit -1 scan-results.json.gz scan:zmWj3RNgiPbiQjx9
由于扫描是异步进行的,因此你可以随时检查扫描状态。
$ shodan scan status zmWj3RNgiPbiQjx9
DONE
在启动扫描时查看扫描ID,你可以使用verbose
模式:
$ shodan scan submit --verbose 13.226.145.4
Starting Shodan scan at 2020-01-23 00:00 - 97 scan credits left
# Scan ID: 3z6Cqf1CCyVLtc6P
# Scan status: DONE
拥有企业数据许可证的客户只需指定端口和协议/模块,就可以请求对整个Internet进行扫描。
$ shodan scan internet 8080 wemo-http
可用的协议和模块可以与shodan扫描协议一起列出。
2.1.2.11统计
提供有关搜索查询的摘要信息
$ shodan stats -h
Usage: shodan stats [OPTIONS]
Provide summary information about a search query
Options:
--limit INTEGER The number of results to return.
--facets TEXT List of facets to get statistics for.
-O, --filename TEXT Save the results in a CSV file of the provided name.
-h, --help Show this message and exit.
目测默认情况下,你只会获得前十名,而不是所有方面:
$ shodan stats nginx
Top 10 Results for Facet: country
US 13,598,596
CN 6,013,993
ZA 3,067,296
DE 1,560,114
HK 1,065,990
RU 869,931
FR 859,715
GB 555,946
NL 550,591
JP 526,386
Top 10 Results for Facet: org
Amazon.com 1,897,943
CloudInnovation infrastructure 1,288,280
Leaseweb USA 1,200,146
EGIHosting 1,131,973
DXTL Tseung Kwan O Service 1,052,688
Hangzhou Alibaba Advertising Co.,Ltd. 770,553
Digital Ocean 749,221
Asline Limited 680,364
Power Line Datacenter 678,264
Quantil Networks 585,935
但是我们可以自定义:
$ shodan stats --facets domain,port,asn --limit 5 nginx
Top 5 Results for Facet: domain
amazonaws.com 2,208,958
scalabledns.com 435,980
googleusercontent.com 308,114
t-ipconnect.de 225,276
your-server.de 180,711
Top 5 Results for Facet: port
80 10,019,366
443 5,300,058
5000 588,809
5001 563,208
8080 453,604
Top 5 Results for Facet: asn
as37353 2,447,679
as35916 1,878,181
as15003 1,508,786
as16509 1,236,249
as18779 1,132,180
2.2 网站
2.2.1 主界面
Shodan的主要界面是搜索引擎。
它的工作方式类似于CLI工具的搜索命令,但带有精美的WebUI来显示结果。它显示每个主机的摘要,与查询匹配的主机总数(如CLI的count命令)和一些统计信息(如stats命令)。
选择主机后,你将可以看到快照规范表,漏洞影响主机,开放端口和开放端口标识信息。
2.2.1.1 下载数据
搜索后,将显示“下载结果”按钮:
仅有JSON格式可以包含完整数据,并与Shodan CLI工具兼容。 而CSV格式将仅包含IP,端口,banner,组织和主机名。
Shodan不建议使用XML格式,因为XML比JSON占用更多的空间。
2.2.1.2 生成报告
Shodan可以基于搜索查询生成报告。
该报告包含图形/图表,可让你大致了解结果如何在Internet上分布。此功能是免费的,任何人都可以使用。
要生成报告,请在搜索结果页面上单击“创建报告”按钮:
生成报告通常需要花费几分钟,当Shodan准备好带有链接的报告后,你会收到一封电子邮件。报告是静态的,不会自动更新。
另外,你可以在报告页面上找到所有以前的报告。
2.2.2地图
用于搜索Shodan数据库的地图界面的工作方式类似于CLI的stats命令,但是根据主机的物理位置,在交互式地图中显示结果。
由于它不会显示超过1000个结果,因此你必须放大或缩小或四处移动才能显示其他结果。
2.2.3图片
图片是可检索的抓取设备截图的图库。
图像数据是从5种不同的源收集来的:VNC,远程桌面(RDP),RTSP,网络摄像头和X Windows。
has_screenshot:true
过滤操作可以在全局搜索引擎中使用,以仅保留具有屏幕截图的主机。
2.2.4漏洞利用
Exploits 是可一次在各种漏洞数据库中查找poc的搜索引擎。
2.2.5开发人员仪表板
开发人员信息中心会显示你的积分消费和API计划。
2.2.6 网络监控器
跟踪你架设在互联网上的设备。设置通知,启动扫描并完全监控你的服务器或设备。
监控仪表板可让你跟踪设备,在检测到可疑事件时提醒你,启动扫描并显示合成仪表板上的内容。
首先,添加要监视的IP,范围或域,然后选择通知服务。
然后,你可以管理资产,从此处可以启动扫描或修改触发规则。
你可以选择哪种事件将触发警报。
然后,仪表板将显示公开的服务。
2.2.7 ICS雷达
ICS Radar是由Shodan爬虫建立的工业控制系统(ICS)设备的3D地图。
2.2.8 Honeypot score
Honeypot or not?服务会将Honeyscore归因于一个IP地址(成为蜜罐的可能性)。
就像CLI的honeyscore命令一样,它只是API的抽象化:
$ shodan honeyscore 46.244.103.227
Not a honeypot
Score: 0.3
2.2.9 Shodan 2000
Shodan 2000类似于Tron的界面,可随机显示主机。
2.2.10社区查询
我们可以浏览社区其他用户导出和共享的查询结果。
共享查询具有标题,描述和标签,因此可以轻松浏览它们。
当然你也可以共享查询,请单击搜索结果页面上的“共享搜索”按钮。
