Shodan for Blue Team — Part 2

JSaxena
8 min read, Sep 1, 2023

Introduction:

This post builds upon my previous blog post, where I explained simple Shodan searches using the Shodan search filters. Those searches help a blue team spot unusual instances of internet exposure that could pose a security risk.

In this blog, I will showcase the same kind of Shodan searches from the CLI, which can be followed in a systematic manner (and repeated on a schedule) to streamline Shodan-based monitoring.

To start with the CLI-based searches, we first need to install the Shodan CLI (Command Line Interface) on the system, whether it runs Windows, Linux or macOS.

  1. Install Python: download it from the official Python website (https://www.python.org/downloads/).
  2. Shodan Account: If you don’t have one already, sign up for a Shodan account at https://www.shodan.io/. You will need an API key to use the Shodan CLI. Signing up for an account is FREE.
  3. Install Shodan Module: Open your terminal or command prompt and run the following command to install the Shodan module (which ships the shodan CLI) using pip, the Python package manager:
    pip install shodan
  4. API Key Configuration: Once the Shodan module is installed, configure your API key:
    shodan init YOUR_API_KEY
    Replace YOUR_API_KEY with the actual API key from your Shodan account page. The key is written to a plain-text file under your home directory, so protect it like any other credential and do not commit it to scripts or repositories.
  5. Verify Installation: To verify that the installation was successful and the API key is correctly configured, run:
    shodan info

This command displays information about your Shodan account, including the query credits and scan credits you have left; several of the commands below consume those credits.

Next, let's run a basic search with the Shodan CLI and see what the output looks like in the terminal.

The shodan search subcommand runs a query and prints the matching results one per line, so they can be read, filtered or piped into other tools without leaving the terminal environment.

Search 1: Basic Search

In this search, we query the same network segment that we used in the previous blog (i.e. 118.69.133.0/24) and display up to 10 results with the fields IP address, port, hostname, OS, country and city.

The --fields parameter restricts the output to only the fields you are interested in.

If we don't specify a limit, the CLI returns 100 results by default, and the most a single search can return is 1,000. To display only 10, use the --limit flag, e.g. --limit 10.

shodan search net:118.69.133.0/24 --fields ip_str,port,hostnames,os,country,city --limit 10

Only the IP address, port and hostname columns come back populated. This is not a bug in --fields: country and city are not top-level banner properties but live under location, so they have to be requested by their nested names, location.country_name (or location.country_code) and location.city. The os property is top-level but is null for most banners, so it also prints as an empty column.

Search 2: Adding more search operators

In the next search, rather than searching a network segment, search by organization name along with country and city. The fields to display are IP address, port, hostname, os, country and city, with a limit of 10. Filter names are lowercase (city:, not City:), and the nested location.* names are used for country and city so those columns are actually populated.

shodan search org:"Amazon" country:IN city:Delhi --fields ip_str,port,hostnames,os,location.country_name,location.city --limit 10

Search 3: Blind Search

This search is the same as Search 7 of my previous blog: a blind Shodan search for the string “Your files have been encrypted” (the text of a typical ransomware note left on a compromised service), limited to 10 results and without the screenshot filter.

shodan search "Your Files Have Been Encrypted" --limit 10

Search 4: Exporting Results In a File

In this search, I look for port 21 (FTP); the result fields are IP address, port and organization, with a limit of 5 results, and the output is redirected into a file (here named list.txt, but any filename works).

shodan search --fields ip_str,port,org port:21 --limit 5 > list.txt

To review the results, use cat list.txt. Saving each run to a file is also what makes later comparison between runs possible.

Search 5: Combine Search Operator with Separator

In this search, the title is “Citrix Gateway” running on port 9000 with a limit of 15 results. The key addition is the --separator parameter: the CLI separates fields with a tab by default, and here a comma (,) is used instead so the output is already CSV-like.

Any string can be used as the separator in the Shodan CLI, for example a hyphen (-); pick one that does not occur inside the fields you export.

shodan search 'title="Citrix Gateway"' --fields ip_str,port,org port:9000 --limit 15 --separator ","

Search 6: Using AWK

In this example, we perform a Shodan search for the favicon hash -305179312 (Confluence Server) with a limit of 5 results and reshape the output with awk.

The command below searches Shodan for that favicon hash, selects specific fields from the results, and then pipes them through awk (GAWK on Windows) to print them in a custom format. Because the CLI separates fields with a tab by default, awk is told to split on tabs with -F'\t'; with awk's default whitespace splitting, a multi-word title or organization name would be scattered across several columns and shift everything after it. The final output is a list of results in the format IP:Port,Title,Organization,City,Country.

shodan search 'http.favicon.hash:-305179312' --fields ip_str,port,title,org,location.city,location.country_name --limit 5 | awk -F'\t' '{print $1":"$2","$3","$4","$5","$6}'

$1, $2, $3, $4, $5, $6 are the tab-delimited columns of the input. Here’s how they correspond to the Shodan fields:

  • $1 corresponds to ip_str
  • $2 corresponds to port
  • $3 corresponds to title
  • $4 corresponds to org
  • $5 corresponds to location.city
  • $6 corresponds to location.country_name
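The tab-separator point above matters more than it looks, so here is a runnable illustration. This is an added example, not code from the original post: it feeds a constructed sample of shodan search output (made-up rows, nothing is fetched from Shodan) through awk with its default whitespace splitting and then with -F'\t', and shows how a multi-word title wrecks the columns in the first case and survives in the second, including a row with an empty title.

```bash
#!/bin/sh
# Added example (not from the original post): reshape `shodan search` output
# with awk. The CLI separates fields with a TAB by default, so awk has to be
# told to split on tabs; its default whitespace splitting breaks on the spaces
# inside titles and organisation names. Nothing here talks to Shodan.

# Constructed sample of what this command prints (the rows are made up):
#   shodan search 'http.favicon.hash:-305179312' \
#     --fields ip_str,port,title,org,location.city,location.country_code --limit 3
# The third row has no title, which the CLI prints as an empty field between tabs.
SAMPLE="$(printf '203.0.113.10\t8090\tLog in - Confluence\tExample Hosting Ltd\tDelhi\tIN
198.51.100.7\t443\tConfluence\tACME Corp\tNew York\tUS
192.0.2.55\t8443\t\tExample Telecom\tMumbai\tIN')"

# awk with its default splitting: any run of whitespace separates fields, so
# "Log in - Confluence" is spread over $3..$6 and every later column shifts.
format_naive() {
  awk '{print $1":"$2","$3","$4","$5","$6}'
}

# Tab-aware version: -F'\t' makes each tab-delimited column one awk field and
# OFS="," joins them, so empty fields stay in place and titles survive intact.
format_tsv() {
  awk -F'\t' 'BEGIN { OFS = "," } { print $1 ":" $2, $3, $4, $5, $6 }'
}

# Demonstration with the constructed sample.
echo "default splitting (broken columns):"
printf '%s\n' "$SAMPLE" | format_naive
echo "tab-aware:"
printf '%s\n' "$SAMPLE" | format_tsv
```

If a title itself contains a comma, the comma-joined output still needs CSV quoting; for anything beyond a quick look, shodan download followed by shodan parse (Searches 12 and 13) gives you the fields directly without a second parsing step.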

Shodan stats

shodan stats runs facet queries and returns summary information for a search instead of the individual results. A facet is a banner property such as city, port or org; Shodan returns the breakdown of the top values of that property across everything matching the query, which makes it a cheap way to answer questions like “which ports are open across my range?” without paging through every result.

Search 7: Diving into Facet

In this Shodan query, the command requests the city facet, limited to the top 5 values, for all results matching the term “telnet”. The output shows how the matching hosts are distributed across cities.

shodan stats --facets city:5 telnet

Search 8: Combine Facet with Stats Operators

The vuln and tag filters are premium filters and are not available on the free/basic Shodan plan.

In this scenario, we use stats with the vuln facet to list the top vulnerabilities (CVE identifiers) Shodan has associated with the organization “WeWork” in India. Since no count is given for the facet, stats shows the top 10 values. Treat these as leads rather than confirmed findings: Shodan infers most CVEs from the software version in the banner and does not verify that the host is actually exploitable.

shodan stats --facets vuln country:IN org:WeWork

Search 9: Get Facet for a Network Segment

The query below is another use of shodan stats: it shows the top 10 ports, with counts, across a sample network segment. This is pretty useful if you have to monitor your company's IP range, because a port that appears in the breakdown for the first time is a new exposure.

shodan stats --facets port net:118.69.133.0/24 
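Turning that port breakdown (and the redirect-to-file trick from Search 4) into an actual monitor means keeping last week's output and diffing it against today's. The script below is an added example and not part of the original post: it takes two saved ip<TAB>port listings, the shape that shodan search --fields ip_str,port net:<range> prints, reports exposures that appeared or disappeared, and flags new ones on ports worth an immediate look. The two snapshots are constructed data and the risky-port list is an assumption to tune for your environment.

```bash
#!/bin/sh
# Added example (not from the original post): turn two saved runs of
#   shodan search --fields ip_str,port net:<your range> --limit 1000 > <file>
# into a list of exposures that appeared or disappeared between runs.
# All snapshot data below is constructed; nothing here talks to Shodan.
export LC_ALL=C   # sort and comm must agree on collation

# Constructed baseline snapshot (last week) and current snapshot (today),
# in the ip<TAB>port shape the CLI prints with --fields ip_str,port.
BASELINE="$(printf '203.0.113.10\t443\n203.0.113.10\t22\n203.0.113.25\t443')"
CURRENT="$(printf '203.0.113.10\t443\n203.0.113.25\t443\n203.0.113.25\t3389\n203.0.113.40\t21\n203.0.113.60\t443')"

# Assumed watch list: ports whose appearance on an external range should
# page someone. Tune for your environment.
RISKY_PORTS="21 23 445 3389"

# Print the ip<TAB>port lines present in file $2 but absent from file $1.
# Both files are deduplicated and sorted first, as comm requires.
only_in_second() {
  _a=$(mktemp); _b=$(mktemp)
  sort -u "$1" > "$_a"
  sort -u "$2" > "$_b"
  comm -13 "$_a" "$_b"
  rm -f "$_a" "$_b"
}

# $1 = baseline file, $2 = current file
new_exposures()    { only_in_second "$1" "$2"; }   # appeared since baseline
closed_exposures() { only_in_second "$2" "$1"; }   # disappeared since baseline

# Keep only the ip<TAB>port lines whose port is in RISKY_PORTS, as ip:port.
flag_risky() {
  awk -F'\t' -v risky="$RISKY_PORTS" '
    BEGIN { n = split(risky, p, " "); for (i = 1; i <= n; i++) r[p[i]] = 1 }
    ($2 in r) { print $1 ":" $2 }'
}

# Demonstration with the constructed snapshots.
base_file=$(mktemp); cur_file=$(mktemp)
printf '%s\n' "$BASELINE" > "$base_file"
printf '%s\n' "$CURRENT"  > "$cur_file"
echo "New exposures:";    new_exposures    "$base_file" "$cur_file"
echo "Closed exposures:"; closed_exposures "$base_file" "$cur_file"
echo "New risky ports:";  new_exposures    "$base_file" "$cur_file" | flag_risky
rm -f "$base_file" "$cur_file"
```

Run the search on a schedule (cron, a CI job), keep each day's file, and feed yesterday's and today's into new_exposures; anything it prints is a change to your external attack surface that nobody told you about. Remember that a single search returns at most 1,000 results, so very large ranges need to be split into smaller net: queries before the diff is trustworthy.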

Search 10: Shodan Scan for an IP address

Shodan scans the entire Internet on an ongoing basis, revisiting the whole address space at least weekly. Using the Shodan CLI one can also initiate an on-demand scan of a network segment or IP address, which is useful right after a change when you do not want to wait for the next crawl.

Please note: on-demand scans consume scan credits, not query credits, at one scan credit per IP address; how many you have depends on your API plan. As a blue team, stick to ranges you own or are authorized to assess.

In this Shodan query, Shodan is asked to scan the IP address 8.8.4.4:

shodan scan submit 8.8.4.4

In the same way one can submit a scan for a network segment, e.g. shodan scan submit 86.57.198.0/24 (a /24 costs 256 scan credits).

The scan runs asynchronously and takes time to complete (roughly 5–10 minutes per IP). Check its progress with shodan scan status <scan id> and review the refreshed banners afterwards with shodan host <ip>.

Search 11: Domain Details Search

shodan domain: giving Shodan a domain name returns its DNS records and the subdomains Shodan has discovered, along with their corresponding IP addresses. Shodan keeps this data refreshed as the target's DNS changes, so re-running the command periodically is a cheap way to catch new subdomains pointing at infrastructure you did not know about.

The domain query below is run for the organization WeWork.

shodan domain wework.com

Search 12: Download Shodan Results In a File

shodan download consumes query credits (one credit per 100 results returned); shodan parse works on the downloaded file locally and costs nothing.

shodan download runs a search and saves the raw results to a local data file.

The Shodan CLI query below performs a search with specific filters, results with “Microsoft” as the organization and “CH” (Switzerland) as the country, then downloads the first 50 results and saves them in a compressed JSON file named testresults.json.gz.

shodan download testresults.json.gz org:Microsoft country:CH --limit 50

The saved file contains the full JSON banner for every result, not just the fields you would have displayed, and is the input for shodan parse.

Search 13: Parse the results and Save in a Local File

Use parse to analyze a file that was generated with the download command. It lets you pick out the fields you’re interested in, converts the JSON to CSV, and is friendly for piping to other scripts. For example, here’s the command to output the IP address, port and organization in CSV (nested names such as location.city work here too):

shodan parse --fields ip_str,port,org testresults.json.gz

Because parse reads the compressed JSON locally, you can extract different fields from the same download as often as you like without spending further credits.

Search 14: Convert the results into Different Formats

The shodan convert command transforms downloaded Shodan results into different output formats. This is particularly useful when you want to work with the results outside of the Shodan platform or hand them to other tools or systems. It converts the raw JSON from shodan download into formats that are more convenient for your needs.

shodan convert testresults.json.gz xlsx

Here’s the basic breakdown of the shodan convert command:

  • testresults.json.gz corresponds to the input file (the local file saved by shodan download)
  • xlsx corresponds to the output format (the desired format to convert the results to; other options include csv, kml and geo.json; run shodan convert --help for the current list)

The original post shows a screenshot of the resulting .xlsx file at this point.

That's all the Good Stuff, let's move to the conclusion now.

Conclusion:

The Shodan CLI is a powerful tool that cyber security blue teams can use to monitor their external networks. You can use the CLI to automate tasks and create custom scripts, which helps with jobs such as running regular searches against your ranges or gathering data for reports.

The Shodan CLI is also portable: it runs on any computer that has a terminal, so you can use it on your home computer, your work computer, or from a cloud server.

By using the Shodan CLI, blue teams can gain insight into their external networks in a more formalized way and identify potential security risks by repeating a few commands regularly (daily or weekly), saving the output, and comparing each run with the previous one. This information can be used to improve the security posture of the organization and protect against cyber attacks.

My next blog will be talking about automating even these manual tasks and making Shodan monitoring a source of generating detections and triggering security events. Stay Tuned!

Go Back to Part 1: https://medium.com/@jsaxena017/shodan-for-blue-team-part-1-325ffeba71ab
