OSINT

Shodan Eye: Search tool for Shodan

The Shodan Eye tool is part of a collection of Ethical Hacking tools written by fellow Dutchie Jolanda de Koff, a.k.a. Bulls Eye. It is a Python script to easily search Shodan and save your results locally for further analysis. Let’s give this one a try.

If you want to find a new pair of sneakers you use search engines like Google. If you want to find devices connected to the internet you have different search engines to help you on that quest. Shodan is one of the most popular databases for searching through the internet of things. With Shodan Eye, you can search the Shodan database while not having to leave your beloved terminal window.

Installation of Shodan Eye

Before we can start and use the tool it needs to be installed. It is not part of the default toolset of Kali or Parrot but resides on GitHub making it easy to install it. I first clone the repository to my local machine.

git clone https://www.github.com/xxxxxx

When the installation is finished the tool is ready to be used. The only thing you have to get yourself is a Shodan API key. Even the free version get an API-key, so log in to your Shodan account and grab the key from your profile. It looks like the screenshot below.

When you have your API key you are ready to launch Shodan Eye.

Running the tool to search Shodan

When you run the tool for the first time it will ask if you would like to save the output to a file and your API-key. The key is stored in a file called api.txt so you don’t have to enter it every time you run the tool. After it verifies the API-key is working it lets you choose your search keywords and start searching Shodan.

As you can see in the image above I entered ‘Synology’ as keyword for my search. Lets see if Shodan Eye can find some Synology products visible from the internet. Since they provide services like Web, FTP or Surveillance Station it is not weird to see them exposed. The question always remains: was it really needed to expose you device directly to the internet.

To give you an idea about how you get the results from Shodan Eye, I have some of the output here below. It’s just two hits from a much larger list but you get the idea.

[✓] Result: 98. Search query: synology

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

[+] IP: 35.175.108.100
[+] Port: 8834
[+] Organization: Amazon.com
[+] Location: {'city': None, 'region_code': None, 'area_code': None, 'longitude': -97.822, 'country_code3': None, 'latitude': 37.751, 'postal_code': None, 'dma_code': None, 'country_code': 'US', 'country_name': 'United States'}
[+] Layer: tcp
[+] Layer: tcp
[+] Domains: ['amazonaws.com']
[+] Hostnames: ['ec2-35-175-108-100.compute-1.amazonaws.com']
[+] The banner information for the service: 

HTTP/1.1 200 OK
Date: Sat, 05 Sep 2020 11:56:08 GMT
X-Powered-By: PHP/5.5.9-1ubuntu4.21
Server: Synology/DSM/192.168.1.100
Content-Length: 0


[✓] Result: 99. Search query: synology
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

[+] IP: 61.143.48.152
[+] Port: 1900
[+] Organization: China Telecom
[+] Location: {'city': None, 'region_code': None, 'area_code': None, 'longitude': 113.7266, 'country_code3': None, 'latitude': 34.7725, 'postal_code': None, 'dma_code': None, 'country_code': 'CN', 'country_name': 'China'}
[+] Layer: udp
[+] Layer: udp
[+] Domains: []
[+] Hostnames: []
[+] The banner information for the service: 

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1900
ST: upnp:rootdevice
USN: uuid:73796E6F-6473-6D00-0000-001132cc360c::upnp:rootdevice
EXT:
SERVER: Synology/DSM/192.168.3.20
LOCATION: http://192.168.3.20:5000/ssdp/desc-DSM-ovs_eth0.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1
BOOTID.UPNP.ORG: 1
CONFIGID.UPNP.ORG: 1337

Having this information stored in a file is convenient. I noticed in the first sample that the Synology device is still running the old PHP 5 version as a package. To find more Synology devices with an outdated PHP version I could easily filter it from the export.

As you can see it an easy tool to have in your toolbox. It is advised to have a paid subscription to Shodan because of the limitations of the search result in the free version. Keep an eye out for discounts, they have them every now and then.

Tool created by: Jolanda de Koff ‘Bulls Eye’



Tags

d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
%d bloggers like this: