Learn Penetration Testing

Shodan scripting

As we learned in Chapter 2, Getting Started with Kali Linux, within Kali Linux, you are able to use scripts. Let's take a look at a script that can work with Shodan.

The first thing you should do is register for an account with Shodan. This can be done by navigating directly to https://account.shodan.io/register. Once you have created an account, navigate to My Account and obtain your API key. Keep your API key to hand, as you will use it in the script.

From your Kali Linux machine, you need to perform a few tasks before you can begin writing the script:

  1. Ensure that you are running the latest updates and upgrades and have Python 2.7 installed. Running the following command will ensure that you meet this requirement:
sudo apt-get update && sudo apt-get install python2.7
  2. We will leverage the pip command to install the required Shodan files. This is done using the following command:
sudo pip install shodan

Once you have all the requirements installed, you can create a script that performs whatever search you want. Note that every query made through Shodan requires your API key: replace the text "insert your API key here" with your actual API key. We will create a script that allows us to perform information gathering on our target. Using the sample script that follows, we can leverage Shodan to obtain results through the api.search query.

  1. We will create a new Python script using the nano shodan-iis.py command and the following code:
import shodan

SHODAN_API_KEY = "insert your API key here"
api = shodan.Shodan(SHODAN_API_KEY)

# Wrap the request in a try/except block to catch API errors
try:
    # Search Shodan
    results = api.search('IIS')

    # Show the results
    print('Results found: {}'.format(results['total']))
    for result in results['matches']:
        print('IP: {}'.format(result['ip_str']))
        print(result['data'])
        print('')
except shodan.APIError as e:
    print('Error: {}'.format(e))

To save a file in nano, you can use Ctrl + O and exit using Ctrl + X. Once the file has been saved, we can run it using the python shodan-iis.py command.

Note that my search is not specific to any country—I am merely searching for IIS servers:

Figure 4: Output of the shodan-iis script

If you purchase a subscription to Shodan, you are able to use a lot more search operators within your API query. The free version limits you to basic searches and only 2 pages of results.

In the preceding output (Figure 4), we have a number of results. Now, we can filter the results so that we have the IP addresses only. Using these IP addresses, we can then leverage a simple Nmap script to perform a scan of the IP addresses.

  1. Modify the script so that only the IP addresses are displayed. To do this, we need to remove the IP: label from the line print('IP: {}'.format(result['ip_str'])) and remove the lines print(result['data']) and print(''). The new code should look like this:
import shodan

SHODAN_API_KEY = "insert your API key here"
api = shodan.Shodan(SHODAN_API_KEY)

# Wrap the request in a try/except block to catch API errors
try:
    # Search Shodan
    results = api.search('IIS')

    # Show only the IP address of each match
    print('Results found: {}'.format(results['total']))
    for result in results['matches']:
        print(' {}'.format(result['ip_str']))
except shodan.APIError as e:
    print('Error: {}'.format(e))

Note that we now have just the IP addresses. Using this, we can redirect the output to a text file using the python shodan-iis.py >> shodan-iis.txt command, as shown in Figure 5:

Figure 5: Output of shodan-iis script filtering only IP addresses.
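The filtered list above still carries the "Results found:" header, and a host that exposes several IIS ports is listed once per port. The following added example (my code, not the book's; written for Python 3, whose standard library includes ipaddress) takes a result dictionary in the shape shodan.Shodan.search() returns, validates and de-duplicates the addresses, records the Server banner seen for each host, and produces a clean one-address-per-line target list. The sample results are constructed and use RFC 5737 documentation addresses, so it runs offline without an API key.

```python
import ipaddress

# Constructed sample in the shape returned by shodan.Shodan.search():
# the keys the page's script reads ('total', 'matches', 'ip_str', 'data').
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_RESULTS = {
    'total': 4,
    'matches': [
        {'ip_str': '203.0.113.10', 'port': 80,
         'data': 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n\r\n'},
        {'ip_str': '203.0.113.10', 'port': 443,   # same host, second banner
         'data': 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n\r\n'},
        {'ip_str': '198.51.100.7', 'port': 8080,
         'data': 'HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/10.0\r\n\r\n'},
        {'ip_str': 'not-an-ip', 'port': 80, 'data': ''},  # malformed entry
    ],
}


def server_header(banner):
    """Pull the Server: value out of a raw HTTP banner, or 'unknown'."""
    for line in banner.splitlines():
        name, sep, value = line.partition(':')
        if sep and name.strip().lower() == 'server':
            return value.strip()
    return 'unknown'


def inventory(results):
    """Map each valid IP to the sorted Server headers seen for it."""
    seen = {}
    for match in results.get('matches', []):
        try:
            ip = str(ipaddress.ip_address(match.get('ip_str', '')))
        except ValueError:
            continue  # never pass a malformed string on to nmap
        seen.setdefault(ip, set()).add(server_header(match.get('data', '')))
    return {ip: sorted(b) for ip, b in seen.items()}


def unique_ips(results):
    """Validated, de-duplicated addresses, sorted numerically for nmap."""
    ips = [ipaddress.ip_address(ip) for ip in inventory(results)]
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, int(ip)))]


def targets_file_text(ips):
    """One address per line and nothing else, ready for nmap's -iL option."""
    return ''.join(ip + '\n' for ip in ips)
```

Writing targets_file_text(unique_ips(results)) to shodan-iis.txt gives a file the bash script below can consume without tripping over the header line.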

Now that we have the IP addresses, we can build a simple bash script to run an Nmap scan against them.

  1. Create a simple bash script by entering the nano shodan-nmap-iis.sh command. Inside nano, enter the following code:
#!/bin/bash
# Read shodan-iis.txt one line at a time, keeping only lines that look like
# an IPv4 address so the "Results found:" header and blank lines are skipped
grep -E '^[[:space:]]*[0-9]+(\.[0-9]+){3}[[:space:]]*$' shodan-iis.txt | while read -r ip
do
    nmap -sS -sV "$ip"
done

Save the script as you did for the Python script, and change the permissions to enable it to run using the chmod +x shodan-nmap-iis.sh command. Then, run the script using the ./shodan-nmap-iis.sh command.

In the preceding code, we started with the crunchbang (#!) and defined the shell we will run the script in. Then, we defined the source file. As the script reads each line, it performs an Nmap TCP SYN scan (-sS) together with service and version detection on the open ports (-sV). Note that a SYN scan requires root privileges. The results are as shown in Figure 6:

Figure 6: Results of the bash script

Shodan truly is a search engine for hackers. There is a wealth of information that can be obtained on any type of internet-connected device.