Shodan gets more simpler, using Shodansploit

Shodan is very popular to search for vulnerable devices over the internet. As shodan ping all the devices which are connected to the internet. Shodan shows each and every port which are associated with the devices connected to the internet. In shodan we can find devices like databases, open camera, open servers, boats and many devices which are connected via internet. Today we will show tool which associated with shodansploit.

Ethical hacking researcher of international institute of cyber security says shodansploit can be helpful in information gathering phase.

Shodansploit is a tool which is used to make details search on your target using command line interface. This tool also provide specific searches that possible. Shodansploit works with shodan API. Shodansploit works according API privilege you have. This tool act as a command line interface of shodan.

  • Shodansploit is tested on Kali Linux 2018.4.
  • For downloading : type git clone https://github.com/ismailtasdelen/shodansploit.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/ismailtasdelen/shodansploit.git
Cloning into 'shodansploit'…
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (46/46), done.
remote: Total 51 (delta 15), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (51/51), done.
  • Type cd shodansploit && ls
root@kali:/home/iicybersecurity/Downloads# cd shodansploit/
root@kali:/home/iicybersecurity/Downloads/shodansploit# ls
doc img LICENSE README.md shodansploit.py
  • Type chmod u+x shodansploit.py
root@kali:/home/iicybersecurity/Downloads/shodansploit# chmod u+x shodansploit.py
  • Type nano shodansploit
  • Enter shodan API in first else statement. For getting shodan API go to : https://account.shodan.io. Create your account. Then login through your account.
  • After login click to My account tab. On that page you can get Shodan API. Copy Shodan API and paste it in shodansploit.py in the required statement.
else:
file = open('api.txt', 'w')
shodan_api = raw_input('[*] Please enter a valid Shodan.io API Key: ')
file.write(shodan_api)
print('[~] File written: ./api.txt')
file.close()
  • After adding shodan API, type python shodansploit.py
  • If you are confused to enter shodan API in shodansploit code. Type shodansploit.py and then enter the shdoan API key.
root@kali:/home/iicybersecurity/shodansploit# python shodansploit.py
[*] Please enter a valid Shodan.io API Key:
  • Type python shodansploit.py
root@kali:/home/iicybersecurity/shodansploit# python shodansploit.py
      _               _                       _       _ _
  ___| |__   ___   __| | __ _ _ __  ___ _ __ | | ___ (_) |_
 / __| '_ \ / _ \ / _` |/ _` | '_ \/ __| '_ \| |/ _ \| | __|
 \__ \ | | | (_) | (_| | (_| | | | \__ \ |_) | | (_) | | |_
 |___/_| |_|\___/ \__,_|\__,_|_| |_|___/ .__/|_|\___/|_|\__|
                                       |_|            v1.1.0
        Author : Ismail Tasdelen
        GitHub : github.com/ismailtasdelen
      Linkedin : linkedin.com/in/ismailtasdelen
       Twitter : twitter.com/ismailtsdln

[1] GET > /shodan/host/{ip}
[2] GET > /shodan/host/count
[3] GET > /shodan/host/search
[4] GET > /shodan/host/search/tokens
[5] GET > /shodan/ports

[6] GET > /shodan/exploit/author
[7] GET > /shodan/exploit/cve
[8] GET > /shodan/exploit/msb
[9] GET > /shodan/exploit/bugtraq-id
[10] GET > /shodan/exploit/osvdb
[11] GET > /shodan/exploit/title
[12] GET > /shodan/exploit/description
[13] GET > /shodan/exploit/date
[14] GET > /shodan/exploit/code
[15] GET > /shodan/exploit/platform
[16] GET > /shodan/exploit/port

[17] GET > /dns/resolve
[18] GET > /dns/reverse
[19] GET > /labs/honeyscore/{ip}

[20] GET > /account/profile
[21] GET > /tools/myip
[22] GET > /tools/httpheaders
[23] GET > /api-info