2.3 REST API
Shodan带有REST API,可用于构建基于Shodan的Web应用程序服务,或者如果您喜欢的语言中尚不存在封装库,则可以创建库。
API的基本URL为:https://api.shodan.io,所有API方法的速率均限制为1 req / sec。
该API需要通过身份验证,因此,如果您忘记提供API密钥,则会收到HTTP 401错误。
使用curl查询API计划信息的示例:
curl -s https://api.shodan.io/api-info?key={YOUR_API_KEY} | jq
{
"scan_credits": 95,
"usage_limits": {
"scan_credits": 100,
"query_credits": 100,
"monitored_ips": 16
},
"plan": "dev",
"https": false,
"unlocked": true,
"query_credits": 94,
"monitored_ips": 2,
"unlocked_left": 94,
"telnet": false
}
另一个获取主机信息的查询:
curl -s https://api.shodan.io/shodan/host/1.1.1.1?key={YOUR_API_KEY} | jq
{
"region_code": null,
"ip": 16843009,
"postal_code": null,
"country_code": "AU",
"city": null,
"dma_code": null,
"last_update": "2020-01-25T15:55:54.880090",
"latitude": -33.494,
"tags": [],
"area_code": null,
"country_name": "Australia",
"hostnames": [
"one.one.one.one"
],
"org": "Mountain View Communications",
"data": [
{
"_shodan": {
"id": "f4218ca0-2728-4d7b-97f8-875f4f04149d",
"options": {
"referrer": "601b650e-3cc7-4189-babe-921fdf53a9e2",
"hostname": "www.1yhaoduo.com"
},
"ptr": true,
"module": "http",
"crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"
},
"hash": -237371161,
"os": null,
"opts": {},
"ip": 16843009,
"isp": "APNIC and Cloudflare DNS Resolver project",
"http": {
"html_hash": 1145258596,
"robots_hash": null,
"redirects": [],
"securitytxt": null,
"title": "DNS resolution error | www.1yhaoduo.com | Cloudflare",
"sitemap_hash": null,
"waf": "CloudFlare",
"robots": null,
"favicon": null,
"host": "www.1yhaoduo.com",
...
查看REST API文档以获取所有方法的完整说明。
2.4语言包(库)
要将工具与Shodan API接口,可以使用封装库之一。
官方库是用Python制作的,但是在Ruby,PHP,Haskell,Rust,Perl,Node.js,Go,PowerShell,Java和C#中也有公共库。
这里给出三个示例:
- Python – shodan-python
- Ruby – shodanz
- Node.js – shodan-client
2.4.1 Python – shodan-python
2.4.1.1安装
与CLI工具的安装相同,因为CLI工具是在python库上制作的,它们被打包在一起。
在像pyenv这样的虚拟python环境中:
$ easy_install shodan
在BlackArch上,可以安装以下软件包:
# pacman -S python-shodan
然后,API密钥将始终像我们的代码中那样进行初始化:
import shodan
SHODAN_API_KEY = 'API key here'
api = shodan.Shodan(SHODAN_API_KEY)
注意:该库适用于python 2和python 3,但由于不推荐使用python 2,因此我们仅使用python 3。
2.4.1.2示例
# 基本搜索示例:
try:
# Shodan搜索
results = api.search('apache')
## 输出结果
print('Results found: {}'.format(results['total']))
for result in results['matches']:
print('IP: {}'.format(result['ip_str']))
print(result['data'])
print('')
except shodan.APIError as e:
print('Error: {}'.format(e))
# 结果输出示例:
IP: 65.99.237.196
HTTP/1.1 200 OK
Date: Sat, 25 Jan 2020 16:07:19 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html
IP: 212.72.184.58
HTTP/1.1 200 OK
Date: Sat, 25 Jan 2020 16:07:29 GMT
Server: Apache/2.2.22 (Debian) mod_python/3.3.1 Python/2.7.3 mod_ssl/2.2.22 OpenSSL/1.0.1t
X-Powered-By: PHP/5.4.45-0+deb7u14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sat, 25 Jan 2020 16:07:29 GMT
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html
IP: 208.109.44.217
HTTP/1.1 404 Not Found
Date: Sat, 25 Jan 2020 16:07:20 GMT
Server: Apache
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
# 探测主机的可用端口示例:
try:
# 查找主机
host = api.host('1.1.1.1')
