Shodan-Cli

Basic usage of shodan

Initialization

shodan init {YOUR_API_KEY}

Check remaining usage quota

shodan info

HELP

shodan --help

  alert       Manage the network alerts for your account
  convert     Convert the given input data file into a different format.
  count       Returns the number of results for a search
  data        Bulk data access to Shodan
  domain      View all available information for a domain
  download    Download search results and save them in a compressed JSON...
  honeyscore  Check whether the IP is a honeypot or not.
  host        View all available information for an IP address
  info        Shows general information about your account
  init        Initialize the Shodan command-line
  myip        Print your external IP address
  org         Manage your organization's access to Shodan
  parse       Extract information out of compressed JSON files.
  radar       Real-Time Map of some results as Shodan finds them.
  scan        Scan an IP/ netblock using Shodan.
  search      Search the Shodan database
  stats       Provide summary information about a search query
  stream      Stream data in real-time.
  version     Print version of this tool.

search & download

$ shodan search --help
Usage: shodan search [OPTIONS] <search query>

Search the Shodan database

Options:
  --color / --no-color
  --fields TEXT         List of properties to show in the search
                        results.

  --limit INTEGER       The number of search results that should
                        be returned. Maximum: 1000

  --separator TEXT      The separator between the properties of
                        the search results.

  -h, --help            Show this message and exit.

Basic queries

The syntax is the same as on the web interface; you can also filter by product, region, and so on.

Search for weblogic

shodan search product:weblogic

Output only specified fields

Results where the product is weblogic and the country is CN, showing only the IP, port, organization, and hostnames.

shodan search --fields ip_str,port,org,hostnames product:weblogic country:"CN"

You can then use --limit to set the number of results and --separator to separate the fields with a given character.

$ shodan search --fields ip_str,port product:weblogic country:"CN" --limit 2 --separator ,
120.52.40.52,7001,
139.159.225.112,7001,

Because search has no option for saving to a file, you have to use download if you want to save the search results.

Download

$ shodan download --help
Usage: shodan download [OPTIONS] <filename> <search query>

Download search results and save them in a compressed JSON
file.

Options:
  --limit INTEGER  The number of results you want to download. -1
                   to download all the data possible.

  --skip INTEGER   The number of results to skip when starting
                   the download.

  -h, --help       Show this message and exit.

shodan download test rememberMe=deleteMe country:"CN" # test is the output filename; the search query follows the filename. Use --limit to cap the number of results downloaded.

Domain

View the help manual

Usage: shodan domain [OPTIONS] <domain>

View all available information for a domain

Options:
  -D, --details    Lookup host information for any IPs in the domain results
  -S, --save       Save the information in the a file named after the domain
                   (append if file exists).

  -H, --history    Include historical DNS data in the results
  -T, --type TEXT  Only returns DNS records of the provided type
  -h, --help       Show this message and exit.

Historical DNS resolution for a domain

shodan domain -H atsud0.me

Domain details

shodan domain -D atsud0.me

Look up records of a specific DNS type

# shodan domain -T <DNS type> <domain>
shodan domain -T TXT atsud0.me

Save the results to a file

shodan domain -D baidu.com -S

The output is then saved as two files named after the domain: baidu.com.json.gz and baidu.com-hosts.json.gz.
They can be decompressed with gzip.

gzip -d baidu.com.json.gz

The file is in JSON format, so it is easy to work with in various programming languages.

$ cat baidu.com.json
{"tags": [], "subdomain": "", "type": "A", "ports": [80, 443], "value": "39.156.69.79", "last_seen": "2021-05-07T08:04:44.699306+00:00"}
{"tags": [], "subdomain": "", "type": "A", "ports": [80, 443], "value": "220.181.38.148", "last_seen": "2021-05-07T08:04:44.694834+00:00"}
{"subdomain": "", "type": "MX", "value": "mx1.baidu.com", "last_seen": "2021-05-05T13:09:55.188748+00:00"}
{"subdomain": "", "type": "MX", "value": "mx50.baidu.com", "last_seen": "2021-05-05T13:09:55.197526+00:00"}
{"subdomain": "", "type": "MX", "value": "mx.n.shifen.com", "last_seen": "2021-05-05T13:09:55.206696+00:00"}
{"subdomain": "", "type": "MX", "value": "mx.maillb.baidu.com", "last_seen": "2021-05-05T13:09:55.202202+00:00"}
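
An added example (not from the original post): a small Python reader for the line-delimited JSON that `shodan domain -S` saves, grouping records by DNS type and flagging ports outside an expected set when auditing your own domain. The sample records, `example.com`, and `EXPECTED_PORTS` are constructed assumptions; only the field names come from the output above.

```python
import gzip
import io
import json
from collections import defaultdict

# Constructed sample in the line-delimited JSON layout of <domain>.json.gz shown
# above (documentation-range IPs and example.com, not real Shodan data).
SAMPLE_LINES = [
    '{"tags": [], "subdomain": "", "type": "A", "ports": [80, 443], "value": "192.0.2.10", "last_seen": "2021-05-07T08:04:44.699306+00:00"}',
    '{"tags": [], "subdomain": "dev", "type": "A", "ports": [22, 6379], "value": "192.0.2.20", "last_seen": "2021-05-06T10:00:00.000000+00:00"}',
    '{"subdomain": "", "type": "MX", "value": "mx1.example.com", "last_seen": "2021-05-05T13:09:55.188748+00:00"}',
    '{"subdomain": "www", "type": "CNAME", "value": "example.com", "last_seen": "2021-05-05T13:09:55.197526+00:00"}',
    'truncated or corrupt line',
]

# Assumption: the ports this organisation intends to expose to the Internet.
EXPECTED_PORTS = frozenset({80, 443})


def load_records(lines):
    """Yield one dict per line, skipping blanks and lines that are not JSON objects."""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "type" in rec and "value" in rec:
            yield rec


def summarize(records, domain, expected_ports=EXPECTED_PORTS):
    """Group records by DNS type and report ports outside the expected set."""
    by_type = defaultdict(list)
    unexpected = {}
    for rec in records:
        sub = rec.get("subdomain") or ""
        fqdn = f"{sub}.{domain}" if sub else domain
        by_type[rec["type"]].append((fqdn, rec["value"]))
        # MX/CNAME records carry no "ports" key, so default to an empty list.
        extra = sorted(set(rec.get("ports") or []) - set(expected_ports))
        if extra:
            unexpected[(fqdn, rec["value"])] = extra
    return dict(by_type), unexpected


def demo():
    """Write the sample to an in-memory gzip stream and read it back like the saved file."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as gz:
        gz.write("\n".join(SAMPLE_LINES) + "\n")
    buf.seek(0)
    with gzip.open(buf, "rt", encoding="utf-8") as fh:
        return summarize(load_records(fh), "example.com")


if __name__ == "__main__":
    by_type, unexpected = demo()
    for rtype, entries in sorted(by_type.items()):
        print(f"{rtype}: {len(entries)} record(s)")
    for (name, ip), ports in unexpected.items():
        print(f"unexpected ports on {name} ({ip}): {ports}")
```

For a real file, pass `gzip.open("baidu.com.json.gz", "rt", encoding="utf-8")` to `load_records` in place of the in-memory sample; no prior `gzip -d` step is needed.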

Host

Query IP data from the Shodan database

Help

$ shodan host --help
Usage: shodan host [OPTIONS] <ip address>

View all available information for an IP address

Options:
  --format [pretty|tsv]  The output format for the host
                         information. Possible values are:
                         pretty, tsv.

  --history              Show the complete history of the host.
  -O, --filename TEXT    Save the host information in the given
                         file (append if file exists).

  -S, --save             Save the host information in the a file
                         named after the IP (append if file
                         exists).

  -h, --help             Show this message and exit.

Basic query

$ shodan host 223.5.5.5
223.5.5.5
Hostnames: public1.alidns.com
City: Beijing
Country: China
Organization: Aliyun Computing Co., LTD
Updated: 2021-05-20T14:32:29.660612
Number of open ports: 2

Ports:
53/udp
443/tcp
|-- SSL Versions: -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3

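Use --format to choose the output format. --history returns the historical data for the IP; without this option, only the most recent port information is shown by default.

As with the domain lookup, the -S/--save option saves the query results locally.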

alert

This one doesn't feel particularly important...

Help

$ shodan alert
Usage: shodan alert [OPTIONS] COMMAND [ARGS]...

Manage the network alerts for your account

Options:
-h, --help Show this message and exit.

Commands:
  clear     Remove all alerts
  create    Create a network alert to monitor an external...
  disable   Disable a trigger for the alert
  domain    Create a network alert based on a domain name
  enable    Enable a trigger for the alert
  info      Show information about a specific alert
  list      List all the active alerts
  remove    Remove the specified alert
  triggers  List the available notification triggers

Create an alert

## shodan alert create <name> <netblocks>

## IP-based
shodan alert create test <Your_IP>

shodan alert list # find the alert that was just created

shodan alert enable <alert_ID> <trigger_name> ## trigger names can be listed with `shodan alert triggers`, though some of them may be unavailable

shodan alert disable <alert_ID> <trigger_name> # turn off the alert

## Domain-based
shodan alert domain atsud0.me --triggers new_service # though it may report that there is no data for the domain

List existing alerts

shodan alert list

Scan

$ shodan scan -h
Usage: shodan scan [OPTIONS] COMMAND [ARGS]...

Scan an IP/ netblock using Shodan.

Options:
-h, --help Show this message and exit.

Commands:
  internet   Scan the Internet for a specific port and protocol using the...
  list       Show recently launched scans
  protocols  List the protocols that you can scan with using Shodan.
  status     Check the status of an on-demand scan.
  submit     Scan an IP/ netblock using Shodan.

Basic scan

shodan scan submit IP

List scan jobs

(Part of each ID has been removed.)

shodan scan list
# 3 Scans Total - Showing 10 most recent scans:
# Scan ID  Status  Size  Timestamp
L          QUEUE   2     2021-04-22T08:28:33.434000
f          QUEUE   1     2021-04-22T08:28:26.624000
H          QUEUE   1     2021-04-22T08:28:19.008000

Check the status of a scan job

shodan scan status SCAN_ID

Scan the whole Internet for a port and service (PS: this option is only available to enterprise users)

$ shodan scan internet -h
Usage: shodan scan internet [OPTIONS] PORT PROTOCOL

Scan the Internet for a specific port and protocol using the Shodan
infrastructure.

Options:
--quiet Disable the printing of information to the screen.
-h, --help Show this message and exit.


## Example: scan the whole Internet for port 22 (my API key is not an enterprise one; the command format looks roughly like this)
$ shodan scan internet 22 ssh

List the protocols the current API key can scan

$ shodan scan protocols
afp AFP server information grabbing module
ajp Check whether the Tomcat server running AJP protocol
amqp Grab information from an AMQP service
andromouse Checks whether the device is running the remote mouse AndroMouse service.
apple-airport-admin Check whether the device is an Apple AirPort administrative interface.
ard Query the Apple Remote Desktop service for information about the device
auto Detect the type of service that runs on the port and send the appropriate request.
automated-tank-gauge Get the tank inventory for a gasoline station.
bacnet Gets various information from a BACnet device.
beanstalk Get general information about the Beanstalk daemon
bgp Checks whether the device is running BGP.
bitcoin Grabs information about a Bitcoin daemon, including any devices connected to it.
bittorrent-tracker Check whether there is a BitTorrent tracker running.
blackshades Determine whether a server is running a Blackshades C&C
cassandra Get cluster information for the Cassandra database software.
checkpoint-hostname Get hostnames for the CheckPoint firewall and management station.
cisco-smi Check whether the device supports the Cisco Smart Install feature.
citrix-apps This module attempts to query Citrix Metaframe ICA server to obtain a published list of applications.
clamav Determine whether a server is running ClamAV
coap Check whether the server supports the CoAP protocol
coap-dtls Check whether the server supports the CoAP protocol with DTLS
codesys Grab a banner for Codesys daemons
consul Determine wether consul is running & collect relevant info
couchdb HTTP banner grabbing module
crestron Checks for other servers with the same serial number on the local network. AAAAAA is a dummy value.
dahua-dvr Grab the serial number from a Dahua DVR device.
darktrack-rat Checks whether the device is a C2 for DarkTrack RAT.
dhcp Send a DHCP INFORM request to learn about the lease information from the DHCP server.
dht Gets a list of peers from a DHT node.
dicom Checks whether the DICOM service is running.
dictionary Connects to a dictionary server using the DICT protocol.
dnp3 A dump of data from a DNP3 outstation
dns-tcp Try to determine the version of a DNS server by grabbing version.bind
dns-udp Try to determine the version of a DNS server by grabbing version.bind
echo-udp Checks whether the device is running echo.
epmd Get a list of Erlang services and the ports they are listening on
etcd Etcd cluster information
ethereum-rpc Grabs version information about the Ethereum node.
ethernetip Grab information from a device supporting EtherNet/IP over TCP
ethernetip-udp Grab information from a device supporting EtherNet/IP over UDP
flux-led Grab the current state from a Flux LED light bulb.
fox Grabs a banner for proprietary FOX protocol by Tridium
ftp Grab the FTP banner
gardasoft-vision Grabs the version for the Gardasoft controller.
gearman Gather usage information from a Gearman queue
general-electric-srtp Check whether the GE SRTP service is active on the device.
ghost-rat Checks whether the device is a C2 for Gh0st RAT.
git Check whether git is running.
gtp-v1 Checks whether the device is running a GPRS Tunnel.
hart-ip-udp Checks whether the IP is a HART-IP gateway.
hbase Grab the status page for HBase database software.
hbase-old Grab the status page for old, deprecated HBase database software.
hddtemp View hard disk information from hddtemp service.
hifly Checks whether the HiFly lighting control is running.
http HTTP banner grabbing module
http-simple-new HTTP banner grabber only (no robots, sitemap etc.)
http-supermicro HTTP banner grabbing module for Supermicro servers
https HTTPS banner grabbing module
https-simple-new HTTPS banner grabber only (no robots, sitemap etc.)
ibm-db2-das Grab basic information about the IBM DB2 Database Server.
ibm-db2-drda Checks for support of the IBM DB2 DRDA protocol.
ibm-nje Check whether the z/OS Network Job Entry service is running.
identd Check whether the service is running identd
idera Grab target system info through Idera uptime agent system
idevice Connects to an iDevice and grabs the property list.
iec-104 Banner grabber for the IEC-104 protocol.
iec-61850 MMS protocol
ike Checks wheter a device is running a VPN using IKE.
ike-nat-t Checks wheter a device is running a VPN using IKE and NAT traversal.
ikettle Check whether the device is a coffee machine/ kettle.
imap Get the welcome message of the IMAP server
imap-ssl Get the welcome message of the secure IMAP server
insteon-plm Checks whether the device is Insteon PLM type
iota-rpc Grabs version information about the IOTA node.
ipmi Checks whether a device is running IPMI remote management software.
iscsi Determine whether a server is an iSCSI target
java-rmi Check whether the device is running Java RMI.
kafka Get information about a Kafka cluster.
kamstrup Kamstrup Smart Meters
kerberos Checks whether a device is running the Kerberos authentication daemon.
kilerrat Determine whether a server is running a KilerRAT C&C
knx Grabs the description from a KNX service.
language-server-protocol Checks whether the port is running a language server.
lantronix-udp Attempts to grab the setup object from a Lantronix device.
ldap-tcp LDAP banner grabbing module
ldap-udp CLDAP banner grabbing module
ldaps LDAPS banner grabbing module
libreoffice-impress Check whether the LibreOffice Impress Remote Server is enabled
lifx Check whether there is a BitTorrnt tracker running.
line-printer-daemon Get a list of jobs in the print queue to verify the device is a printer.
matrikon-opc Checks whether the device is running Matrikon OPC.
mdns Perform a DNS-based service discovery over multicast DNS
melsec-q-tcp Get the CPU information from a Mitsubishi Electric Q Series PLC.
melsec-q-udp Get the CPU information from a Mitsubishi Electric Q Series PLC.
memcache Get general information about the Memcache daemon
memcache-udp Get general information about the Memcache daemon responding on UDP
microhard Checks whether the device is running Microhard.
mikrotik-routeros Check whether the device operates the Oracle Weblogic T3 protocol
minecraft Gets the server status information from a Minecraft server
modbus Grab the Modbus device information via functions 17 and 43.
monero-rpc Collect information about the Monero daemon.
mongodb Collects system information from the MongoDB daemon.
moxa-nport Attempts to grab information from Moxna Nport devices.
mqtt Grab a list of recent messages from an MQTT broker.
ms-portmap-tcp Queries an MSRPC endpoint mapper for a list of mapped services and gathered information.
ms-sql Check whether the MS-SQL database server is running
ms-sql-monitor Pings an MS-SQL Monitor server
mumble-server Grabs the version information for the Murmur service (Mumble server)
munin Check whether a Munin node is active and list its plugins
mysql Grabs the version of the running MySQL server
nanocore-122-rat Checks whether the device is a C2 for NanoCore Version 1.2.2.0 Cracked
nanocore-rat Checks whether the device is a C2 for NanoCore RAT.
natpmp Checks whether NAT-PMP is exposed on the device.
netbios Grab NetBIOS information including the MAC address.
netmobility Checks whether the device is a NetMobility.
newline-tcp Connect to a server with TCP and send a newline.
newline-udp Connect to a server with UDP and send a newline.
njrat Determine whether a server is running a njRAT C&C
nntp Get the welcome message of a Network News server
nodata-dtls Check whether the service supports DTLS and store whatever is returned
nodata-tcp Connect to a server without sending any data and store whatever it returns.
nodata-tcp-small Connect to a server without sending any data and store whatever it returns.
nodata-tcp-ssl Connect to a server using SSL and without sending any data.
ntp Get a list of IPs that NTP server recently saw and try to get version info.
nuclear-rat Checks whether the device is a C2 for Nuclear RAT.
omron-tcp Gets information about the Omron PLC.
onvif Check whether the Onvif camera is operating.
opc-ua Grab a list of nodes from an OPC UA service
open-tcp Checks whether a port is open and nothing else.
openvpn Checks whether the other server runs an OpenVPN that doesnt require TLS auth
oracle-tns Check whether the Oracle TNS Listener is running.
orcus-rat Checks whether the device is a C2 for Gh0st RAT.
pcanywhere-status Asks the PC Anywhere status daemon for basic information.
pcworx Gets information about PC Worx device.
plc5 Checks whether the device is running Poison Ivy.
poison-ivy-rat Checks whether the device is running Poison Ivy.
pop3 Grab the POP3 welcome message
pop3-ssl Grab the secure POP3 welcome message
portmap-tcp Get a list of processes that are running and their ports.
portmap-udp Get a list of processes that are running and their ports.
postgresql Collects system information from the PostgreSQL daemon
pptp Connect via PPTP
printer-job-language Get the current output from the status display on a printer
proconos Gets information about the PLC via the ProConOs protocol.
qrat Determine whether a server is running a QRAT C&C
quic Checks whether a service supports the QUIC HTTP protocol
rdate Get the time from a remote rdate server
rdp RDP banner grabbing module
realport Get the banner for the Digi Realport device
redis Redis banner grabbing module
redlion-crimson3 A fingerprint for the Red Lion HMI devices running CrimsonV3
remcos-pro-rat Checks whether the device is a C2 for RemCos Pro 2.05
riak Sends a ServerInfo request to Riak
rip Checks whether the device is running the Routing Information Protocol.
ripple-rtxp Grabs the list of peers from an RTXP Ripple daemon.
rsync Get a list of shares from the rsync daemon.
rtsp-tcp Determine which options the RTSP server allows.
s7 Communicate using the S7 protocol and grab the device identifications.
sap-router Check whether the SAP Router is active
scpi Check for the SCPI protocol used by lab equipment
secure-fox Grabs a banner for proprietary FOX protocol by Tridium
serialnumbered Checks for other servers with the same serial number on the local network. AAAAAA is a dummy value.
sip Gets the options that the SIP device supports.
smarter-coffee Checks the device status of smart coffee machines.
smb Grab a list of shares exposed through the Server Message Block service
smtp Get basic SMTP server response
smtps Grab a banner and certificate for SMTPS servers
snmp Performs an SNMP walk of the system OID
ssh Get the SSH banner, its host key and fingerprint
statsd-admin Gathers statistics from the StatsD service.
steam-a2s Get a list of IPs that NTP server recently saw and try to get version info.
steam-dedicated-server-rcon Checks whether an IP is running as a Steam dedicated game server with remote authentication enabled.
steam-ihs Steam In-Home Streaming protocol
tacacs Check whether the device supports TACACS+ AAA.
tc-b Cursory check whether a device is running the TC-B protocol
teamviewer Determine whether a server is running TeamViewer
telnet Telnet banner grabbing module
telnets Telnet wrapped in SSL banner grabbing module
teradici-pcoip Check whether the device is running Teradici PCoIP Management Console.
teradici-pcoip-old Check whether the device is running Teradici PCoIP Management Console.
tibia Grab general information from Open Tibia servers
tor-control Checks whether a device is running the Tor control service.
tor-versions Checks whether the device is running the Tor OR protocol.
toshiba-pos Grabs device information for the IBM/ Toshiba 4690.
tuya Check whether a device supports the Tuya API
ubiquiti-discover Grabs information about the Ubiquiti-powered device
udpxy Udpxy banner grabbing module
unitronics-pcom Collects device information for Unitronics PLCs via PCOM protocol.
upnp Collects device information via UPnP.
vault Determine wether vault is running & collect relevant info
ventrilo Gets the detailed status information from a Ventrilo server.
vertx-edge Checks whether the device is running the VertX/ Edge door controller.
voldemort Pings the Voldemort database.
wdbrpc Checks whehter the WDB agent (used for debugging) is enabled on a VxWorks device.
weblogic-t3 Check whether the device operates the Oracle Weblogic T3 protocol
wemo-http Connect to a Wemo Link and grab the setup.xml file
whois Check whether the port is running WHOIS
x11 Connect to X11 w/ no auth and grab the resulting banner.
xiaongmai-backdoor Detect backdoor in xiaongmai devices.
xmpp Sends a hello request to the XMPP daemon
yahoo-smarttv Checks whether the device is running the Yahoo Smart TV device communication service.
zookeeper Grab statistical information from a Zookeeper node

honeyscore

Can be used to check whether an IP is a honeypot

shodan honeyscore 1.1.1.1

Other

Print your current IP address

shodan myip

Print version information

shodan version

count

Return the number of search results

$ shodan count product:redis country:CN
6468