Shodan Reconnaissance and Pentesting
Purpose
Provide systematic methodologies for leveraging Shodan as a reconnaissance tool during penetration testing engagements. This skill covers the Shodan web interface, command-line interface (CLI), REST API, search filters, on-demand scanning, and network monitoring capabilities for discovering exposed services, vulnerable systems, and IoT devices.
Inputs / Prerequisites
- **Shodan Account**: Free or paid account at shodan.io
- **API Key**: Obtained from Shodan account dashboard
- **Target Information**: IP addresses, domains, or network ranges to investigate
- **Shodan CLI**: Python-based command-line tool installed
- **Authorization**: Written permission for reconnaissance on target networks
Outputs / Deliverables
- **Asset Inventory**: List of discovered hosts, ports, and services
- **Vulnerability Report**: Identified CVEs and exposed vulnerable services
- **Banner Data**: Service banners revealing software versions
- **Network Mapping**: Geographic and organizational distribution of assets
- **Screenshot Gallery**: Visual reconnaissance of exposed interfaces
- **Exported Data**: JSON/CSV files for further analysis
Core Workflow
1. Setup and Configuration
#### Install Shodan CLI
# Using pip
pip install shodan
# Or easy_install
easy_install shodan
# On BlackArch/Arch Linux
sudo pacman -S python-shodan#### Initialize API Key
# Set your API key
shodan init YOUR_API_KEY
# Verify setup
shodan info
# Output: Query credits available: 100
# Scan credits available: 100#### Check Account Status
# View credits and plan info
shodan info
# Check your external IP
shodan myip
# Check CLI version
shodan version2. Basic Host Reconnaissance
#### Query Single Host
# Get all information about an IP
shodan host 1.1.1.1
# Example output:
# 1.1.1.1
# Hostnames: one.one.one.one
# Country: Australia
# Organization: Mountain View Communications
# Number of open ports: 3
# Ports:
# 53/udp
# 80/tcp
# 443/tcp#### Check if Host is Honeypot
# Get honeypot probability score
shodan honeyscore 192.168.1.100
# Output: Not a honeypot
# Score: 0.33. Search Queries
#### Basic Search (Free)
# Simple keyword search (no credits consumed)
shodan search apache
# Specify output fields
shodan search --fields ip_str,port,os smb#### Filtered Search (1 Credit)
# Product-specific search
shodan search product:mongodb
# Search with multiple filters
shodan search product:nginx country:US city:"New York"#### Count Results
# Get result count without consuming credits
shodan count openssh
# Output: 23128
shodan count openssh 7
# Output: 219#### Download Results
# Download 1000 results (default)
shodan download results.json.gz "apache country:US"
# Download specific number of results
shodan download --limit 5000 results.json.gz "nginx"
# Download all available results
shodan download --limit -1 all_results.json.gz "query"#### Parse Downloaded Data
# Extract specific fields from downloaded data
shodan parse --fields ip_str,port,hostnames results.json.gz
# Filter by specific criteria
shodan parse --fields location.country_code3,ip_str -f port:22 results.json.gz
# Export to CSV format
shodan parse --fields ip_str,port,org --separator , results.json.gz > results.csv4. Search Filters Reference
#### Network Filters
ip:1.2.3.4 # Specific IP addres
<!-- truncated -->