# 输出基本信息
print("""
IP: {}
Organization: {}
Operating System: {}
""".format(host['ip_str'], host.get('org', 'n/a'), host.get('os', 'n/a')))
# Print all banners
for item in host['data']:
print("""
Port: {}
Banner: {}
""".format(item['port'], item['data']))
except shodan.APIError as e:
print('Error: {}'.format(e))
# 结果输出示例:
IP: 1.1.1.1
Organization: Mountain View Communications
Operating System: None
Port: 80
Banner: HTTP/1.1 409 Conflict
Date: Sat, 25 Jan 2020 15:55:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d6241813d879cf2a39d03f5d6ce5a1abc1579967754; expires=Mon, 24-Feb-20 15:55:54 GMT; path=/; domain=.www.1yhaoduo.com; HttpOnly; SameSite=Lax
Cache-Control: max-age=6
Expires: Sat, 25 Jan 2020 15:56:00 GMT
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 55ab6f23aee09cbd-AMS
Port: 443
Banner: HTTP/1.1 301 Moved Permanently
Date: Sat, 25 Jan 2020 15:47:19 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 25 Jan 2020 16:47:19 GMT
Location: https://get.vitalsource.com/
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 55ab628f3b05acca-OTP
Port: 53
Banner: \x00\x00\x80\x83\x00\x01\x00\x00\x00\x01\x00\x00\t_services\x07_dns-sd\x04_udp\x05local\x00\x00\x0c\x00\x01\x00\x00\x06\x00\x01\x00\x00(\xac\x00@\x01a\x0croot-servers\x03net\x00\x05nstld\x0cverisign-grs\x03com\x00xf\xf1\xd4\x00\x00\x07\x08\x00\x00\x03\x84\x00\t:\x80\x00\x01Q\x80
# 显示统计信息示例:
# 我们想要的摘要信息的属性列表
FACETS = [
('org', 3),
'domain',
'port',
'asn',
('country', 10),
]
FACET_TITLES = {
'org': 'Top 3 Organizations',
'domain': 'Top 5 Domains',
'port': 'Top 5 Ports',
'asn': 'Top 5 Autonomous Systems',
'country': 'Top 10 Countries',
}
try:
# 查询
query = 'apache 2.4'
# 计算结果
result = api.count(query, facets=FACETS)
print('Shodan Summary Information')
print('Query: %s' % query)
print('Total Results: %s\n' % result['total'])
# 从列表facets中打印摘要信息
for facet in result['facets']:
print(FACET_TITLES[facet])
for term in result['facets'][facet]:
print('%s: %s' % (term['value'], term['count']))
# Print an empty line between summary info
print('')
except shodan.APIError as e:
print('Error: {}'.format(e))
# 结果输出示例:
Shodan Summary Information
Query: apache 2.4
Total Results: 64678
Top 3 Organizations
Liquid Web, L.L.C: 23199
Amazon.com: 7588
Hetzner Online GmbH: 1818
Top 5 Domains
amazonaws.com: 10679
telecom.net.ar: 1661
your-server.de: 1243
t-ipconnect.de: 664
vultr.com: 443
Top 5 Ports
80: 21212
443: 19890
8080: 3024
10000: 1723
8081: 1366
Top 5 Autonomous Systems
as53824: 13848
as32244: 9351
as16509: 6294
as24940: 1759
as7303: 1453
Top 10 Countries
US: 31090
DE: 5833
CN: 4554
BR: 3010
AR: 1809
JP: 1475
GB: 1168
IN: 1009
FR: 756
CA: 613
2.4.2 Ruby– shodanz
2.4.2.1安装
在rbenv的虚拟ruby环境中:
然后,API密钥进行初始化:
require 'shodanz'
api = Shodanz.client.new(key: 'YOUR_API_KEY')
对于生产项目,您可能希望通过环境变量SHODAN_API_KEY读取API密钥。
2.4.2.2示例
# 基本搜索示例:
# Search Shodan
results = api.host_search('apache')
# Show results
puts "Results found: #{results['total']}"
results['matches'].each do |result|
puts "IP: #{result['ip_str']}"
puts result['data'] + "\n"
end
# 结果输出示例:
IP: 154.218.139.58