[24] Exit
  • Type <1> & then type <IP address> of your target.
  • 1 will find the basic details of the target.
Which option number : 1
Shodan Host Search : 74.50.111.244
{
"area_code": 813,
"asn": "AS29802",
"city": "Tampa",
"country_code": "US",
"country_code3": "USA",
"country_name": "United States",
"data": [
{
"_shodan": {
"crawler": "a3cc14ebb782071aec2032690d4fd1979446a9ab",
"id": "ec4e8de3-02e7-4c2d-bce7-071a1326a11b",
"module": "http",
"options": {},
"ptr": true
},
"asn": "AS29802",
"data": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=us-ascii\r\nDate: Sat, 02 Feb 2019 18:41:30 GMT\r\nConnection: close\r\nContent-Length: 315\r\n\r\n",
"domains": [
"hvvc.us"
],
"hash": 1275063445,
"hostnames": [
"74-50-111-244.static.hvvc.us"
],
"http": {
"components": {},
"favicon": null,
"host": "74.50.111.244",
"html": "\r\nNot Found
\r\n\r\n
Not Found
\r\n
HTTP Error 404. The requested resource is not found.
\r\n\r\n",
"html_hash": 1489525118,
"location": "/",
"redirects": [],
"robots": null,
"robots_hash": null,
"securitytxt": null,
"securitytxt_hash": null,
"server": null,
"sitemap": null,
"sitemap_hash": null,
"title": "Not Found"
  • After executing with 1 and the target IP address. Shodansploit has found many details. Details like area code, asn code, city.
  • These details can be used in dictionary attacks & further hacking activities.
  • Type <3> & target <IP address>
Which option number : 3
Shodan Host Search : 162.241.216.11
{
"matches": [
{
"_shodan": {
"crawler": "62861a86c4e4b71dceed5113ce9593b98431f89a",
"id": "e0f7df01-a19f-4aa2-bd90-44433b41cea4",
"module": "https-simple-new",
"options": {},
"ptr": true
},
"asn": "AS20013",
"data": "HTTP/1.1 401 Access Denied\r\nConnection: close\r\nContent-Type: text/html; charset=\"utf-8\"\r\nDate: Sat, 09 Feb 2019 04:57:11 GMT\r\nCache-Control: no-cache, no-store, must-revalidate, private\r\nPragma: no-cache\r\nSet-Cookie: whostmgrrelogin=no; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: whostmgrsession=%3aku20Vju9PIy161cD%2cd1b6a1ec42e7edd4e6362ab95b9012dd; HttpOnly; path=/; port=2087; secure\r\nSet-Cookie: roundcube_sessid=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: roundcube_sessauth=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: horde_secret_key=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/horde; port=2087; secure\r\nSet-Cookie: PPA_ID=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: imp_key=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: key=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/3rdparty/squirrelmail/; port=2087; secure\r\nSet-Cookie: SQMSESSID=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087\r\nSet-Cookie: horde_secret_key=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087\r\nCache-Control: no-cache, no-store, must-revalidate, private\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 36260\r\n\r\n",
"domains": [
"bluehost.com"
],
"hash": 1033132057,
"hostnames": [
"box5331.bluehost.com"
],
"http": {
"components": {},
"favicon": null,
"host": "162.241.216.11",
"html": "\n\n\n\n
\n
\n
\n
\n WHM Login
\n
\n\n
\n
\n
