Shodan is a very popular search engine for finding vulnerable devices on the internet. Shodan pings all the devices that are connected to the internet and shows every port associated with them. In Shodan we can find databases, open cameras, open servers, boats, and many other devices that are connected via the internet, ethical hacking courses explain. Today we will look at a tool built around Shodan: shodansploit.

An ethical hacking researcher at the International Institute of Cyber Security says shodansploit can be helpful in the information gathering phase.

Shodansploit is a tool for running detailed searches on your target from a command line interface. It also supports specific searches. Shodansploit works with the Shodan API, and what it can return depends on the privileges of your API key. In effect, it acts as a command line interface to Shodan.

  • Shodansploit is tested on Kali Linux 2018.4.
  • For downloading: type git clone https://github.com/ismailtasdelen/shodansploit.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/ismailtasdelen/shodansploit.git
Cloning into 'shodansploit'…
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (46/46), done.
remote: Total 51 (delta 15), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (51/51), done.
  • Type cd shodansploit && ls
root@kali:/home/iicybersecurity/Downloads# cd shodansploit/
root@kali:/home/iicybersecurity/Downloads/shodansploit# ls
doc img LICENSE README.md shodansploit.py
  • Type chmod u+x shodansploit.py
root@kali:/home/iicybersecurity/Downloads/shodansploit# chmod u+x shodansploit.py
  • Type nano shodansploit.py
  • Enter your Shodan API key in the first else statement. To get a Shodan API key, go to https://account.shodan.io, create an account, and log in.
  • After logging in, click on the My Account tab. On that page you can find your Shodan API key. Copy it and paste it into shodansploit.py in the required statement.
else:
    # Prompt for the API key and save it to ./api.txt (stored in plaintext)
    file = open('api.txt', 'w')
    shodan_api = raw_input('[*] Please enter a valid Shodan.io API Key: ')
    file.write(shodan_api)
    print('[~] File written: ./api.txt')
    file.close()
  • After adding the Shodan API, type python shodansploit.py
  • If you are unsure where to enter the Shodan API key in the shodansploit code, type shodansploit.py and enter the Shodan API key when prompted.
root@kali:/home/iicybersecurity/shodansploit# python shodansploit.py
[*] Please enter a valid Shodan.io API Key:
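The snippet above saves the key in plaintext to ./api.txt with default file permissions. As an added example (not part of shodansploit or the original article), this Python 3 sketch shows stricter handling of the same file: owner-only mode, with an environment variable taking precedence. The names save_api_key, load_api_key and SHODAN_API_KEY are assumptions of this example.

```python
import getpass
import os
import stat

ENV_VAR = "SHODAN_API_KEY"  # hypothetical variable name chosen for this example

def save_api_key(key, path):
    """Write the key to `path` with owner-only (0600) permissions."""
    key = key.strip()
    if not key:
        raise ValueError("empty API key")
    # Create the file as 0600 so it is never readable by other local users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        os.write(fd, key.encode("ascii"))
    finally:
        os.close(fd)

def load_api_key(path):
    """Prefer the environment; otherwise read the file, refusing loose modes."""
    key = os.environ.get(ENV_VAR, "").strip()
    if key:
        return key
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError("%s has mode %o; expected 600" % (path, mode))
    with open(path) as fh:
        return fh.read().strip()

if __name__ == "__main__":
    # getpass keeps the key out of the terminal scrollback.
    save_api_key(getpass.getpass("[*] Shodan.io API key: "), "api.txt")
    print("[~] File written: ./api.txt (mode 600)")
```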
  • Type python shodansploit.py
root@kali:/home/iicybersecurity/shodansploit# python shodansploit.py
      _               _                       _       _ _
  ___| |__   ___   __| | __ _ _ __  ___ _ __ | | ___ (_) |_
 / __| '_ \ / _ \ / _` |/ _` | '_ \/ __| '_ \| |/ _ \| | __|
 \__ \ | | | (_) | (_| | (_| | | | \__ \ |_) | | (_) | | |_
 |___/_| |_|\___/ \__,_|\__,_|_| |_|___/ .__/|_|\___/|_|\__|
                                       |_|            v1.1.0
        Author : Ismail Tasdelen
        GitHub : github.com/ismailtasdelen
      Linkedin : linkedin.com/in/ismailtasdelen
       Twitter : twitter.com/ismailtsdln

[1] GET > /shodan/host/{ip}
[2] GET > /shodan/host/count
[3] GET > /shodan/host/search
[4] GET > /shodan/host/search/tokens
[5] GET > /shodan/ports

[6] GET > /shodan/exploit/author
[7] GET > /shodan/exploit/cve
[8] GET > /shodan/exploit/msb
[9] GET > /shodan/exploit/bugtraq-id
[10] GET > /shodan/exploit/osvdb
[11] GET > /shodan/exploit/title
[12] GET > /shodan/exploit/description
[13] GET > /shodan/exploit/date
[14] GET > /shodan/exploit/code
[15] GET > /shodan/exploit/platform
[16] GET > /shodan/exploit/port

[17] GET > /dns/resolve
[18] GET > /dns/reverse
[19] GET > /labs/honeyscore/{ip}

[20] GET > /account/profile
[21] GET > /tools/myip
[22] GET > /tools/httpheaders
[23] GET > /api-info

[24] Exit
  • Type <1> & then type <IP address> of your target.
  • 1 will find the basic details of the target.
Which option number : 1
Shodan Host Search : 74.50.111.244
{
"area_code": 813,
"asn": "AS29802",
"city": "Tampa",
"country_code": "US",
"country_code3": "USA",
"country_name": "United States",
"data": [
{
"_shodan": {
"crawler": "a3cc14ebb782071aec2032690d4fd1979446a9ab",
"id": "ec4e8de3-02e7-4c2d-bce7-071a1326a11b",
"module": "http",
"options": {},
"ptr": true
},
"asn": "AS29802",
"data": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=us-ascii\r\nDate: Sat, 02 Feb 2019 18:41:30 GMT\r\nConnection: close\r\nContent-Length: 315\r\n\r\n",
"domains": [
"hvvc.us"
],
"hash": 1275063445,
"hostnames": [
"74-50-111-244.static.hvvc.us"
],
"http": {
"components": {},
"favicon": null,
"host": "74.50.111.244",
"html": "\r\nNot Found
\r\n\r\n
Not Found
\r\n
HTTP Error 404. The requested resource is not found.
\r\n\r\n",
"html_hash": 1489525118,
"location": "/",
"redirects": [],
"robots": null,
"robots_hash": null,
"securitytxt": null,
"securitytxt_hash": null,
"server": null,
"sitemap": null,
"sitemap_hash": null,
"title": "Not Found"
  • After running option 1 with the target IP address, shodansploit returns many details, such as area code, ASN, and city.
  • These details can be used in dictionary attacks & further hacking activities.
  • Type <3> & target <IP address>
Which option number : 3
Shodan Host Search : 162.241.216.11
{
"matches": [
{
"_shodan": {
"crawler": "62861a86c4e4b71dceed5113ce9593b98431f89a",
"id": "e0f7df01-a19f-4aa2-bd90-44433b41cea4",
"module": "https-simple-new",
"options": {},
"ptr": true
},
"asn": "AS20013",
"data": "HTTP/1.1 401 Access Denied\r\nConnection: close\r\nContent-Type: text/html; charset=\"utf-8\"\r\nDate: Sat, 09 Feb 2019 04:57:11 GMT\r\nCache-Control: no-cache, no-store, must-revalidate, private\r\nPragma: no-cache\r\nSet-Cookie: whostmgrrelogin=no; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: whostmgrsession=%3aku20Vju9PIy161cD%2cd1b6a1ec42e7edd4e6362ab95b9012dd; HttpOnly; path=/; port=2087; secure\r\nSet-Cookie: roundcube_sessid=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: roundcube_sessauth=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: horde_secret_key=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/horde; port=2087; secure\r\nSet-Cookie: PPA_ID=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: imp_key=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: key=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/3rdparty/squirrelmail/; port=2087; secure\r\nSet-Cookie: SQMSESSID=expired; HttpOnly; domain=162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087; secure\r\nSet-Cookie: Horde=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087\r\nSet-Cookie: horde_secret_key=expired; HttpOnly; domain=.162.241.216.11; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2087\r\nCache-Control: no-cache, 
no-store, must-revalidate, private\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 36260\r\n\r\n",
"domains": [
"bluehost.com"
],
"hash": 1033132057,
"hostnames": [
"box5331.bluehost.com"
],
"http": {
"components": {},
"favicon": null,
"host": "162.241.216.11",
"html": "\n\n\n\n
\n
\n
\n
\n WHM Login
\n
\n\n
\n
\n
\n\n \n/*\n This css is included in the base template in case the css cannot be loaded because of access restrictions\n If this css is updated, please update securitypolicy_header.html.tmpl as well\n*/\n.copyright {\n background: url(data:image/svg+xml;base64,[output truncated]
  • The third query shows the HTML of the target. This query tries to get summary information of the URL.
  • This information can be considered in the initial phase of pentesting, as it only shows the HTML of the target URL.
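For reviewing what Shodan has indexed about a host you operate, the JSON from options 1 and 3 can be condensed into one row per service. This is an added example, not part of shodansploit or the original article: the sample record is constructed (documentation-style hostname), the function names are hypothetical, and the per-banner "port" field is part of Shodan's banner format but is cut off in the output shown above.

```python
import json

# Constructed sample shaped like the option-3 output above.
SAMPLE = json.dumps({
    "matches": [{
        "_shodan": {"module": "https-simple-new"},
        "port": 2087,
        "hostnames": ["box.example.com"],
        "data": ("HTTP/1.1 401 Access Denied\r\n"
                 "Set-Cookie: sess=abc; HttpOnly; path=/; secure\r\n"
                 "Set-Cookie: Horde=expired; HttpOnly; path=/\r\n"
                 "X-Frame-Options: SAMEORIGIN\r\n\r\n"),
        "http": {"title": "WHM Login"},
    }]
})

def banners(record):
    """Host lookups keep banners under "data", searches under "matches"."""
    return record.get("data") or record.get("matches") or []

def cookie_findings(raw_banner):
    """Return (cookie_name, missing_flags) for Set-Cookie headers lacking Secure/HttpOnly."""
    findings = []
    for line in raw_banner.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            findings.append((parts[0].split("=", 1)[0], missing))
    return findings

def summarize(record_json):
    """One dict per indexed service: port, module, hostnames, title, weak cookies."""
    rows = []
    for b in banners(json.loads(record_json)):
        rows.append({
            "port": b.get("port"),
            "module": b.get("_shodan", {}).get("module"),
            "hostnames": b.get("hostnames", []),
            "title": (b.get("http") or {}).get("title"),
            "weak_cookies": cookie_findings(b.get("data", "")),
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```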
  • Type <5> then press enter
Which option number : 5
[
7,
11,
13,
15,
17,
19,
21,
22,
23,
25,
26,
37,
43,
49,
53,
69,
70,
79,
80,
81,
82,
83,
84,
88,
102,
104,
110,
111,
113,
119,
123,
129,
137,
143,
161,
175,
179,
195,
264,
311,
389,
443,
444,
445,
465,
500,
502,
503,
515,
520,
523,
554,
587,
623,
626,
631,
636,
666,
771,
789,
873,
902,
992,
993,
995,
1010,
  • The above query shows the list of ports that Shodan uses in scanning.
  • Type <6> & then type <microsoft>
  • microsoft is the target.
  • This query shows the vulnerabilities associated with the target.
Which option number : 6
Exploit Author : Microsoft
{
"matches": [
{
"_id": 19361,
"author": "Microsoft",
"code": "source: http://www.securityfocus.com/bid/477/info\r\n\r\n\r\nThis vulnerability could allow a web site viewer to obtain the source code for .asp and similar files if the server's default language (Input Locale) is set to Chinese, Japanese or Korean. How this works is as follows:\r\n\r\nIIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on it's list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS to set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code. \r\n\r\nRequest a URL of a known-good file that requires server processing, then append a hex value between x81 and xfe to the URL. For example: http://myhost/main.asp%81. If your server is vulnerable you will receive back the source code of your .asp file.",
"cve": [],
"date": "1999-06-24T00:00:00+00:00",
"description": "Microsoft IIS 3.0/4.0 - Double Byte Code Page",
"platform": "windows",
"port": 0,
"source": "ExploitDB",
"type": "remote"
},
{
"_id": "exploit/windows/fileformat/adobe_libtiff",
"alias": null,
"arch": "[]",
"author": [
"Microsoft",
"villy [email protected]",
"jduck [email protected]"
],
"bid": [
"38195"
],
  • The above query shows the vulnerabilities associated with the target. It shows that website viewers can get the source code of the target. This information can be useful in other hacking activities.
  • Type <13> & type <date>
  • Type any date
Which option number : 13
Exploit Date : 2018/04//13
{
"matches": [
{
"_id": "2018-7559",
"bid": [],
"cve": [
"CVE-2018-7559"
],
"description": "An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.",
"msb": [],
"osvdb": [],
"source": "CVE"
}
],
"total": 1
}
  • After executing, shodansploit shows a vulnerability that can allow an attacker to get the private key by sending tokens to the target. This information can be useful in the initial phase of pentesting.