HTTP/1.1 200 OK
Date: Tue, 28 Jan 2020 22:13:53 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Last-Modified: Wed, 26 Apr 2017 08:03:47 GMT
ETag: "52e-54e0d47a39ec0"
Accept-Ranges: bytes
Content-Length: 1326
Vary: Accept-Encoding
Content-Type: text/html
IP: 132.148.235.102
HTTP/1.1 200 OK
Date: Tue, 28 Jan 2020 22:13:53 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Fri, 10 May 2019 09:10:49 GMT
ETag: "a4edb-7ab-58884f152c219"
Accept-Ranges: bytes
Content-Length: 1963
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
IP: 112.126.140.94
HTTP/1.1 404 Not Found
Date: Tue, 28 Jan 2020 22:13:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
X-UA-Compatible: IE=EmulateIE7
Transfer-Encoding: chunked
Content-Type: text/html
# 探测主机的可用端口示例:
# Lookup the host
host = api.host('1.1.1.1')
# Print general info
puts "
IP: #{host['ip_str']}
Organization: #{host['org'] || 'n/a'}
Operating System: #{host['os'] || 'n/a'}
"
# Print all banners
host['data'].each do |item|
puts "
Port: #{item['port'] || 'n/a'}
Banner: #{item['data'] || 'n/a'}
"
end
# 结果输出示例:
IP: 1.1.1.1
Organization: Mountain View Communications
Operating System: n/a
Port: 443
Banner: HTTP/1.1 403 Forbidden
Server: cloudflare
Date: Tue, 28 Jan 2020 18:34:35 GMT
Content-Type: text/html
Content-Length: 553
Connection: keep-alive
CF-RAY: 55c50fb4e8149d5a-AMS
Port: 80
Banner: HTTP/1.1 409 Conflict
Date: Tue, 28 Jan 2020 17:26:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d189a930262f96d94a707a90d853a56bd1580232414; expires=Thu, 27-Feb-20 17:26:54 GMT; path=/; domain=.www.1yhaoduo.com; HttpOnly; SameSite=Lax
Cache-Control: max-age=6
Expires: Tue, 28 Jan 2020 17:27:00 GMT
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 55c4ac8fba63801a-SAN
Port: 53
Banner:
Recursion: enabled
Resolver ID: AMS
# 显示统计信息:
# The list of properties we want summary information on
FACETS = {
'org': 3,
'domain': 5,
'port': 5,
'asn': 5,
'country': 10,
}
FACET_TITLES = {
'org': 'Top 3 Organizations',
'domain': 'Top 5 Domains',
'port': 'Top 5 Ports',
'asn': 'Top 5 Autonomous Systems',
'country': 'Top 10 Countries',
}
# Query
query = 'apache 2.4'
# Count results
result = api.host_count(query, facets: FACETS)
puts 'Shodan Summary Information'
puts "Query: #{query}"
puts "Total Results: #{result['total']}\n"
# Print the summary info from the facets
result['facets'].each do |facet, _v|
puts FACET_TITLES[facet]
result['facets'][facet].each do |term|
puts "#{term['value']}: #{term['count']}"
end
# Print an empty line between summary info
puts ''
end
# 输出结果示例:
Shodan Summary Information
Query: apache 2.4
Total Results: 63939
Liquid Web, L.L.C: 23126
Amazon.com: 7843
Hetzner Online GmbH: 1798
amazonaws.com: 10398
telecom.net.ar: 1609
your-server.de: 1232
t-ipconnect.de: 629
vultr.com: 450
80: 21131
443: 19772
8080: 3023
10000: 1672
8081: 1372
as53824: 13810
as32244: 9316
as16509: 6138
as24940: 1740
as7303: 1410
US: 30877
DE: 5781
CN: 4432
BR: 2949
AR: 1757
JP: 1472
GB: 1168
IN: 1030
FR: 720
CA: 613
# 基于API流的异步支持
require 'async'
require 'shodanz'
api = Shodanz.client.new(key: 'YOUR_API_KEY')