\n\n \n/<em>\n This css is included in the base template in case the css cannot be loaded because of access restrictions\n If this css is updated, please update securitypolicy_header.html.tmpl as well\n</em>/\n.copyright {\n background: url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzNTlwdCIgaGVpZ2h0PSIzMjAiIHZpZXdCb3g9IjAgMCAzNTkgMjQwIj48ZGVmcz48Y2xpcFBhdGggaWQ9ImEiPjxwYXRoIGQ9Ik0xMjMgMGgyMzUuMzd2MjQwSDEyM3ptMCAwIi8+PC9jbGlwUGF0aD48L2RlZnM+PHBhdGggZD0iTTg5LjY5IDU5LjEwMmg2Ny44MDJsLTEwLjUgNDAuMmMtMS42MDUgNS42LTQuNjA1IDEwLjEtOSAxMy41LTQuNDAyIDMuNC05LjUwNCA1LjA5Ni0xNS4zIDUuMDk2aC0zMS41Yy03LjIgMC0xMy41NSAyLjEwMi0xOS4wNSA2LjMtNS41MDUgNC4yLTkuMzUzIDkuOTA0LTExLjU1MiAxNy4xMDMtMS40IDUuNDAzLTEuNTUgMTAuNS0uNDUgMTUuMzAyIDEuMDk4IDQuNzk2IDMuMDQ3IDkuMDUgNS44NTIgMTIuNzUgMi43OTcgMy43MDMgNi40IDYuNjUyIDEwLjc5NyA4Ljg1IDQuMzk3IDIuMiA5L</p>
  • Third query shows the html of the target. This query tries to get summary information of the URL.
  • This information can be considered in initial phase of pentesting. As it only shows html of the target URL.
  • Type <5> then press enter
Which option number : 5
[
7,
11,
13,
15,
17,
19,
21,
22,
23,
25,
26,
37,
43,
49,
53,
69,
70,
79,
80,
81,
82,
83,
84,
88,
102,
104,
110,
111,
113,
119,
123,
129,
137,
143,
161,
175,
179,
195,
264,
311,
389,
443,
444,
445,
465,
500,
502,
503,
515,
520,
523,
554,
587,
623,
626,
631,
636,
666,
771,
789,
873,
902,
992,
993,
995,
1010,
  • The above query shows the ports which shodan use in scanning. These are the list of ports which are used by shodan.
  • Type <6> & then type <microsoft>
  • microsoft is the target.
  • This query shows vulnerabilities which are caused in the target.
Which option number : 6
Exploit Author : Microsoft
{
"matches": [
{
"_id": 19361,
"author": "Microsoft",
"code": "source: http://www.securityfocus.com/bid/477/info\r\n\r\n\r\nThis vulnerability could allow a web site viewer to obtain the source code for .asp and similar files if the server's default language (Input Locale) is set to Chinese, Japanese or Korean. How this works is as follows:\r\n\r\nIIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on it's list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS to set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code. \r\n\r\nRequest a URL of a known-good file that requires server processing, then append a hex value between x81 and xfe to the URL. For example: http://myhost/main.asp%81. If your server is vulnerable you will receive back the source code of your .asp file.",
"cve": [],
"date": "1999-06-24T00:00:00+00:00",
"description": "Microsoft IIS 3.0/4.0 - Double Byte Code Page",
"platform": "windows",
"port": 0,
"source": "ExploitDB",
"type": "remote"
},
{
"_id": "exploit/windows/fileformat/adobe_libtiff",
"alias": null,
"arch": "[]",
"author": [
"Microsoft",
"villy villys777@gmail.com",
"jduck jduck@metasploit.com"
],
"bid": [
"38195"
],
  • The above query shows the vulnerabilities that are caused in the target. It shows that website viewer can get source code of the target. The information can be useful in other hacking activities.
  • Type <13> & type <date>
  • Type any date
Which option number : 13
Exploit Date : 2018/04//13
{
"matches": [
{
"_id": "2018-7559",
"bid": [],
"cve": [
"CVE-2018-7559"
],
"description": "An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.",
"msb": [],
"osvdb": [],
"source": "CVE"
}
],
"total": 1
}
  • After executing shodansploit shows the vulnerability that can allow attacker to get private key by sending tokens to the target. The information can be useful in initial phase of pentesting.
(Visited 257 1 times,)