# Asynchronously stream banner info from shodan and check any
# IP addresses against the experimental honeypot scoring service.
api.streaming_api.banners do |banner|
if ip = banner['ip_str']
Async do
score = api.rest_api.honeypot_score(ip).wait
puts "#{ip} has a #{score * 100}% chance of being a honeypot"
rescue Shodanz::Errors::RateLimited
sleep rand
retry
rescue # any other errors
next
end
end
end
注意:这个异步示例来自shodanz文档。
# 可用到的方法:
# Returns all the protocols that can be used when launching an Internet scan
api.protocols
# Returns a list of port numbers that the Shodan crawlers are looking for
api.ports
# Returns information about the Shodan account linked to this API key
api.profile
# Look up the IP address for the provided list of hostnames
api.resolve('archlinux.org', 'blackarch.org')
# Look up the hostnames that have been defined for the given list of IP addresses
api.reverse_lookup('138.201.81.199', '176.31.253.211')
# Get your current IP address as seen from the Internet
api.my_ip
# Calculates a honeypot probability score ranging from 0 (not a honeypot) to 1.0 (is a honeypot)
api.honeypot_score('1.1.1.1')
# API Plan Information
api.info
# Exploits API
puts client.exploit_count(port: 22, page: 1)
puts client.exploit_search('rce couchdb', type: 'remote', platform: 'linux', author: 'Metasploit')
你可以在此处找到更多示例,或阅读shodanz API文档。
2.4.3 Node.js – shodan客户端
2.4.3.1安装
在nodenv的虚拟nodejs环境中:
$ npm i shodan-client
然后,API密钥进行初始化:
const util = require('util');
const api = require('shodan-client');
const key = 'API key here';
2.4.3.2示例
# 基本搜索示例:
const searchOpts = {};
const searchQuery = 'apache';
api
.search(searchQuery, key, searchOpts) // Search Shodan
.then(results => {
console.log('Results found: ' + results['total'] + "\n"); // Show results
for (const result of results['matches']) {
console.log(`IP: ${result['ip_str']}`);
console.log(result['data'] + "\n");
}
})
.catch(err => {
console.log('Error:');
console.log(err);
});
# 结果输出示例:
Results found: 25855805
IP: 210.143.102.156
HTTP/1.1 302 Found
Date: Sat, 01 Feb 2020 18:45:43 GMT
Server: Apache/2.2.15 (Scientific Linux)
Location: https://210.143.102.156/
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1
IP: 52.168.162.242
HTTP/1.1 200 OK
Date: Sat, 01 Feb 2020 18:44:49 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 13 Aug 2019 14:51:43 GMT
ETag: "f11-59000c7615dc0"
Accept-Ranges: bytes
Content-Length: 3857
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/html; charset=UTF-8
Set-Cookie: pwcount=2;Secure;Path=/
Cache-Control: no-cache
IP: 217.160.91.209
HTTP/1.1 403 Forbidden
Date: Sat, 01 Feb 2020 18:45:18 GMT
Server: Apache
Content-Length: 1364
X-Frame-Options: deny
Content-Type: text/html
# 探测主机的可用端口示例:
const searchOpts = {};
const ip = '1.1.1.1';
api
.host(ip, key, searchOpts) // Lookup the host
.then(host => {
// Print general info
console.log(`
IP: ${host['ip_str']}
Organization: ${host['org'] || 'n/a'}
Operating System: ${host['os'] || 'n/a'}
`);
// Print all banners
for (const item of host['data']) {
console.log(`
Port: ${item['port'] || 'n/a'}
Banner: ${item['data'] || 'n/a'}
`);
}
})
.catch(err => {
console.log('Error:');
console.log(err);
});
# 结果输出示例:
IP: 1.1.1.1
Organization: Mountain View Communications
Operating System: n/a
Port: 443
Banner: HTTP/1.1 403 Forbidden
Server: cloudflare
Date: Sat, 01 Feb 2020 19:26:14 GMT
Content-Type: text/html
Content-Length: 553
Connection: keep-alive
CF-RAY: 55e650de89868020-SAN
Port: 80
Banner: HTTP/1.1 409 Conflict
Date: Sat, 01 Feb 2020 19:16:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=dd6d38c961c18135646e1681bd1f809ad1580584576; expires=Mon, 02-Mar-20 19:16:16 GMT; path=/; domain=.www.1yhaoduo.com; HttpOnly; SameSite=Lax
Cache-Control: max-age=6
Expires: Sat, 01 Feb 2020 19:16:22 GMT
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 55e64240bb5a801a-SAN
# 显示统计信息:
const FACETS = {
'org': 3,
'domain': 5,
'port': 5,
'asn': 5,
'country': 10,
};
const FACET_TITLES = {
'org': 'Top 3 Organizations',
'domain': 'Top 5 Domains',
'port': 'Top 5 Ports',
'asn': 'Top 5 Autonomous Systems',
'country': 'Top 10 Countries',
};
// https://github.com/jesusprubio/shodan-client/issues/34
// const opts = { facets: FACETS };
const opts = { facets: JSON.stringify(FACETS).replace(/["{}]/g, '') };
// Query
const query = 'apache 2.4';
api
.count(query, key, opts) // Count results
.then(result => {
console.log('Shodan Summary Information');
console.log(`Query: ${query}`);
console.log(`Total Results: ${result['total']}\n`);
// Print the summary info from the facets
for (const facet in result['facets']) {
console.log(FACET_TITLES[facet]);
for (const term of result['facets'][facet]) {
console.log(`${term['value']}: ${term['count']}`);
}
// Print an empty line between summary info
console.log('');
}
})
.catch(err => {
console.log('Error:');
console.log(err);
});
# 结果输出示例:
Shodan Summary Information
Query: apache 2.4
Total Results: 63112
Top 3 Organizations
Liquid Web, L.L.C: 22985
Amazon.com: 8614
Hetzner Online GmbH: 1797
Top 5 Domains
amazonaws.com: 10051
telecom.net.ar: 1600
your-server.de: 1220
t-ipconnect.de: 603
vultr.com: 429
Top 5 Ports
80: 21098
443: 19669
8080: 3040
10000: 1669
8081: 1411
Top 5 Autonomous Systems
as53824: 13725
as32244: 9260
as16509: 5941
as24940: 1750
as7303: 1383
Top 10 Countries
US: 30672
DE: 5780
CN: 4072
BR: 2931
AR: 1745
JP: 1415
GB: 1147
IN: 939
FR: 738
CA: 675
2.5插件
2.5.1 Firefox
该附加组件Shodan.io会检索收集你正在浏览当前网站的Shodan数据。它向你展示基本信息(例如组织)以及开放端口。
2.5.2 Chromium
Shodan插件会展示网站服务器的托管位置(国家/地区,城市),IP的所有者以及开放的端口或运行的服务。
Chrome的Shodan插件会自动检查Shodan是否具有当前网站的任何信息。目标网站是否还运行FTP,DNS,SSH或某些不寻常服务?使用此插件,您可以查看Shodan在指定的网站/域上收集的所有信息。
3.Shodan搜索查询语法
3.1 标语和属性
为了充分利用Shodan,了解搜索查询语法很重要。在Shodan的语法表中,标语是包含服务信息的对象。
在官方文档中,给出了以下简化的标语示例:
{
"data": "Moxa Nport Device
Status: Authentication disabled
Name: NP5232I_4728
MAC: 00:90:e8:47:10:2d",
"ip_str": "46.252.132.235",
"port": 4800,
"org": "Starhub Mobile",
"location": {
"country_code": "SG"
}
}
字典的每个键都称为一个属性(data,ip_str,端口等)。每个属性存储有关服务的不同类型的信息。
默认情况下,Shodan仅在未提供过滤条件的情况下查看data属性。
3.2 搜索过滤条件
您可以通过搜索Moxa Nport设备找到上一个示例标语,但是如果您从Starhub Mobile中搜索设备,则不会返回预期的结果。正如前面所说,这是因为Shodan默认情况下仅搜索data属性!
要使用其他属性搜索数据,我们必须使用过滤器。
搜索过滤条件是特殊的关键字,用于告诉Shodan你希望搜索特定的属性。
过滤条件的格式设置为key:value
示例:
- 要搜索位于Starhub移动网络中的设备:
- org:”Starhub Mobile”
- 要搜索位于新加坡的设备:
- country:SG
- 当然可以将它们组合在一起:
- org:”Starhub Mobile” country:SG
Properties/filters specification
这是标语属性的完整列表(来源:官方文档)。
一般属性:
可选属性:
SSL属性
4.Shodan dorks和使用案例
Shodan已经给出了CLI的简单示例。
1. 易受心脏滴血漏洞影响的设备数量:
$ shodan count vuln:cve-2014-0160
80467
2. 获取域的子域名列表
$ shodan domain cnn.com
CNN.COM
A 151.101.193.67
A 151.101.129.67
A 151.101.65.67
A 151.101.1.67
...
newsroom.blogs CNAME cnnnewsroom.wordpress.com
newsstream.blogs CNAME cnninewsstream.wordpress.com
now CNAME www.cnn.com
ntm.blogs CNAME ntm.blogs.cnn.com.edgesuite.net
olympics.blogs CNAME olympics.blogs.cnn.com.edgesuite.net
olympics.edition CNAME cnn.site.scribblelive.com
on A 157.166.224.172
outfront.blogs CNAME cnnoutfront.wordpress.com
pagingdrgupta.blogs CNAME cnnpagingdrgupta.wordpress.com
parkerspitzer.blogs CNAME cnnparkerspitzer.wordpress.com
...
3.为你的网络创建一个私人防护并订阅它
$ shodan alert create mynetwork 198.20.58.0/24 && shodan stream --alerts=all
4.查找位于瑞士的服务器最常见的10个漏洞
$ shodan stats --facets vuln country:CH
Top 10 Results for Facet: vuln
cve-2018-1312 36,562
cve-2017-7679 31,109
cve-2019-0220 28,882
cve-2016-8612 27,638
cve-2018-17199 26,706
cve-2016-4975 26,560
cve-2018-1283 25,477
cve-2017-15715 25,477
cve-2017-15710 25,477
cve-2017-7668 23,261
我们将继续进行一些公开共享的查询:
5.D-Link网络摄像机DCS-5300系列,无需身份验证
$ shodan search 'd-Link Internet Camera, 200 OK'
6.启用匿名身份验证的FTP服务器
$ shodan search '230 login successful port:21'
7.数据库
# MySQL
$ shodan search 'product:MySQL'
# MongoDB
$ shodan search 'product:MongoDB'
# elastic
$ shodan search 'port:9200 json'
# Memcached
$ shodan search 'product:Memcached'
# CouchDB
$ shodan search 'product:CouchDB'
# PostgreSQL
$ shodan search 'port:5432 PostgreSQL'
# Riak
$ shodan search 'port:8087 Riak'
# Redis
$ shodan search 'product:Redis'
# Cassandra
$ shodan search 'product:Cassandra'
8.游戏
# Minecraft
$ shodan search 'Minecraft Server port:25565'
# Counter-Strike: Global Offensive
$ shodan search 'product:"Counter-Strike Global Offensive"'
# Starbound
$ shodan search 'product:Starbound'
# ARK: Survival Evolved
$ shodan search 'product:"ARK Survival Evolved"'
9.工业控制系统
# XZERES Wind Turbine
$ shodan search 'title:"xzeres wind"'
# PIPS Automated License Plate Reader
$ shodan search 'html:"PIPS Technology ALPR Processors"'
# Modbus
$ shodan search 'port:502'
# Niagara Fox
$ shodan search 'port:1911,4911 product:Niagara'
# GE-SRTP
$ shodan search 'port:18245,18246 product:"general electric"'
# MELSEC-Q
$ shodan search 'port:5006,5007 product:mitsubishi'
# CODESYS
$ shodan search 'port:2455 operating system'
# S7
$ shodan search 'port:102'
# BACnet
$ shodan search 'port:47808'
# HART-IP
$ shodan search 'port:5094 hart-ip'
# Omron FINS
$ shodan search 'port:9600 response code'
# IEC 60870-5-104
$ shodan search 'port:2404 asdu address'
# DNP3
$ shodan search 'port:20000 source address'
# EtherNet/IP
$ shodan search 'port:44818'
# PCWorx
$ shodan search 'port:1962 PLC'
# Crimson v3.0
$ shodan search 'port:789 product:"Red Lion Controls"'
# ProConOS
$ shodan search 'port:20547 PLC'
10.ASCII视频示例
Shodan on asciinema.org
11.被黑的Ubiquiti Networks设备
$ shodan search 'hacked-router-help-sos'
12.监控摄像头,用户:admin,无密码
13.家用路由器的存储设备/附加的USB存储设备
$ shodan search 'IPC$ all storage devices'
14.无需身份验证的PBX电话网关
$ shodan search 'port:23 console gateway -password'
15.Lantronix以太网适配器的管理界面,无需密码
$ shodan search 'Press Enter for Setup Mode port:9999'
16.Polycom视频会议系统免认证shell
$ shodan search '"polycom command shell"'
17.未经身份验证的VNC服务器
$ shodan search '"authentication disabled" port:5900,5901'
18.NPort串口转eth / MoCA设备无密码
$ shodan search 'nport -keyin port:23'
一些 PenTestIT 查询:
1.Jenkins默认安装
$ shodan search 'http.favicon.hash:81586312'
2.SonarQube安装
$ shodan search 'http.favicon.hash:1485257654'
3.IBM WebSphere版本泄漏
$ shodan search 'WASRemoteRuntimeVersion'
最后,提供了一系列搜索查询:Awesome Shodan Search Queries
- Website
- GitHub
5.应用Shodan的工具
- https://developer.shodan.io/apps
- https://github.com/BullsEye0/shodan-eye
- https://www.rapid7.com/db/modules/auxiliary/gather/shodan_search
- https://github.com/s0md3v/Striker
- https://github.com/lanmaster53/recon-ng
- https://github.com/smicallef/spiderfoot
- https://github.com/DefensePointSecurity/threat_note
- https://github.com/OWASP/Amass
- https://github.com/woj-ciech/Kamerka-GUI
- https://github.com/random-robbie/My-Shodan-Scripts
- https://github.com/jakejarvis/awesome-shodan-queries
- https://github.com/pielco11/fav-up
ShodanSploit
它允许你使用终端上的所有Shodan访问并进行详细查询。
Github repository: https://github.com/shodansploit/shodansploit
安装:
git clone https://github.com/ismailtasdelen/shodansploit.git
cd shodansploit
python shodansploit.py
docker run -t ismailtasdelen/shodansploit
Docker运行:
docker run –rm -it ismailtasdelen/shodansploit
菜单:
[1] GET > /shodan/host/{ip}
[2] GET > /shodan/host/count
[3] GET > /shodan/host/search
[4] GET > /shodan/host/search/tokens
[5] GET > /shodan/ports
[6] GET > /shodan/exploit/author
[7] GET > /shodan/exploit/cve
[8] GET > /shodan/exploit/msb
[9] GET > /shodan/exploit/bugtraq-id
[10] GET > /shodan/exploit/osvdb
[11] GET > /shodan/exploit/title
[12] GET > /shodan/exploit/description
[13] GET > /shodan/exploit/date
[14] GET > /shodan/exploit/code
[15] GET > /shodan/exploit/platform
[16] GET > /shodan/exploit/port
[17] GET > /dns/resolve
[18] GET > /dns/reverse
[19] GET > /labs/honeyscore/{ip}
[20] GET > /account/profile
[21] GET > /tools/myip
[22] GET > /tools/httpheaders
[23] GET > /api-info
[24] Exit
Fav-Up
描述:从favicon图标开始并使用Shodan来查找真实IP。
安装:
由于spicy语法,至少需要python3.6。
git clone https://github.com/pielco11/fav-up.git
pip3 install -r requirements.txt
命令概述:
示例:
Favicon-file:
python3 favUp.py –favicon-file favicon.ico -sc
Favicon-url
python3 favUp.py –favicon-url https://domain.behind.cloudflare/assets/favicon.ico -sc
Web
python3 favUp.py –web domain.behind.cloudflare -sc
插件:
from favUp import FavUp
f = FavUp()
f.shodanCLI = True
f.web = "domain.behind.cloudflare"
f.show = True
f.run()
for result in f.faviconsList:
print(f"Real-IP: {result['found_ips']}")
print(f"Hash: {result['favhash']}")
相关信息:https://pielco11.ovh/posts/cloud-hunting/
6.shodan高级应用案例
- Pivoting with Property Hashes
- Working with Shodan Data Files
- Create a GIF from an IP Image History
7.Shodan同类型工具
网络搜索替代产品
- Onyphe – 类似于Shodan,但除了扫描之外,它还从被动DNS查询,威胁列表查询和模糊站点查询中爬取数据。 但是,免费版本比Shodan更受限制。
- ZoomEye – 与Shodan非常相似,它具有大量的高级筛选规则,这些记录比Shodan的记录更先进,并且有大量的预设查询。还有一个很棒的免费API接口。
- Censys –像Shodan一样,它也具有跟踪网络变化,发送警报等的功能。似乎没有免费的API计划,唯一免费的是使用它。
- thingful – 仅针对物联网设备的搜索引擎。
- FOFA – 就像Shodan一样,它也具有CLI工具以及Java,Go,C和Python库。
- Greynoise – 就像Shodan,没有免费的API计划,只有Web可视化工具访问。但也具有python库和CLI工具。
- BinaryEdge – 像Shodan一样,有搜索引擎,蜜罐/服务器监测器,但有一个不常见的功能:Torrents / DHT Monitoring。有免费的Web和API计划。
开源自动托管替代产品
- IVRE – Source >具有WebUI和CLI工具,是一个网络侦查框架,包括用于被动侦查(依赖于Bro,Argus,Nfdump的流分析,基于Bro和p0f的指纹分析)和主动侦查(IVRE使用Nmap进行扫描,可以使用ZMap作为预扫描工具)的工具; IVRE还可以从Nmap和Masscan导入XML输出。
- purplepee – Source >允许你查看有关网站的HTTP标头、DNS记录、SSL证书和开放的TCP端口以及ASN whois信息的大概关系。除了开源项目,还在线托管了一个公共实例。
References
- SHODAN for Penetration testers
- Shodan – CLI Snippets
- Shodan Command-Line Interface
- Shodan library documentation
- Shodan help center
- 本文中直接引用了更多参考